diff --git a/documentation/content/en/articles/committers-guide/_index.adoc b/documentation/content/en/articles/committers-guide/_index.adoc index ff2923c80c..0c3e116589 100644 --- a/documentation/content/en/articles/committers-guide/_index.adoc +++ b/documentation/content/en/articles/committers-guide/_index.adoc @@ -1,3795 +1,3795 @@ --- title: Committer's Guide authors: - author: The FreeBSD Documentation Project copyright: 1999-2022 The FreeBSD Documentation Project description: Introductory information for FreeBSD committers trademarks: ["freebsd", "coverity", "git", "github", "gitlab", "ibm", "intel", "general"] weight: 25 tags: ["FreeBSD Committer's Guide", "Guide", "Community"] --- = Committer's Guide :doctype: article :toc: macro :toclevels: 1 :icons: font :sectnums: :sectnumlevels: 6 :source-highlighter: rouge :experimental: :images-path: articles/committers-guide/ ifdef::env-beastie[] ifdef::backend-html5[] include::shared/authors.adoc[] include::shared/mirrors.adoc[] include::shared/releases.adoc[] include::shared/attributes/attributes-{{% lang %}}.adoc[] include::shared/{{% lang %}}/teams.adoc[] include::shared/{{% lang %}}/mailing-lists.adoc[] include::shared/{{% lang %}}/urls.adoc[] :imagesdir: ../../../images/{images-path} endif::[] ifdef::backend-pdf,backend-epub3[] include::../../../../shared/asciidoctor.adoc[] endif::[] endif::[] ifndef::env-beastie[] include::../../../../../shared/asciidoctor.adoc[] endif::[] [.abstract-title] Abstract This document provides information for the FreeBSD committer community. All new committers should read this document before they start, and existing committers are strongly encouraged to review it from time to time. Almost all FreeBSD developers have commit rights to one or more repositories. However, a few developers do not, and some of the information here applies to them as well. (For instance, some people only have rights to work with the Problem Report database.) Please see crossref:committers-guide[non-committers, Issues Specific to Developers Who Are Not Committers] for more information. This document may also be of interest to members of the FreeBSD community who want to learn more about how the project works. ''' toc::[] [[admin]] == Administrative Details [.informaltable] [cols="1,1", frame="none"] |=== |_Login Methods_ |man:ssh[1], protocol 2 only |_Main Shell Host_ |`freefall.FreeBSD.org` |_Reference Machines_ |`ref*.FreeBSD.org`, `universe*.freeBSD.org` (see also link:https://www.FreeBSD.org/internal/machines/[FreeBSD Project Hosts]) |_SMTP Host_ |`smtp.FreeBSD.org:587` (see also crossref:committers-guide[smtp-setup, SMTP Access Setup]). |`_src/_` Git Repository |`ssh://git@gitrepo.FreeBSD.org/src.git` |`_doc/_` Git Repository |`ssh://git@gitrepo.FreeBSD.org/doc.git` |`_ports/_` Git Repository |`ssh://git@gitrepo.FreeBSD.org/ports.git` |_Internal Mailing Lists_ |developers (technically called all-developers), doc-developers, doc-committers, ports-developers, ports-committers, src-developers, src-committers. (Each project repository has its own -developers and -committers mailing lists. Archives for these lists can be found in the files [.filename]#/local/mail/repository-name-developers-archive# and [.filename]#/local/mail/repository-name-committers-archive# on `freefall.FreeBSD.org`.) |_Core Team monthly reports_ |[.filename]#/home/core/public/reports# on the `FreeBSD.org` cluster. |_Ports Management Team monthly reports_ |[.filename]#/home/portmgr/public/monthly-reports# on the `FreeBSD.org` cluster. |_Noteworthy `src/` Git Branches:_ |`stable/n` (`n`-STABLE), `main` (-CURRENT) |=== man:ssh[1] is required to connect to the project hosts. For more information, see crossref:committers-guide[ssh.guide, SSH Quick-Start Guide]. Useful links: * link:https://www.FreeBSD.org/internal/[FreeBSD Project Internal Pages] * link:https://www.FreeBSD.org/internal/machines/[FreeBSD Project Hosts] * link:https://www.FreeBSD.org/administration/[FreeBSD Project Administrative Groups] [[pgpkeys]] == OpenPGP Keys for FreeBSD Cryptographic keys conforming to the OpenPGP (__Pretty Good Privacy__) standard are used by the FreeBSD project to authenticate committers. Messages carrying important information like public SSH keys can be signed with the OpenPGP key to prove that they are really from the committer. -See https://nostarch.com/releases/pgp_release.pdf[PGP & GPG: Email for the Practical Paranoid by Michael Lucas] and http://en.wikipedia.org/wiki/Pretty_Good_Privacy[] for more information. +See https://nostarch.com/releases/pgp_release.pdf[PGP & GPG: Email for the Practical Paranoid by Michael Lucas] and https://en.wikipedia.org/wiki/Pretty_Good_Privacy[] for more information. [[pgpkeys-creating]] === Creating a Key Existing keys can be used, but should be checked with [.filename]#documentation/tools/checkkey.sh# first. In this case, make sure the key has a FreeBSD user ID. For those who do not yet have an OpenPGP key, or need a new key to meet FreeBSD security requirements, here we show how to generate one. [[pgpkeys-create-steps]] [.procedure] ==== . Install [.filename]#security/gnupg#. Enter these lines in [.filename]#~/.gnupg/gpg.conf# to set minimum acceptable defaults for signing and new key preferences (see the link:https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html[GnuPG options documentation] for more details): + [.programlisting] .... # Sorted list of preferred algorithms for signing (strongest to weakest). personal-digest-preferences SHA512 SHA384 SHA256 SHA224 # Default preferences for new keys default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 CAST5 BZIP2 ZLIB ZIP Uncompressed .... . Generate a key: + [source,shell] .... % gpg --full-gen-key gpg (GnuPG) 2.1.8; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Warning: using insecure memory! Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 <.> Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 3y <.> Key expires at Wed Nov 4 17:20:20 2015 MST Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Chucky Daemon <.> Email address: notreal@example.com Comment: You selected this USER-ID: "Chucky Daemon " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. .... <.> 2048-bit keys with a three-year expiration provide adequate protection at present (2022-10). <.> A three year key lifespan is short enough to obsolete keys weakened by advancing computer power, but long enough to reduce key management problems. <.> Use your real name here, preferably matching that shown on government-issued ID to make it easier for others to verify your identity. Text that may help others identify you can be entered in the `Comment` section. + After the email address is entered, a passphrase is requested. Methods of creating a secure passphrase are contentious. Rather than suggest a single way, here are some links to sites that describe various methods: https://world.std.com/~reinhold/diceware.html[], https://www.iusmentis.com/security/passphrasefaq/[], https://xkcd.com/936/[], https://en.wikipedia.org/wiki/Passphrase[]. ==== Protect the private key and passphrase. If either the private key or passphrase may have been compromised or disclosed, immediately notify mailto:accounts@FreeBSD.org[accounts@FreeBSD.org] and revoke the key. Committing the new key is shown in crossref:committers-guide[commit-steps, Steps for New Committers]. [[kerberos-ldap]] == Kerberos and LDAP web Password for FreeBSD Cluster The FreeBSD cluster requires a Kerberos password to access certain services. The Kerberos password also serves as the LDAP web password, since LDAP is proxying to Kerberos in the cluster. Some of the services which require this include: * https://bugs.freebsd.org/bugzilla[Bugzilla] * https://ci.freebsd.org[Jenkins] To create a new Kerberos account in the FreeBSD cluster, or to reset a Kerberos password for an existing account using a random password generator: [source,shell] .... % ssh kpasswd.freebsd.org .... [NOTE] ==== This must be done from a machine outside of the FreeBSD.org cluster. ==== A Kerberos password can also be set manually by logging into `freefall.FreeBSD.org` and running: [source,shell] .... % kpasswd .... [NOTE] ==== Unless the Kerberos-authenticated services of the FreeBSD.org cluster have been used previously, `Client unknown` will be shown. This error means that the `ssh kpasswd.freebsd.org` method shown above must be used first to initialize the Kerberos account. ==== [[committer.types]] == Commit Bit Types The FreeBSD repository has a number of components which, when combined, support the basic operating system source, documentation, third party application ports infrastructure, and various maintained utilities. When FreeBSD commit bits are allocated, the areas of the tree where the bit may be used are specified. Generally, the areas associated with a bit reflect who authorized the allocation of the commit bit. Additional areas of authority may be added at a later date: when this occurs, the committer should follow normal commit bit allocation procedures for that area of the tree, seeking approval from the appropriate entity and possibly getting a mentor for that area for some period of time. [.informaltable] [cols="1,1,1", frame="none"] |=== |__Committer Type__ |__Responsible__ |__Tree Components__ |src |core@ |src/ |doc |doceng@ |doc/, ports/, src/ documentation |ports |portmgr@ |ports/ |=== Commit bits allocated prior to the development of the notion of areas of authority may be appropriate for use in many parts of the tree. However, common sense dictates that a committer who has not previously worked in an area of the tree seek review prior to committing, seek approval from the appropriate responsible party, and/or work with a mentor. Since the rules regarding code maintenance differ by area of the tree, this is as much for the benefit of the committer working in an area of less familiarity as it is for others working on the tree. Committers are encouraged to seek review for their work as part of the normal development process, regardless of the area of the tree where the work is occurring. === Policy for Committer Activity in Other Trees * All committers may modify [.filename]#src/share/misc/committers-*.dot#, [.filename]#src/usr.bin/calendar/calendars/calendar.freebsd#, and [.filename]#ports/astro/xearth/files#. * doc committers may commit documentation changes to [.filename]#src# files, such as manual pages, READMEs, fortune databases, calendar files, and comment fixes without approval from a src committer, subject to the normal care and tending of commits. * Any committer may make changes to any other tree with an "Approved by" from a non-mentored committer with the appropriate bit. Mentored committers can provide a "Reviewed by" but not an "Approved by". * Committers can acquire an additional bit by the usual process of finding a mentor who will propose them to core, doceng, or portmgr, as appropriate. When approved, they will be added to 'access' and the normal mentoring period will ensue, which will involve a continuing of "Approved by" for some period. [[doc-blanket-approval]] ==== Documentation Implicit (Blanket) Approval Some types of fixes have "blanket approval" from the {doceng}, allowing any committer to fix those categories of problems on any part of the doc tree. These fixes do not need approval or review from a doc committer if the author doesn't have a doc commit bit. Blanket approval applies to these types of fixes: * Typos * Trivial fixes + Punctuation, URLs, dates, paths and file names with outdated or incorrect information, and other common mistakes that may confound the readers. Over the years, some implicit approvals were granted in the doc tree. This list shows the most common cases: * Changes in [.filename]#documentation/content/en/books/porters-handbook/versions/_index.adoc# + extref:{porters-handbook}versions/[__FreeBSD_version Values (Porter's Handbook)], mainly used for src committers. * Changes in [.filename]#doc/shared/contrib-additional.adoc# + extref:{contributors}[Additional FreeBSD Contributors, contrib-additional] maintenance. * All link:#commit-steps[Steps for New Committers], doc related * Security advisories; Errata Notices; Releases; + Used by {security-officer} and {re}. * Changes in [.filename]#website/content/en/donations/donors.adoc# + Used by {donations}. Before any commit, a build test is necessary; see the 'Overview' and 'The FreeBSD Documentation Build Process' sections of the extref:{fdp-primer}[FreeBSD Documentation Project Primer for New Contributors] for more details. [[git-primer]] == Git Primer [[git-basics]] === Git basics When one searches for "Git Primer" a number of good ones come up. Daniel Miessler's link:https://danielmiessler.com/study/git/[A git primer] and Willie Willus' link:https://gist.github.com/williewillus/068e9a8543de3a7ef80adb2938657b6b[Git - Quick Primer] are both good overviews. The Git book is also complete, but much longer https://git-scm.com/book/en/v2. There is also this website https://dangitgit.com/ for common traps and pitfalls of Git, in case you need guidance to fix things up. Finally, an introduction link:https://eagain.net/articles/git-for-computer-scientists/[targeted at computer scientists] has proven helpful to some at explaining the Git world view. This document will assume that you've read through it and will try not to belabor the basics (though it will cover them briefly). [[git-mini-primer]] === Git Mini Primer This primer is less ambitiously scoped than the old Subversion Primer, but should cover the basics. ==== Scope If you want to download FreeBSD, compile it from sources, and generally keep up to date that way, this primer is for you. It covers getting the sources, updating the sources, bisecting and touches briefly on how to cope with a few local changes. It covers the basics, and tries to give good pointers to more in-depth treatment for when the reader finds the basics insufficient. Other sections of this guide cover more advanced topics related to contributing to the project. The goal of this section is to highlight those bits of Git needed to track sources. They assume a basic understanding of Git. There are many primers for Git on the web, but the https://git-scm.com/book/en/v2[Git Book] provides one of the better treatments. [[git-mini-primer-getting-started]] ==== Getting Started For Developers This section describes the read-write access for committers to push the commits from developers or contributors. [[git-mini-daily-use]] ===== Daily use [NOTE] ==== In the examples below, replace `${repo}` with the name of the desired FreeBSD repository: `doc`, `ports`, or `src`. ==== * Clone the repository: + [source,shell] .... % git clone -o freebsd --config remote.freebsd.fetch='+refs/notes/*:refs/notes/*' https://git.freebsd.org/${repo}.git .... + Then you should have the official mirrors as your remote: + [source,shell] .... % git remote -v freebsd https://git.freebsd.org/${repo}.git (fetch) freebsd https://git.freebsd.org/${repo}.git (push) .... * Configure the FreeBSD committer data: + The commit hook in repo.freebsd.org checks the "Commit" field matches the committer's information in FreeBSD.org. The easiest way to get the suggested config is by executing `/usr/local/bin/gen-gitconfig.sh` script on freefall: + [source,shell] .... % gen-gitconfig.sh [...] % git config user.name (your name in gecos) % git config user.email (your login)@FreeBSD.org .... * Set the push URL: + [source,shell] .... % git remote set-url --push freebsd git@gitrepo.freebsd.org:${repo}.git .... + Then you should have separated fetch and push URLs as the most efficient setup: + [source,shell] .... % git remote -v freebsd https://git.freebsd.org/${repo}.git (fetch) freebsd git@gitrepo.freebsd.org:${repo}.git (push) .... + Again, note that `gitrepo.freebsd.org` has been canonicalized to `repo.freebsd.org`. * Install commit message template hook: + For doc repository: + [source,shell] .... % cd .git/hooks % ln -s ../../.hooks/prepare-commit-msg .... + For ports repository: + [source,shell] .... % git config --add core.hooksPath .hooks .... + For src repository: + [source,shell] .... % cd .git/hooks % ln -s ../../tools/tools/git/hooks/prepare-commit-msg .... [[admin-branch]] ===== "admin" branch The `access` and `mentors` files are stored in an orphan branch, `internal/admin`, in each repository. Following example is how to check out the `internal/admin` branch to a local branch named `admin`: [source,shell] .... % git config --add remote.freebsd.fetch '+refs/internal/*:refs/internal/*' % git fetch % git checkout -b admin internal/admin .... Alternatively, you can add a worktree for the `admin` branch: [source,shell] .... git worktree add -b admin ../${repo}-admin internal/admin .... For browsing `internal/admin` branch on web: `https://cgit.freebsd.org/${repo}/log/?h=internal/admin` For pushing, specify the full refspec: [source,shell] .... git push freebsd HEAD:refs/internal/admin .... ==== Keeping Current With The FreeBSD src Tree [[keeping_current]] First step: cloning a tree. This downloads the entire tree. There are two ways to download. Most people will want to do a deep clone of the repository. However, there are times when you may wish to do a shallow clone. ===== Branch Names FreeBSD-CURRENT uses the `main` branch. `main` is the default branch. For FreeBSD-STABLE, branch names include `stable/12` and `stable/13`. For FreeBSD-RELEASE, release engineering branch names include `releng/12.4` and `releng/13.2`. https://www.freebsd.org/releng/[] shows: * `main` and `stable/⋯` branches open * `releng/⋯` branches, each of which is frozen when a release is tagged. Examples: * tag https://cgit.freebsd.org/src/tag/?h=release/13.1.0[release/13.1.0] on the https://cgit.freebsd.org/src/log/?h=releng/13.1[releng/13.1] branch * tag https://cgit.freebsd.org/src/tag/?h=release/13.2.0[release/13.2.0] on the https://cgit.freebsd.org/src/log/?h=releng/13.2[releng/13.2] branch. ===== Repositories Please see the crossref:committers-guide[admin,Administrative Details] for the latest information on where to get FreeBSD sources. $URL below can be obtained from that page. Note: The project doesn't use submodules as they are a poor fit for our workflows and development model. How we track changes in third-party applications is discussed elsewhere and generally of little concern to the casual user. ===== Deep Clone A deep clone pulls in the entire tree, as well as all the history and branches. It is the easiest to do. It also allows you to use Git's worktree feature to have all your active branches checked out into separate directories but with only one copy of the repository. [source,shell] .... % git clone -o freebsd $URL -b branch [] .... -- will create a deep clone. `branch` should be one of the branches listed in the previous section. If no `branch` is given: the default (`main`) will be used. If no `` is given: the name of the new directory will match the name of the repo ([.filename]#doc#, [.filename]#ports# or [.filename]#src#). You will want a deep clone if you are interested in the history, plan on making local changes, or plan on working on more than one branch. It is the easiest to keep up to date as well. If you are interested in the history, but are working with only one branch and are short on space, you can also use --single-branch to only download the one branch (though some merge commits will not reference the merged-from branch which may be important for some users who are interested in detailed versions of history). ===== Shallow Clone A shallow clone copies just the most current code, but none or little of the history. This can be useful when you need to build a specific revision of FreeBSD, or when you are just starting out and plan to track the tree more fully. You can also use it to limit history to only so many revisions. However, see below for a significant limitation of this approach. [source,shell] .... % git clone -o freebsd -b branch --depth 1 $URL [dir] .... This clones the repository, but only has the most recent version in the repository. The rest of the history is not downloaded. Should you change your mind later, you can do `git fetch --unshallow` to get the old history. [WARNING] ==== When you make a shallow clone, you will lose the commit count in your uname output. This can make it more difficult to determine if your system needs to be updated when a security advisory is issued. ==== ===== Building Once you've downloaded, building is done as described in the handbook, e.g.: [source,shell] .... % cd src % make buildworld % make buildkernel % make installkernel % make installworld .... so that won't be covered in depth here. If you want to build a custom kernel, extref:{handbook}[the kernel config section, kernelconfig] of the FreeBSD Handbook recommends creating a file MYKERNEL under sys/${ARCH}/conf with your changes against GENERIC. To have MYKERNEL disregarded by Git, it can be added to .git/info/exclude. ===== Updating To update both types of trees uses the same commands. This pulls in all the revisions since your last update. [source,shell] .... % git pull --ff-only .... will update the tree. In Git, a 'fast forward' merge is one that only needs to set a new branch pointer and doesn't need to re-create the commits. By always doing a fast forward merge/pull, you'll ensure that you have an exact copy of the FreeBSD tree. This will be important if you want to maintain local patches. See below for how to manage local changes. The simplest is to use `--autostash` on the `git pull` command, but more sophisticated options are available. ==== Selecting a Specific Version In Git, `git checkout` checks out both branches and specific versions. Git's versions are the long hashes rather than a sequential number. When you checkout a specific version, just specify the hash you want on the command line (the git log command can help you decide which hash you might want): [source,shell] .... % git checkout 08b8197a74 .... and you have that checked out. You will be greeted with a message similar to the following: [source,shell] .... Note: checking out '08b8197a742a96964d2924391bf9fdfeb788865d'. You are in a 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example: git checkout -b HEAD is now at 08b8197a742a hook gpiokeys.4 to the build .... where the last line is generated from the hash you are checking out and the first line of the commit message from that revision. The hash can be abbreviated to the shortest unique length. Git itself is inconsistent about how many digits it displays. ==== Bisecting Sometimes, things go wrong. The last version worked, but the one you just updated to does not. A developer may ask you to bisect the problem to track down which commit caused the regression. Git makes bisecting changes easy with a powerful `git bisect` command. Here's a brief outline of how to use it. For more information, you can view https://www.metaltoad.com/blog/beginners-guide-git-bisect-process-elimination or https://git-scm.com/docs/git-bisect for more details. The man git-bisect page is good at describing what can go wrong, what to do when versions won't build, when you want to use terms other than 'good' and 'bad', etc, none of which will be covered here. `git bisect start --first-parent` will start the bisection process. Next, you need to tell a range to go through. `git bisect good XXXXXX` will tell it the working version and `git bisect bad XXXXX` will tell it the bad version. The bad version will almost always be HEAD (a special tag for what you have checked out). The good version will be the last one you checked out. The `--first-parent` argument is necessary so that subsequent `git bisect` commands do not try to check out a vendor branch which lacks the full FreeBSD source tree. [TIP] ==== If you want to know the last version you checked out, you should use `git reflog`: [source,shell] .... 5ef0bd68b515 (HEAD -> main, freebsd/main, freebsd/HEAD) HEAD@{0}: pull --ff-only: Fast-forward a8163e165c5b (upstream/main) HEAD@{1}: checkout: moving from b6fb97efb682994f59b21fe4efb3fcfc0e5b9eeb to main ... .... shows me moving the working tree to the `main` branch (a816...) and then updating from upstream (to 5ef0...). In this case, bad would be HEAD (or 5ef0bd68b515) and good would be a8163e165c5b. As you can see from the output, HEAD@{1} also often works, but isn't foolproof if you have done other things to your Git tree after updating, but before you discover the need to bisect. ==== Set the 'good' version first, then set the bad (though the order doesn't matter). When you set the bad version, it will give you some statistics on the process: [source,shell] .... % git bisect start --first-parent % git bisect good a8163e165c5b % git bisect bad HEAD Bisecting: 1722 revisions left to test after this (roughly 11 steps) [c427b3158fd8225f6afc09e7e6f62326f9e4de7e] Fixup r361997 by balancing parens. Duh. .... You would then build/install that version. If it's good you'd type `git bisect good` otherwise `git bisect bad`. If the version doesn't compile, type `git bisect skip`. You will get a similar message to the above after each step. When you are done, report the bad version to the developer (or fix the bug yourself and send a patch). `git bisect reset` will end the process and return you back to where you started (usually tip of `main`). Again, the git-bisect manual (linked above) is a good resource for when things go wrong or for unusual cases. [[git-gpg-signing]] ==== Signing the commits, tags, and pushes, with GnuPG Git knows how to sign commits, tags, and pushes. When you sign a Git commit or a tag, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else. A more in-depth documentation on signing commits and tags can be found in the https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work[Git Tools - Signing Your Work] chapter of the Git's book. The rationale behind signing pushes can be found in the https://github.com/git/git/commit/a85b377d0419a9dfaca8af2320cc33b051cbed04[commit that introduced the feature]. The best way is to simply tell Git you always want to sign commits, tags, and pushes. You can do this by setting a few configuration variables: [source,shell] .... % git config --add user.signingKey LONG-KEY-ID % git config --add commit.gpgSign true % git config --add tag.gpgSign true % git config --add push.gpgSign if-asked .... // push.gpgSign should probably be set to `yes` once we enable it, or be set with --global, so that it is enabled for all repositories. [NOTE] ====== To avoid possible collisions, make sure you give a long key id to Git. You can get the long id with: `gpg --list-secret-keys --keyid-format LONG`. ====== [TIP] ====== To use specific subkeys, and not have GnuPG to resolve the subkey to a primary key, attach `!` to the key. For example, to encrypt for the subkey `DEADBEEF`, use `DEADBEEF!`. ====== ===== Verifying signatures Commit signatures can be verified by running either `git verify-commit `, or `git log --show-signature`. Tag signatures can be verified with `git verify-tag `, or `git tag -v `. //// Commented out for now until we decide what to do. Git pushes are a bit different, they live in a special ref in the repository. TODO: write how to verify them //// ==== Ports Considerations The ports tree operates the same way. The branch names are different and the repositories are in different locations. The cgit repository web interface for use with web browsers is at https://cgit.FreeBSD.org/ports/ . The production Git repository is at https://git.FreeBSD.org/ports.git and at ssh://anongit@git.FreeBSD.org/ports.git (or anongit@git.FreeBSD.org:ports.git). There is also a mirror on GitHub, see extref:{handbook}/mirrors[External mirrors, mirrors] for an overview. The _latest_ branch is `main`. The _quarterly_ branches are named `yyyyQn` for year 'yyyy' and quarter 'n'. [[port-commit-message-formats]] ===== Commit message formats A hook is available in the ports repository to help you write up your commit messages in https://cgit.freebsd.org/ports/tree/.hooks/prepare-commit-msg[.hooks/prepare-commit-message]. It can be enabled by running ``git config --add core.hooksPath .hooks``. The main point being that a commit message should be formatted in the following way: .... category/port: Summary. Description of why the changes where made. PR: 12345 .... [IMPORTANT] ==== The first line is the subject of the commit, it contains what port was changed, and a summary of the commit. It should contain 50 characters or less. A blank line should separate it from the rest of the commit message. The rest of the commit message should be wrapped at the 72 characters boundary. Another blank line should be added if there are any metadata fields, so that they are easily distinguishable from the commit message. ==== ==== Managing Local Changes This section addresses tracking local changes. If you have no local changes you can skip this section. One item that is important for all of them: all changes are local until pushed. Unlike Subversion, Git uses a distributed model. For users, for most things, there is very little difference. However, if you have local changes, you can use the same tool to manage them as you use to pull in changes from FreeBSD. All changes that you have not pushed are local and can easily be modified (git rebase, discussed below does this). ===== Keeping local changes The simplest way to keep local changes (especially trivial ones) is to use `git stash`. In its simplest form, you use `git stash` to record the changes (which pushes them onto the stash stack). Most people use this to save changes before updating the tree as described above. They then use `git stash apply` to re-apply them to the tree. The stash is a stack of changes that can be examined with `git stash list`. The git-stash man page (https://git-scm.com/docs/git-stash) has all the details. This method is suitable when you have tiny tweaks to the tree. When you have anything non trivial, you'll likely be better off keeping a local branch and rebasing. Stashing is also integrated with the `git pull` command: just add `--autostash` to the command line. ===== Keeping a local branch [[keeping_a_local_branch]] It is much easier to keep a local branch with Git than Subversion. In Subversion you need to merge the commit, and resolve the conflicts. This is manageable, but can lead to a convoluted history that's hard to upstream should that ever be necessary, or hard to replicate if you need to do so. Git also allows one to merge, along with the same problems. That's one way to manage the branch, but it's the least flexible. In addition to merging, Git supports the concept of 'rebasing' which avoids these issues. The `git rebase` command replays all the commits of a branch at a newer location on the parent branch. We will cover the most common scenarios that arise using it. ====== Create a branch Let's say you want to make a change to FreeBSD's ls command to never, ever do color. There are many reasons to do this, but this example will use that as a baseline. The FreeBSD ls command changes from time to time, and you'll need to cope with those changes. Fortunately, with Git rebase it usually is automatic. [source,shell] .... % cd src % git checkout main % git checkout -b no-color-ls % cd bin/ls % vi ls.c # hack the changes in % git diff # check the changes diff --git a/bin/ls/ls.c b/bin/ls/ls.c index 7378268867ef..cfc3f4342531 100644 --- a/bin/ls/ls.c +++ b/bin/ls/ls.c @@ -66,6 +66,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#undef COLORLS #ifdef COLORLS #include #include % # these look good, make the commit... % git commit ls.c .... The commit will pop you into an editor to describe what you've done. Once you enter that, you have your own **local** branch in the Git repo. Build and install it like you normally would, following the directions in the handbook. Git differs from other version control systems in that you have to tell it explicitly which files to commit. I have opted to do it on the commit command line, but you can also do it with `git add` which many of the more in depth tutorials cover. ====== Time to update When it is time to bring in a new version, it is almost the same as w/o the branches. You would update like you would above, but there is one extra command before you update, and one after. The following assumes you are starting with an unmodified tree. It is important to start rebasing operations with a clean tree (Git requires this). [source,shell] .... % git checkout main % git pull --ff-only % git rebase -i main no-color-ls .... This will bring up an editor that lists all the commits in it. For this example, do not change it at all. This is typically what you are doing while updating the baseline (though you also use the Git rebase command to curate the commits you have in the branch). Once you are done with the above, you have to move the commits to ls.c forward from the old version of FreeBSD to the newer one. Sometimes there are merge conflicts. That is OK. Do not panic. Instead, handle them the same as any other merge conflicts. To keep it simple, I will just describe a common issue that may arise. A pointer to a complete treatment can be found at the end of this section. Let's say the includes changes upstream in a radical shift to terminfo as well as a name change for the option. When you updated, you might see something like this: [source,shell] .... Auto-merging bin/ls/ls.c CONFLICT (content): Merge conflict in bin/ls/ls.c error: could not apply 646e0f9cda11... no color ls Resolve all conflicts manually, mark them as resolved with "git add/rm ", then run "git rebase --continue". You can instead skip this commit: run "git rebase --skip". To abort and get back to the state before "git rebase", run "git rebase --abort". Could not apply 646e0f9cda11... no color ls .... which looks scary. If you bring up an editor, you will see it is a typical 3-way merge conflict resolution that you may be familiar with from other source code systems (the rest of ls.c has been omitted): [source,shell] <<<<<<< HEAD #ifdef COLORLS_NEW #include ======= #undef COLORLS #ifdef COLORLS #include >>>>>>> 646e0f9cda11... no color ls .... The new code is first, and your code is second. The right fix here is to just add a #undef COLORLS_NEW before #ifdef and then delete the old changes: [source,shell] .... #undef COLORLS_NEW #ifdef COLORLS_NEW #include .... save the file. The rebase was interrupted, so you have to complete it: [source,shell] .... % git add ls.c % git rebase --continue .... which tells Git that ls.c has been fixed and to continue the rebase operation. Since there was a conflict, you will get kicked into the editor to update the commit message if necessary. If the commit message is still accurate, just exit the editor. If you get stuck during the rebase, do not panic. git rebase --abort will take you back to a clean slate. It is important, though, to start with an unmodified tree. An aside: The above mentioned `git reflog` comes in handy here, as it will have a list of all the (intermediate) commits that you can view or inspect or cherry-pick. For more on this topic, https://www.freecodecamp.org/news/the-ultimate-guide-to-git-merge-and-git-rebase/ provides a rather extensive treatment. It is a good resource for issues that arise occasionally but are too obscure for this guide. ===== Switching to a Different FreeBSD Branch If you wish to shift from stable/12 to the current branch. If you have a deep clone, the following will suffice: [source,shell] .... % git checkout main % # build and install here... .... If you have a local branch, though, there are one or two caveats. First, rebase will rewrite history, so you will likely want to do something to save it. Second, jumping branches tends to cause more conflicts. If we pretend the example above was relative to stable/12, then to move to `main`, I'd suggest the following: [source,shell] .... % git checkout no-color-ls % git checkout -b no-color-ls-stable-12 # create another name for this branch % git rebase -i stable/12 no-color-ls --onto main .... What the above does is checkout no-color-ls. Then create a new name for it (no-color-ls-stable-12) in case you need to get back to it. Then you rebase onto the `main` branch. This will find all the commits to the current no-color-ls branch (back to where it meets up with the stable/12 branch) and then it will replay them onto the `main` branch creating a new no-color-ls branch there (which is why I had you create a place holder name). [[mfc-with-git]] === MFC (Merge From Current) Procedures ==== Summary MFC workflow can be summarized as `git cherry-pick -x` plus `git commit --amend` to adjust the commit message. For multiple commits, use `git rebase -i` to squash them together and edit the commit message. ==== Single commit MFC [source,shell] .... % git checkout stable/X % git cherry-pick -x $HASH --edit .... For MFC commits, for example a vendor import, you would need to specify one parent for cherry-pick purposes. Normally, that would be the "first parent" of the branch you are cherry-picking from, so: [source,shell] .... % git checkout stable/X % git cherry-pick -x $HASH -m 1 --edit .... If things go wrong, you'll either need to abort the cherry-pick with `git cherry-pick --abort` or fix it up and do a `git cherry-pick --continue`. Once the cherry-pick is finished, push with `git push`. If you get an error due to losing the commit race, use `git pull --rebase` and try to push again. ==== MFC to RELENG branch MFCs to branches that require approval require a bit more care. The process is the same for either a typical merge or an exceptional direct commit. * Merge or direct commit to the appropriate `stable/X` branch first before merging to the `releng/X.Y` branch. * Use the hash that's in the `stable/X` branch for the MFC to `releng/X.Y` branch. * Leave both "cherry picked from" lines in the commit message. * Be sure to add the `Approved by:` line when you are in the editor. [source,shell] .... % git checkout releng/13.0 % git cherry-pick -x $HASH --edit .... If you forget to to add the `Approved by:` line, you can do a `git commit --amend` to edit the commit message before you push the change. ==== Multiple commit MFC [source,shell] .... % git checkout -b tmp-branch stable/X % for h in $HASH_LIST; do git cherry-pick -x $h; done % git rebase -i stable/X # mark each of the commits after the first as 'squash' # Update the commit message to reflect all elements of commit, if necessary. # Be sure to retain the "cherry picked from" lines. % git push freebsd HEAD:stable/X .... If the push fails due to losing the commit race, rebase and try again: [source,shell] .... % git checkout stable/X % git pull % git checkout tmp-branch % git rebase stable/X % git push freebsd HEAD:stable/X .... Once the MFC is complete, you can delete the temporary branch: [source,shell] .... % git checkout stable/X % git branch -d tmp-branch .... ==== MFC a vendor import Vendor imports are the only thing in the tree that creates a merge commit in the `main` branch. Cherry picking merge commits into stable/XX presents an additional difficulty because there are two parents for a merge commit. Generally, you'll want the first parent's diff since that's the diff to `main` (though there may be some exceptions). [source,shell] .... % git cherry-pick -x -m 1 $HASH .... is typically what you want. This will tell cherry-pick to apply the correct diff. There are some, hopefully, rare cases where it's possible that the `main` branch was merged backwards by the conversion script. Should that be the case (and we've not found any yet), you'd change the above to `-m 2` to pickup the proper parent. Just do: [source,shell] .... % git cherry-pick --abort % git cherry-pick -x -m 2 $HASH .... to do that. The `--abort` will cleanup the failed first attempt. ==== Redoing a MFC If you do a MFC, and it goes horribly wrong and you want to start over, then the easiest way is to use `git reset --hard` like so: [source,shell] .... % git reset --hard freebsd/stable/12 .... though if you have some revs you want to keep, and others you don't, using `git rebase -i` is better. ==== Considerations when MFCing When committing source commits to stable and releng branches, we have the following goals: * Clearly mark direct commits distinct from commits that land a change from another branch. * Avoid introducing known breakage into stable and releng branches. * Allow developers to determine which changes have or have not been landed from one branch to another. With Subversion, we used the following practices to achieve these goals: * Using `MFC` and `MFS` tags to mark commits that merged changes from another branch. * Squashing fixup commits into the main commit when merging a change. * Recording mergeinfo so that `svn mergeinfo --show-revs` worked. With Git, we will need to use different strategies to achieve the same goals. This document aims to define best practices when merging source commits using Git that achieve these goals. In general, we aim to use Git's native support to achieve these goals rather than enforcing practices built on Subversion's model. One general note: due to technical differences with Git, we will not be using Git "merge commits" (created via `git merge`) in stable or releng branches. Instead, when this document refers to "merge commits", it means a commit originally made to `main` that is replicated or "landed" to a stable branch, or a commit from a stable branch that is replicated to a releng branch with some variation of `git cherry-pick`. ==== Finding Eligible Hashes to MFC Git provides some built-in support for this via the `git cherry` and `git log --cherry` commands. These commands compare the raw diffs of commits (but not other metadata such as log messages) to determine if two commits are identical. This works well when each commit from `main` is landed as a single commit to a stable branch, but it falls over if multiple commits from `main` are squashed together as a single commit to a stable branch. The project makes extensive use of `git cherry-pick -x` with all lines preserved to work around these difficulties and is working on automated tooling to take advantage of this. ==== Commit message standards ===== Marking MFCs The project has adopted the following practice for marking MFCs: * Use the `-x` flag with `git cherry-pick`. This adds a line to the commit message that includes the hash of the original commit when merging. Since it is added by Git directly, committers do not have to manually edit the commit log when merging. When merging multiple commits, keep all the "cherry picked from" lines. ===== Trim Metadata? One area that was not clearly documented with Subversion (or even CVS) is how to format metadata in log messages for MFC commits. Should it include the metadata from the original commit unchanged, or should it be altered to reflect information about the MFC commit itself? Historical practice has varied, though some of the variance is by field. For example, MFCs that are relevant to a PR generally include the PR field in the MFC so that MFC commits are included in the bug tracker's audit trail. Other fields are less clear. For example, Phabricator shows the diff of the last commit tagged to a review, so including Phabricator URLs replaces the main commit with the landed commits. The list of reviewers is also not clear. If a reviewer has approved a change to `main`, does that mean they have approved the MFC commit? Is that true if it's identical code only, or with merely trivial rework? It's clearly not true for more extensive reworks. Even for identical code what if the commit doesn't conflict but introduces an ABI change? A reviewer may have ok'd a commit for `main` due to the ABI breakage but may not approve of merging the same commit as-is. One will have to use one's best judgment until clear guidelines can be agreed upon. For MFCs regulated by re@, new metadata fields are added, such as the Approved by tag for approved commits. This new metadata will have to be added via `git commit --amend` or similar after the original commit has been reviewed and approved. We may also want to reserve some metadata fields in MFC commits such as Phabricator URLs for use by re@ in the future. Preserving existing metadata provides a very simple workflow. Developers use `git cherry-pick -x` without having to edit the log message. If instead we choose to adjust metadata in MFCs, developers will have to edit log messages explicitly via the use of `git cherry-pick --edit` or `git commit --amend`. However, as compared to svn, at least the existing commit message can be pre-populated and metadata fields can be added or removed without having to re-enter the entire commit message. The bottom line is that developers will likely need to curate their commit message for MFCs that are non-trivial. [[vendor-import-git]] === Vendor Imports with Git This section describes the vendor import procedure with Git in detail. ==== Branch naming convention All vendor branches and tags start with `vendor/`. These branches and tags are visible by default. [NOTE] ==== This chapter follows the convention that the `freebsd` origin is the origin name for the official FreeBSD Git repository. If you use a different convention, replace `freebsd` with the name you use instead in the examples below. ==== We will explore an example for updating NetBSD's mtree that is in our tree. The vendor branch for this is `vendor/NetBSD/mtree`. ==== Updating an old vendor import The vendor trees usually have only the subset of the third-party software that is appropriate to FreeBSD. These trees are usually tiny in comparison to the FreeBSD tree. Git worktrees are thus quite small and fast and the preferred method to use. Make sure that whatever directory you choose below (the `../mtree`) does not currently exist. [source,shell] .... % git worktree add ../mtree vendor/NetBSD/mtree .... ==== Update the Sources in the Vendor Branch Prepare a full, clean tree of the vendor sources. Import everything but merge only what is needed. This example assumes the NetBSD source is checked out from their GitHub mirror in `~/git/NetBSD`. Note that "upstream" might have added or removed files, so we want to make sure deletions are propagated as well. package:net/rsync[] is commonly installed, so I'll use that. [source,shell] .... % cd ../mtree % rsync -va --del --exclude=".git" ~/git/NetBSD/usr.sbin/mtree/ . % git add -A % git status ... % git diff --staged ... % git commit -m "Vendor import of NetBSD's mtree at 2020-12-11" [vendor/NetBSD/mtree 8e7aa25fcf1] Vendor import of NetBSD's mtree at 2020-12-11 7 files changed, 114 insertions(+), 82 deletions(-) % git tag -a vendor/NetBSD/mtree/20201211 .... It is critical to verify that the source code you are importing comes from a trustworthy source. Many open-source projects use cryptographic signatures to sign code changes, git tags, and/or source code tarballs. Always verify these signatures, and use isolation mechanisms like jails, chroot, in combination with a dedicated, non-privileged user account that is different from the one you regularly use (see the Updating the FreeBSD source tree section below for more details), until you are confident that the source code you are importing looks safe. Following the upstream development and occasionally reviewing the upstream code changes can greatly help in improving code quality and benefit everyone involved. It is also a good idea to examine the git diff results before importing them into the vendor area. Always run the `git diff` and `git status` commands and examine the results carefully. When in doubt, it is useful to do a `git annotate` on the vendor branch or the upstream git repository to see who and why a change was made. In the example above we used `-m` to illustrate, but you should compose a proper message in an editor (using a commit message template). It is also important to create an annotated tag using `git tag -a`, otherwise the push will be rejected. Only annotated tags are allowed to be pushed. The annotated tag gives you a chance to enter a commit message. Enter the version you are importing, along with any salient new features or fixes in that version. ==== Updating the FreeBSD Copy At this point you can push the import to `vendor` into our repo. [source,shell] .... % git push --follow-tags freebsd vendor/NetBSD/mtree .... `--follow-tags` tells `git push` to also push tags associated with the locally committed revision. ==== Updating the FreeBSD source tree Now you need to update the mtree in FreeBSD. The sources live in `contrib/mtree` since it is upstream software. From time to time, we may have to make changes to the contributed code to better satisfy FreeBSD's needs. Whenever possible, please try to contribute the local changes back to the upstream projects, this helps them to better support FreeBSD, and also saves your time for future conflict resolutions when importing updates. [source,shell] .... % cd ../src % git subtree merge -P contrib/mtree vendor/NetBSD/mtree .... This would generate a subtree merge commit of `contrib/mtree` against the local `vendor/NetBSD/mtree` branch. Examine the diff from the merge result and the contents of the upstream branch. If the merge reduced our local changes to more trivial difference like blank line or indenting changes, try amending the local changes to reduce diff against upstream, or try to contribute the remaining changes back to the upstream project. If there were conflicts, you would need to fix them before committing. Include details about the changes being merged in the merge commit message. Some open-source software includes a `configure` script that generates files used to define how the code is built; usually, these generated files like `config.h` should be updated as part of the import process. When doing this, always keep in mind that these scripts are executable code running under the current user's credentials. This process should always be run in an isolated environment, ideally inside a jail that does not have network access, and with an unprivileged account; or, at minimum, a dedicated account that is different from the user account you normally use for everyday purposes or for pushing to the FreeBSD source code repository. This minimizes the risk of encountering bugs that can cause data loss or, in worse cases, maliciously planted code. Using an isolated jail also prevents the configure scripts from detecting locally installed software packages, which may lead to unexpected results. When testing your changes, run them in a chroot or jailed environment, or even within a virtual machine first, especially for kernel or library modifications. This approach helps prevent adverse interactions with your working environment. It can be particularly beneficial for changes to libraries that many base system components use, among others. ==== Rebasing your change against latest FreeBSD source tree Because the current policy recommends against using merges, if the upstream FreeBSD `main` moved forward before you get a chance to push, you would have to redo the merge. Regular `git rebase` or `git pull --rebase` doesn't know how to rebase a merge commit **as a merge commit**, so instead of that you would have to recreate the commit. The following steps should be taken to easily recreate the merge commit as if `git rebase --merge-commits` worked properly: * cd to the top of the repo * Create a side branch `XXX` with the **contents** of the merged tree. * Update this side branch `XXX` to be merged and up-to-date with FreeBSD's `main` branch. ** In the worst case scenario, you would still have to resolve merge conflicts, if there was any, but this should be really rare. ** Resolve conflicts, and collapse multiple commits down to 1 if need be (without conflicts, there's no collapse needed) * checkout `main` * create a branch `YYY` (allows for easier unwinding if things go wrong) * Re-do the subtree merge * Instead of resolving any conflicts from the subtree merge, checkout the contents of XXX on top of it. ** The trailing `.` is important, as is being at the top level of the repo. ** Rather than switching branches to XXX, it splats the contents of XXX on top of the repo * Commit the results with the prior commit message (the example assumes there's only one merge on the XXX branch). * Make sure the branches are the same. * Do whatever review you need, including having others check it out if you think that's needed. * Push the commit, if you 'lost the race' again, just redo these steps again (see below for a recipe) * Delete the branches once the commit is upstream. They are throw-a-way. The commands one would use, following the above example of mtree, would be like so (the `#` starts a comment to help link commands to descriptions above): [source,shell] .... % cd ../src # CD to top of tree % git checkout -b XXX # create new throw-away XXX branch for merge % git fetch freebsd # Get changes from upstream from upstream % git merge freebsd/main # Merge the changes and resolve conflicts % git checkout -b YYY freebsd/main # Create new throw-away YYY branch for redo % git subtree merge -P contrib/mtree vendor/NetBSD/mtree # Redo subtree merge % git checkout XXX . # XXX branch has the conflict resolution % git commit -c XXX~1 # -c reuses the commit message from commit before rebase % git diff XXX YYY # Should be empty % git show YYY # Should only have changes you want, and be a merge commit from vendor branch .... Note: if things go wrong with the commit, you can reset the `YYY` branch by reissuing the checkout command that created it with -B to start over: [source,shell] .... % git checkout -B YYY freebsd/main # Create new throw-away YYY branch if starting over is just going to be easier .... ==== Pushing the changes Once you think you have a set of changes that are good, you can push it to a fork off GitHub or GitLab for others to review. One nice thing about Git is that it allows you to publish rough drafts of your work for others to review. While Phabricator is good for content review, publishing the updated vendor branch and merge commits lets others check the details as they will eventually appear in the repository. After review, when you are sure it is a good change, you can push it to the FreeBSD repo: [source,shell] .... % git push freebsd YYY:main # put the commit on upstream's 'main' branch % git branch -D XXX # Throw away the throw-a-way branches. % git branch -D YYY .... Note: I used `XXX` and `YYY` to make it obvious they are terrible names and should not leave your machine. If you use such names for other work, then you'll need to pick different names, or risk losing the other work. There is nothing magic about these names. Upstream will not allow you to push them, but never the less, please pay attention to the exact commands above. Some commands use syntax that differs only slightly from typical uses and that different behavior is critical to this recipe working. ==== How to redo things if need be If you've tried to do the push in the previous section and it fails, then you should do the following to 'redo' things. This sequence keeps the commit with the commit message always at XXX~1 to make committing easier. [source,shell] .... % git checkout -B XXX YYY # recreate that throw-away-branch XXX and switch to it % git merge freebsd/main # Merge the changes and resolve conflicts % git checkout -B YYY freebsd/main # Recreate new throw-away YYY branch for redo % git subtree merge -P contrib/mtree vendor/NetBSD/mtree # Redo subtree merge % git checkout XXX . # XXX branch has the conflict resolution % git commit -c XXX~1 # -c reuses the commit message from commit before rebase .... Then go check it out as above and push as above when ready. === Creating a new vendor branch There are a number of ways to create a new vendor branch. The recommended way is to create a new repository and then merge that with FreeBSD. If one is importing `glorbnitz` into the FreeBSD tree, release 3.1415. For the sake of simplicity, we will not trim this release. It is a simple user command that puts the nitz device into different magical glorb states and is small enough trimming will not save much. ==== Create the repo [source,shell] .... % cd /some/where % mkdir glorbnitz % cd glorbnitz % git init % git checkout -b vendor/glorbnitz .... At this point, you have a new repo, where all new commits will go on the `vendor/glorbnitz` branch. Git experts can also do this right in their FreeBSD clone, using `git checkout --orphan vendor/glorbnitz` if they are more comfortable with that. ==== Copy the sources in Since this is a new import, you can just cp the sources in, or use tar or even rsync as shown above. And we will add everything, assuming no dot files. [source,shell] .... % cp -r ~/glorbnitz/* . % git add * .... At this point, you should have a pristine copy of glorbnitz ready to commit. [source,shell] .... % git commit -m "Import GlorbNitz frobnosticator revision 3.1415" .... As above, I used `-m` for simplicity, but you should likely create a commit message that explains what a Glorb is and why you'd use a Nitz to get it. Not everybody will know so, for your actual commit, you should follow the crossref:committers-guide[commit-log-message,commit log message] section instead of emulating the brief style used here. ==== Now import it into our repository Now you need to import the branch into our repository. [source,shell] .... % cd /path/to/freebsd/repo/src % git remote add glorbnitz /some/where/glorbnitz % git fetch glorbnitz vendor/glorbnitz .... Note the vendor/glorbnitz branch is in the repo. At this point the `/some/where/glorbnitz` can be deleted, if you like. It was only a means to an end. // perhaps the real treasure was the friends it made along the way... ==== Tag and push Steps from here on out are much the same as they are in the case of updating a vendor branch, though without the updating the vendor branch step. [source,shell] .... % git worktree add ../glorbnitz vendor/glorbnitz % cd ../glorbnitz % git tag --annotate vendor/glorbnitz/3.1415 # Make sure the commit is good with "git show" % git push --follow-tags freebsd vendor/glorbnitz .... By 'good' we mean: . All the right files are present . None of the wrong files are present . The vendor branch points at something sensible . The tag looks good, and is annotated . The commit message for the tag has a quick summary of what's new since the last tag ==== Time to finally merge it into the base tree [source,shell] .... % cd ../src % git subtree add -P contrib/glorbnitz vendor/glorbnitz # Make sure the commit is good with "git show" % git commit --amend # one last sanity check on commit message % git push freebsd .... Here 'good' means: . All the right files, and none of the wrong ones, were merged into contrib/glorbnitz. . No other changes are in the tree. . The commit messages look crossref:committers-guide[commit-log-message,good]. It should contain a summary of what's changed since the last merge to the FreeBSD `main` branch and any caveats. . UPDATING should be updated if there is anything of note, such as user visible changes, important upgrade concerns, etc. [NOTE] ==== This hasn't connected `glorbnitz` to the build yet. How so do that is specific to the software being imported and is beyond the scope of this tutorial. ==== ===== Keeping current So, time passes. It's time now to update the tree for the latest changes upstream. When you checkout `main` make sure that you have no diffs. It's a lot easier to commit those to a branch (or use `git stash`) before doing the following. If you are used to `git pull`, we strongly recommend using the `--ff-only` option, and further setting it as the default option. Alternatively, `git pull --rebase` is useful if you have changes staged in the `main` branch. [source,shell] .... % git config --global pull.ff only .... You may need to omit the --global if you want this setting to apply to only this repository. [source,shell] .... % cd freebsd-src % git checkout main % git pull (--ff-only|--rebase) .... There is a common trap, that the combination command `git pull` will try to perform a merge, which would sometimes creates a merge commit that didn't exist before. This can be harder to recover from. The longer form is also recommended. [source,shell] .... % cd freebsd-src % git checkout main % git fetch freebsd % git merge --ff-only freebsd/main .... These commands reset your tree to the `main` branch, and then update it from where you pulled the tree from originally. It's important to switch to `main` before doing this so it moves forward. Now, it's time to move the changes forward: [source,shell] .... % git rebase -i main working .... This will bring up an interactive screen to change the defaults. For now, just exit the editor. Everything should just apply. If not, then you'll need to resolve the diffs. https://docs.github.com/en/free-pro-team@latest/github/using-git/resolving-merge-conflicts-after-a-git-rebase[This github document] can help you navigate this process. [[git-push-upstream]] ===== Time to push changes upstream First, ensure that the push URL is properly configured for the upstream repository. [source,shell] .... % git remote set-url --push freebsd ssh://git@gitrepo.freebsd.org/src.git .... Then, verify that user name and email are configured right. We require that they exactly match the passwd entry in FreeBSD cluster. Use [source,shell] .... freefall% gen-gitconfig.sh .... on freefall.freebsd.org to get a recipe that you can use directly, assuming /usr/local/bin is in the PATH. The below command merges the `working` branch into the upstream `main` branch. It's important that you curate your changes to be just like you want them in the FreeBSD source repo before doing this. This syntax pushes the `working` branch to `main`, moving the `main` branch forward. You will only be able to do this if this results in a linear change to `main` (e.g. no merges). [source,shell] .... % git push freebsd working:main .... If your push is rejected due to losing a commit race, rebase your branch before trying again: [source,shell] .... % git checkout working % git fetch freebsd % git rebase freebsd/main % git push freebsd working:main .... [[git-push-upstream-alt]] ===== Time to push changes upstream (alternative) Some people find it easier to merge their changes to their local `main` before pushing to the remote repository. Also, `git arc stage` moves changes from a branch to the local `main` when you need to do a subset of a branch. The instructions are similar to the prior section: [source,shell] .... % git checkout main % git merge --ff-only `working` % git push freebsd .... If you lose the race, then try again with [source,shell] .... % git pull --rebase % git push freebsd .... These commands will fetch the most recent `freebsd/main` and then rebase the local `main` changes on top of that, which is what you want when you lose the commit race. Note: merging vendor branch commits will not work with this technique. ===== Finding the Subversion Revision You'll need to make sure that you've fetched the notes (see the crossref:committers-guide[git-mini-daily-use, Daily use]for details). Once you have these, notes will show up in the git log command like so: [source,shell] .... % git log .... If you have a specific version in mind, you can use this construct: [source,shell] .... % git log --grep revision=XXXX .... to find the specific revision. The hex number after 'commit' is the hash you can use to refer to this commit. [[git-faq]] === Git FAQ This section provides a number of targeted answers to questions that are likely to come up often for users and developers. [NOTE] ==== We use the common convention of having the origin for the FreeBSD repository being 'freebsd' rather than the default 'origin' to allow people to use that for their own development and to minimize "whoops" pushes to the wrong repository. ==== ==== Users ===== How do I track -current and -stable with only one copy of the repository? **Q:** Although disk space is not a huge issue, it's more efficient to use only one copy of the repository. With SVN mirroring, I could checkout multiple trees from the same repository. How do I do this with Git? **A:** You can use Git worktrees. There's a number of ways to do this, but the simplest way is to use a clone to track -current, and a worktree to track stable releases. While using a 'bare repository' has been put forward as a way to cope, it's more complicated and will not be documented here. First, you need to clone the FreeBSD repository, shown here cloning into `freebsd-current` to reduce confusion. $URL is whatever mirror works best for you: [source,shell] .... % git clone -o freebsd --config remote.freebsd.fetch='+refs/notes/*:refs/notes/*' $URL freebsd-current .... then once that's cloned, you can simply create a worktree from it: [source,shell] .... % cd freebsd-current % git worktree add ../freebsd-stable-12 stable/12 .... this will checkout `stable/12` into a directory named `freebsd-stable-12` that's a peer to the `freebsd-current` directory. Once created, it's updated very similarly to how you might expect: [source,shell] .... % cd freebsd-current % git checkout main % git pull --ff-only # changes from upstream now local and current tree updated % cd ../freebsd-stable-12 % git merge --ff-only freebsd/stable/12 # now your stable/12 is up to date too .... I recommend using `--ff-only` because it's safer and you avoid accidentally getting into a 'merge nightmare' where you have an extra change in your tree, forcing a complicated merge rather than a simple one. Here's https://adventurist.me/posts/00296[a good writeup] that goes into more detail. ==== Developers ===== Ooops! I committed to `main`, instead of another branch. **Q:** From time to time, I goof up and mistakenly commit to the `main` branch. What do I do? **A:** First, don't panic. Second, don't push. In fact, you can fix almost anything if you haven't pushed. All the answers in this section assume no push has happened. The following answer assumes you committed to `main` and want to create a branch called `issue`: [source,shell] .... % git branch issue # Create the 'issue' branch % git reset --hard freebsd/main # Reset 'main' back to the official tip % git checkout issue # Back to where you were .... ===== Ooops! I committed something to the wrong branch! **Q:** I was working on feature on the `wilma` branch, but accidentally committed a change relevant to the `fred` branch in 'wilma'. What do I do? **A:** The answer is similar to the previous one, but with cherry picking. This assumes there's only one commit on wilma, but will generalize to more complicated situations. It also assumes that it's the last commit on wilma (hence using wilma in the `git cherry-pick` command), but that too can be generalized. [source,shell] .... # We're on branch wilma % git checkout fred # move to fred branch % git cherry-pick wilma # copy the misplaced commit % git checkout wilma # go back to wilma branch % git reset --hard HEAD^ # move what wilma refers to back 1 commit .... Git experts would first rewind the wilma branch by 1 commit, switch over to fred and then use `git reflog` to see what that 1 deleted commit was and cherry-pick it over. **Q:** But what if I want to commit a few changes to `main`, but keep the rest in `wilma` for some reason? **A:** The same technique above also works if you are wanting to 'land' parts of the branch you are working on into `main` before the rest of the branch is ready (say you noticed an unrelated typo, or fixed an incidental bug). You can cherry pick those changes into `main`, then push to the parent repository. Once you've done that, cleanup couldn't be simpler: just `git rebase -i`. Git will notice you've done this and skip the common changes automatically (even if you had to change the commit message or tweak the commit slightly). There's no need to switch back to wilma to adjust it: just rebase! **Q:** I want to split off some changes from branch `wilma` into branch `fred` **A:** The more general answer would be the same as the previous. You'd checkout/create the `fred` branch, cherry pick the changes you want from `wilma` one at a time, then rebase `wilma` to remove those changes you cherry picked. `git rebase -i main wilma` will toss you into an editor, and remove the `pick` lines that correspond to the commits you copied to `fred`. If all goes well, and there are no conflicts, you're done. If not, you'll need to resolve the conflicts as you go. The other way to do this would be to checkout `wilma` and then create the branch `fred` to point to the same point in the tree. You can then `git rebase -i` both these branches, selecting the changes you want in `fred` or `wilma` by retaining the pick likes, and deleting the rest from the editor. Some people would create a tag/branch called `pre-split` before starting in case something goes wrong in the split. You can undo it with the following sequence: [source,shell] .... % git checkout pre-split # Go back % git branch -D fred # delete the fred branch % git checkout -B wilma # reset the wilma branch % git branch -d pre-split # Pretend it didn't happen .... The last step is optional. If you are going to try again to split, you'd omit it. **Q:** But I did things as I read along and didn't see your advice at the end to create a branch, and now `fred` and `wilma` are all screwed up. How do I find what `wilma` was before I started. I don't know how many times I moved things around. **A:** All is not lost. You can figure out it, so long as it hasn't been too long, or too many commits (hundreds). So I created a wilma branch and committed a couple of things to it, then decided I wanted to split it into fred and wilma. Nothing weird happened when I did that, but let's say it did. The way to look at what you've done is with the `git reflog`: [source,shell] .... % git reflog 6ff9c25 (HEAD -> wilma) HEAD@{0}: rebase -i (finish): returning to refs/heads/wilma 6ff9c25 (HEAD -> wilma) HEAD@{1}: rebase -i (start): checkout main 869cbd3 HEAD@{2}: rebase -i (start): checkout wilma a6a5094 (fred) HEAD@{3}: rebase -i (finish): returning to refs/heads/fred a6a5094 (fred) HEAD@{4}: rebase -i (pick): Encourage contributions 1ccd109 (freebsd/main, main) HEAD@{5}: rebase -i (start): checkout main 869cbd3 HEAD@{6}: rebase -i (start): checkout fred 869cbd3 HEAD@{7}: checkout: moving from wilma to fred 869cbd3 HEAD@{8}: commit: Encourage contributions ... % .... Here we see the changes I've made. You can use it to figure out where things went wrong. I'll just point out a few things here. The first one is that HEAD@{X} is a 'commitish' thing, so you can use that as an argument to a command. Although if that command commits anything to the repository, the X numbers change. You can also use the hash (first column). Next, 'Encourage contributions' was the last commit I made to `wilma` before I decided to split things up. You can also see the same hash is there when I created the `fred` branch to do that. I started by rebasing `fred` and you see the 'start', each step, and the 'finish' for that process. While we don't need it here, you can figure out exactly what happened. Fortunately, to fix this, you can follow the prior answer's steps, but with the hash `869cbd3` instead of `pre-split`. While that seems a bit verbose, it's easy to remember since you're doing one thing at a time. You can also stack: [source,shell] .... % git checkout -B wilma 869cbd3 % git branch -D fred .... and you are ready to try again. The `checkout -B` with the hash combines checking out and creating a branch for it. The `-B` instead of `-b` forces the movement of a pre-existing branch. Either way works, which is what's great (and awful) about Git. One reason I tend to use `git checkout -B xxxx hash` instead of checking out the hash, and then creating / moving the branch is purely to avoid the slightly distressing message about detached heads: [source,shell] .... % git checkout 869cbd3 M faq.md Note: checking out '869cbd3'. You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example: git checkout -b HEAD is now at 869cbd3 Encourage contributions % git checkout -B wilma .... this produces the same effect, but I have to read a lot more and severed heads aren't an image I like to contemplate. ===== Ooops! I did a `git pull` and it created a merge commit, what do I do? **Q:** I was on autopilot and did a `git pull` for my development tree and that created a merge commit on `main`. How do I recover? **A:** This can happen when you invoke the pull with your development branch checked out. Right after the pull, you will have the new merge commit checked out. Git supports a `HEAD^#` syntax to examine the parents of a merge commit: [source,shell] .... git log --oneline HEAD^1 # Look at the first parent's commits git log --oneline HEAD^2 # Look at the second parent's commits .... From those logs, you can easily identify which commit is your development work. Then you simply reset your branch to the corresponding `HEAD^#`: [source,shell] .... git reset --hard HEAD^2 .... **Q:** But I also need to fix my `main` branch. How do I do that? **A:** Git keeps track of the remote repository branches in a `freebsd/` namespace. To fix your `main` branch, just make it point to the remote's `main`: [source,shell] .... git branch -f main freebsd/main .... There's nothing magical about branches in Git: they are just labels on a graph that are automatically moved forward by making commits. So the above works because you're just moving a label. There's no metadata about the branch that needs to be preserved due to this. ===== Mixing and matching branches **Q:** So I have two branches `worker` and `async` that I'd like to combine into one branch called `feature` while maintaining the commits in both. **A:** This is a job for cherry pick. [source,shell] .... % git checkout worker % git checkout -b feature # create a new branch % git cherry-pick main..async # bring in the changes .... You now have a new branch called `feature`. This branch combines commits from both branches. You can further curate it with `git rebase`. **Q:** I have a branch called `driver` and I'd like to break it up into `kernel` and `userland` so I can evolve them separately and commit each branch as it becomes ready. **A:** This takes a little bit of prep work, but `git rebase` will do the heavy lifting here. [source,shell] .... % git checkout driver # Checkout the driver % git checkout -b kernel # Create kernel branch % git checkout -b userland # Create userland branch .... Now you have two identical branches. So, it's time to separate out the commits. We'll assume first that all the commits in `driver` go into either the `kernel` or the `userland` branch, but not both. [source,shell] .... % git rebase -i main kernel .... and just include the changes you want (with a 'p' or 'pick' line) and just delete the commits you don't (this sounds scary, but if worse comes to worse, you can throw this all away and start over with the `driver` branch since you've not yet moved it). [source,shell] .... % git rebase -i main userland .... and do the same thing you did with the `kernel` branch. **Q:** Oh great! I followed the above and forgot a commit in the `kernel` branch. How do I recover? **A:** You can use the `driver` branch to find the hash of the commit is missing and cherry pick it. [source,shell] .... % git checkout kernel % git log driver % git cherry-pick $HASH .... **Q:** OK. I have the same situation as the above, but my commits are all mixed up. I need parts of one commit to go to one branch and the rest to go to the other. In fact, I have several. Your rebase method to select sounds tricky. **A:** In this situation, you'd be better off to curate the original branch to separate out the commits, and then use the above method to split the branch. So let's assume that there's just one commit with a clean tree. You can either use `git rebase` with an `edit` line, or you can use this with the commit on the tip. The steps are the same either way. The first thing we need to do is to back up one commit while leaving the changes uncommitted in the tree: [source,shell] .... % git reset HEAD^ .... Note: Do not, repeat do not, add `--hard` here since that also removes the changes from your tree. Now, if you are lucky, the change needing to be split up falls entirely along file lines. In that case you can just do the usual `git add` for the files in each group than do a `git commit`. Note: when you do this, you'll lose the commit message when you do the reset, so if you need it for some reason, you should save a copy (though `git log $HASH` can recover it). If you are not lucky, you'll need to split apart files. There's another tool to do that which you can apply one file at a time. [source,shell] .... git add -i foo/bar.c .... will step through the diffs, prompting you, one at time, whether to include or exclude the hunk. Once you're done, `git commit` and you'll have the remainder in your tree. You can run it multiple times as well, and even over multiple files (though I find it easier to do one file at a time and use the `git rebase -i` to fold the related commits together). ==== Cloning and Mirroring **Q:** I'd like to mirror the entire Git repository, how do I do that? **A:** If all you want to do is mirror, then [source,shell] .... % git clone --mirror $URL .... will do the trick. However, there are two disadvantages to this if you want to use it for anything other than a mirror you'll reclone. First, this is a 'bare repository' which has the repository database, but no checked out worktree. This is great for mirroring, but terrible for day to day work. There's a number of ways around this with `git worktree`: [source,shell] .... % git clone --mirror https://git.freebsd.org/ports.git ports.git % cd ports.git % git worktree add ../ports main % git worktree add ../quarterly branches/2020Q4 % cd ../ports .... But if you aren't using your mirror for further local clones, then it's a poor match. The second disadvantage is that Git normally rewrites the refs (branch name, tags, etc) from upstream so that your local refs can evolve independently of upstream. This means that you'll lose changes if you are committing to this repository on anything other than private project branches. **Q:** So what can I do instead? **A:** Well, you can stuff all of the upstream repository's refs into a private namespace in your local repository. Git clones everything via a 'refspec' and the default refspec is: [source,shell] .... fetch = +refs/heads/*:refs/remotes/freebsd/* .... which says just fetch the branch refs. However, the FreeBSD repository has a number of other things in it. To see those, you can add explicit refspecs for each ref namespace, or you can fetch everything. To setup your repository to do that: [source,shell] .... git config --add remote.freebsd.fetch '+refs/*:refs/freebsd/*' .... which will put everything in the upstream repository into your local repository's `refs/freebsd/` namespace. Please note, that this also grabs all the unconverted vendor branches and the number of refs associated with them is quite large. You'll need to refer to these 'refs' with their full name because they aren't in and of Git's regular namespaces. [source,shell] .... git log refs/freebsd/vendor/zlib/1.2.10 .... would look at the log for the vendor branch for zlib starting at 1.2.10. === Collaborating with others One of the keys to good software development on a project as large as FreeBSD is the ability to collaborate with others before you push your changes to the tree. The FreeBSD project's Git repositories do not, yet, allow user-created branches to be pushed to the repository, and therefore if you wish to share your changes with others you must use another mechanism, such as a hosted GitLab or GitHub, to share changes in a user-generated branch. The following instructions show how to set up a user-generated branch, based on the FreeBSD `main` branch, and push it to GitHub. Before you begin, make sure that your local Git repo is up to date and has the correct origins set crossref:committers-guide[keeping_current,as shown above]. [source,shell] ```` % git remote -v freebsd https://git.freebsd.org/src.git (fetch) freebsd ssh://git@gitrepo.freebsd.org/src.git (push) ```` The first step is to create a fork of https://github.com/freebsd/freebsd-src[FreeBSD] on GitHub following these https://docs.github.com/en/github/getting-started-with-github/fork-a-repo[guidelines]. The destination of the fork should be your own, personal, GitHub account (gvnn3 in my case). Now add a remote on your local system that points to your fork: [source,shell] .... % git remote add github git@github.com:gvnn3/freebsd-src.git % git remote -v github git@github.com:gvnn3/freebsd-src.git (fetch) github git@github.com:gvnn3/freebsd-src.git (push) freebsd https://git.freebsd.org/src.git (fetch) freebsd ssh://git@gitrepo.freebsd.org/src.git (push) .... With this in place you can create a branch crossref:committers-guide[keeping_a_local_branch,as shown above]. [source,shell] .... % git checkout -b gnn-pr2001-fix .... Make whatever modifications you wish in your branch. Build, test, and once you're ready to collaborate with others it's time to push your changes into your hosted branch. Before you can push you'll have to set the appropriate upstream, as Git will tell you the first time you try to push to your +github+ remote: [source,shell] .... % git push github fatal: The current branch gnn-pr2001-fix has no upstream branch. To push the current branch and set the remote as upstream, use git push --set-upstream github gnn-pr2001-fix .... Setting the push as +git+ advises allows it to succeed: [source,shell] .... % git push --set-upstream github gnn-feature Enumerating objects: 20486, done. Counting objects: 100% (20486/20486), done. Delta compression using up to 8 threads Compressing objects: 100% (12202/12202), done. Writing objects: 100% (20180/20180), 56.25 MiB | 13.15 MiB/s, done. Total 20180 (delta 11316), reused 12972 (delta 7770), pack-reused 0 remote: Resolving deltas: 100% (11316/11316), completed with 247 local objects. remote: remote: Create a pull request for 'gnn-feature' on GitHub by visiting: remote: https://github.com/gvnn3/freebsd-src/pull/new/gnn-feature remote: To github.com:gvnn3/freebsd-src.git * [new branch] gnn-feature -> gnn-feature Branch 'gnn-feature' set up to track remote branch 'gnn-feature' from 'github'. .... Subsequent changes to the same branch will push correctly by default: [source,shell] .... % git push Enumerating objects: 4, done. Counting objects: 100% (4/4), done. Delta compression using up to 8 threads Compressing objects: 100% (2/2), done. Writing objects: 100% (3/3), 314 bytes | 1024 bytes/s, done. Total 3 (delta 1), reused 1 (delta 0), pack-reused 0 remote: Resolving deltas: 100% (1/1), completed with 1 local object. To github.com:gvnn3/freebsd-src.git 9e5243d7b659..cf6aeb8d7dda gnn-feature -> gnn-feature .... At this point your work is now in your branch on +GitHub+ and you can share the link with other collaborators. [[github-pull-land]] === Landing a github pull request This section documents how to land a GitHub pull request that's submitted against the FreeBSD Git mirrors at GitHub. While this is not an official way to submit patches at this time, sometimes good fixes come in this way and it is easiest just to bring them into a committer's tree and have them pushed into the FreeBSD's tree from there. Similar steps can be used to pull branches from other repositories and land those. When committing pull requests from others, one should take extra care to examine all the changes to ensure they are exactly as represented. Before beginning, make sure that the local Git repo is up to date and has the correct origins set crossref:committers-guide[keeping_current,as shown above]. In addition, make sure to have the following origins: [source,shell] .... % git remote -v freebsd https://git.freebsd.org/src.git (fetch) freebsd ssh://git@gitrepo.freebsd.org/src.git (push) github https://github.com/freebsd/freebsd-src (fetch) github https://github.com/freebsd/freebsd-src (fetch) .... Often pull requests are simple: requests that contain only a single commit. In this case, a streamlined approach may be used, though the approach in the prior section will also work. Here, a branch is created, the change is cherry picked, the commit message adjusted, and sanity-checked before being pushed. The branch `staging` is used in this example but it can be any name. This technique works for any number of commits in the pull request, especially when the changes apply cleanly to the FreeBSD tree. However, when there's multiple commits, especially when minor adjustments are needed, `git rebase -i` works better than `git cherry-pick`. Briefly, these commands create a branch; cherry-picks the changes from the pull request; tests it; adjusts the commit messages; and fast forward merges it back to `main`. The PR number is `$PR` below. When adjusting the message, add `Pull Request: https://github.com/freebsd-src/pull/$PR`. All pull requests committed to the FreeBSD repository should be reviewed by at least one person. This need not be the person committing it, but in that case the person committing it should trust the other reviewers competence to review the commit. Committers that do a code review of pull requests before pushing them into the repo should add a `Reviewed by:` line to the commit, because in this case it is not implicit. Add anybody that reviews and approves the commit on github to `Reviewed by:` as well. As always, care should be taken to ensure the change does what it is supposed to, and that no malicious code is present. [NOTE] ====== In addition, please check to make sure that the pull request author name is not anonymous. Github's web editing interface generates names like: [source,shell] .... Author: github-user <38923459+github-user@users.noreply.github.com> .... A polite request to the author for a better name and/or email should be made. Extra care should be taken to ensure no style issue or malicious code is introduced. ====== [source,shell] .... % git fetch github pull/$PR/head:staging % git rebase -i main staging # to move the staging branch forward, adjust commit message here % git checkout main % git pull --ff-only # to get the latest if time has passed % git checkout main % git merge --ff-only staging % git push freebsd --push-option=confirm-author .... [.procedure] ==== For complicated pull requests that have multiple commits with conflicts, follow the following outline. . checkout the pull request `git checkout github/pull/XXX` . create a branch to rebase `git checkout -b staging` . rebase the `staging` branch to the latest `main` with `git rebase -i main staging` . resolve conflicts and do whatever testing is needed . fast forward the `staging` branch into `main` as above . final sanity check of changes to make sure all is well . push to FreeBSD's Git repository. This will also work when bringing branches developed elsewhere into the local tree for committing. ==== Once finished with the pull request, close it using GitHub's web interface. It is worth noting that if your `github` origin uses `https://`, the only step you'll need a GitHub account for is closing the pull request. [[vcs-history]] == Version Control History The project has moved to crossref:committers-guide[git-primer,git]. The FreeBSD source repository switched from CVS to Subversion on May 31st, 2008. The first real SVN commit is __r179447__. The source repository switched from Subversion to Git on December 23rd, 2020. The last real svn commit is __r368820__. The first real git commit hash is __5ef5f51d2bef80b0ede9b10ad5b0e9440b60518c__. The FreeBSD `doc/www` repository switched from CVS to Subversion on May 19th, 2012. The first real SVN commit is __r38821__. The documentation repository switched from Subversion to Git on December 8th, 2020. The last SVN commit is __r54737__. The first real git commit hash is __3be01a475855e7511ad755b2defd2e0da5d58bbe__. The FreeBSD `ports` repository switched from CVS to Subversion on July 14th, 2012. The first real SVN commit is __r300894__. The ports repository switched from Subversion to Git on April 6, 2021. The last SVN commit is __r569609__ The first real git commit hash is __ed8d3eda309dd863fb66e04bccaa513eee255cbf__. [[conventions]] == Setup, Conventions, and Traditions There are a number of things to do as a new developer. The first set of steps is specific to committers only. These steps must be done by a mentor for those who are not committers. [[conventions-committers]] === For New Committers Those who have been given commit rights to the FreeBSD repositories must follow these steps. * Get mentor approval before committing each of these changes! * All [.filename]#src# commits go to FreeBSD-CURRENT first before being merged to FreeBSD-STABLE. The FreeBSD-STABLE branch must maintain ABI and API compatibility with earlier versions of that branch. Do not merge changes that break this compatibility. [[commit-steps]] [.procedure] ==== *Steps for New Committers* . Add an Author Entity + [.filename]#doc/shared/authors.adoc# - Add an author entity. Later steps depend on this entity, and missing this step will cause the [.filename]#doc/# build to fail. This is a relatively easy task, but remains a good first test of version control skills. . Update the List of Developers and Contributors + [.filename]#doc/shared/contrib-committers.adoc# - Add an entry, which will then appear in the "Developers" section of the extref:{contributors}[Contributors List, staff-committers]. Entries are sorted by last name. + [.filename]#doc/shared/contrib-additional.adoc# - _Remove_ the entry. Entries are sorted by first name. . Add a News Item + [.filename]#doc/website/data/en/news/news.toml# - Add an entry. Look for the other entries that announce new committers and follow the format. Use the date from the commit bit approval email. . Add a PGP Key + `{des}` has written a shell script ([.filename]#doc/documentation/tools/addkey.sh#) to make this easier. See the https://cgit.freebsd.org/doc/plain/documentation/static/pgpkeys/README[README] file for more information. + Use [.filename]#doc/documentation/tools/checkkey.sh# to verify that keys meet minimal best-practices standards. + After adding and checking a key, add both updated files to source control and then commit them. Entries in this file are sorted by last name. + [NOTE] ====== It is very important to have a current PGP/GnuPG key in the repository. The key may be required for positive identification of a committer. For example, the `{admins}` might need it for account recovery. A complete keyring of `FreeBSD.org` users is available for download from link:https://docs.FreeBSD.org/pgpkeys/pgpkeys.txt[https://docs.FreeBSD.org/pgpkeys/pgpkeys.txt]. ====== . Update Mentor and Mentee Information + [.filename]#src/share/misc/committers-.dot# - Add an entry to the current committers section, where _repository_ is `doc`, `ports`, or `src`, depending on the commit privileges granted. + Add an entry for each additional mentor/mentee relationship in the bottom section. . Generate a Kerberos Password + See crossref:committers-guide[kerberos-ldap, Kerberos and LDAP web Password for FreeBSD Cluster] to generate or set a Kerberos account for use with other FreeBSD services like the link:https://bugs.freebsd.org/bugzilla/[bug-tracking database] (you get a bug-tracking account as part of that step). . Optional: Enable Wiki Account + link:https://wiki.freebsd.org[FreeBSD Wiki] Account - A wiki account allows sharing projects and ideas. Those who do not yet have an account can follow instructions on the link:https://wiki.freebsd.org/Wiki/About[Wiki/About page] to obtain one. Contact mailto:wiki-admin@FreeBSD.org[wiki-admin@FreeBSD.org] if you need help with your Wiki account. . Optional: Update Wiki Information + Wiki Information - After gaining access to the wiki, some people add entries to the https://wiki.freebsd.org/HowWeGotHere[How We Got Here], https://wiki.freebsd.org/IRC/Nicknames[IRC Nicks], https://wiki.freebsd.org/Community/Dogs[Dogs of FreeBSD], and or https://wiki.freebsd.org/Community/Cats[Cats of FreeBSD] pages. . Optional: Update Ports with Personal Information + [.filename]#ports/astro/xearth/files/freebsd.committers.markers# and [.filename]#src/usr.bin/calendar/calendars/calendar.freebsd# - Some people add entries for themselves to these files to show where they are located or the date of their birthday. . Optional: Prevent Duplicate Mailings + Subscribers to {dev-commits-doc-all}, {dev-commits-ports-all} or {dev-commits-src-all} might wish to unsubscribe to avoid receiving duplicate copies of commit messages and followups. ==== [[conventions-everyone]] === For Everyone [[conventions-everyone-steps]] [.procedure] ==== . Introduce yourself to the other developers, otherwise no one will have any idea who you are or what you are working on. The introduction need not be a comprehensive biography, just write a paragraph or two about who you are, what you plan to be working on as a developer in FreeBSD, and who will be your mentor. Email this to the {developers-name} and you will be on your way! . Log into `freefall.FreeBSD.org` and create a [.filename]#/var/forward/user# (where _user_ is your username) file containing the e-mail address where you want mail addressed to _yourusername_@FreeBSD.org to be forwarded. This includes all of the commit messages as well as any other mail addressed to the {committers-name} and the {developers-name}. Really large mailboxes which have taken up permanent residence on `freefall` may get truncated without warning if space needs to be freed, so forward it or save it elsewhere. + [NOTE] ====== If your e-mail system uses SPF with strict rules, you should exclude `mx2.FreeBSD.org` from SPF checks. ====== + Due to the severe load dealing with SPAM places on the central mail servers that do the mailing list processing, the front-end server does do some basic checks and will drop some messages based on these checks. At the moment proper DNS information for the connecting host is the only check in place but that may change. Some people blame these checks for bouncing valid email. To have these checks turned off for your email, create a file named [.filename]#~/.spam_lover# on `freefall.FreeBSD.org`. + [NOTE] ====== Those who are developers but not committers will not be subscribed to the committers or developers mailing lists. The subscriptions are derived from the access rights. ====== ==== [[smtp-setup]] ==== SMTP Access Setup For those willing to send e-mail messages through the FreeBSD.org infrastructure, follow the instructions below: [.procedure] ==== . Point your mail client at `smtp.FreeBSD.org:587`. . Enable STARTTLS. . Ensure your `From:` address is set to `_yourusername_@FreeBSD.org`. . For authentication, you can use your FreeBSD Kerberos username and password (see crossref:committers-guide[kerberos-ldap, Kerberos and LDAP web Password for FreeBSD Cluster]). The `_yourusername_/mail` principal is preferred, as it is only valid for authenticating to mail resources. + [NOTE] ====== Do not include `@FreeBSD.org` when entering in your username. ====== + .Additional Notes [NOTE] ====== * Will only accept mail from `_yourusername_@FreeBSD.org`. If you are authenticated as one user, you are not permitted to send mail from another. * A header will be appended with the SASL username: (`Authenticated sender: _username_`). * Host has various rate limits in place to cut down on brute force attempts. ====== ==== [[smtp-setup-local-mta]] ===== Using a Local MTA to Forward Emails to the FreeBSD.org SMTP Service It is also possible to use a local MTA to forward locally sent emails to the FreeBSD.org SMTP servers. [[smtp-setup-local-postfix]] .Using Postfix [example] ==== To tell a local Postfix instance that anything from `_yourusername_@FreeBSD.org` should be forwarded to the FreeBSD.org servers, add this to your [.filename]#main.cf#: [.programlisting] .... sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/relayhost_maps smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd smtp_use_tls = yes .... Create [.filename]#/usr/local/etc/postfix/relayhost_maps# with the following content: [.programlisting] .... yourusername@FreeBSD.org [smtp.freebsd.org]:587 .... Create [.filename]#/usr/local/etc/postfix/sasl_passwd# with the following content: [.programlisting] .... [smtp.freebsd.org]:587 yourusername:yourpassword .... If the email server is used by other people, you may want to prevent them from sending e-mails from your address. To achieve this, add this to your [.filename]#main.cf#: [.programlisting] .... smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login_maps smtpd_sender_restrictions = reject_known_sender_login_mismatch .... Create [.filename]#/usr/local/etc/postfix/sender_login_maps# with the following content: [.programlisting] .... yourusername@FreeBSD.org yourlocalusername .... Where _yourlocalusername_ is the SASL username used to connect to the local instance of Postfix. ==== [[smtp-setup-local-opensmtpd]] .Using OpenSMTPD [example] ==== To tell a local OpenSMTPD instance that anything from `_yourusername_@FreeBSD.org` should be forwarded to the FreeBSD.org servers, add this to your [.filename]#smtpd.conf#: [.programlisting] .... action "freebsd" relay host smtp+tls://freebsd@smtp.freebsd.org:587 auth match from any auth yourlocalusername mail-from "_yourusername_@freebsd.org" for any action "freebsd" .... Where _yourlocalusername_ is the SASL username used to connect to the local instance of OpenSMTPD. Create [.filename]#/usr/local/etc/mail/secrets# with the following content: [.programlisting] .... freebsd yourusername:yourpassword .... ==== [[smtp-setup-local-exim]] .Using Exim [example] ==== To direct a local Exim instance to forward all mail from `_example_@FreeBSD.org` to FreeBSD.org servers, add this to Exim [.filename]#configuration#: [.programlisting] .... Routers section: (at the top of the list): freebsd_send: driver = manualroute domains = !+local_domains transport = freebsd_smtp route_data = ${lookup {${lc:$sender_address}} lsearch {/usr/local/etc/exim/freebsd_send}} Transport Section: freebsd_smtp: driver = smtp tls_certificate= tls_privatekey= tls_require_ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS dkim_domain = dkim_selector = dkim_private_key= dnssec_request_domains = * hosts_require_auth = smtp.freebsd.org Authenticators: freebsd_plain: driver = plaintext public_name = PLAIN client_send = ^example/mail^examplePassword client_condition = ${if eq{$host}{smtp.freebsd.org}} .... Create [.filename]#/usr/local/etc/exim/freebsd_send# with the following content: [.programlisting] .... example@freebsd.org:smtp.freebsd.org::587 .... ==== [[mentors]] === Mentors All new developers have a mentor assigned to them for the first few months. A mentor is responsible for teaching the mentee the rules and conventions of the project and guiding their first steps in the developer community. The mentor is also personally responsible for the mentee's actions during this initial period. For committers: do not commit anything without first getting mentor approval. Document that approval with an `Approved by:` line in the commit message. When the mentor decides that a mentee has learned the ropes and is ready to commit on their own, the mentor announces it with a commit to [.filename]#mentors#. This file is in the [.filename]#admin# orphan branch of each repository. Detailed information on how to access these branches can be found in crossref:committers-guide[admin-branch, "admin" branch]. [[pre-commit-review]] == Pre-Commit Review Code review is one way to increase the quality of software. The following guidelines apply to commits to the `main` (-CURRENT) branch of the `src` repository. Other branches and the `ports` and `docs` trees have their own review policies, but these guidelines generally apply to commits requiring review: * All non-trivial changes should be reviewed before they are committed to the repository. * Reviews may be conducted by email, in Bugzilla, in Phabricator, or by another mechanism. Where possible, reviews should be public. * The developer responsible for a code change is also responsible for making all necessary review-related changes. * Code review can be an iterative process, which continues until the patch is ready to be committed. Specifically, once a patch is sent out for review, it should receive an explicit "looks good" before it is committed. So long as it is explicit, this can take whatever form makes sense for the review method. * Timeouts are not a substitute for review. Sometimes code reviews will take longer than you would hope for, especially for larger features. Accepted ways to speed up review times for your patches are: * Review other people's patches. If you help out, everybody will be more willing to do the same for you; goodwill is our currency. * Ping the patch. If it is urgent, provide reasons why it is important to you to get this patch landed and ping it every couple of days. If it is not urgent, the common courtesy ping rate is one week. Remember that you are asking for valuable time from other professional developers. * Ask for help on mailing lists, IRC, etc. Others may be able to either help you directly, or suggest a reviewer. * Split your patch into multiple smaller patches that build on each other. The smaller your patch, the higher the probability that somebody will take a quick look at it. + When making large changes, it is helpful to keep this in mind from the beginning of the effort as breaking large changes into smaller ones is often difficult after the fact. Developers should participate in code reviews as both reviewers and reviewees. If someone is kind enough to review your code, you should return the favor for someone else. Note that while anyone is welcome to review and give feedback on a patch, only an appropriate subject-matter expert can approve a change. This will usually be a committer who works with the code in question on a regular basis. In some cases, no subject-matter expert may be available. In those cases, a review by an experienced developer is sufficient when coupled with appropriate testing. [[commit-log-message]] == Commit Log Messages This section contains some suggestions and traditions for how commit logs are formatted. === Why are commit messages important? When you commit a change in Git, Subversion, or another version control system (VCS), you're prompted to write some text describing the commit -- a commit message. How important is this commit message? Should you spend some significant effort writing it? Does it really matter if you write simply `fixed a bug`? Most projects have more than one developer and last for some length of time. Commit messages are a very important method of communicating with other developers, in the present and for the future. FreeBSD has hundreds of active developers and hundreds of thousands of commits spanning decades of history. Over that time the developer community has learned how valuable good commit messages are; sometimes these are hard-learned lessons. Commit messages serve at least three purposes: * Communicating with other developers + FreeBSD commits generate email to various mailing lists. These include the commit message along with a copy of the patch itself. Commit messages are also viewed through commands like git log. These serve to make other developers aware of changes that are ongoing; that other developer may want to test the change, may have an interest in the topic and will want to review in more detail, or may have their own projects underway that would benefit from interaction. * Making Changes Discoverable + In a large project with a long history it may be difficult to find changes of interest when investigating an issue or change in behaviour. Verbose, detailed commit messages allow searches for changes that might be relevant. For example, `git log --since 1year --grep 'USB timeout'`. * Providing historical documentation + Commit messages serve to document changes for future developers, perhaps years or decades later. This future developer may even be you, the original author. A change that seems obvious today may be decidedly not so much later on. The `git blame` command annotates each line of a source file with the change (hash and subject line) that brought it in. Having established the importance, here are elements of a good FreeBSD commit message: === Start with a subject line Commit messages should start with a single-line subject that briefly summarizes the change. The subject should, by itself, allow the reader to quickly determine if the change is of interest or not. === Keep subject lines short The subject line should be as short as possible while still retaining the required information. This is to make browsing Git log more efficient, and so that git log --oneline can display the short hash and subject on a single 80-column line. A good rule of thumb is to stay below 63 characters, and aim for about 50 or fewer if possible. === Prefix the subject line with a component, if applicable If the change relates to a specific component the subject line may be prefixed with that component name and a colon (:). ✓ `foo: Add -k option to keep temporary data` Include the prefix in the 63-character limit suggested above, so that `git log --oneline` avoids wrapping. === Capitalize the first letter of the subject Capitalize the first letter of the subject itself. The prefix, if any, is not capitalized unless necessary (e.g., `USB:` is capitalized). === Do not end the subject line with punctuation Do not end with a period or other punctuation. In this regard the subject line is like a newspaper headline. === Separate the subject and body with a blank line Separate the body from the subject with a blank line. Some trivial commits do not require a body, and will have only a subject. ✓ `ls: Fix typo in usage text` === Limit messages to 72 columns `git log` and `git format-patch` indent the commit message by four spaces. Wrapping at 72 columns provides a matching margin on the right edge. Limiting messages to 72 characters also keeps the commit message in formatted patches below RFC 2822's suggested email line length limit of 78 characters. This limit works well with a variety of tools that may render commit messages; line wrapping might be inconsistent with longer line length. === Use the present tense, imperative mood This facilitates short subject lines and provides consistency, including with automatically generated commit messages (e.g., as generated by git revert). This is important when reading a list of commit subjects. Think of the subject as finishing the sentence "when applied, this change will ...". ✓ `foo: Implement the -k (keep) option` + ✗ `foo: Implemented the -k option` + ✗ `This change implements the -k option in foo` + ✗ `-k option added` === Focus on what and why, not how Explain what the change accomplishes and why it is being done, rather than how. Do not assume that the reader is familiar with the issue. Explain the background and motivation for the change. Include benchmark data if you have it. If there are limitations or incomplete aspects of the change, describe them in the commit message. === Consider whether parts of the commit message could be code comments instead Sometimes while writing a commit message you may find yourself writing a sentence or two explaining some tricky or confusing aspect of the change. When this happens consider whether it would be valuable to have that explanation as a comment in the code itself. === Write commit messages for your future self While writing the commit message for a change you have all of the context in mind - what prompted the change, alternate approaches that were considered and rejected, limitations of the change, and so on. Imagine yourself revisiting the change a year or two in the future, and write the commit message in a way that would provide that necessary context. === Commit messages should stand alone You may include references to mailing list postings, benchmark result web sites, or code review links. However, the commit message should contain all of the relevant information in case these references are no longer available in the future. Similarly, a commit may refer to a previous commit, for example in the case of a bug fix or revert. In addition to the commit identifier (revision or hash), include the subject line from the referenced commit (or another suitable brief reference). With each VCS migration (from CVS to Subversion to Git) revision identifiers from previous systems may become difficult to follow. === Include appropriate metadata in a footer As well as including an informative message with each commit, some additional information may be needed. This information consists of one or more lines containing the key word or phrase, a colon, tabs for formatting, and then the additional information. The key words or phrases are: [.informaltable] [cols="20%,80%", frame="none"] |=== |`PR:` |The problem report (if any) which is affected (typically, by being closed) by this commit. Multiple PRs may be specified on one line, separated by commas or spaces. |`Reported by:` |The name and e-mail address of the person that reported the issue; for developers, just the username on the FreeBSD cluster. Typically used when there is no PR, for example if the issue was reported on a mailing list. |`Submitted by:` + (deprecated) |This has been deprecated with git; submitted patches should have the author set by using `git commit --author` with a full name and valid email. |`Reviewed by:` a| The name and e-mail address of the person or people that reviewed the change; for developers, just the username on the FreeBSD cluster. If a patch was submitted to a mailing list for review, and the review was favorable, then just include the list name. If the reviewer is not a member of the project, provide the name, email, and if ports an external role like maintainer: Reviewed by a developer: [source,shell] .... Reviewed by: username .... Reviewed by a ports maintainer that is not a developer: [source,shell] .... Reviewed by: Full Name (maintainer) .... |`Tested by:` |The name and e-mail address of the person or people that tested the change; for developers, just the username on the FreeBSD cluster. |`Approved by:` a| The name and e-mail address of the person or people that approved the change; for developers, just the username on the FreeBSD cluster. There are several cases where approval is customary: * while a new committer is under mentorship * commits to an area of the tree covered by the LOCKS file (src) * during a release cycle * committing to a repo where you do not hold a commit bit (e.g. src committer committing to docs) * committing to a port maintained by someone else While under mentorship, get mentor approval before the commit. Enter the mentor's username in this field, and note that they are a mentor: [source,shell] .... Approved by: username-of-mentor (mentor) .... If a team approved these commits then include the team name followed by the username of the approver in parentheses. For example: [source,shell] .... Approved by: re (username) .... |`Obtained from:` |The name of the project (if any) from which the code was obtained. Do not use this line for the name of an individual person. |`Fixes:` |The Git short hash and the title line of a commit that is fixed by this change as returned by `git log -n 1 --oneline GIT-COMMIT-HASH`. |`MFC after:` |To receive an e-mail reminder to MFC at a later date, specify the number of days, weeks, or months after which an MFC is planned. |`MFC to:` |If the commit should be merged to a subset of stable branches, specify the branch names. |`MFH:` |If the commit is to be merged into a ports quarterly branch name, specify the quarterly branch. For example `2021Q2`. |`Relnotes:` |If the change is a candidate for inclusion in the release notes for the next release from the branch, set to `yes`. |`Security:` |If the change is related to a security vulnerability or security exposure, include one or more references or a description of the issue. If possible, include a VuXML URL or a CVE ID. |`Event:` |The description for the event where this commit was made. If this is a recurring event, add the year or even the month to it. For example, this could be `FooBSDcon 2019`. The idea behind this line is to put recognition to conferences, gatherings, and other types of meetups and to show that these are useful to have. Please do not use the `Sponsored by:` line for this as that is meant for organizations sponsoring certain features or developers working on them. |`Sponsored by:` |Sponsoring organizations for this change, if any. Separate multiple organizations with commas. If only a portion of the work was sponsored, or different amounts of sponsorship were provided to different authors, please give appropriate credit in parentheses after each sponsor name. For example, `Example.com (alice, code refactoring), Wormulon (bob), Momcorp (cindy)` shows that Alice was sponsored by Example.com to do code refactoring, while Wormulon sponsored Bob's work and Momcorp sponsored Cindy's work. Other authors were either not sponsored or chose not to list sponsorship. |`Pull Request:` |This change was submitted as a pull request or merge request against one of FreeBSD's public read-only Git repositories. It should include the entire URL to the pull request, as these often act as code reviews for the code. For example: `https://github.com/freebsd/freebsd-src/pull/745` |`Co-authored-by:` |The name and email address of an additional author of the commit. GitHub has a detailed description of the Co-authored-by trailer at https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors. |`Signed-off-by:` |ID certifies compliance with https://developercertificate.org/ |`Differential Revision:` |The full URL of the Phabricator review. This line __must be the last line__. For example: `https://reviews.freebsd.org/D1708`. |=== .Commit Log for a Commit Based on a PR [example] ==== The commit is based on a patch from a PR submitted by John Smith. The commit message "PR" field is filled. [.programlisting] .... ... PR: 12345 .... The committer sets the author of the patch with `git commit --author "John Smith "`. ==== .Commit Log for a Commit Needing Review [example] ==== The virtual memory system is being changed. After posting patches to the appropriate mailing list (in this case, `freebsd-arch`) and the changes have been approved. [.programlisting] .... ... Reviewed by: -arch .... ==== .Commit Log for a Commit Needing Approval [example] ==== Commit a port, after working with the listed MAINTAINER, who said to go ahead and commit. [.programlisting] .... ... Approved by: abc (maintainer) .... Where _abc_ is the account name of the person who approved. ==== .Commit Log for a Commit Bringing in Code from OpenBSD [example] ==== Committing some code based on work done in the OpenBSD project. [.programlisting] .... ... Obtained from: OpenBSD .... ==== .Commit Log for a Change to FreeBSD-CURRENT with a Planned Commit to FreeBSD-STABLE to Follow at a Later Date. [example] ==== Committing some code which will be merged from FreeBSD-CURRENT into the FreeBSD-STABLE branch after two weeks. [.programlisting] .... ... MFC after: 2 weeks .... Where _2_ is the number of days, weeks, or months after which an MFC is planned. The _weeks_ option may be `day`, `days`, `week`, `weeks`, `month`, `months`. ==== It is often necessary to combine these. Consider the situation where a user has submitted a PR containing code from the NetBSD project. Looking at the PR, the developer sees it is not an area of the tree they normally work in, so they have the change reviewed by the `arch` mailing list. Since the change is complex, the developer opts to MFC after one month to allow adequate testing. The extra information to include in the commit would look something like .Example Combined Commit Log [example] ==== [.programlisting] .... PR: 54321 Reviewed by: -arch Obtained from: NetBSD MFC after: 1 month Relnotes: yes .... ==== [[pref-license]] == Preferred License for New Files The FreeBSD Project's full license policy can be found at link:https://www.FreeBSD.org/internal/software-license/[https://www.FreeBSD.org/internal/software-license]. The rest of this section is intended to help you get started. As a rule, when in doubt, ask. It is much easier to give advice than to fix the source tree. The FreeBSD Project suggests and uses this text as the preferred license scheme: [.programlisting] .... /*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) [year] [your name] * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * [id for your version control system, if any] */ .... The FreeBSD project strongly discourages the so-called "advertising clause" in new code. Due to the large number of contributors to the FreeBSD project, complying with this clause for many commercial vendors has become difficult. If you have code in the tree with the advertising clause, please consider removing it. In fact, please consider using the above license for your code. The FreeBSD project discourages completely new licenses and variations on the standard licenses. New licenses require the approval of {core-email} to reside in the `src` repository. The more different licenses that are used in the tree, the more problems that this causes to those wishing to utilize this code, typically from unintended consequences from a poorly worded license. Project policy dictates that code under some non-BSD licenses must be placed only in specific sections of the repository, and in some cases, compilation must be conditional or even disabled by default. For example, the GENERIC kernel must be compiled under only licenses identical to or substantially similar to the BSD license. GPL, APSL, CDDL, etc, licensed software must not be compiled into GENERIC. Developers are reminded that in open source, getting "open" right is just as important as getting "source" right, as improper handling of intellectual property has serious consequences. Any questions or concerns should immediately be brought to the attention of the core team. [[tracking.license.grants]] == Keeping Track of Licenses Granted to the FreeBSD Project Various software or data exist in the repositories where the FreeBSD project has been granted a special license to be able to use them. A case in point are the Terminus fonts for use with man:vt[4]. Here the author Dimitar Zhekov has allowed us to use the "Terminus BSD Console" font under a 2-clause BSD license rather than the regular Open Font License he normally uses. It is clearly sensible to keep a record of any such license grants. To that end, the {core-email} has decided to keep an archive of them. Whenever the FreeBSD project is granted a special license we require the {core-email} to be notified. Any developers involved in arranging such a license grant, please send details to the {core-email} including: * Contact details for people or organizations granting the special license. * What files, directories etc. in the repositories are covered by the license grant including the revision numbers where any specially licensed material was committed. * The date the license comes into effect from. Unless otherwise agreed, this will be the date the license was issued by the authors of the software in question. * The license text. * A note of any restrictions, limitations or exceptions that apply specifically to FreeBSD's usage of the licensed material. * Any other relevant information. Once the {core-email} is satisfied that all the necessary details have been gathered and are correct, the secretary will send a PGP-signed acknowledgment of receipt including the license details. This receipt will be persistently archived and serve as our permanent record of the license grant. The license archive should contain only details of license grants; this is not the place for any discussions around licensing or other subjects. Access to data within the license archive will be available on request to the {core-email}. [[spdx.tags]] == SPDX Tags in the tree The project uses https://spdx.dev[SPDX] tags in our source base. At present, these tags are indented to help automated tools reconstruct license requirements mechanically. All _SPDX-License-Identifier_ tags in the tree should be considered to be informative. All files in the FreeBSD source tree with these tags also have a copy of the license which governs use of that file. In the event of a discrepancy, the verbatim license is controlling. The project tries to follow the https://spdx.github.io/spdx-spec/[SPDX Specification, Version 2.2]. How to mark source files and valid algebraic expressions are found in https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/[Appendix IV] and https://spdx.github.io/spdx-spec/appendix-V-using-SPDX-short-identifiers-in-source-files/[Appendix V]. The project draws identifiers from SPDX's list of valid https://spdx.org/licenses/[short license identifiers]. The project uses only the _SPDX-License-Identifier_ tag. As of March 2021, approximately 25,000 out of 90,000 files in the tree have been marked. [[developer.relations]] == Developer Relations When working directly on your own code or on code which is already well established as your responsibility, then there is probably little need to check with other committers before jumping in with a commit. When working on a bug in an area of the system which is clearly orphaned (and there are a few such areas, to our shame), the same applies. When modifying parts of the system which are maintained, formally or informally, consider asking for a review just as a developer would have before becoming a committer. For ports, contact the listed `MAINTAINER` in the [.filename]#Makefile#. To determine if an area of the tree is maintained, check the MAINTAINERS file at the root of the tree. If nobody is listed, scan the revision history to see who has committed changes in the past. To list the names and email addresses of all commit authors for a given file in the last 2 years and the number of commits each has authored, ordered by descending number of commits, use: [source,shell] ---- % git -C /path/to/repo shortlog -sne --since="2 years" -- relative/path/to/file ---- If queries go unanswered or the committer otherwise indicates a lack of interest in the area affected, go ahead and commit it. [IMPORTANT] ==== Avoid sending private emails to maintainers. Other people might be interested in the conversation, not just the final output. ==== If there is any doubt about a commit for any reason at all, have it reviewed before committing. Better to have it flamed then and there rather than when it is part of the repository. If a commit does results in controversy erupting, it may be advisable to consider backing the change out again until the matter is settled. Remember, with a version control system we can always change it back. Do not impugn the intentions of others. If they see a different solution to a problem, or even a different problem, it is probably not because they are stupid, because they have questionable parentage, or because they are trying to destroy hard work, personal image, or FreeBSD, but basically because they have a different outlook on the world. Different is good. Disagree honestly. Argue your position from its merits, be honest about any shortcomings it may have, and be open to seeing their solution, or even their vision of the problem, with an open mind. Accept correction. We are all fallible. When you have made a mistake, apologize and get on with life. Do not beat up yourself, and certainly do not beat up others for your mistake. Do not waste time on embarrassment or recrimination, just fix the problem and move on. Ask for help. Seek out (and give) peer reviews. One of the ways open source software is supposed to excel is in the number of eyeballs applied to it; this does not apply if nobody will review code. [[if-in-doubt]] == If in Doubt... When unsure about something, whether it be a technical issue or a project convention be sure to ask. If you stay silent you will never make progress. If it relates to a technical issue ask on the public mailing lists. Avoid the temptation to email the individual person that knows the answer. This way everyone will be able to learn from the question and the answer. For project specific or administrative questions ask, in order: * Your mentor or former mentor. * An experienced committer on IRC, email, etc. * Any team with a "hat", as they can give you a definitive answer. * If still not sure, ask on {developers-name}. Once your question is answered, if no one pointed you to documentation that spelled out the answer to your question, document it, as others will have the same question. [[bugzilla]] == Bugzilla The FreeBSD Project utilizes Bugzilla for tracking bugs and change requests. If you commit a fix or suggestion found in the PR database, be sure to close the PR. It is also considered nice if you take time to close any other PRs associated with your commits. Committers with non-``FreeBSD.org`` Bugzilla accounts can have the old account merged with the `FreeBSD.org` account by following these steps: [.procedure] ==== . Log in using your old account. . Open new bug. Choose `Services` as the Product, and `Bug Tracker` as the Component. In bug description list accounts you wish to be merged. . Log in using `FreeBSD.org` account and post comment to newly opened bug to confirm ownership. See crossref:committers-guide[kerberos-ldap, Kerberos and LDAP web Password for FreeBSD Cluster] for more details on how to generate or set a password for your `FreeBSD.org` account. . If there are more than two accounts to merge, post comments from each of them. ==== You can find out more about Bugzilla at: * extref:{pr-guidelines}[FreeBSD Problem Report Handling Guidelines] * link:https://www.FreeBSD.org/support/[https://www.FreeBSD.org/support] [[phabricator]] == Phabricator The FreeBSD Project utilizes https://reviews.freebsd.org[Phabricator] for code review requests. See the https://wiki.freebsd.org/Phabricator[Phabricator wiki page] for details. Committers with non-``FreeBSD.org`` Phabricator accounts can have the old account renamed to the ``FreeBSD.org`` account by following these steps: [.procedure] ==== . Change your Phabricator account email to your `FreeBSD.org` email. . Open new bug on our bug tracker using your `FreeBSD.org` account, see crossref:committers-guide[bugzilla, Bugzilla] for more information. Choose `Services` as the Product, and `Code Review` as the Component. In bug description request that your Phabricator account be renamed, and provide a link to your Phabricator user. For example, `https://reviews.freebsd.org/p/bob_example.com/` ==== [IMPORTANT] ==== Phabricator accounts cannot be merged, please do not open a new account. ==== [[people]] == Who's Who Besides the repository meisters, there are other FreeBSD project members and teams whom you will probably get to know in your role as a committer. Briefly, and by no means all-inclusively, these are: `{doceng}`:: doceng is the group responsible for the documentation build infrastructure, approving new documentation committers, and ensuring that the FreeBSD website and documentation on the FTP site is up to date with respect to the Subversion tree. It is not a conflict resolution body. The vast majority of documentation related discussion takes place on the {freebsd-doc}. More details regarding the doceng team can be found in its https://www.FreeBSD.org/internal/doceng/[charter]. Committers interested in contributing to the documentation should familiarize themselves with the extref:{fdp-primer}[Documentation Project Primer]. `{re-members}`:: These are the members of the `{re}`. This team is responsible for setting release deadlines and controlling the release process. During code freezes, the release engineers have final authority on all changes to the system for whichever branch is pending release status. If there is something you want merged from FreeBSD-CURRENT to FreeBSD-STABLE (whatever values those may have at any given time), these are the people to talk to about it. `{so}`:: `{so-name}` is the link:https://www.FreeBSD.org/security/[FreeBSD Security Officer] and oversees the `{security-officer}`. {committers-name}:: {dev-src-all}, {dev-ports-all} and {dev-doc-all} are the mailing lists that the version control system uses to send commit messages to. _Never_ send email directly to these lists. Only send replies to this list when they are short and are directly related to a commit. {developers-name}:: All committers are subscribed to -developers. This list was created to be a forum for the committers "community" issues. Examples are Core voting, announcements, etc. + The {developers-name} is for the exclusive use of FreeBSD committers. To develop FreeBSD, committers must have the ability to openly discuss matters that will be resolved before they are publicly announced. Frank discussions of work in progress are not suitable for open publication and may harm FreeBSD. + All FreeBSD committers are expected not to not publish or forward messages from the {developers-name} outside the list membership without permission of all of the authors. Violators will be removed from the {developers-name}, resulting in a suspension of commit privileges. Repeated or flagrant violations may result in permanent revocation of commit privileges. + This list is _not_ intended as a place for code reviews or for any technical discussion. In fact using it as such hurts the FreeBSD Project as it gives a sense of a closed list where general decisions affecting all of the FreeBSD using community are made without being "open". Last, but not least __never, never ever, email the {developers-name} and CC:/BCC: another FreeBSD list__. Never, ever email another FreeBSD email list and CC:/BCC: the {developers-name}. Doing so can greatly diminish the benefits of this list. [[ssh.guide]] == SSH Quick-Start Guide [.procedure] ==== . If you do not wish to type your password in every time you use man:ssh[1], and you use keys to authenticate, man:ssh-agent[1] is there for your convenience. If you want to use man:ssh-agent[1], make sure that you run it before running other applications. X users, for example, usually do this from their [.filename]#.xsession# or [.filename]#.xinitrc#. See man:ssh-agent[1] for details. . Generate a key pair using man:ssh-keygen[1]. The key pair will wind up in your [.filename]#$HOME/.ssh/# directory. + [IMPORTANT] ====== Only ECDSA, Ed25519 or RSA keys are supported. ====== . Send your public key ([.filename]#$HOME/.ssh/id_ecdsa.pub#, [.filename]#$HOME/.ssh/id_ed25519.pub#, or [.filename]#$HOME/.ssh/id_rsa.pub#) to the person setting you up as a committer so it can be put into [.filename]#yourlogin# in [.filename]#/etc/ssh-keys/# on `freefall`. ==== Now man:ssh-add[1] can be used for authentication once per session. It prompts for the private key's pass phrase, and then stores it in the authentication agent (man:ssh-agent[1]). Use `ssh-add -d` to remove keys stored in the agent. Test with a simple remote command: `ssh freefall.FreeBSD.org ls /usr`. For more information, see package:security/openssh-portable[], man:ssh[1], man:ssh-add[1], man:ssh-agent[1], man:ssh-keygen[1], and man:scp[1]. For information on adding, changing, or removing man:ssh[1] keys, see https://wiki.freebsd.org/clusteradm/ssh-keys[this article]. [[coverity]] == Coverity(R) Availability for FreeBSD Committers All FreeBSD developers can obtain access to Coverity analysis results of all FreeBSD Project software. All who are interested in obtaining access to the analysis results of the automated Coverity runs, can sign up at http://scan.coverity.com/[Coverity Scan]. The FreeBSD wiki includes a mini-guide for developers who are interested in working with the Coverity(R) analysis reports: https://wiki.freebsd.org/CoverityPrevent[https://wiki.freebsd.org/CoverityPrevent]. Please note that this mini-guide is only readable by FreeBSD developers, so if you cannot access this page, you will have to ask someone to add you to the appropriate Wiki access list. Finally, all FreeBSD developers who are going to use Coverity(R) are always encouraged to ask for more details and usage information, by posting any questions to the mailing list of the FreeBSD developers. [[rules]] == The FreeBSD Committers' Big List of Rules Everyone involved with the FreeBSD project is expected to abide by the _Code of Conduct_ available from link:https://www.FreeBSD.org/internal/code-of-conduct/[https://www.FreeBSD.org/internal/code-of-conduct]. As committers, you form the public face of the project, and how you behave has a vital impact on the public perception of it. This guide expands on the parts of the _Code of Conduct_ specific to committers. . Respect other committers. . Respect other contributors. . Discuss any significant change _before_ committing. . Respect existing maintainers (if listed in the `MAINTAINER` field in [.filename]#Makefile# or in [.filename]#MAINTAINER# in the top-level directory). . Any disputed change must be backed out pending resolution of the dispute if requested by a maintainer. Security related changes may override a maintainer's wishes at the Security Officer's discretion. . Changes go to FreeBSD-CURRENT before FreeBSD-STABLE unless specifically permitted by the release engineer or unless they are not applicable to FreeBSD-CURRENT. Any non-trivial or non-urgent change which is applicable should also be allowed to sit in FreeBSD-CURRENT for at least 3 days before merging so that it can be given sufficient testing. The release engineer has the same authority over the FreeBSD-STABLE branch as outlined for the maintainer in rule #5. . Do not fight in public with other committers; it looks bad. . Respect all code freezes and read the `committers` and `developers` mailing lists in a timely manner so you know when a code freeze is in effect. . When in doubt on any procedure, ask first! . Test your changes before committing them. . Do not commit to contributed software without _explicit_ approval from the respective maintainers. As noted, breaking some of these rules can be grounds for suspension or, upon repeated offense, permanent removal of commit privileges. Individual members of core have the power to temporarily suspend commit privileges until core as a whole has the chance to review the issue. In case of an "emergency" (a committer doing damage to the repository), a temporary suspension may also be done by the repository meisters. Only a 2/3 majority of core has the authority to suspend commit privileges for longer than a week or to remove them permanently. This rule does not exist to set core up as a bunch of cruel dictators who can dispose of committers as casually as empty soda cans, but to give the project a kind of safety fuse. If someone is out of control, it is important to be able to deal with this immediately rather than be paralyzed by debate. In all cases, a committer whose privileges are suspended or revoked is entitled to a "hearing" by core, the total duration of the suspension being determined at that time. A committer whose privileges are suspended may also request a review of the decision after 30 days and every 30 days thereafter (unless the total suspension period is less than 30 days). A committer whose privileges have been revoked entirely may request a review after a period of 6 months has elapsed. This review policy is _strictly informal_ and, in all cases, core reserves the right to either act on or disregard requests for review if they feel their original decision to be the right one. In all other aspects of project operation, core is a subset of committers and is bound by the __same rules__. Just because someone is in core this does not mean that they have special dispensation to step outside any of the lines painted here; core's "special powers" only kick in when it acts as a group, not on an individual basis. As individuals, the core team members are all committers first and core second. === Details [[respect]] . Respect other committers. + This means that you need to treat other committers as the peer-group developers that they are. Despite our occasional attempts to prove the contrary, one does not get to be a committer by being stupid and nothing rankles more than being treated that way by one of your peers. Whether we always feel respect for one another or not (and everyone has off days), we still have to _treat_ other committers with respect at all times, on public forums and in private email. + Being able to work together long term is this project's greatest asset, one far more important than any set of changes to the code, and turning arguments about code into issues that affect our long-term ability to work harmoniously together is just not worth the trade-off by any conceivable stretch of the imagination. + To comply with this rule, do not send email when you are angry or otherwise behave in a manner which is likely to strike others as needlessly confrontational. First calm down, then think about how to communicate in the most effective fashion for convincing the other persons that your side of the argument is correct, do not just blow off some steam so you can feel better in the short term at the cost of a long-term flame war. Not only is this very bad "energy economics", but repeated displays of public aggression which impair our ability to work well together will be dealt with severely by the project leadership and may result in suspension or termination of your commit privileges. The project leadership will take into account both public and private communications brought before it. It will not seek the disclosure of private communications, but it will take it into account if it is volunteered by the committers involved in the complaint. + All of this is never an option which the project's leadership enjoys in the slightest, but unity comes first. No amount of code or good advice is worth trading that away. . Respect other contributors. + You were not always a committer. At one time you were a contributor. Remember that at all times. Remember what it was like trying to get help and attention. Do not forget that your work as a contributor was very important to you. Remember what it was like. Do not discourage, belittle, or demean contributors. Treat them with respect. They are our committers in waiting. They are every bit as important to the project as committers. Their contributions are as valid and as important as your own. After all, you made many contributions before you became a committer. Always remember that. + Consider the points raised under crossref:committers-guide[respect,Respect other committers] and apply them also to contributors. . Discuss any significant change _before_ committing. + The repository is not where changes are initially submitted for correctness or argued over, that happens first in the mailing lists or by use of the Phabricator service. The commit will only happen once something resembling consensus has been reached. This does not mean that permission is required before correcting every obvious syntax error or manual page misspelling, just that it is good to develop a feel for when a proposed change is not quite such a no-brainer and requires some feedback first. People really do not mind sweeping changes if the result is something clearly better than what they had before, they just do not like being _surprised_ by those changes. The very best way of making sure that things are on the right track is to have code reviewed by one or more other committers. + When in doubt, ask for review! . Respect existing maintainers if listed. + Many parts of FreeBSD are not "owned" in the sense that any specific individual will jump up and yell if you commit a change to "their" area, but it still pays to check first. One convention we use is to put a maintainer line in the [.filename]#Makefile# for any package or subtree which is being actively maintained by one or more people; see extref:{developers-handbook}[Source Tree Guidelines and Policies, policies] for documentation on this. Where sections of code have several maintainers, commits to affected areas by one maintainer need to be reviewed by at least one other maintainer. In cases where the "maintainer-ship" of something is not clear, look at the repository logs for the files in question and see if someone has been working recently or predominantly in that area. . Any disputed change must be backed out pending resolution of the dispute if requested by a maintainer. Security related changes may override a maintainer's wishes at the Security Officer's discretion. + This may be hard to swallow in times of conflict (when each side is convinced that they are in the right, of course) but a version control system makes it unnecessary to have an ongoing dispute raging when it is far easier to simply reverse the disputed change, get everyone calmed down again and then try to figure out what is the best way to proceed. If the change turns out to be the best thing after all, it can be easily brought back. If it turns out not to be, then the users did not have to live with the bogus change in the tree while everyone was busily debating its merits. People _very_ rarely call for back-outs in the repository since discussion generally exposes bad or controversial changes before the commit even happens, but on such rare occasions the back-out should be done without argument so that we can get immediately on to the topic of figuring out whether it was bogus or not. . Changes go to FreeBSD-CURRENT before FreeBSD-STABLE unless specifically permitted by the release engineer or unless they are not applicable to FreeBSD-CURRENT. Any non-trivial or non-urgent change which is applicable should also be allowed to sit in FreeBSD-CURRENT for at least 3 days before merging so that it can be given sufficient testing. The release engineer has the same authority over the FreeBSD-STABLE branch as outlined in rule #5. + This is another "do not argue about it" issue since it is the release engineer who is ultimately responsible (and gets beaten up) if a change turns out to be bad. Please respect this and give the release engineer your full cooperation when it comes to the FreeBSD-STABLE branch. The management of FreeBSD-STABLE may frequently seem to be overly conservative to the casual observer, but also bear in mind the fact that conservatism is supposed to be the hallmark of FreeBSD-STABLE and different rules apply there than in FreeBSD-CURRENT. There is also really no point in having FreeBSD-CURRENT be a testing ground if changes are merged over to FreeBSD-STABLE immediately. Changes need a chance to be tested by the FreeBSD-CURRENT developers, so allow some time to elapse before merging unless the FreeBSD-STABLE fix is critical, time sensitive or so obvious as to make further testing unnecessary (spelling fixes to manual pages, obvious bug/typo fixes, etc.) In other words, apply common sense. + Changes to the security branches (for example, `releng/9.3`) must be approved by a member of the `{security-officer}`, or in some cases, by a member of the `{re}`. . Do not fight in public with other committers; it looks bad. + This project has a public image to uphold and that image is very important to all of us, especially if we are to continue to attract new members. There will be occasions when, despite everyone's very best attempts at self-control, tempers are lost and angry words are exchanged. The best thing that can be done in such cases is to minimize the effects of this until everyone has cooled back down. Do not air angry words in public and do not forward private correspondence or other private communications to public mailing lists, mail aliases, instant messaging channels or social media sites. What people say one-to-one is often much less sugar-coated than what they would say in public, and such communications therefore have no place there - they only serve to inflame an already bad situation. If the person sending a flame-o-gram at least had the grace to send it privately, then have the grace to keep it private yourself. If you feel you are being unfairly treated by another developer, and it is causing you anguish, bring the matter up with core rather than taking it public. Core will do its best to play peace makers and get things back to sanity. In cases where the dispute involves a change to the codebase and the participants do not appear to be reaching an amicable agreement, core may appoint a mutually-agreeable third party to resolve the dispute. All parties involved must then agree to be bound by the decision reached by this third party. . Respect all code freezes and read the `committers` and `developers` mailing list on a timely basis so you know when a code freeze is in effect. + Committing unapproved changes during a code freeze is a really big mistake and committers are expected to keep up-to-date on what is going on before jumping in after a long absence and committing 10 megabytes worth of accumulated stuff. People who abuse this on a regular basis will have their commit privileges suspended until they get back from the FreeBSD Happy Reeducation Camp we run in Greenland. . When in doubt on any procedure, ask first! + Many mistakes are made because someone is in a hurry and just assumes they know the right way of doing something. If you have not done it before, chances are good that you do not actually know the way we do things and really need to ask first or you are going to completely embarrass yourself in public. There is no shame in asking "how in the heck do I do this?" We already know you are an intelligent person; otherwise, you would not be a committer. . Test your changes before committing them. + If your changes are to the kernel, make sure you can still compile both GENERIC and LINT. If your changes are anywhere else, make sure you can still make world. If your changes are to a branch, make sure your testing occurs with a machine which is running that code. If you have a change which also may break another architecture, be sure and test on all supported architectures. Please ensure your change works for crossref:committers-guide[compilers,supported toolchains]. Please refer to the https://www.FreeBSD.org/internal/[FreeBSD Internal Page] for a list of available resources. As other architectures are added to the FreeBSD supported platforms list, the appropriate shared testing resources will be made available. . Do not commit to contributed software without _explicit_ approval from the respective maintainers. + Contributed software is anything under the [.filename]#src/contrib#, [.filename]#src/crypto#, or [.filename]#src/sys/contrib# trees. + The trees mentioned above are for contributed software usually imported onto a vendor branch. Committing something there may cause unnecessary headaches when importing newer versions of the software. As a general consider sending patches upstream to the vendor. Patches may be committed to FreeBSD first with permission of the maintainer. + Reasons for modifying upstream software range from wanting strict control over a tightly coupled dependency to lack of portability in the canonical repository's distribution of their code. Regardless of the reason, effort to minimize the maintenance burden of fork is helpful to fellow maintainers. Avoid committing trivial or cosmetic changes to files since it makes every merge thereafter more difficult: such patches need to be manually re-verified every import. + If a particular piece of software lacks a maintainer, you are encouraged to take up ownership. If you are unsure of the current maintainership email {freebsd-arch} and ask. === Policy on Multiple Architectures FreeBSD has added several new architecture ports during recent release cycles and is truly no longer an i386(TM) centric operating system. In an effort to make it easier to keep FreeBSD portable across the platforms we support, core has developed this mandate: [.blockquote] Our 32-bit reference platform is i386, and our 64-bit reference platform is amd64. Major design work (including major API and ABI changes) must prove itself on at least one 32-bit and at least one 64-bit platform, preferably the primary reference platforms, before it may be committed to the source tree. Developers should also be aware of our Tier Policy for the long term support of hardware architectures. The rules here are intended to provide guidance during the development process, and are distinct from the requirements for features and architectures listed in that section. The Tier rules for feature support on architectures at release-time are more strict than the rules for changes during the development process. [[compilers]] === Policy on Multiple Compilers FreeBSD builds with both Clang and GCC. The project does this in a careful and controlled way to maximize benefits from this extra work, while keeping the extra work to a minimum. Supporting both Clang and GCC improves the flexibility our users have. These compilers have different strengths and weaknesses, and supporting both allows users to pick the best one for their needs. Clang and GCC support similar dialects of C and C++, necessitating a relatively small amount of conditional code. The project gains increased code coverage and improves the code quality by using features from both compilers. The project is able to build in more user environments and leverage more CI environments by supporting this range, increasing convenience for users and giving them more tools to test with. By carefully constraining the range of versions supported to modern versions of these compilers, the project avoids unduly increasing the testing matrix. Older and obscure compilers, as well as older dialects of the languages, have extremely limited support that allow user programs to build with them, but without constraining the base system to being built with them. The exact balance continues to evolve to ensure the benefits of extra work remain greater than the burdens it imposes. The project used to support really old Intel compilers or old GCC versions, but we traded supporting those obsolete compilers for a carefully selected range of modern compilers. This section documents where we use different compilers, and the expectations around that. The FreeBSD project provides an in-tree Clang compiler. Due to being in the tree, this compiler is the most supported compiler. All changes must compile with it, prior to commit. Complete testing, as appropriate for the change, should be done with this compiler. At any moment in time, the FreeBSD project also supports one or more out-of-tree compilers. At present, this is GCC 12.x. Ideally, committers should test compile with this compiler, especially for large or risky changes. This compiler is available as the `${TARGET_ARCH}-gcc${VERSION}` package, such as package:devel/freebsd-gcc12@aarch64[aarch64-gcc12] or package:devel/freebsd-gcc12@riscv64[riscv64-gcc12]. The project runs automated CI jobs to build everything with these compilers. Committers are expected to fix the jobs they break with their changes. Committers may test build with, for example `CROSS_TOOLCHAIN=aarch64-gcc12` or `CROSS_TOOLCHAIN=llvm15` where necessary. The FreeBSD project also has some CI pipelines on github. For pull requests on github and some branches pushed to the github forks, a number of cross compilation jobs run. These test FreeBSD building using a version of Clang that sometimes lags the in-tree compiler by a major version for a time. The FreeBSD project is also upgrading compilers. Both Clang and GCC are fast moving targets. Some work to change things in the tree, for example removing the old-style K&R function declarations and definitions, will land in the tree prior to the compiler landing. Committers should try to be mindful about this and be receptive to looking into problems with their code or changes with these new compilers. Also, just after a new compiler version hits the tree, people may need to compile things with the old version if there was an undetected regression suspected. In addition to the compiler, LLVM's LLD and GNU's binutils are used indirectly by the compiler. Committers should be mindful of variations in assembler syntax and features of the linkers and ensure both variants work. These components will be tested as part of FreeBSD's CI jobs for Clang or GCC. The FreeBSD project provides headers and libraries that allow other compilers to be used to build software not in the base system. These headers have support for making the environment as strict as the standard, supporting prior dialects of ANSI-C back to C89, and other edge cases our large ports collection has uncovered. This support constrains retirement of older standards in places like header files, but does not constrain updating the base system to newer dialects. Nor does it require the base system to compile with these older standards as a whole. Breaking this support will cause packages in the ports collection to fail, so should be avoided where possible, and promptly fixed when it is easy to do so. The FreeBSD build system currently accommodates these different environments. As new warnings are added to compilers, the project tries to fix them. However, sometimes these warnings require extensive rework, so are suppressed in some way by using make variables that evaluate to the proper thing depending on the compiler version. Developers should be mindful of this, and ensure any compiler specific flags are properly conditionalized. ==== Current Compiler Versions The in-tree compiler is currently Clang 15.x. Currently, GCC 12 and Clang 12, 13, 14 and 15 are tested in the github and project's CI jenkins jobs. Work is underway to get the tree ready for Clang 16. The oldest project supported branch has Clang 12, so the bootstrap portions of the build must work for Clang major versions 12 to 15. === Other Suggestions When committing documentation changes, use a spell checker before committing. For all XML docs, verify that the formatting directives are correct by running `make lint` and package:textproc/igor[]. For manual pages, run package:sysutils/manck[] and package:textproc/igor[] over the manual page to verify all of the cross references and file references are correct and that the man page has all of the appropriate `MLINKS` installed. Do not mix style fixes with new functionality. A style fix is any change which does not modify the functionality of the code. Mixing the changes obfuscates the functionality change when asking for differences between revisions, which can hide any new bugs. Do not include whitespace changes with content changes in commits to [.filename]#doc/#. The extra clutter in the diffs makes the translators' job much more difficult. Instead, make any style or whitespace changes in separate commits that are clearly labeled as such in the commit message. === Deprecating Features When it is necessary to remove functionality from software in the base system, follow these guidelines whenever possible: . Mention is made in the manual page and possibly the release notes that the option, utility, or interface is deprecated. Use of the deprecated feature generates a warning. . The option, utility, or interface is preserved until the next major (point zero) release. . The option, utility, or interface is removed and no longer documented. It is now obsolete. It is also generally a good idea to note its removal in the release notes. === Privacy and Confidentiality . Most FreeBSD business is done in public. + FreeBSD is an _open_ project. Which means that not only can anyone use the source code, but that most of the development process is open to public scrutiny. . Certain sensitive matters must remain private or held under embargo. + There unfortunately cannot be complete transparency. As a FreeBSD developer you will have a certain degree of privileged access to information. Consequently you are expected to respect certain requirements for confidentiality. Sometimes the need for confidentiality comes from external collaborators or has a specific time limit. Mostly though, it is a matter of not releasing private communications. . The Security Officer has sole control over the release of security advisories. + Where there are security problems that affect many different operating systems, FreeBSD frequently depends on early access to be able to prepare advisories for coordinated release. Unless FreeBSD developers can be trusted to maintain security, such early access will not be made available. The Security Officer is responsible for controlling pre-release access to information about vulnerabilities, and for timing the release of all advisories. He may request help under condition of confidentiality from any developer with relevant knowledge to prepare security fixes. . Communications with Core are kept confidential for as long as necessary. + Communications to core will initially be treated as confidential. Eventually however, most of Core's business will be summarized into the monthly or quarterly core reports. Care will be taken to avoid publicising any sensitive details. Records of some particularly sensitive subjects may not be reported on at all and will be retained only in Core's private archives. . Non-disclosure Agreements may be required for access to certain commercially sensitive data. + Access to certain commercially sensitive data may only be available under a Non-Disclosure Agreement. The FreeBSD Foundation legal staff must be consulted before any binding agreements are entered into. . Private communications must not be made public without permission. + Beyond the specific requirements above there is a general expectation not to publish private communications between developers without the consent of all parties involved. Ask permission before forwarding a message onto a public mailing list, or posting it to a forum or website that can be accessed by other than the original correspondents. . Communications on project-only or restricted access channels must be kept private. + Similarly to personal communications, certain internal communications channels, including FreeBSD Committer only mailing lists and restricted access IRC channels are considered private communications. Permission is required to publish material from these sources. . Core may approve publication. + Where it is impractical to obtain permission due to the number of correspondents or where permission to publish is unreasonably withheld, Core may approve release of such private matters that merit more general publication. [[archs]] == Support for Multiple Architectures FreeBSD is a highly portable operating system intended to function on many different types of hardware architectures. Maintaining clean separation of Machine Dependent (MD) and Machine Independent (MI) code, as well as minimizing MD code, is an important part of our strategy to remain agile with regards to current hardware trends. Each new hardware architecture supported by FreeBSD adds substantially to the cost of code maintenance, toolchain support, and release engineering. It also dramatically increases the cost of effective testing of kernel changes. As such, there is strong motivation to differentiate between classes of support for various architectures while remaining strong in a few key architectures that are seen as the FreeBSD "target audience". === Statement of General Intent The FreeBSD Project targets "production quality commercial off-the-shelf (COTS) workstation, server, and high-end embedded systems". By retaining a focus on a narrow set of architectures of interest in these environments, the FreeBSD Project is able to maintain high levels of quality, stability, and performance, as well as minimize the load on various support teams on the project, such as the ports team, documentation team, security officer, and release engineering teams. Diversity in hardware support broadens the options for FreeBSD consumers by offering new features and usage opportunities, but these benefits must always be carefully considered in terms of the real-world maintenance cost associated with additional platform support. The FreeBSD Project differentiates platform targets into four tiers. Each tier includes a list of guarantees consumers may rely on as well as obligations by the Project and developers to fulfill those guarantees. These lists define the minimum guarantees for each tier. The Project and developers may provide additional levels of support beyond the minimum guarantees for a given tier, but such additional support is not guaranteed. Each platform target is assigned to a specific tier for each stable branch. As a result, a platform target might be assigned to different tiers on concurrent stable branches. === Platform Targets Support for a hardware platform consists of two components: kernel support and userland Application Binary Interfaces (ABIs). Kernel platform support includes things needed to run a FreeBSD kernel on a hardware platform such as machine-dependent virtual memory management and device drivers. A userland ABI specifies an interface for user processes to interact with a FreeBSD kernel and base system libraries. A userland ABI includes system call interfaces, the layout and semantics of public data structures, and the layout and semantics of arguments passed to subroutines. Some components of an ABI may be defined by specifications such as the layout of C++ exception objects or calling conventions for C functions. A FreeBSD kernel also uses an ABI (sometimes referred to as the Kernel Binary Interface (KBI)) which includes the semantics and layouts of public data structures and the layout and semantics of arguments to public functions within the kernel itself. A FreeBSD kernel may support multiple userland ABIs. For example, FreeBSD's amd64 kernel supports FreeBSD amd64 and i386 userland ABIs as well as Linux x86_64 and i386 userland ABIs. A FreeBSD kernel should support a "native" ABI as the default ABI. The native "ABI" generally shares certain properties with the kernel ABI such as the C calling convention, sizes of basic types, etc. Tiers are defined for both kernels and userland ABIs. In the common case, a platform's kernel and FreeBSD ABIs are assigned to the same tier. ==== Tier 1: Fully-Supported Architectures Tier 1 platforms are the most mature FreeBSD platforms. They are supported by the security officer, release engineering, and Ports Management Team. Tier 1 architectures are expected to be Production Quality with respect to all aspects of the FreeBSD operating system, including installation and development environments. The FreeBSD Project provides the following guarantees to consumers of Tier 1 platforms: * Official FreeBSD release images will be provided by the release engineering team. * Binary updates and source patches for Security Advisories and Errata Notices will be provided for supported releases. * Source patches for Security Advisories will be provided for supported branches. * Binary updates and source patches for cross-platform Security Advisories will typically be provided at the time of the announcement. * Changes to userland ABIs will generally include compatibility shims to ensure correct operation of binaries compiled against any stable branch where the platform is Tier 1. These shims might not be enabled in the default install. If compatibility shims are not provided for an ABI change, the lack of shims will be clearly documented in the release notes. * Changes to certain portions of the kernel ABI will include compatibility shims to ensure correct operation of kernel modules compiled against the oldest supported release on the branch. Note that not all parts of the kernel ABI are protected. * Official binary packages for third party software will be provided by the ports team. For embedded architectures, these packages may be cross-built from a different architecture. * Most relevant ports should either build or have the appropriate filters to prevent inappropriate ones from building. * New features which are not inherently platform-specific will be fully functional on all Tier 1 architectures. * Features and compatibility shims used by binaries compiled against older stable branches may be removed in newer major versions. Such removals will be clearly documented in the release notes. * Tier 1 platforms should be fully documented. Basic operations will be documented in the FreeBSD Handbook. * Tier 1 platforms will be included in the source tree. * Tier 1 platforms should be self-hosting either via the in-tree toolchain or an external toolchain. If an external toolchain is required, official binary packages for an external toolchain will be provided. To maintain maturity of Tier 1 platforms, the FreeBSD Project will maintain the following resources to support development: * Build and test automation support either in the FreeBSD.org cluster or some other location easily available for all developers. Embedded platforms may substitute an emulator available in the FreeBSD.org cluster for actual hardware. * Inclusion in the `make universe` and `make tinderbox` targets. * Dedicated hardware in one of the FreeBSD clusters for package building (either natively or via qemu-user). Collectively, developers are required to provide the following to maintain the Tier 1 status of a platform: * Changes to the source tree should not knowingly break the build of a Tier 1 platform. * Tier 1 architectures must have a mature, healthy ecosystem of users and active developers. * Developers should be able to build packages on commonly available, non-embedded Tier 1 systems. This can mean either native builds if non-embedded systems are commonly available for the platform in question, or it can mean cross-builds hosted on some other Tier 1 architecture. * Changes cannot break the userland ABI. If an ABI change is required, ABI compatibility for existing binaries should be provided via use of symbol versioning or shared library version bumps. * Changes merged to stable branches cannot break the protected portions of the kernel ABI. If a kernel ABI change is required, the change should be modified to preserve functionality of existing kernel modules. ==== Tier 2: Developmental and Niche Architectures Tier 2 platforms are functional, but less mature FreeBSD platforms. They are not supported by the security officer, release engineering, and Ports Management Team. Tier 2 platforms may be Tier 1 platform candidates that are still under active development. Architectures reaching end of life may also be moved from Tier 1 status to Tier 2 status as the availability of resources to continue to maintain the system in a Production Quality state diminishes. Well-supported niche architectures may also be Tier 2. The FreeBSD Project provides the following guarantees to consumers of Tier 2 platforms: * The ports infrastructure should include basic support for Tier 2 architectures sufficient to support building ports and packages. This includes support for basic packages such as ports-mgmt/pkg, but there is no guarantee that arbitrary ports will be buildable or functional. * New features which are not inherently platform-specific should be feasible on all Tier 2 architectures if not implemented. * Tier 2 platforms will be included in the source tree. * Tier 2 platforms should be self-hosting either via the in-tree toolchain or an external toolchain. If an external toolchain is required, official binary packages for an external toolchain will be provided. * Tier 2 platforms should provide functional kernels and userlands even if an official release distribution is not provided. To maintain maturity of Tier 2 platforms, the FreeBSD Project will maintain the following resources to support development: * Inclusion in the `make universe` and `make tinderbox` targets. Collectively, developers are required to provide the following to maintain the Tier 2 status of a platform: * Changes to the source tree should not knowingly break the build of a Tier 2 platform. * Tier 2 architectures must have an active ecosystem of users and developers. * While changes are permitted to break the userland ABI, the ABI should not be broken gratuitously. Significant userland ABI changes should be restricted to major versions. * New features that are not yet implemented on Tier 2 architectures should provide a means of disabling them on those architectures. ==== Tier 3: Experimental Architectures Tier 3 platforms have at least partial FreeBSD support. They are _not_ supported by the security officer, release engineering, and Ports Management Team. Tier 3 platforms are architectures in the early stages of development, for non-mainstream hardware platforms, or which are considered legacy systems unlikely to see broad future use. Initial support for Tier 3 platforms may exist in a separate repository rather than the main source repository. The FreeBSD Project provides no guarantees to consumers of Tier 3 platforms and is not committed to maintaining resources to support development. Tier 3 platforms may not always be buildable, nor are any kernel or userland ABIs considered stable. ==== Unsupported Architectures Other platforms are not supported in any form by the project. The project previously described these as Tier 4 systems. After a platform transitions to unsupported, all support for the platform is removed from the source, ports and documentation trees. Note that ports support should remain as long as the platform is supported in a branch supported by ports. === Policy on Changing the Tier of an Architecture Systems may only be moved from one tier to another by approval of the FreeBSD Core Team, which shall make that decision in collaboration with the Security Officer, Release Engineering, and ports management teams. For a platform to be promoted to a higher tier, any missing support guarantees must be satisfied before the promotion is completed. [[ports]] == Ports Specific FAQ [[ports-qa-adding]] === Adding a New Port [[ports-qa-add-new]] ==== How do I add a new port? Adding a port to the tree is relatively simple. Once the port is ready to be added, as explained later crossref:committers-guide[ports-qa-add-new-extra,here], you need to add the port's directory entry in the category's [.filename]#Makefile#. In this [.filename]#Makefile#, ports are listed in alphabetical order and added to the `SUBDIR` variable, like this: [.programlisting] .... SUBDIR += newport .... Once the port and its category's Makefile are ready, the new port can be committed: [source,shell] .... % git add category/Makefile category/newport % git commit % git push .... [TIP] ==== Don't forget to crossref:committers-guide[port-commit-message-formats,setup git hooks for the ports tree as explained here]; a specific hook has been developed to verify the category's [.filename]#Makefile#. ==== [[ports-qa-add-new-extra]] ==== Any other things I need to know when I add a new port? Check the port, preferably to make sure it compiles and packages correctly. The extref:{porters-handbook}testing[Porters Handbook's Testing Chapter] contains more detailed instructions. See the extref:{porters-handbook}testing[Portclippy / Portfmt, testing-portclippy] and the extref:{porters-handbook}testing[poudriere, testing-poudriere] sections. You do not necessarily have to eliminate all warnings but make sure you have fixed the simple ones. If the port came from a submitter who has not contributed to the Project before, add that person's name to the extref:{contributors}[Additional Contributors, contrib-additional] section of the FreeBSD Contributors List. Close the PR if the port came in as a PR. To close a PR, change the state to `Issue Resolved` and the resolution as `Fixed`. [NOTE] ==== If for some reason using extref:{porters-handbook}testing[poudriere, testing-poudriere] to test the new port is not possible, the bare minimum of testing includes this sequence: [source,shell] .... # make install # make package # make deinstall # pkg add package you built above # make deinstall # make reinstall # make package .... Note that poudriere is the reference for package building, it the port does not build in poudriere, it will be removed. ==== [[ports-qa-removing]] === Removing an Existing Port [[ports-qa-remove-one]] ==== How do I remove an existing port? First, please read the section about repository copies. Before you remove the port, you have to verify there are no other ports depending on it. * Make sure there is no dependency on the port in the ports collection: ** The port's PKGNAME appears in exactly one line in a recent INDEX file. ** No other ports contains any reference to the port's directory or PKGNAME in their Makefiles + [TIP] ==== When using Git, consider using man:git-grep[1], it is much faster than `grep -r`. ==== + * Then, remove the port: + [.procedure] ==== * Remove the port's files and directory with `git rm`. * Remove the `SUBDIR` listing of the port in the parent directory [.filename]#Makefile#. * Add an entry to [.filename]#ports/MOVED#. * Remove the port from [.filename]#ports/LEGAL# if it is there. ==== Alternatively, you can use the rmport script, from [.filename]#ports/Tools/scripts#. This script was written by {vd}. When sending questions about this script to the {freebsd-ports}, please also CC {crees}, the current maintainer. [[ports-qa-move-port]] === How do I move a port to a new location? [.procedure] ==== . Perform a thorough check of the ports collection for any dependencies on the old port location/name, and update them. Running `grep` on [.filename]#INDEX# is not enough because some ports have dependencies enabled by compile-time options. A full man:git-grep[1] of the ports collection is recommended. . Remove the `SUBDIR` entry from the old category Makefile and add a `SUBDIR` entry to the new category Makefile. . Add an entry to [.filename]#ports/MOVED#. . Search for entries in xml files inside [.filename]#ports/security/vuxml# and adjust them accordingly. In particular, check for previous packages with the new name which version could include the new port. . Move the port with `git mv`. . Commit the changes. ==== [[ports-qa-copy-port]] === How do I copy a port to a new location? [.procedure] ==== . Copy port with `cp -R old-cat/old-port new-cat/new-port`. . Add the new port to the [.filename]#new-cat/Makefile#. . Change stuff in [.filename]#new-cat/new-port#. . Commit the changes. ==== [[ports-qa-freeze]] === Ports Freeze [[ports-qa-freeze-what]] ==== What is a “ports freeze”? A “ports freeze” was a restricted state the ports tree was put in before a release. It was used to ensure a higher quality for the packages shipped with a release. It usually lasted a couple of weeks. During that time, build problems were fixed, and the release packages were built. This practice is no longer used, as the packages for the releases are built from the current stable, quarterly branch. For more information on how to merge commits to the quarterly branch, see crossref:committers-guide[ports-qa-misc-request-mfh, What is the procedure to request authorization for merging a commit to the quarterly branch?]. [[ports-qa-quarterly]] === Quarterly Branches [[ports-qa-misc-request-mfh]] ==== What is the procedure to request authorization for merging a commit to the quarterly branch? As of November 30, 2020, there is no need to seek explicit approval to commit to the quarterly branch. [[ports-qa-misc-commit-mfh]] ==== What is the procedure for merging commits to the quarterly branch? Merging commits to the quarterly branch (a process we call MFH for a historical reason) is very similar to MFC'ing a commit in the src repository, so basically: [source,shell] .... % git checkout 2021Q2 % git cherry-pick -x $HASH (verify everything is OK, for example by doing a build test) % git push .... where `$HASH` is the hash of the commit you want to copy over to the quarterly branch. The `-x` parameter ensures the hash `$HASH` of the `main` branch is included in the new commit message of the quarterly branch. [[ports-qa-new-category]] === Creating a New Category [[ports-qa-new-category-how]] ==== What is the procedure for creating a new category? Please see extref:{porters-handbook}[Proposing a New Category, proposing-categories] in the Porter's Handbook. Once that procedure has been followed and the PR has been assigned to the {portmgr}, it is their decision whether or not to approve it. If they do, it is their responsibility to: [.procedure] ==== . Perform any needed moves. (This only applies to physical categories.) . Update the `VALID_CATEGORIES` definition in [.filename]#ports/Mk/bsd.port.mk#. . Assign the PR back to you. ==== [[ports-qa-new-category-physical]] ==== What do I need to do to implement a new physical category? [.procedure] ==== . Upgrade each moved port's [.filename]#Makefile#. Do not connect the new category to the build yet. + To do this, you will need to: + [.procedure] ====== . Change the port's `CATEGORIES` (this was the point of the exercise, remember?) The new category is listed first. This will help to ensure that the PKGORIGIN is correct. . Run a `make describe`. Since the top-level `make index` that you will be running in a few steps is an iteration of `make describe` over the entire ports hierarchy, catching any errors here will save you having to re-run that step later on. . If you want to be really thorough, now might be a good time to run man:portlint[1]. ====== + . Check that the ``PKGORIGIN``s are correct. The ports system uses each port's `CATEGORIES` entry to create its `PKGORIGIN`, which is used to connect installed packages to the port directory they were built from. If this entry is wrong, common port tools like man:pkg-version[8] and man:portupgrade[1] fail. + To do this, use the [.filename]#chkorigin.sh# tool: `env PORTSDIR=/path/to/ports sh -e /path/to/ports/Tools/scripts/chkorigin.sh`. This will check every port in the ports tree, even those not connected to the build, so you can run it directly after the move operation. Hint: do not forget to look at the ``PKGORIGIN``s of any slave ports of the ports you just moved! . On your own local system, test the proposed changes: first, comment out the SUBDIR entries in the old ports' categories' [.filename]##Makefile##s; then enable building the new category in [.filename]#ports/Makefile#. Run make checksubdirs in the affected category directories to check the SUBDIR entries. Next, in the [.filename]#ports/# directory, run make index. This can take over 40 minutes on even modern systems; however, it is a necessary step to prevent problems for other people. . Once this is done, you can commit the updated [.filename]#ports/Makefile# to connect the new category to the build and also commit the [.filename]#Makefile# changes for the old category or categories. . Add appropriate entries to [.filename]#ports/MOVED#. . Update the documentation by modifying: ** the extref:{porters-handbook}[list of categories, PORTING-CATEGORIES] in the Porter's Handbook + . Only once all the above have been done, and no one is any longer reporting problems with the new ports, should the old ports be deleted from their previous locations in the repository. ==== ==== What do I need to do to implement a new virtual category? This is much simpler than a physical category. Only a few modifications are needed: * the extref:{porters-handbook}[list of categories, PORTING-CATEGORIES] in the Porter's Handbook [[ports-qa-misc-questions]] === Miscellaneous Questions [[ports-qa-misc-blanket-approval]] ==== Are there changes that can be committed without asking the maintainer for approval? Blanket approval for most ports applies to these types of fixes: * Most infrastructure changes to a port (that is, modernizing, but not changing the functionality). For example, the blanket covers converting to new `USES` macros, enabling verbose builds, and switching to new ports system syntaxes. * Trivial and _tested_ build and runtime fixes. * Documentations or metadata changes to ports, like [.filename]#pkg-descr# or `COMMENT`. [IMPORTANT] ==== Exceptions to this are anything maintained by the {portmgr}, or the {security-officer}. No unauthorized commits may ever be made to ports maintained by those groups. ==== [[ports-qa-misc-correctly-building]] ==== How do I know if my port is building correctly or not? The packages are built multiple times each week. If a port fails, the maintainer will receive an email from `pkg-fallout@FreeBSD.org`. Reports for all the package builds (official, experimental, and non-regression) are aggregated at link:pkg-status.FreeBSD.org[pkg-status.FreeBSD.org]. [[ports-qa-misc-INDEX]] ==== I added a new port. Do I need to add it to the [.filename]#INDEX#? No. The file can either be generated by running `make index`, or a pre-generated version can be downloaded with `make fetchindex`. [[ports-qa-misc-no-touch]] ==== Are there any other files I am not allowed to touch? Any file directly under [.filename]#ports/#, or any file under a subdirectory that starts with an uppercase letter ([.filename]#Mk/#, [.filename]#Tools/#, etc.). In particular, the {portmgr} is very protective of [.filename]#ports/Mk/bsd.port*.mk# so do not commit changes to those files unless you want to face their wrath. [[ports-qa-misc-updated-distfile]] ==== What is the proper procedure for updating the checksum for a port distfile when the file changes without a version change? When the checksum for a distribution file is updated due to the author updating the file without changing the port revision, the commit message includes a summary of the relevant diffs between the original and new distfile to ensure that the distfile has not been corrupted or maliciously altered. If the current version of the port has been in the ports tree for a while, a copy of the old distfile will usually be available on the ftp servers; otherwise the author or maintainer should be contacted to find out why the distfile has changed. [[ports-exp-run]] ==== How can an experimental test build of the ports tree (exp-run) be requested? An exp-run must be completed before patches with a significant ports impact are committed. The patch can be against the ports tree or the base system. Full package builds will be done with the patches provided by the submitter, and the submitter is required to fix detected problems _(fallout)_ before commit. [.procedure] ==== . Go to the link:https://bugs.freebsd.org/submit[Bugzilla new PR page]. . Select the product your patch is about. . Fill in the bug report as normal. Remember to attach the patch. . If at the top it says “Show Advanced Fields” click on it. It will now say “Hide Advanced Fields”. Many new fields will be available. If it already says “Hide Advanced Fields”, no need to do anything. . In the “Flags” section, set the “exp-run” one to `?`. As for all other fields, hovering the mouse over any field shows more details. . Submit. Wait for the build to run. . {portmgr} will reply with a possible fallout. . Depending on the fallout: ** If there is no fallout, the procedure stops here, and the change can be committed, pending any other approval required. ... If there is fallout, it _must_ be fixed, either by fixing the ports directly in the ports tree, or adding to the submitted patch. ... When this is done, go back to step 6 saying the fallout was fixed and wait for the exp-run to be run again. Repeat as long as there are broken ports. ==== [[non-committers]] == Issues Specific to Developers Who Are Not Committers A few people who have access to the FreeBSD machines do not have commit bits. Almost all of this document will apply to these developers as well (except things specific to commits and the mailing list memberships that go with them). In particular, we recommend that you read: * crossref:committers-guide[admin, Administrative Details] * crossref:committers-guide[conventions-everyone, For Everyone] + [NOTE] ==== Get your mentor to add you to the "Additional Contributors" ([.filename]#doc/shared/contrib-additional.adoc#), if you are not already listed there. ==== * crossref:committers-guide[developer.relations, Developer Relations] * crossref:committers-guide[ssh.guide, SSH Quick-Start Guide] * crossref:committers-guide[rules, The FreeBSD Committers' Big List of Rules] [[google-analytics]] == Information About Google Analytics As of December 12, 2012, Google Analytics was enabled on the FreeBSD Project website to collect anonymized usage statistics regarding usage of the site. [NOTE] ==== As of March 3, 2022, Google Analytics was removed from the FreeBSD Project. ==== [[misc]] == Miscellaneous Questions === How do I access people.FreeBSD.org to put up personal or project information? `people.FreeBSD.org` is the same as `freefall.FreeBSD.org`. Just create a [.filename]#public_html# directory. Anything you place in that directory will automatically be visible under https://people.FreeBSD.org/[https://people.FreeBSD.org/]. === Where are the mailing list archives stored? The mailing lists are archived under [.filename]#/local/mail# on `freefall.FreeBSD.org`. === I would like to mentor a new committer. What process do I need to follow? See the https://www.freebsd.org/internal/new-account/[New Account Creation Procedure] document on the internal pages. [[benefits]] == Benefits and Perks for FreeBSD Committers [[benefits-recognition]] === Recognition Recognition as a competent software engineer is the longest lasting value. In addition, getting a chance to work with some of the best people that every engineer would dream of meeting is a great perk! [[benefits-freebsdmall]] === FreeBSD Mall FreeBSD committers can get a free 4-CD or DVD set at conferences from http://www.freebsdmall.com[FreeBSD Mall, Inc.]. [[benefits-gandi]] === `Gandi.net` https://gandi.net[Gandi] provides website hosting, cloud computing, domain registration, and X.509 certificate services. Gandi offers an E-rate discount to all FreeBSD developers. To streamline the process of getting the discount first set up a Gandi account, fill in the billing information and select the currency. Then send an mail to mailto:non-profit@gandi.net[non-profit@gandi.net] using your `@freebsd.org` mail address, and indicate your Gandi handle. [[benefits-rsync]] === `rsync.net` https://rsync.net[rsync.net] provides cloud storage for offsite backup that is optimized for UNIX users. Their service runs entirely on FreeBSD and ZFS. rsync.net offers a free-forever 500 GB account to FreeBSD developers. Simply sign up at https://www.rsync.net/freebsd.html[https://www.rsync.net/freebsd.html] using your `@freebsd.org` address to receive this free account. diff --git a/documentation/content/en/articles/committers-guide/_index.po b/documentation/content/en/articles/committers-guide/_index.po index 57e15ce4af..2ec51995ed 100644 --- a/documentation/content/en/articles/committers-guide/_index.po +++ b/documentation/content/en/articles/committers-guide/_index.po @@ -1,8523 +1,8523 @@ # SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2024-09-14 15:00-0300\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/articles/committers-guide/_index.adoc:1 #, no-wrap msgid "Introductory information for FreeBSD committers" msgstr "" #. type: Title = #: documentation/content/en/articles/committers-guide/_index.adoc:1 #: documentation/content/en/articles/committers-guide/_index.adoc:12 #, no-wrap msgid "Committer's Guide" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:45 msgid "Abstract" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:48 msgid "" "This document provides information for the FreeBSD committer community. All " "new committers should read this document before they start, and existing " "committers are strongly encouraged to review it from time to time." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:53 msgid "" "Almost all FreeBSD developers have commit rights to one or more " "repositories. However, a few developers do not, and some of the information " "here applies to them as well. (For instance, some people only have rights " "to work with the Problem Report database.) Please see crossref:committers-" "guide[non-committers] for more information." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:55 msgid "" "This document may also be of interest to members of the FreeBSD community " "who want to learn more about how the project works." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:57 msgid "'''" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:61 #, no-wrap msgid "Administrative Details" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:68 #, no-wrap msgid "_Login Methods_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:70 #, no-wrap msgid "man:ssh[1], protocol 2 only" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:71 #, no-wrap msgid "_Main Shell Host_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:73 #, no-wrap msgid "`freefall.FreeBSD.org`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:74 #, no-wrap msgid "_Reference Machines_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:76 #, no-wrap msgid "`ref*.FreeBSD.org`, `universe*.freeBSD.org` (see also link:https://www.FreeBSD.org/internal/machines/[FreeBSD Project Hosts])" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:77 #, no-wrap msgid "_SMTP Host_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:79 #, no-wrap msgid "`smtp.FreeBSD.org:587` (see also crossref:committers-guide[smtp-setup])." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:80 #, no-wrap msgid "`_src/_` Git Repository" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:82 #, no-wrap msgid "`ssh://git@gitrepo.FreeBSD.org/src.git`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:83 #, no-wrap msgid "`_doc/_` Git Repository" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:85 #, no-wrap msgid "`ssh://git@gitrepo.FreeBSD.org/doc.git`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:86 #, no-wrap msgid "`_ports/_` Git Repository" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:88 #, no-wrap msgid "`ssh://git@gitrepo.FreeBSD.org/ports.git`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:89 #, no-wrap msgid "_Internal Mailing Lists_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:91 #, no-wrap msgid "developers (technically called all-developers), doc-developers, doc-committers, ports-developers, ports-committers, src-developers, src-committers. (Each project repository has its own -developers and -committers mailing lists. Archives for these lists can be found in the files [.filename]#/local/mail/repository-name-developers-archive# and [.filename]#/local/mail/repository-name-committers-archive# on `freefall.FreeBSD.org`.)" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:92 #, no-wrap msgid "_Core Team monthly reports_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:94 #, no-wrap msgid "[.filename]#/home/core/public/reports# on the `FreeBSD.org` cluster." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:95 #, no-wrap msgid "_Ports Management Team monthly reports_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:97 #, no-wrap msgid "[.filename]#/home/portmgr/public/monthly-reports# on the `FreeBSD.org` cluster." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:98 #, no-wrap msgid "_Noteworthy `src/` Git Branches:_" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:99 #, no-wrap msgid "`stable/n` (`n`-STABLE), `main` (-CURRENT)" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:103 #, no-wrap msgid "" "man:ssh[1] is required to connect to the project hosts. For more information,\n" "\tsee crossref:committers-guide[ssh.guide].\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:105 msgid "Useful links:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:107 msgid "link:https://www.FreeBSD.org/internal/[FreeBSD Project Internal Pages]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:108 msgid "link:https://www.FreeBSD.org/internal/machines/[FreeBSD Project Hosts]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:109 msgid "" "link:https://www.FreeBSD.org/administration/[FreeBSD Project Administrative " "Groups]" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:111 #, no-wrap msgid "OpenPGP Keys for FreeBSD" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:116 msgid "" "Cryptographic keys conforming to the OpenPGP (__Pretty Good Privacy__) " "standard are used by the FreeBSD project to authenticate committers. " "Messages carrying important information like public SSH keys can be signed " "with the OpenPGP key to prove that they are really from the committer. See " "https://nostarch.com/releases/pgp_release.pdf[PGP & GPG: Email for the " -"Practical Paranoid by Michael Lucas] and http://en.wikipedia.org/wiki/" +"Practical Paranoid by Michael Lucas] and https://en.wikipedia.org/wiki/" "Pretty_Good_Privacy[] for more information." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:118 #, no-wrap msgid "Creating a Key" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:122 msgid "" "Existing keys can be used, but should be checked with [." "filename]#documentation/tools/checkkey.sh# first. In this case, make sure " "the key has a FreeBSD user ID." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:124 msgid "" "For those who do not yet have an OpenPGP key, or need a new key to meet " "FreeBSD security requirements, here we show how to generate one." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:129 msgid "" "Install [.filename]#security/gnupg#. Enter these lines in [.filename]#~/." "gnupg/gpg.conf# to set minimum acceptable defaults for signing and new key " "preferences (see the link:https://www.gnupg.org/documentation/manuals/gnupg/" "GPG-Options.html[GnuPG options documentation] for more details):" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:136 #, no-wrap msgid "" "# Sorted list of preferred algorithms for signing (strongest to weakest).\n" "personal-digest-preferences SHA512 SHA384 SHA256 SHA224\n" "# Default preferences for new keys\n" "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 CAST5 BZIP2 ZLIB ZIP Uncompressed\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:138 msgid "Generate a key:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:145 #, no-wrap msgid "" "% gpg --full-gen-key\n" "gpg (GnuPG) 2.1.8; Copyright (C) 2015 Free Software Foundation, Inc.\n" "This is free software: you are free to change and redistribute it.\n" "There is NO WARRANTY, to the extent permitted by law.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:166 #, no-wrap msgid "" "Warning: using insecure memory!\n" "Please select what kind of key you want:\n" " (1) RSA and RSA (default)\n" " (2) DSA and Elgamal\n" " (3) DSA (sign only)\n" " (4) RSA (sign only)\n" "Your selection? 1\n" "RSA keys may be between 1024 and 4096 bits long.\n" "What keysize do you want? (2048) 2048 <.>\n" "Requested keysize is 2048 bits\n" "Please specify how long the key should be valid.\n" "\t 0 = key does not expire\n" " = key expires in n days\n" " w = key expires in n weeks\n" " m = key expires in n months\n" " y = key expires in n years\n" "Key is valid for? (0) 3y <.>\n" "Key expires at Wed Nov 4 17:20:20 2015 MST\n" "Is this correct? (y/N) y\n" "GnuPG needs to construct a user ID to identify your key.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:172 #, no-wrap msgid "" "Real name: Chucky Daemon <.>\n" "Email address: notreal@example.com\n" "Comment:\n" "You selected this USER-ID:\n" "\"Chucky Daemon \"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:175 #, no-wrap msgid "" "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o\n" "You need a Passphrase to protect your secret key.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:178 msgid "" "2048-bit keys with a three-year expiration provide adequate protection at " "present (2022-10)." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:180 msgid "" "A three year key lifespan is short enough to obsolete keys weakened by " "advancing computer power, but long enough to reduce key management problems." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:182 msgid "" "Use your real name here, preferably matching that shown on government-issued " "ID to make it easier for others to verify your identity. Text that may help " "others identify you can be entered in the `Comment` section." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:186 msgid "" "After the email address is entered, a passphrase is requested. Methods of " "creating a secure passphrase are contentious. Rather than suggest a single " "way, here are some links to sites that describe various methods: https://" "world.std.com/~reinhold/diceware.html[], https://www.iusmentis.com/security/" "passphrasefaq/[], https://xkcd.com/936/[], https://en.wikipedia.org/wiki/" "Passphrase[]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:190 msgid "" "Protect the private key and passphrase. If either the private key or " "passphrase may have been compromised or disclosed, immediately notify mailto:" "accounts@FreeBSD.org[accounts@FreeBSD.org] and revoke the key." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:193 msgid "" "Committing the new key is shown in crossref:committers-guide[commit-steps, " "Steps for New Committers]." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:195 #, no-wrap msgid "Kerberos and LDAP web Password for FreeBSD Cluster" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:200 msgid "" "The FreeBSD cluster requires a Kerberos password to access certain " "services. The Kerberos password also serves as the LDAP web password, since " "LDAP is proxying to Kerberos in the cluster. Some of the services which " "require this include:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:202 msgid "https://bugs.freebsd.org/bugzilla[Bugzilla]" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:203 msgid "https://ci.freebsd.org[Jenkins]" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:205 msgid "" "To create a new Kerberos account in the FreeBSD cluster, or to reset a " "Kerberos password for an existing account using a random password generator:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:209 #, no-wrap msgid "% ssh kpasswd.freebsd.org\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:214 msgid "This must be done from a machine outside of the FreeBSD.org cluster." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:217 msgid "" "A Kerberos password can also be set manually by logging into `freefall." "FreeBSD.org` and running:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:221 #, no-wrap msgid "% kpasswd\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:227 msgid "" "Unless the Kerberos-authenticated services of the FreeBSD.org cluster have " "been used previously, `Client unknown` will be shown. This error means that " "the `ssh kpasswd.freebsd.org` method shown above must be used first to " "initialize the Kerberos account." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:230 #, no-wrap msgid "Commit Bit Types" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:236 msgid "" "The FreeBSD repository has a number of components which, when combined, " "support the basic operating system source, documentation, third party " "application ports infrastructure, and various maintained utilities. When " "FreeBSD commit bits are allocated, the areas of the tree where the bit may " "be used are specified. Generally, the areas associated with a bit reflect " "who authorized the allocation of the commit bit. Additional areas of " "authority may be added at a later date: when this occurs, the committer " "should follow normal commit bit allocation procedures for that area of the " "tree, seeking approval from the appropriate entity and possibly getting a " "mentor for that area for some period of time." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:242 #, no-wrap msgid "__Committer Type__" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:243 #, no-wrap msgid "__Responsible__" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:245 #, no-wrap msgid "__Tree Components__" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:246 #, no-wrap msgid "src" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:247 #, no-wrap msgid "core@" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:249 #, no-wrap msgid "src/" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:250 #, no-wrap msgid "doc" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:251 #, no-wrap msgid "doceng@" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:253 #, no-wrap msgid "doc/, ports/, src/ documentation" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:254 #, no-wrap msgid "ports" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:255 #, no-wrap msgid "portmgr@" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:256 #, no-wrap msgid "ports/" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:261 msgid "" "Commit bits allocated prior to the development of the notion of areas of " "authority may be appropriate for use in many parts of the tree. However, " "common sense dictates that a committer who has not previously worked in an " "area of the tree seek review prior to committing, seek approval from the " "appropriate responsible party, and/or work with a mentor. Since the rules " "regarding code maintenance differ by area of the tree, this is as much for " "the benefit of the committer working in an area of less familiarity as it is " "for others working on the tree." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:263 msgid "" "Committers are encouraged to seek review for their work as part of the " "normal development process, regardless of the area of the tree where the " "work is occurring." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:264 #, no-wrap msgid "Policy for Committer Activity in Other Trees" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:267 msgid "" "All committers may modify [.filename]#src/share/misc/committers-*.dot#, [." "filename]#src/usr.bin/calendar/calendars/calendar.freebsd#, and [." "filename]#ports/astro/xearth/files#." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:268 msgid "" "doc committers may commit documentation changes to [.filename]#src# files, " "such as manual pages, READMEs, fortune databases, calendar files, and " "comment fixes without approval from a src committer, subject to the normal " "care and tending of commits." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:270 msgid "" "Any committer may make changes to any other tree with an \"Approved by\" " "from a non-mentored committer with the appropriate bit. Mentored committers " "can provide a \"Reviewed by\" but not an \"Approved by\"." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:271 msgid "" "Committers can acquire an additional bit by the usual process of finding a " "mentor who will propose them to core, doceng, or portmgr, as appropriate. " "When approved, they will be added to 'access' and the normal mentoring " "period will ensue, which will involve a continuing of \"Approved by\" for " "some period." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:273 #, no-wrap msgid "Documentation Implicit (Blanket) Approval" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:277 msgid "" "Some types of fixes have \"blanket approval\" from the {doceng}, allowing " "any committer to fix those categories of problems on any part of the doc " "tree. These fixes do not need approval or review from a doc committer if " "the author doesn't have a doc commit bit." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:279 msgid "Blanket approval applies to these types of fixes:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:281 msgid "Typos" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:282 msgid "Trivial fixes" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:284 msgid "" "Punctuation, URLs, dates, paths and file names with outdated or incorrect " "information, and other common mistakes that may confound the readers." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:287 msgid "" "Over the years, some implicit approvals were granted in the doc tree. This " "list shows the most common cases:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:289 msgid "" "Changes in [.filename]#documentation/content/en/books/porters-handbook/" "versions/_index.adoc#" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:291 msgid "" "extref:{porters-handbook}versions/[__FreeBSD_version Values (Porter's " "Handbook)], mainly used for src committers." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:292 msgid "Changes in [.filename]#doc/shared/contrib-additional.adoc#" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:294 msgid "" "extref:{contributors}[Additional FreeBSD Contributors, contrib-additional] " "maintenance." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:295 msgid "All link:#commit-steps[Steps for New Committers], doc related" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:296 msgid "Security advisories; Errata Notices; Releases;" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:298 msgid "Used by {security-officer} and {re}." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:299 msgid "Changes in [.filename]#website/content/en/donations/donors.adoc#" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:301 msgid "Used by {donations}." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:303 msgid "" "Before any commit, a build test is necessary; see the 'Overview' and 'The " "FreeBSD Documentation Build Process' sections of the extref:{fdp-primer}" "[FreeBSD Documentation Project Primer for New Contributors] for more details." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:305 #, no-wrap msgid "Git Primer" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:308 #, no-wrap msgid "Git basics" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:315 msgid "" "When one searches for \"Git Primer\" a number of good ones come up. Daniel " "Miessler's link:https://danielmiessler.com/study/git/[A git primer] and " "Willie Willus' link:https://gist.github.com/" "williewillus/068e9a8543de3a7ef80adb2938657b6b[Git - Quick Primer] are both " "good overviews. The Git book is also complete, but much longer https://git-" "scm.com/book/en/v2. There is also this website https://dangitgit.com/ for " "common traps and pitfalls of Git, in case you need guidance to fix things " "up. Finally, an introduction link:https://eagain.net/articles/git-for-" "computer-scientists/[targeted at computer scientists] has proven helpful to " "some at explaining the Git world view." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:317 msgid "" "This document will assume that you've read through it and will try not to " "belabor the basics (though it will cover them briefly)." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:319 #, no-wrap msgid "Git Mini Primer" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:322 msgid "" "This primer is less ambitiously scoped than the old Subversion Primer, but " "should cover the basics." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:323 #, no-wrap msgid "Scope" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:329 msgid "" "If you want to download FreeBSD, compile it from sources, and generally keep " "up to date that way, this primer is for you. It covers getting the sources, " "updating the sources, bisecting and touches briefly on how to cope with a " "few local changes. It covers the basics, and tries to give good pointers to " "more in-depth treatment for when the reader finds the basics insufficient. " "Other sections of this guide cover more advanced topics related to " "contributing to the project." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:333 msgid "" "The goal of this section is to highlight those bits of Git needed to track " "sources. They assume a basic understanding of Git. There are many primers " "for Git on the web, but the https://git-scm.com/book/en/v2[Git Book] " "provides one of the better treatments." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:335 #, no-wrap msgid "Getting Started For Developers" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:338 msgid "" "This section describes the read-write access for committers to push the " "commits from developers or contributors." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:340 #, no-wrap msgid "Daily use" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:345 msgid "" "In the examples below, replace `${repo}` with the name of the desired " "FreeBSD repository: `doc`, `ports`, or `src`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:348 msgid "Clone the repository:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:352 #, no-wrap msgid "% git clone -o freebsd --config remote.freebsd.fetch='+refs/notes/*:refs/notes/*' https://git.freebsd.org/${repo}.git\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:355 msgid "Then you should have the official mirrors as your remote:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:361 #, no-wrap msgid "" "% git remote -v\n" "freebsd https://git.freebsd.org/${repo}.git (fetch)\n" "freebsd https://git.freebsd.org/${repo}.git (push)\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:364 msgid "Configure the FreeBSD committer data:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:367 msgid "" "The commit hook in repo.freebsd.org checks the \"Commit\" field matches the " "committer's information in FreeBSD.org. The easiest way to get the " "suggested config is by executing `/usr/local/bin/gen-gitconfig.sh` script on " "freefall:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:374 #, no-wrap msgid "" "% gen-gitconfig.sh\n" "[...]\n" "% git config user.name (your name in gecos)\n" "% git config user.email (your login)@FreeBSD.org\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:377 msgid "Set the push URL:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:381 #, no-wrap msgid "% git remote set-url --push freebsd git@gitrepo.freebsd.org:${repo}.git\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:384 msgid "" "Then you should have separated fetch and push URLs as the most efficient " "setup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:390 #, no-wrap msgid "" "% git remote -v\n" "freebsd https://git.freebsd.org/${repo}.git (fetch)\n" "freebsd git@gitrepo.freebsd.org:${repo}.git (push)\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:393 msgid "" "Again, note that `gitrepo.freebsd.org` has been canonicalized to `repo." "freebsd.org`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:395 msgid "Install commit message template hook:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:397 msgid "For doc repository:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:402 #, no-wrap msgid "" "% cd .git/hooks\n" "% ln -s ../../.hooks/prepare-commit-msg\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:405 msgid "For ports repository:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:409 #, no-wrap msgid "% git config --add core.hooksPath .hooks\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:412 msgid "For src repository:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:417 #, no-wrap msgid "" "% cd .git/hooks\n" "% ln -s ../../tools/tools/git/hooks/prepare-commit-msg\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:420 #, no-wrap msgid "\"admin\" branch" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:423 msgid "" "The `access` and `mentors` files are stored in an orphan branch, `internal/" "admin`, in each repository." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:425 msgid "" "Following example is how to check out the `internal/admin` branch to a local " "branch named `admin`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:431 #, no-wrap msgid "" "% git config --add remote.freebsd.fetch '+refs/internal/*:refs/internal/*'\n" "% git fetch\n" "% git checkout -b admin internal/admin\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:433 msgid "Alternatively, you can add a worktree for the `admin` branch:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:437 #, no-wrap msgid "git worktree add -b admin ../${repo}-admin internal/admin\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:441 msgid "" "For browsing `internal/admin` branch on web: `https://cgit.freebsd.org/" "${repo}/log/?h=internal/admin`" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:443 msgid "For pushing, specify the full refspec:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:447 #, no-wrap msgid "git push freebsd HEAD:refs/internal/admin\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:449 #, no-wrap msgid "Keeping Current With The FreeBSD src Tree" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:456 msgid "" "First step: cloning a tree. This downloads the entire tree. There are two " "ways to download. Most people will want to do a deep clone of the " "repository. However, there are times when you may wish to do a shallow " "clone." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:457 #, no-wrap msgid "Branch Names" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:459 msgid "FreeBSD-CURRENT uses the `main` branch." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:461 msgid "`main` is the default branch." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:463 msgid "For FreeBSD-STABLE, branch names include `stable/12` and `stable/13`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:465 msgid "" "For FreeBSD-RELEASE, release engineering branch names include `releng/12.4` " "and `releng/13.2`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:467 msgid "https://www.freebsd.org/releng/[] shows:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:469 msgid "`main` and `stable/⋯` branches open" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:470 msgid "`releng/⋯` branches, each of which is frozen when a release is tagged." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:472 msgid "Examples:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:474 msgid "" "tag https://cgit.freebsd.org/src/tag/?h=release/13.1.0[release/13.1.0] on " "the https://cgit.freebsd.org/src/log/?h=releng/13.1[releng/13.1] branch" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:475 msgid "" "tag https://cgit.freebsd.org/src/tag/?h=release/13.2.0[release/13.2.0] on " "the https://cgit.freebsd.org/src/log/?h=releng/13.2[releng/13.2] branch." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:476 #, no-wrap msgid "Repositories" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:479 msgid "" "Please see the crossref:committers-guide[admin,Administrative Details] for " "the latest information on where to get FreeBSD sources. $URL below can be " "obtained from that page." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:482 msgid "" "Note: The project doesn't use submodules as they are a poor fit for our " "workflows and development model. How we track changes in third-party " "applications is discussed elsewhere and generally of little concern to the " "casual user." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:483 #, no-wrap msgid "Deep Clone" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:487 msgid "" "A deep clone pulls in the entire tree, as well as all the history and " "branches. It is the easiest to do. It also allows you to use Git's " "worktree feature to have all your active branches checked out into separate " "directories but with only one copy of the repository." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:490 #, no-wrap msgid "% git clone -o freebsd $URL -b branch []\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:495 msgid "" "will create a deep clone. `branch` should be one of the branches listed in " "the previous section. If no `branch` is given: the default (`main`) will be " "used. If no `` is given: the name of the new directory will " "match the name of the repo ([.filename]#doc#, [.filename]#ports# or [." "filename]#src#)." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:500 msgid "" "You will want a deep clone if you are interested in the history, plan on " "making local changes, or plan on working on more than one branch. It is the " "easiest to keep up to date as well. If you are interested in the history, " "but are working with only one branch and are short on space, you can also " "use --single-branch to only download the one branch (though some merge " "commits will not reference the merged-from branch which may be important for " "some users who are interested in detailed versions of history)." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:501 #, no-wrap msgid "Shallow Clone" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:507 msgid "" "A shallow clone copies just the most current code, but none or little of the " "history. This can be useful when you need to build a specific revision of " "FreeBSD, or when you are just starting out and plan to track the tree more " "fully. You can also use it to limit history to only so many revisions. " "However, see below for a significant limitation of this approach." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:511 #, no-wrap msgid "% git clone -o freebsd -b branch --depth 1 $URL [dir]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:516 msgid "" "This clones the repository, but only has the most recent version in the " "repository. The rest of the history is not downloaded. Should you change " "your mind later, you can do `git fetch --unshallow` to get the old history." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:521 msgid "" "When you make a shallow clone, you will lose the commit count in your uname " "output. This can make it more difficult to determine if your system needs " "to be updated when a security advisory is issued." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:523 #, no-wrap msgid "Building" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:527 msgid "" "Once you've downloaded, building is done as described in the handbook, e.g.:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:534 #, no-wrap msgid "" "% cd src\n" "% make buildworld\n" "% make buildkernel\n" "% make installkernel\n" "% make installworld\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:536 msgid "so that won't be covered in depth here." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:539 msgid "" "If you want to build a custom kernel, extref:{handbook}[the kernel config " "section, kernelconfig] of the FreeBSD Handbook recommends creating a file " "MYKERNEL under sys/${ARCH}/conf with your changes against GENERIC. To have " "MYKERNEL disregarded by Git, it can be added to .git/info/exclude." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:540 #, no-wrap msgid "Updating" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:544 msgid "" "To update both types of trees uses the same commands. This pulls in all the " "revisions since your last update." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:547 #, no-wrap msgid "% git pull --ff-only\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:552 msgid "" "will update the tree. In Git, a 'fast forward' merge is one that only needs " "to set a new branch pointer and doesn't need to re-create the commits. By " "always doing a fast forward merge/pull, you'll ensure that you have an exact " "copy of the FreeBSD tree. This will be important if you want to maintain " "local patches." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:555 msgid "" "See below for how to manage local changes. The simplest is to use `--" "autostash` on the `git pull` command, but more sophisticated options are " "available." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:556 #, no-wrap msgid "Selecting a Specific Version" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:560 msgid "" "In Git, `git checkout` checks out both branches and specific versions. " "Git's versions are the long hashes rather than a sequential number." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:562 msgid "" "When you checkout a specific version, just specify the hash you want on the " "command line (the git log command can help you decide which hash you might " "want):" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:565 #, no-wrap msgid "% git checkout 08b8197a74\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:568 msgid "" "and you have that checked out. You will be greeted with a message similar " "to the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:571 #, no-wrap msgid "Note: checking out '08b8197a742a96964d2924391bf9fdfeb788865d'.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:575 #, no-wrap msgid "" "You are in a 'detached HEAD' state. You can look around, make experimental\n" "changes and commit them, and you can discard any commits you make in this\n" "state without impacting any branches by performing another checkout.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:578 #, no-wrap msgid "" "If you want to create a new branch to retain commits you create, you may\n" "do so (now or later) by using -b with the checkout command again. Example:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:580 #: documentation/content/en/articles/committers-guide/_index.adoc:1737 #, no-wrap msgid " git checkout -b \n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:582 #, no-wrap msgid "HEAD is now at 08b8197a742a hook gpiokeys.4 to the build\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:586 msgid "" "where the last line is generated from the hash you are checking out and the " "first line of the commit message from that revision. The hash can be " "abbreviated to the shortest unique length. Git itself is inconsistent about " "how many digits it displays." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:587 #, no-wrap msgid "Bisecting" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:591 msgid "" "Sometimes, things go wrong. The last version worked, but the one you just " "updated to does not. A developer may ask you to bisect the problem to track " "down which commit caused the regression." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:596 msgid "" "Git makes bisecting changes easy with a powerful `git bisect` command. " "Here's a brief outline of how to use it. For more information, you can view " "https://www.metaltoad.com/blog/beginners-guide-git-bisect-process-" "elimination or https://git-scm.com/docs/git-bisect for more details. The " "man git-bisect page is good at describing what can go wrong, what to do when " "versions won't build, when you want to use terms other than 'good' and " "'bad', etc, none of which will be covered here." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:603 msgid "" "`git bisect start --first-parent` will start the bisection process. Next, " "you need to tell a range to go through. `git bisect good XXXXXX` will tell " "it the working version and `git bisect bad XXXXX` will tell it the bad " "version. The bad version will almost always be HEAD (a special tag for what " "you have checked out). The good version will be the last one you checked " "out. The `--first-parent` argument is necessary so that subsequent `git " "bisect` commands do not try to check out a vendor branch which lacks the " "full FreeBSD source tree." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:607 msgid "" "If you want to know the last version you checked out, you should use `git " "reflog`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:612 #, no-wrap msgid "" "5ef0bd68b515 (HEAD -> main, freebsd/main, freebsd/HEAD) HEAD@{0}: pull --ff-only: Fast-forward\n" "a8163e165c5b (upstream/main) HEAD@{1}: checkout: moving from b6fb97efb682994f59b21fe4efb3fcfc0e5b9eeb to main\n" "...\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:616 msgid "" "shows me moving the working tree to the `main` branch (a816...) and then " "updating from upstream (to 5ef0...). In this case, bad would be HEAD (or " "5ef0bd68b515) and good would be a8163e165c5b. As you can see from the " "output, HEAD@{1} also often works, but isn't foolproof if you have done " "other things to your Git tree after updating, but before you discover the " "need to bisect." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:620 msgid "" "Set the 'good' version first, then set the bad (though the order doesn't " "matter). When you set the bad version, it will give you some statistics on " "the process:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:627 #, no-wrap msgid "" "% git bisect start --first-parent\n" "% git bisect good a8163e165c5b\n" "% git bisect bad HEAD\n" "Bisecting: 1722 revisions left to test after this (roughly 11 steps)\n" "[c427b3158fd8225f6afc09e7e6f62326f9e4de7e] Fixup r361997 by balancing parens. Duh.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:636 msgid "" "You would then build/install that version. If it's good you'd type `git " "bisect good` otherwise `git bisect bad`. If the version doesn't compile, " "type `git bisect skip`. You will get a similar message to the above after " "each step. When you are done, report the bad version to the developer (or " "fix the bug yourself and send a patch). `git bisect reset` will end the " "process and return you back to where you started (usually tip of `main`). " "Again, the git-bisect manual (linked above) is a good resource for when " "things go wrong or for unusual cases." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:638 #, no-wrap msgid "Signing the commits, tags, and pushes, with GnuPG" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:643 msgid "" "Git knows how to sign commits, tags, and pushes. When you sign a Git commit " "or a tag, you can prove that the code you submitted came from you and wasn't " "altered while you were transferring it. You also can prove that you " "submitted the code and not someone else." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:645 msgid "" "A more in-depth documentation on signing commits and tags can be found in " "the https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work[Git Tools - " "Signing Your Work] chapter of the Git's book." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:647 msgid "" "The rationale behind signing pushes can be found in the https://github.com/" "git/git/commit/a85b377d0419a9dfaca8af2320cc33b051cbed04[commit that " "introduced the feature]." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:650 msgid "" "The best way is to simply tell Git you always want to sign commits, tags, " "and pushes. You can do this by setting a few configuration variables:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:657 #, no-wrap msgid "" "% git config --add user.signingKey LONG-KEY-ID\n" "% git config --add commit.gpgSign true\n" "% git config --add tag.gpgSign true\n" "% git config --add push.gpgSign if-asked\n" msgstr "" #. push.gpgSign should probably be set to `yes` once we enable it, or be set with --global, so that it is enabled for all repositories. #. type: delimited block = 6 #: documentation/content/en/articles/committers-guide/_index.adoc:665 msgid "" "To avoid possible collisions, make sure you give a long key id to Git. You " "can get the long id with: `gpg --list-secret-keys --keyid-format LONG`." msgstr "" #. type: delimited block = 6 #: documentation/content/en/articles/committers-guide/_index.adoc:671 msgid "" "To use specific subkeys, and not have GnuPG to resolve the subkey to a " "primary key, attach `!` to the key. For example, to encrypt for the subkey " "`DEADBEEF`, use `DEADBEEF!`." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:673 #, no-wrap msgid "Verifying signatures" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:676 msgid "" "Commit signatures can be verified by running either `git verify-commit " "`, or `git log --show-signature`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:678 msgid "" "Tag signatures can be verified with `git verify-tag `, or `git tag " "-v `." msgstr "" # # #. Commented out for now until we decide what to do. #. Git pushes are a bit different, they live in a special ref in the repository. #. TODO: write how to verify them #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:687 #, no-wrap msgid "Ports Considerations" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:690 msgid "" "The ports tree operates the same way. The branch names are different and " "the repositories are in different locations." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:693 msgid "" "The cgit repository web interface for use with web browsers is at https://" "cgit.FreeBSD.org/ports/ . The production Git repository is at https://git." "FreeBSD.org/ports.git and at ssh://anongit@git.FreeBSD.org/ports.git (or " "anongit@git.FreeBSD.org:ports.git)." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:697 msgid "" "There is also a mirror on GitHub, see extref:{handbook}/mirrors[External " "mirrors, mirrors] for an overview. The _latest_ branch is `main`. The " "_quarterly_ branches are named `yyyyQn` for year 'yyyy' and quarter 'n'." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:699 #, no-wrap msgid "Commit message formats" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:703 msgid "" "A hook is available in the ports repository to help you write up your commit " "messages in https://cgit.freebsd.org/ports/tree/.hooks/prepare-commit-msg[." "hooks/prepare-commit-message]. It can be enabled by running ``git config --" "add core.hooksPath .hooks``." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:705 msgid "" "The main point being that a commit message should be formatted in the " "following way:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:708 #, no-wrap msgid "category/port: Summary.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:710 #, no-wrap msgid "Description of why the changes where made.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:712 #, no-wrap msgid "PR:\t 12345\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:718 msgid "" "The first line is the subject of the commit, it contains what port was " "changed, and a summary of the commit. It should contain 50 characters or " "less." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:720 msgid "A blank line should separate it from the rest of the commit message." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:722 msgid "" "The rest of the commit message should be wrapped at the 72 characters " "boundary." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:724 msgid "" "Another blank line should be added if there are any metadata fields, so that " "they are easily distinguishable from the commit message." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:726 #, no-wrap msgid "Managing Local Changes" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:729 msgid "" "This section addresses tracking local changes. If you have no local changes " "you can skip this section." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:735 msgid "" "One item that is important for all of them: all changes are local until " "pushed. Unlike Subversion, Git uses a distributed model. For users, for " "most things, there is very little difference. However, if you have local " "changes, you can use the same tool to manage them as you use to pull in " "changes from FreeBSD. All changes that you have not pushed are local and " "can easily be modified (git rebase, discussed below does this)." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:736 #, no-wrap msgid "Keeping local changes" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:743 msgid "" "The simplest way to keep local changes (especially trivial ones) is to use " "`git stash`. In its simplest form, you use `git stash` to record the " "changes (which pushes them onto the stash stack). Most people use this to " "save changes before updating the tree as described above. They then use " "`git stash apply` to re-apply them to the tree. The stash is a stack of " "changes that can be examined with `git stash list`. The git-stash man page " "(https://git-scm.com/docs/git-stash) has all the details." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:747 msgid "" "This method is suitable when you have tiny tweaks to the tree. When you " "have anything non trivial, you'll likely be better off keeping a local " "branch and rebasing. Stashing is also integrated with the `git pull` " "command: just add `--autostash` to the command line." msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:748 #, no-wrap msgid "Keeping a local branch" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:755 msgid "" "It is much easier to keep a local branch with Git than Subversion. In " "Subversion you need to merge the commit, and resolve the conflicts. This is " "manageable, but can lead to a convoluted history that's hard to upstream " "should that ever be necessary, or hard to replicate if you need to do so. " "Git also allows one to merge, along with the same problems. That's one way " "to manage the branch, but it's the least flexible." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:759 msgid "" "In addition to merging, Git supports the concept of 'rebasing' which avoids " "these issues. The `git rebase` command replays all the commits of a branch " "at a newer location on the parent branch. We will cover the most common " "scenarios that arise using it." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:761 msgid "====== Create a branch" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:766 msgid "" "Let's say you want to make a change to FreeBSD's ls command to never, ever " "do color. There are many reasons to do this, but this example will use that " "as a baseline. The FreeBSD ls command changes from time to time, and you'll " "need to cope with those changes. Fortunately, with Git rebase it usually is " "automatic." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:788 #, no-wrap msgid "" "% cd src\n" "% git checkout main\n" "% git checkout -b no-color-ls\n" "% cd bin/ls\n" "% vi ls.c # hack the changes in\n" "% git diff # check the changes\n" "diff --git a/bin/ls/ls.c b/bin/ls/ls.c\n" "index 7378268867ef..cfc3f4342531 100644\n" "--- a/bin/ls/ls.c\n" "+++ b/bin/ls/ls.c\n" "@@ -66,6 +66,7 @@ __FBSDID(\"$FreeBSD$\");\n" " #include \n" " #include \n" " #include \n" "+#undef COLORLS\n" " #ifdef COLORLS\n" " #include \n" " #include \n" "% # these look good, make the commit...\n" "% git commit ls.c\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:795 msgid "" "The commit will pop you into an editor to describe what you've done. Once " "you enter that, you have your own **local** branch in the Git repo. Build " "and install it like you normally would, following the directions in the " "handbook. Git differs from other version control systems in that you have " "to tell it explicitly which files to commit. I have opted to do it on the " "commit command line, but you can also do it with `git add` which many of the " "more in depth tutorials cover." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:797 msgid "====== Time to update" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:802 msgid "" "When it is time to bring in a new version, it is almost the same as w/o the " "branches. You would update like you would above, but there is one extra " "command before you update, and one after. The following assumes you are " "starting with an unmodified tree. It is important to start rebasing " "operations with a clean tree (Git requires this)." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:808 #, no-wrap msgid "" "% git checkout main\n" "% git pull --ff-only\n" "% git rebase -i main no-color-ls\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:813 msgid "" "This will bring up an editor that lists all the commits in it. For this " "example, do not change it at all. This is typically what you are doing " "while updating the baseline (though you also use the Git rebase command to " "curate the commits you have in the branch)." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:815 msgid "" "Once you are done with the above, you have to move the commits to ls.c " "forward from the old version of FreeBSD to the newer one." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:822 msgid "" "Sometimes there are merge conflicts. That is OK. Do not panic. Instead, " "handle them the same as any other merge conflicts. To keep it simple, I " "will just describe a common issue that may arise. A pointer to a complete " "treatment can be found at the end of this section." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:825 msgid "" "Let's say the includes changes upstream in a radical shift to terminfo as " "well as a name change for the option. When you updated, you might see " "something like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:835 #, no-wrap msgid "" "Auto-merging bin/ls/ls.c\n" "CONFLICT (content): Merge conflict in bin/ls/ls.c\n" "error: could not apply 646e0f9cda11... no color ls\n" "Resolve all conflicts manually, mark them as resolved with\n" "\"git add/rm \", then run \"git rebase --continue\".\n" "You can instead skip this commit: run \"git rebase --skip\".\n" "To abort and get back to the state before \"git rebase\", run \"git rebase --abort\".\n" "Could not apply 646e0f9cda11... no color ls\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:838 msgid "" "which looks scary. If you bring up an editor, you will see it is a typical " "3-way merge conflict resolution that you may be familiar with from other " "source code systems (the rest of ls.c has been omitted):" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:847 #, no-wrap msgid "" " <<<<<<< HEAD\n" " #ifdef COLORLS_NEW\n" " #include \n" " =======\n" " #undef COLORLS\n" " #ifdef COLORLS\n" " #include \n" " >>>>>>> 646e0f9cda11... no color ls\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:851 #, no-wrap msgid "" "The new code is first, and your code is second.\n" "The right fix here is to just add a #undef COLORLS_NEW before #ifdef and then delete the old changes:\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:855 msgid "#undef COLORLS_NEW #ifdef COLORLS_NEW #include " msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:859 #, no-wrap msgid "" "save the file.\n" "The rebase was interrupted, so you have to complete it:\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:862 msgid "% git add ls.c % git rebase --continue" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:867 #, no-wrap msgid "" "which tells Git that ls.c has been fixed and to continue the rebase operation.\n" "Since there was a conflict, you will get kicked into the editor to update the commit message if necessary.\n" "If the commit message is still accurate, just exit the editor.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:872 #, no-wrap msgid "" "If you get stuck during the rebase, do not panic.\n" "git rebase --abort will take you back to a clean slate.\n" "It is important, though, to start with an unmodified tree.\n" "An aside: The above mentioned `git reflog` comes in handy here, as it will have a list of all the (intermediate) commits that you can view or inspect or cherry-pick.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:875 #, no-wrap msgid "" "For more on this topic, https://www.freecodecamp.org/news/the-ultimate-guide-to-git-merge-and-git-rebase/ provides a rather extensive treatment.\n" "It is a good resource for issues that arise occasionally but are too obscure for this guide.\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:876 #, no-wrap msgid "Switching to a Different FreeBSD Branch" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:880 msgid "" "If you wish to shift from stable/12 to the current branch. If you have a " "deep clone, the following will suffice: [source,shell]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:883 msgid "% git checkout main % # build and install here..." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:889 #, no-wrap msgid "" "If you have a local branch, though, there are one or two caveats.\n" "First, rebase will rewrite history, so you will likely want to do something to save it.\n" "Second, jumping branches tends to cause more conflicts.\n" "If we pretend the example above was relative to stable/12, then to move to `main`, I'd suggest the following:\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:893 #, no-wrap msgid "" "% git checkout no-color-ls\n" "% git checkout -b no-color-ls-stable-12 # create another name for this branch\n" "% git rebase -i stable/12 no-color-ls --onto main\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:900 #, no-wrap msgid "" "What the above does is checkout no-color-ls.\n" "Then create a new name for it (no-color-ls-stable-12) in case you need to get back to it.\n" "Then you rebase onto the `main` branch.\n" "This will find all the commits to the current no-color-ls branch (back to where it meets up with the stable/12 branch) and then it will\n" "replay them onto the `main` branch creating a new no-color-ls branch there (which is why I had you create a place holder name).\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:902 #, no-wrap msgid "[[mfc-with-git]]\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:902 #, no-wrap msgid "MFC (Merge From Current) Procedures" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:903 #, no-wrap msgid "Summary" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:907 msgid "" "MFC workflow can be summarized as `git cherry-pick -x` plus `git commit --" "amend` to adjust the commit message. For multiple commits, use `git rebase -" "i` to squash them together and edit the commit message." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:908 #, no-wrap msgid "Single commit MFC" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:911 #: documentation/content/en/articles/committers-guide/_index.adoc:951 #: documentation/content/en/articles/committers-guide/_index.adoc:987 #: documentation/content/en/articles/committers-guide/_index.adoc:1103 #: documentation/content/en/articles/committers-guide/_index.adoc:1116 #: documentation/content/en/articles/committers-guide/_index.adoc:1159 #: documentation/content/en/articles/committers-guide/_index.adoc:1177 #: documentation/content/en/articles/committers-guide/_index.adoc:1269 #: documentation/content/en/articles/committers-guide/_index.adoc:1287 #: documentation/content/en/articles/committers-guide/_index.adoc:1309 #: documentation/content/en/articles/committers-guide/_index.adoc:1327 #: documentation/content/en/articles/committers-guide/_index.adoc:1348 #: documentation/content/en/articles/committers-guide/_index.adoc:1363 #: documentation/content/en/articles/committers-guide/_index.adoc:1382 #: documentation/content/en/articles/committers-guide/_index.adoc:1414 #: documentation/content/en/articles/committers-guide/_index.adoc:1461 #: documentation/content/en/articles/committers-guide/_index.adoc:1525 msgid "[source,shell]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:914 msgid "% git checkout stable/X % git cherry-pick -x $HASH --edit" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:918 #, no-wrap msgid "" "For MFC commits, for example a vendor import, you would need to specify one parent for cherry-pick purposes.\n" "Normally, that would be the \"first parent\" of the branch you are cherry-picking from, so:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:920 #: documentation/content/en/articles/committers-guide/_index.adoc:941 #: documentation/content/en/articles/committers-guide/_index.adoc:964 #: documentation/content/en/articles/committers-guide/_index.adoc:975 #: documentation/content/en/articles/committers-guide/_index.adoc:1241 #: documentation/content/en/articles/committers-guide/_index.adoc:1335 #: documentation/content/en/articles/committers-guide/_index.adoc:1421 #: documentation/content/en/articles/committers-guide/_index.adoc:1433 #: documentation/content/en/articles/committers-guide/_index.adoc:1445 #: documentation/content/en/articles/committers-guide/_index.adoc:1471 #: documentation/content/en/articles/committers-guide/_index.adoc:1483 #: documentation/content/en/articles/committers-guide/_index.adoc:1490 #: documentation/content/en/articles/committers-guide/_index.adoc:1532 #: documentation/content/en/articles/committers-guide/_index.adoc:1566 #: documentation/content/en/articles/committers-guide/_index.adoc:1573 #: documentation/content/en/articles/committers-guide/_index.adoc:1582 #: documentation/content/en/articles/committers-guide/_index.adoc:1611 #: documentation/content/en/articles/committers-guide/_index.adoc:1627 #: documentation/content/en/articles/committers-guide/_index.adoc:1660 #: documentation/content/en/articles/committers-guide/_index.adoc:1681 #: documentation/content/en/articles/committers-guide/_index.adoc:1712 #: documentation/content/en/articles/committers-guide/_index.adoc:1724 #: documentation/content/en/articles/committers-guide/_index.adoc:1755 #: documentation/content/en/articles/committers-guide/_index.adoc:1764 #: documentation/content/en/articles/committers-guide/_index.adoc:1774 #: documentation/content/en/articles/committers-guide/_index.adoc:1790 #: documentation/content/en/articles/committers-guide/_index.adoc:1806 #: documentation/content/en/articles/committers-guide/_index.adoc:1817 #: documentation/content/en/articles/committers-guide/_index.adoc:1824 #: documentation/content/en/articles/committers-guide/_index.adoc:1837 #: documentation/content/en/articles/committers-guide/_index.adoc:1857 #: documentation/content/en/articles/committers-guide/_index.adoc:1871 #: documentation/content/en/articles/committers-guide/_index.adoc:1887 #: documentation/content/en/articles/committers-guide/_index.adoc:1899 #: documentation/content/en/articles/committers-guide/_index.adoc:1918 #: documentation/content/en/articles/committers-guide/_index.adoc:1929 #: documentation/content/en/articles/committers-guide/_index.adoc:1939 #: documentation/content/en/articles/committers-guide/_index.adoc:1979 #: documentation/content/en/articles/committers-guide/_index.adoc:1987 #: documentation/content/en/articles/committers-guide/_index.adoc:1998 #: documentation/content/en/articles/committers-guide/_index.adoc:2019 #: documentation/content/en/articles/committers-guide/_index.adoc:2080 #, no-wrap msgid "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:923 msgid "% git checkout stable/X % git cherry-pick -x $HASH -m 1 --edit" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:926 #, no-wrap msgid "If things go wrong, you'll either need to abort the cherry-pick with `git cherry-pick --abort` or fix it up and do a `git cherry-pick --continue`.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:929 #, no-wrap msgid "" "Once the cherry-pick is finished, push with `git push`.\n" "If you get an error due to losing the commit race, use `git pull --rebase` and try to push again.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:930 #, no-wrap msgid "MFC to RELENG branch" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:934 msgid "" "MFCs to branches that require approval require a bit more care. The process " "is the same for either a typical merge or an exceptional direct commit." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:939 #, no-wrap msgid "" "* Merge or direct commit to the appropriate `stable/X` branch first before merging to the `releng/X.Y` branch.\n" "* Use the hash that's in the `stable/X` branch for the MFC to `releng/X.Y` branch.\n" "* Leave both \"cherry picked from\" lines in the commit message.\n" "* Be sure to add the `Approved by:` line when you are in the editor.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:944 msgid "% git checkout releng/13.0 % git cherry-pick -x $HASH --edit" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:947 #, no-wrap msgid "If you forget to to add the `Approved by:` line, you can do a `git commit --amend` to edit the commit message before you push the change.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:948 #, no-wrap msgid "Multiple commit MFC" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:959 msgid "" "% git checkout -b tmp-branch stable/X % for h in $HASH_LIST; do git cherry-" "pick -x $h; done % git rebase -i stable/X # mark each of the commits after " "the first as 'squash' # Update the commit message to reflect all elements of " "commit, if necessary. # Be sure to retain the \"cherry picked from\" " "lines. % git push freebsd HEAD:stable/X" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:962 #, no-wrap msgid "If the push fails due to losing the commit race, rebase and try again:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:970 msgid "" "% git checkout stable/X % git pull % git checkout tmp-branch % git rebase " "stable/X % git push freebsd HEAD:stable/X" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:973 #, no-wrap msgid "Once the MFC is complete, you can delete the temporary branch:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:978 msgid "% git checkout stable/X % git branch -d tmp-branch" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:980 #, no-wrap msgid "MFC a vendor import" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:985 msgid "" "Vendor imports are the only thing in the tree that creates a merge commit in " "the `main` branch. Cherry picking merge commits into stable/XX presents an " "additional difficulty because there are two parents for a merge commit. " "Generally, you'll want the first parent's diff since that's the diff to " "`main` (though there may be some exceptions)." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:989 msgid "% git cherry-pick -x -m 1 $HASH" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:992 #, no-wrap msgid "" "is typically what you want.\n" "This will tell cherry-pick to apply the correct diff.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:997 #, no-wrap msgid "" "There are some, hopefully, rare cases where it's possible that the `main` branch was merged backwards by the conversion script.\n" "Should that be the case (and we've not found any yet), you'd change the above to `-m 2` to pickup the proper parent.\n" "Just do:\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1000 msgid "% git cherry-pick --abort % git cherry-pick -x -m 2 $HASH" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1002 #, no-wrap msgid "to do that. The `--abort` will cleanup the failed first attempt.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1003 #, no-wrap msgid "Redoing a MFC" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1008 msgid "" "If you do a MFC, and it goes horribly wrong and you want to start over, then " "the easiest way is to use `git reset --hard` like so: [source,shell]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1010 msgid "% git reset --hard freebsd/stable/12" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1013 #, no-wrap msgid "" "though if you have some revs you want to keep, and others you don't,\n" "using `git rebase -i` is better.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1014 #, no-wrap msgid "Considerations when MFCing" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1017 msgid "" "When committing source commits to stable and releng branches, we have the " "following goals:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1021 #, no-wrap msgid "" "* Clearly mark direct commits distinct from commits that land a change from another branch.\n" "* Avoid introducing known breakage into stable and releng branches.\n" "* Allow developers to determine which changes have or have not been landed from one branch to another.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1023 #, no-wrap msgid "With Subversion, we used the following practices to achieve these goals:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1027 #, no-wrap msgid "" "* Using `MFC` and `MFS` tags to mark commits that merged changes from another branch.\n" "* Squashing fixup commits into the main commit when merging a change.\n" "* Recording mergeinfo so that `svn mergeinfo --show-revs` worked.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1031 #, no-wrap msgid "" "With Git, we will need to use different strategies to achieve the same goals.\n" "This document aims to define best practices when merging source commits using Git that achieve these goals.\n" "In general, we aim to use Git's native support to achieve these goals rather than enforcing practices built on Subversion's model.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1034 #, no-wrap msgid "" "One general note: due to technical differences with Git, we will not be using Git \"merge commits\" (created via `git merge`) in stable or releng branches.\n" "Instead, when this document refers to \"merge commits\", it means a commit originally made to `main` that is replicated or \"landed\" to a stable branch, or a commit from a stable branch that is replicated to a releng branch with some variation of `git cherry-pick`.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1035 #, no-wrap msgid "Finding Eligible Hashes to MFC" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1041 msgid "" "Git provides some built-in support for this via the `git cherry` and `git " "log --cherry` commands. These commands compare the raw diffs of commits " "(but not other metadata such as log messages) to determine if two commits " "are identical. This works well when each commit from `main` is landed as a " "single commit to a stable branch, but it falls over if multiple commits from " "`main` are squashed together as a single commit to a stable branch. The " "project makes extensive use of `git cherry-pick -x` with all lines preserved " "to work around these difficulties and is working on automated tooling to " "take advantage of this." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1042 #, no-wrap msgid "Commit message standards" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1043 #, no-wrap msgid "Marking MFCs" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1046 msgid "The project has adopted the following practice for marking MFCs:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1048 #, no-wrap msgid "* Use the `-x` flag with `git cherry-pick`. This adds a line to the commit message that includes the hash of the original commit when merging. Since it is added by Git directly, committers do not have to manually edit the commit log when merging.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1050 #, no-wrap msgid "When merging multiple commits, keep all the \"cherry picked from\" lines.\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1051 #, no-wrap msgid "Trim Metadata?" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1055 msgid "" "One area that was not clearly documented with Subversion (or even CVS) is " "how to format metadata in log messages for MFC commits. Should it include " "the metadata from the original commit unchanged, or should it be altered to " "reflect information about the MFC commit itself?" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1064 msgid "" "Historical practice has varied, though some of the variance is by field. " "For example, MFCs that are relevant to a PR generally include the PR field " "in the MFC so that MFC commits are included in the bug tracker's audit " "trail. Other fields are less clear. For example, Phabricator shows the " "diff of the last commit tagged to a review, so including Phabricator URLs " "replaces the main commit with the landed commits. The list of reviewers is " "also not clear. If a reviewer has approved a change to `main`, does that " "mean they have approved the MFC commit? Is that true if it's identical code " "only, or with merely trivial rework? It's clearly not true for more " "extensive reworks. Even for identical code what if the commit doesn't " "conflict but introduces an ABI change? A reviewer may have ok'd a commit for " "`main` due to the ABI breakage but may not approve of merging the same " "commit as-is. One will have to use one's best judgment until clear " "guidelines can be agreed upon." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1068 msgid "" "For MFCs regulated by re@, new metadata fields are added, such as the " "Approved by tag for approved commits. This new metadata will have to be " "added via `git commit --amend` or similar after the original commit has been " "reviewed and approved. We may also want to reserve some metadata fields in " "MFC commits such as Phabricator URLs for use by re@ in the future." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1071 msgid "" "Preserving existing metadata provides a very simple workflow. Developers " "use `git cherry-pick -x` without having to edit the log message." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1074 msgid "" "If instead we choose to adjust metadata in MFCs, developers will have to " "edit log messages explicitly via the use of `git cherry-pick --edit` or `git " "commit --amend`. However, as compared to svn, at least the existing commit " "message can be pre-populated and metadata fields can be added or removed " "without having to re-enter the entire commit message." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1076 msgid "" "The bottom line is that developers will likely need to curate their commit " "message for MFCs that are non-trivial." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1078 msgid "[[vendor-import-git]]" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:1078 #, no-wrap msgid "Vendor Imports with Git" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1081 msgid "This section describes the vendor import procedure with Git in detail." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1082 #, no-wrap msgid "Branch naming convention" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1085 msgid "" "All vendor branches and tags start with `vendor/`. These branches and tags " "are visible by default." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1091 msgid "" "[NOTE] ==== This chapter follows the convention that the `freebsd` origin is " "the origin name for the official FreeBSD Git repository. If you use a " "different convention, replace `freebsd` with the name you use instead in the " "examples below. ====" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1094 msgid "" "We will explore an example for updating NetBSD's mtree that is in our tree. " "The vendor branch for this is `vendor/NetBSD/mtree`." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1095 #, no-wrap msgid "Updating an old vendor import" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1101 msgid "" "The vendor trees usually have only the subset of the third-party software " "that is appropriate to FreeBSD. These trees are usually tiny in comparison " "to the FreeBSD tree. Git worktrees are thus quite small and fast and the " "preferred method to use. Make sure that whatever directory you choose below " "(the `../mtree`) does not currently exist." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1105 msgid "% git worktree add ../mtree vendor/NetBSD/mtree" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1107 #, no-wrap msgid "Update the Sources in the Vendor Branch" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1110 msgid "" "Prepare a full, clean tree of the vendor sources. Import everything but " "merge only what is needed." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1114 msgid "" "This example assumes the NetBSD source is checked out from their GitHub " "mirror in `~/git/NetBSD`. Note that \"upstream\" might have added or " "removed files, so we want to make sure deletions are propagated as well. " "package:net/rsync[] is commonly installed, so I'll use that." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1128 #, no-wrap msgid "" "% cd ../mtree\n" "% rsync -va --del --exclude=\".git\" ~/git/NetBSD/usr.sbin/mtree/ .\n" "% git add -A\n" "% git status\n" "...\n" "% git diff --staged\n" "...\n" "% git commit -m \"Vendor import of NetBSD's mtree at 2020-12-11\"\n" "[vendor/NetBSD/mtree 8e7aa25fcf1] Vendor import of NetBSD's mtree at 2020-12-11\n" " 7 files changed, 114 insertions(+), 82 deletions(-)\n" "% git tag -a vendor/NetBSD/mtree/20201211\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1141 #, no-wrap msgid "" "It is critical to verify that the source code you are importing comes from a\n" "trustworthy source. Many open-source projects use cryptographic signatures to\n" "sign code changes, git tags, and/or source code tarballs. Always verify these\n" "signatures, and use isolation mechanisms like jails, chroot, in combination with\n" "a dedicated, non-privileged user account that is different from the one you\n" "regularly use (see the Updating the FreeBSD source tree section below for\n" "more details), until you are confident that the source code you are importing\n" "looks safe. Following the upstream development and occasionally reviewing the\n" "upstream code changes can greatly help in improving code quality and benefit\n" "everyone involved. It is also a good idea to examine the git diff results\n" "before importing them into the vendor area.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1145 #, no-wrap msgid "" "Always run the `git diff` and `git status` commands and examine the results\n" "carefully. When in doubt, it is useful to do a `git annotate` on the vendor\n" "branch or the upstream git repository to see who and why a change was made.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1148 #, no-wrap msgid "" "In the example above we used `-m` to illustrate, but you should compose a\n" "proper message in an editor (using a commit message template).\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1153 #, no-wrap msgid "" "It is also important to create an annotated tag using `git tag -a`, otherwise the push will be rejected.\n" "Only annotated tags are allowed to be pushed.\n" "The annotated tag gives you a chance to enter a commit message.\n" "Enter the version you are importing, along with any salient new features or fixes in that version.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1154 #, no-wrap msgid "Updating the FreeBSD Copy" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1157 msgid "At this point you can push the import to `vendor` into our repo." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1161 msgid "% git push --follow-tags freebsd vendor/NetBSD/mtree" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1164 #, no-wrap msgid "`--follow-tags` tells `git push` to also push tags associated with the locally committed revision.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1165 #, no-wrap msgid "Updating the FreeBSD source tree" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1169 msgid "" "Now you need to update the mtree in FreeBSD. The sources live in `contrib/" "mtree` since it is upstream software." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1175 msgid "" "From time to time, we may have to make changes to the contributed code to " "better satisfy FreeBSD's needs. Whenever possible, please try to contribute " "the local changes back to the upstream projects, this helps them to better " "support FreeBSD, and also saves your time for future conflict resolutions " "when importing updates." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1180 msgid "% cd ../src % git subtree merge -P contrib/mtree vendor/NetBSD/mtree" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1190 #, no-wrap msgid "" "This would generate a subtree merge commit of `contrib/mtree` against the local `vendor/NetBSD/mtree` branch.\n" "Examine the diff from the merge result and the contents of the\n" "upstream branch. If the merge reduced our local changes to more\n" "trivial difference like blank line or indenting changes, try amending\n" "the local changes to reduce diff against upstream, or try to\n" "contribute the remaining changes back to the upstream project.\n" "If there were conflicts, you would need to fix them before committing.\n" "Include details about the changes being merged in the merge commit message.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1204 #, no-wrap msgid "" "Some open-source software includes a `configure` script that generates files\n" "used to define how the code is built; usually, these generated files like\n" "`config.h` should be updated as part of the import process. When doing\n" "this, always keep in mind that these scripts are executable code running\n" "under the current user's credentials. This process should always be run\n" "in an isolated environment, ideally inside a jail that does not have\n" "network access, and with an unprivileged account; or, at minimum, a\n" "dedicated account that is different from the user account you normally\n" "use for everyday purposes or for pushing to the FreeBSD source\n" "code repository. This minimizes the risk of encountering bugs that can\n" "cause data loss or, in worse cases, maliciously planted code. Using an\n" "isolated jail also prevents the configure scripts from detecting locally\n" "installed software packages, which may lead to unexpected results.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1211 #, no-wrap msgid "" "When testing your changes, run them in a chroot or jailed environment,\n" "or even within a virtual machine first, especially for kernel or library\n" "modifications. This approach helps prevent adverse interactions with\n" "your working environment. It can be particularly beneficial for\n" "changes to libraries that many base system components use,\n" "among others.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1212 #, no-wrap msgid "Rebasing your change against latest FreeBSD source tree" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1215 msgid "" "Because the current policy recommends against using merges, if the upstream " "FreeBSD `main` moved forward before you get a chance to push, you would have " "to redo the merge." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1218 msgid "" "Regular `git rebase` or `git pull --rebase` doesn't know how to rebase a " "merge commit **as a merge commit**, so instead of that you would have to " "recreate the commit." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1220 msgid "" "The following steps should be taken to easily recreate the merge commit as " "if `git rebase --merge-commits` worked properly:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1237 #, no-wrap msgid "" "* cd to the top of the repo\n" "* Create a side branch `XXX` with the **contents** of the merged tree.\n" "* Update this side branch `XXX` to be merged and up-to-date with FreeBSD's `main` branch.\n" "** In the worst case scenario, you would still have to resolve merge conflicts, if there was any, but this should be really rare.\n" "** Resolve conflicts, and collapse multiple commits down to 1 if need be (without conflicts, there's no collapse needed)\n" "* checkout `main`\n" "* create a branch `YYY` (allows for easier unwinding if things go wrong)\n" "* Re-do the subtree merge\n" "* Instead of resolving any conflicts from the subtree merge, checkout the contents of XXX on top of it.\n" "** The trailing `.` is important, as is being at the top level of the repo.\n" "** Rather than switching branches to XXX, it splats the contents of XXX on top of the repo\n" "* Commit the results with the prior commit message (the example assumes there's only one merge on the XXX branch).\n" "* Make sure the branches are the same.\n" "* Do whatever review you need, including having others check it out if you think that's needed.\n" "* Push the commit, if you 'lost the race' again, just redo these steps again (see below for a recipe)\n" "* Delete the branches once the commit is upstream. They are throw-a-way.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1239 #, no-wrap msgid "The commands one would use, following the above example of mtree, would be like so (the `#` starts a comment to help link commands to descriptions above):\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1252 #, no-wrap msgid "" "% cd ../src\t\t\t# CD to top of tree\n" "% git checkout -b XXX\t\t# create new throw-away XXX branch for merge\n" "% git fetch freebsd\t\t# Get changes from upstream from upstream\n" "% git merge freebsd/main\t# Merge the changes and resolve conflicts\n" "% git checkout -b YYY freebsd/main # Create new throw-away YYY branch for redo\n" "% git subtree merge -P contrib/mtree vendor/NetBSD/mtree # Redo subtree merge\n" "% git checkout XXX .\t\t# XXX branch has the conflict resolution\n" "% git commit -c XXX~1\t\t# -c reuses the commit message from commit before rebase\n" "% git diff XXX YYY\t\t# Should be empty\n" "% git show YYY\t\t\t# Should only have changes you want, and be a merge commit from vendor branch\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1256 #, no-wrap msgid "" "Note: if things go wrong with the commit, you can reset the `YYY` branch by reissuing the checkout command that created it with -B to start over:\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1258 msgid "" "% git checkout -B YYY freebsd/main # Create new throw-away YYY branch if " "starting over is just going to be easier" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1260 #, no-wrap msgid "Pushing the changes" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1265 msgid "" "Once you think you have a set of changes that are good, you can push it to a " "fork off GitHub or GitLab for others to review. One nice thing about Git is " "that it allows you to publish rough drafts of your work for others to " "review. While Phabricator is good for content review, publishing the " "updated vendor branch and merge commits lets others check the details as " "they will eventually appear in the repository." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1267 msgid "" "After review, when you are sure it is a good change, you can push it to the " "FreeBSD repo:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1273 msgid "" "% git push freebsd YYY:main\t# put the commit on upstream's 'main' branch % " "git branch -D XXX\t\t# Throw away the throw-a-way branches. % git branch -D " "YYY" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1280 #, no-wrap msgid "" "Note: I used `XXX` and `YYY` to make it obvious they are terrible names and should not leave your machine.\n" "If you use such names for other work, then you'll need to pick different names, or risk losing the other work.\n" "There is nothing magic about these names.\n" "Upstream will not allow you to push them, but never the less, please pay attention to the exact commands above.\n" "Some commands use syntax that differs only slightly from typical uses and that different behavior is critical to this recipe working.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1281 #, no-wrap msgid "How to redo things if need be" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1285 msgid "" "If you've tried to do the push in the previous section and it fails, then " "you should do the following to 'redo' things. This sequence keeps the " "commit with the commit message always at XXX~1 to make committing easier." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1294 msgid "" "% git checkout -B XXX YYY\t# recreate that throw-away-branch XXX and switch " "to it % git merge freebsd/main\t# Merge the changes and resolve conflicts % " "git checkout -B YYY freebsd/main # Recreate new throw-away YYY branch for " "redo % git subtree merge -P contrib/mtree vendor/NetBSD/mtree # Redo subtree " "merge % git checkout XXX .\t\t# XXX branch has the conflict resolution % git " "commit -c XXX~1\t\t# -c reuses the commit message from commit before rebase" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1297 #, no-wrap msgid "Then go check it out as above and push as above when ready.\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:1298 #, no-wrap msgid "Creating a new vendor branch" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1305 msgid "" "There are a number of ways to create a new vendor branch. The recommended " "way is to create a new repository and then merge that with FreeBSD. If one " "is importing `glorbnitz` into the FreeBSD tree, release 3.1415. For the " "sake of simplicity, we will not trim this release. It is a simple user " "command that puts the nitz device into different magical glorb states and is " "small enough trimming will not save much." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1306 #, no-wrap msgid "Create the repo" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1315 msgid "" "% cd /some/where % mkdir glorbnitz % cd glorbnitz % git init % git checkout -" "b vendor/glorbnitz" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1318 #, no-wrap msgid "At this point, you have a new repo, where all new commits will go on the `vendor/glorbnitz` branch.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1320 #, no-wrap msgid "Git experts can also do this right in their FreeBSD clone, using `git checkout --orphan vendor/glorbnitz` if they are more comfortable with that.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1321 #, no-wrap msgid "Copy the sources in" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1325 msgid "" "Since this is a new import, you can just cp the sources in, or use tar or " "even rsync as shown above. And we will add everything, assuming no dot " "files." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1330 msgid "% cp -r ~/glorbnitz/* . % git add *" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1333 #, no-wrap msgid "At this point, you should have a pristine copy of glorbnitz ready to commit.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1337 msgid "% git commit -m \"Import GlorbNitz frobnosticator revision 3.1415\"" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1342 #, no-wrap msgid "" "As above, I used `-m` for simplicity, but you should likely create a commit message that explains what a Glorb is and why you'd use a Nitz to get it.\n" "Not everybody will know so, for your actual commit, you should follow the\n" "crossref:committers-guide[commit-log-message,commit log message] section instead of emulating the brief style used here.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1343 #, no-wrap msgid "Now import it into our repository" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1346 msgid "Now you need to import the branch into our repository." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1352 msgid "" "% cd /path/to/freebsd/repo/src % git remote add glorbnitz /some/where/" "glorbnitz % git fetch glorbnitz vendor/glorbnitz" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1357 #, no-wrap msgid "" "Note the vendor/glorbnitz branch is in the repo. At this point the `/some/where/glorbnitz` can be deleted, if you like.\n" "It was only a means to an end.\n" "// perhaps the real treasure was the friends it made along the way...\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1358 #, no-wrap msgid "Tag and push" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1361 msgid "" "Steps from here on out are much the same as they are in the case of updating " "a vendor branch, though without the updating the vendor branch step." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1369 msgid "" "% git worktree add ../glorbnitz vendor/glorbnitz % cd ../glorbnitz % git tag " "--annotate vendor/glorbnitz/3.1415 # Make sure the commit is good with \"git " "show\" % git push --follow-tags freebsd vendor/glorbnitz" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1372 #, no-wrap msgid "By 'good' we mean:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1378 #, no-wrap msgid "" ". All the right files are present\n" ". None of the wrong files are present\n" ". The vendor branch points at something sensible\n" ". The tag looks good, and is annotated\n" ". The commit message for the tag has a quick summary of what's new since the last tag\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1379 #, no-wrap msgid "Time to finally merge it into the base tree" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1388 #, no-wrap msgid "" "% cd ../src\n" "% git subtree add -P contrib/glorbnitz vendor/glorbnitz\n" "# Make sure the commit is good with \"git show\"\n" "% git commit --amend # one last sanity check on commit message\n" "% git push freebsd\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1391 #, no-wrap msgid "Here 'good' means:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1396 #, no-wrap msgid "" ". All the right files, and none of the wrong ones, were merged into contrib/glorbnitz.\n" ". No other changes are in the tree.\n" ". The commit messages look crossref:committers-guide[commit-log-message,good]. It should contain a summary of what's changed since the last merge to the FreeBSD `main` branch and any caveats.\n" ". UPDATING should be updated if there is anything of note, such as user visible changes, important upgrade concerns, etc.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1402 #, no-wrap msgid "" "[NOTE]\n" "====\n" "This hasn't connected `glorbnitz` to the build yet.\n" "How so do that is specific to the software being imported and is beyond the scope of this tutorial.\n" "====\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1403 #, no-wrap msgid "Keeping current" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1409 msgid "" "So, time passes. It's time now to update the tree for the latest changes " "upstream. When you checkout `main` make sure that you have no diffs. It's " "a lot easier to commit those to a branch (or use `git stash`) before doing " "the following." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1412 msgid "" "If you are used to `git pull`, we strongly recommend using the `--ff-only` " "option, and further setting it as the default option. Alternatively, `git " "pull --rebase` is useful if you have changes staged in the `main` branch." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1416 msgid "% git config --global pull.ff only" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1419 #, no-wrap msgid "You may need to omit the --global if you want this setting to apply to only this repository.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1425 msgid "% cd freebsd-src % git checkout main % git pull (--ff-only|--rebase)" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1429 #, no-wrap msgid "" "There is a common trap, that the combination command `git pull` will try to perform a merge, which would sometimes creates a merge commit that didn't exist before.\n" "This can be harder to recover from.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1431 #, no-wrap msgid "The longer form is also recommended.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1438 msgid "" "% cd freebsd-src % git checkout main % git fetch freebsd % git merge --ff-" "only freebsd/main" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1443 #, no-wrap msgid "" "These commands reset your tree to the `main` branch, and then update it from where you pulled the tree from originally.\n" "It's important to switch to `main` before doing this so it moves forward.\n" "Now, it's time to move the changes forward:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1447 msgid "% git rebase -i main working" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1454 #, no-wrap msgid "" "This will bring up an interactive screen to change the defaults.\n" "For now, just exit the editor.\n" "Everything should just apply.\n" "If not, then you'll need to resolve the diffs.\n" "https://docs.github.com/en/free-pro-team@latest/github/using-git/resolving-merge-conflicts-after-a-git-rebase[This github document] can help you navigate this process.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1456 #, no-wrap msgid "[[git-push-upstream]]\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1456 #, no-wrap msgid "Time to push changes upstream" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1459 msgid "" "First, ensure that the push URL is properly configured for the upstream " "repository." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1463 msgid "" "% git remote set-url --push freebsd ssh://git@gitrepo.freebsd.org/src.git" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1467 #, no-wrap msgid "" "Then, verify that user name and email are configured right.\n" "We require that they exactly match the passwd entry in FreeBSD cluster.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1469 #, no-wrap msgid "Use\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1473 msgid "freefall% gen-gitconfig.sh" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1476 #, no-wrap msgid "on freefall.freebsd.org to get a recipe that you can use directly, assuming /usr/local/bin is in the PATH.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1481 #, no-wrap msgid "" "The below command merges the `working` branch into the upstream `main` branch.\n" "It's important that you curate your changes to be just like you want them in the FreeBSD source repo before doing this.\n" "This syntax pushes the `working` branch to `main`, moving the `main` branch forward.\n" "You will only be able to do this if this results in a linear change to `main` (e.g. no merges).\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1485 msgid "% git push freebsd working:main" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1488 #, no-wrap msgid "If your push is rejected due to losing a commit race, rebase your branch before trying again:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1495 msgid "" "% git checkout working % git fetch freebsd % git rebase freebsd/main % git " "push freebsd working:main" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1498 #, no-wrap msgid "[[git-push-upstream-alt]]\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1498 #, no-wrap msgid "Time to push changes upstream (alternative)" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1504 msgid "" "Some people find it easier to merge their changes to their local `main` " "before pushing to the remote repository. Also, `git arc stage` moves " "changes from a branch to the local `main` when you need to do a subset of a " "branch. The instructions are similar to the prior section: [source,shell]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1508 msgid "% git checkout main % git merge --ff-only `working` % git push freebsd" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1512 #, no-wrap msgid "" "If you lose the race, then try again with\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1515 msgid "% git pull --rebase % git push freebsd" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1518 #, no-wrap msgid "" "These commands will fetch the most recent `freebsd/main` and then rebase the local `main` changes on top of that, which is what you want when you lose the commit race.\n" "Note: merging vendor branch commits will not work with this technique.\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1519 #, no-wrap msgid "Finding the Subversion Revision" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1523 msgid "" "You'll need to make sure that you've fetched the notes (see the crossref:" "committers-guide[git-mini-daily-use]for details). Once you have these, " "notes will show up in the git log command like so:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1527 msgid "% git log" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1530 #, no-wrap msgid "If you have a specific version in mind, you can use this construct:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1534 msgid "% git log --grep revision=XXXX" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1538 #, no-wrap msgid "" "to find the specific revision.\n" "The hex number after 'commit' is the hash you can use to refer to this commit.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1540 #, no-wrap msgid "[[git-faq]]\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:1540 #, no-wrap msgid "Git FAQ" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1543 msgid "" "This section provides a number of targeted answers to questions that are " "likely to come up often for users and developers." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1549 msgid "" "[NOTE] ==== We use the common convention of having the origin for the " "FreeBSD repository being 'freebsd' rather than the default 'origin' to allow " "people to use that for their own development and to minimize \"whoops\" " "pushes to the wrong repository. ====" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1550 #, no-wrap msgid "Users" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1552 #, no-wrap msgid "How do I track -current and -stable with only one copy of the repository?" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1557 #, no-wrap msgid "" "**Q:** Although disk space is not a huge issue, it's more efficient to use only one copy of the repository.\n" "With SVN mirroring, I could checkout multiple trees from the same repository.\n" "How do I do this with Git?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1561 #, no-wrap msgid "" "**A:** You can use Git worktrees.\n" "There's a number of ways to do this, but the simplest way is to use a clone to track -current, and a worktree to track stable releases.\n" "While using a 'bare repository' has been put forward as a way to cope, it's more complicated and will not be documented here.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1564 #, no-wrap msgid "" "First, you need to clone the FreeBSD repository, shown here cloning into `freebsd-current` to reduce confusion.\n" "$URL is whatever mirror works best for you:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1568 msgid "" "% git clone -o freebsd --config remote.freebsd.fetch='+refs/notes/*:refs/" "notes/*' $URL freebsd-current" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1571 #, no-wrap msgid "then once that's cloned, you can simply create a worktree from it:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1576 msgid "% cd freebsd-current % git worktree add ../freebsd-stable-12 stable/12" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1580 #, no-wrap msgid "" "this will checkout `stable/12` into a directory named `freebsd-stable-12` that's a peer to the `freebsd-current` directory.\n" "Once created, it's updated very similarly to how you might expect:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1590 msgid "" "% cd freebsd-current % git checkout main % git pull --ff-only # changes from " "upstream now local and current tree updated % cd ../freebsd-stable-12 % git " "merge --ff-only freebsd/stable/12 # now your stable/12 is up to date too" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1593 #, no-wrap msgid "I recommend using `--ff-only` because it's safer and you avoid accidentally getting into a 'merge nightmare' where you have an extra change in your tree, forcing a complicated merge rather than a simple one.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1595 #, no-wrap msgid "Here's https://adventurist.me/posts/00296[a good writeup] that goes into more detail.\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1596 #, no-wrap msgid "Developers" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1598 #, no-wrap msgid "Ooops! I committed to `main`, instead of another branch." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1601 #, no-wrap msgid "**Q:** From time to time, I goof up and mistakenly commit to the `main` branch. What do I do?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1603 #, no-wrap msgid "**A:** First, don't panic.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1607 #, no-wrap msgid "" "Second, don't push.\n" "In fact, you can fix almost anything if you haven't pushed.\n" "All the answers in this section assume no push has happened.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1609 #, no-wrap msgid "The following answer assumes you committed to `main` and want to create a branch called `issue`:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1615 #, no-wrap msgid "" "% git branch issue # Create the 'issue' branch\n" "% git reset --hard freebsd/main # Reset 'main' back to the official tip\n" "% git checkout issue # Back to where you were\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1617 #, no-wrap msgid "Ooops! I committed something to the wrong branch!" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1621 #, no-wrap msgid "" "**Q:** I was working on feature on the `wilma` branch, but accidentally committed a change relevant to the `fred` branch in 'wilma'.\n" "What do I do?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1625 #, no-wrap msgid "" "**A:** The answer is similar to the previous one, but with cherry picking.\n" "This assumes there's only one commit on wilma, but will generalize to more complicated situations.\n" "It also assumes that it's the last commit on wilma (hence using wilma in the `git cherry-pick` command), but that too can be generalized.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1633 msgid "" "# We're on branch wilma % git checkout fred\t\t# move to fred branch % git " "cherry-pick wilma\t\t# copy the misplaced commit % git checkout wilma\t\t# " "go back to wilma branch % git reset --hard HEAD^\t# move what wilma refers " "to back 1 commit" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1637 #, no-wrap msgid "" "Git experts would first rewind the wilma branch by 1 commit, switch over to fred and then use `git reflog` to see what that 1 deleted commit was and\n" "cherry-pick it over.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1639 #, no-wrap msgid "**Q:** But what if I want to commit a few changes to `main`, but keep the rest in `wilma` for some reason?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1645 #, no-wrap msgid "" "**A:** The same technique above also works if you are wanting to 'land' parts of the branch you are working on into `main` before the rest of the branch is ready (say you noticed an unrelated typo, or fixed an incidental bug).\n" "You can cherry pick those changes into `main`, then push to the parent repository.\n" "Once you've done that, cleanup couldn't be simpler: just `git rebase -i`.\n" "Git will notice you've done this and skip the common changes automatically (even if you had to change the commit message or tweak the commit slightly).\n" "There's no need to switch back to wilma to adjust it: just rebase!\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1647 #, no-wrap msgid "**Q:** I want to split off some changes from branch `wilma` into branch `fred`\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1653 #, no-wrap msgid "" "**A:** The more general answer would be the same as the previous.\n" "You'd checkout/create the `fred` branch, cherry pick the changes you want from `wilma` one at a time, then rebase `wilma` to remove those changes you cherry picked.\n" "`git rebase -i main wilma` will toss you into an editor, and remove the `pick` lines that correspond to the commits you copied to `fred`.\n" "If all goes well, and there are no conflicts, you're done.\n" "If not, you'll need to resolve the conflicts as you go.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1658 #, no-wrap msgid "" "The other way to do this would be to checkout `wilma` and then create the branch `fred` to point to the same point in the tree.\n" "You can then `git rebase -i` both these branches, selecting the changes you want in `fred` or `wilma` by retaining the pick likes, and deleting the rest from the editor.\n" "Some people would create a tag/branch called `pre-split` before starting in case something goes wrong in the split.\n" "You can undo it with the following sequence:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1665 msgid "" "% git checkout pre-split\t# Go back % git branch -D fred\t\t# delete the " "fred branch % git checkout -B wilma\t\t# reset the wilma branch % git branch " "-d pre-split\t# Pretend it didn't happen" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1669 #, no-wrap msgid "" "The last step is optional.\n" "If you are going to try again to split, you'd omit it.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1673 #, no-wrap msgid "" "**Q:** But I did things as I read along and didn't see your advice at the end to create a branch, and now `fred` and `wilma` are all screwed up.\n" "How do I find what `wilma` was before I started.\n" "I don't know how many times I moved things around.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1675 #, no-wrap msgid "**A:** All is not lost. You can figure out it, so long as it hasn't been too long, or too many commits (hundreds).\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1679 #, no-wrap msgid "" "So I created a wilma branch and committed a couple of things to it, then decided I wanted to split it into fred and wilma.\n" "Nothing weird happened when I did that, but let's say it did.\n" "The way to look at what you've done is with the `git reflog`:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1694 msgid "" "% git reflog 6ff9c25 (HEAD -> wilma) HEAD@{0}: rebase -i (finish): returning " "to refs/heads/wilma 6ff9c25 (HEAD -> wilma) HEAD@{1}: rebase -i (start): " "checkout main 869cbd3 HEAD@{2}: rebase -i (start): checkout wilma a6a5094 " "(fred) HEAD@{3}: rebase -i (finish): returning to refs/heads/fred a6a5094 " "(fred) HEAD@{4}: rebase -i (pick): Encourage contributions 1ccd109 (freebsd/" "main, main) HEAD@{5}: rebase -i (start): checkout main 869cbd3 HEAD@{6}: " "rebase -i (start): checkout fred 869cbd3 HEAD@{7}: checkout: moving from " "wilma to fred 869cbd3 HEAD@{8}: commit: Encourage contributions ... %" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1702 #, no-wrap msgid "" "Here we see the changes I've made.\n" "You can use it to figure out where things went wrong.\n" "I'll just point out a few things here.\n" "The first one is that HEAD@{X} is a 'commitish' thing, so you can use that as an argument to a command.\n" "Although if that command commits anything to the repository, the X numbers change.\n" "You can also use the hash (first column).\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1710 #, no-wrap msgid "" "Next, 'Encourage contributions' was the last commit I made to `wilma` before I decided to split things up.\n" "You can also see the same hash is there when I created the `fred` branch to do that.\n" "I started by rebasing `fred` and you see the 'start', each step, and the 'finish' for that process.\n" "While we don't need it here, you can figure out exactly what happened.\n" "Fortunately, to fix this, you can follow the prior answer's steps, but with the hash `869cbd3` instead of `pre-split`.\n" "While that seems a bit verbose, it's easy to remember since you're doing one thing at a time.\n" "You can also stack:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1715 msgid "% git checkout -B wilma 869cbd3 % git branch -D fred" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1722 #, no-wrap msgid "" "and you are ready to try again.\n" "The `checkout -B` with the hash combines checking out and creating a branch for it.\n" "The `-B` instead of `-b` forces the movement of a pre-existing branch.\n" "Either way works, which is what's great (and awful) about Git.\n" "One reason I tend to use `git checkout -B xxxx hash` instead of checking out the hash, and then creating / moving the branch is purely to avoid the slightly distressing message about detached heads:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1728 msgid "% git checkout 869cbd3 M\tfaq.md Note: checking out '869cbd3'." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1732 msgid "" "You are in 'detached HEAD' state. You can look around, make experimental " "changes and commit them, and you can discard any commits you make in this " "state without impacting any branches by performing another checkout." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1735 msgid "" "If you want to create a new branch to retain commits you create, you may do " "so (now or later) by using -b with the checkout command again. Example:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1740 msgid "HEAD is now at 869cbd3 Encourage contributions % git checkout -B wilma" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1743 #, no-wrap msgid "this produces the same effect, but I have to read a lot more and severed heads aren't an image I like to contemplate.\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1744 #, no-wrap msgid "Ooops! I did a `git pull` and it created a merge commit, what do I do?" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1748 #, no-wrap msgid "" "**Q:** I was on autopilot and did a `git pull` for my development tree and that created a merge commit on `main`.\n" "How do I recover?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1750 #, no-wrap msgid "**A:** This can happen when you invoke the pull with your development branch checked out.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1753 #, no-wrap msgid "" "Right after the pull, you will have the new merge commit checked out.\n" "Git supports a `HEAD^#` syntax to examine the parents of a merge commit:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1758 #, no-wrap msgid "" "git log --oneline HEAD^1 # Look at the first parent's commits\n" "git log --oneline HEAD^2 # Look at the second parent's commits\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1762 #, no-wrap msgid "" "From those logs, you can easily identify which commit is your development work.\n" "Then you simply reset your branch to the corresponding `HEAD^#`:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1766 msgid "git reset --hard HEAD^2" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1769 #, no-wrap msgid "**Q:** But I also need to fix my `main` branch. How do I do that?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1772 #, no-wrap msgid "" "**A:** Git keeps track of the remote repository branches in a `freebsd/` namespace.\n" "To fix your `main` branch, just make it point to the remote's `main`:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1776 msgid "git branch -f main freebsd/main" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1781 #, no-wrap msgid "" "There's nothing magical about branches in Git: they are just labels on a graph that are automatically moved forward by making commits.\n" "So the above works because you're just moving a label.\n" "There's no metadata about the branch that needs to be preserved due to this.\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:1782 #, no-wrap msgid "Mixing and matching branches" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1786 #, no-wrap msgid "" "**Q:** So I have two branches `worker` and `async` that I'd like to combine into one branch called `feature`\n" "while maintaining the commits in both.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1788 #, no-wrap msgid "**A:** This is a job for cherry pick.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1794 msgid "" "% git checkout worker % git checkout -b feature\t# create a new branch % git " "cherry-pick main..async\t# bring in the changes" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1799 #, no-wrap msgid "" "You now have a new branch called `feature`.\n" "This branch combines commits from both branches.\n" "You can further curate it with `git rebase`.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1801 #, no-wrap msgid "**Q:** I have a branch called `driver` and I'd like to break it up into `kernel` and `userland` so I can evolve them separately and commit each branch as it becomes ready.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1804 #, no-wrap msgid "" "**A:** This takes a little bit of prep work, but `git rebase` will do the heavy\n" "lifting here.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1810 msgid "" "% git checkout driver\t\t# Checkout the driver % git checkout -b kernel\t# " "Create kernel branch % git checkout -b userland\t# Create userland branch" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1815 #, no-wrap msgid "" "Now you have two identical branches.\n" "So, it's time to separate out the commits.\n" "We'll assume first that all the commits in `driver` go into either the `kernel` or the `userland` branch, but not both.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1819 msgid "% git rebase -i main kernel" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1822 #, no-wrap msgid "and just include the changes you want (with a 'p' or 'pick' line) and just delete the commits you don't (this sounds scary, but if worse comes to worse, you can throw this all away and start over with the `driver` branch since you've not yet moved it).\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1826 msgid "% git rebase -i main userland" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1829 #, no-wrap msgid "and do the same thing you did with the `kernel` branch.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1832 #, no-wrap msgid "" "**Q:** Oh great! I followed the above and forgot a commit in the `kernel` branch.\n" "How do I recover?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1835 #, no-wrap msgid "" "**A:** You can use the `driver` branch to find the hash of the commit is missing and\n" "cherry pick it.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1841 msgid "% git checkout kernel % git log driver % git cherry-pick $HASH" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1847 #, no-wrap msgid "" "**Q:** OK. I have the same situation as the above, but my commits are all mixed up.\n" "I need parts of one commit to go to one branch and the rest to go to the other.\n" "In fact, I have several.\n" "Your rebase method to select sounds tricky.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1850 #, no-wrap msgid "" "**A:** In this situation, you'd be better off to curate the original branch to separate\n" "out the commits, and then use the above method to split the branch.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1855 #, no-wrap msgid "" "So let's assume that there's just one commit with a clean tree.\n" "You can either use `git rebase` with an `edit` line, or you can use this with the commit on the tip.\n" "The steps are the same either way.\n" "The first thing we need to do is to back up one commit while leaving the changes uncommitted in the tree:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1859 msgid "% git reset HEAD^" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1862 #, no-wrap msgid "Note: Do not, repeat do not, add `--hard` here since that also removes the changes from your tree.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1866 #, no-wrap msgid "" "Now, if you are lucky, the change needing to be split up falls entirely along file lines.\n" "In that case you can just do the usual `git add` for the files in each group than do a `git commit`.\n" "Note: when you do this, you'll lose the commit message when you do the reset, so if you need it for some reason, you should save a copy (though `git log $HASH` can recover it).\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1869 #, no-wrap msgid "" "If you are not lucky, you'll need to split apart files.\n" "There's another tool to do that which you can apply one file at a time.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1873 msgid "git add -i foo/bar.c" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1879 #, no-wrap msgid "" "will step through the diffs, prompting you, one at time, whether to include or exclude the hunk.\n" "Once you're done, `git commit` and you'll have the remainder in your tree.\n" "You can run it multiple times as well, and even over multiple files (though I find it easier to do one file at a time\n" "and use the `git rebase -i` to fold the related commits together).\n" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:1880 #, no-wrap msgid "Cloning and Mirroring" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1883 #, no-wrap msgid "**Q:** I'd like to mirror the entire Git repository, how do I do that?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1885 #, no-wrap msgid "**A:** If all you want to do is mirror, then\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1889 msgid "% git clone --mirror $URL" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1893 #, no-wrap msgid "" "will do the trick.\n" "However, there are two disadvantages to this if you want to use it for anything other than a mirror you'll reclone.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1897 #, no-wrap msgid "" "First, this is a 'bare repository' which has the repository database, but no checked out worktree.\n" "This is great for mirroring, but terrible for day to day work.\n" "There's a number of ways around this with `git worktree`:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1905 msgid "" "% git clone --mirror https://git.freebsd.org/ports.git ports.git % cd ports." "git % git worktree add ../ports main % git worktree add ../quarterly " "branches/2020Q4 % cd ../ports" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1908 #, no-wrap msgid "But if you aren't using your mirror for further local clones, then it's a poor match.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1911 #, no-wrap msgid "" "The second disadvantage is that Git normally rewrites the refs (branch name, tags, etc) from upstream so that your local refs can evolve independently of upstream.\n" "This means that you'll lose changes if you are committing to this repository on anything other than private project branches.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1913 #, no-wrap msgid "**Q:** So what can I do instead?\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1916 #, no-wrap msgid "" "**A:** Well, you can stuff all of the upstream repository's refs into a private namespace in your local repository.\n" "Git clones everything via a 'refspec' and the default refspec is:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1920 #, no-wrap msgid " fetch = +refs/heads/*:refs/remotes/freebsd/*\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1923 #, no-wrap msgid "which says just fetch the branch refs.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1927 #, no-wrap msgid "" "However, the FreeBSD repository has a number of other things in it.\n" "To see those, you can add explicit refspecs for each ref namespace, or you can fetch everything.\n" "To setup your repository to do that:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1931 msgid "git config --add remote.freebsd.fetch '+refs/*:refs/freebsd/*'" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1935 #, no-wrap msgid "" "which will put everything in the upstream repository into your local repository's `refs/freebsd/` namespace.\n" "Please note, that this also grabs all the unconverted vendor branches and the number of refs associated with them is quite large.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1937 #, no-wrap msgid "You'll need to refer to these 'refs' with their full name because they aren't in and of Git's regular namespaces.\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1941 msgid "git log refs/freebsd/vendor/zlib/1.2.10" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1944 #, no-wrap msgid "would look at the log for the vendor branch for zlib starting at 1.2.10.\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:1945 #, no-wrap msgid "Collaborating with others" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1949 msgid "" "One of the keys to good software development on a project as large as " "FreeBSD is the ability to collaborate with others before you push your " "changes to the tree. The FreeBSD project's Git repositories do not, yet, " "allow user-created branches to be pushed to the repository, and therefore if " "you wish to share your changes with others you must use another mechanism, " "such as a hosted GitLab or GitHub, to share changes in a user-generated " "branch." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1951 msgid "" "The following instructions show how to set up a user-generated branch, based " "on the FreeBSD `main` branch, and push it to GitHub." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1954 msgid "" "Before you begin, make sure that your local Git repo is up to date and has " "the correct origins set crossref:committers-guide[keeping_current,as shown " "above]." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1961 msgid "" "[source,shell] ```` % git remote -v freebsd https://git.freebsd.org/src.git " "(fetch) freebsd ssh://git@gitrepo.freebsd.org/src.git (push) ````" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1964 msgid "" "The first step is to create a fork of https://github.com/freebsd/freebsd-" "src[FreeBSD] on GitHub following these https://docs.github.com/en/github/" "getting-started-with-github/fork-a-repo[guidelines]. The destination of the " "fork should be your own, personal, GitHub account (gvnn3 in my case)." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1967 msgid "" "Now add a remote on your local system that points to your fork: [source," "shell]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1974 msgid "" "% git remote add github git@github.com:gvnn3/freebsd-src.git % git remote -v " "github\tgit@github.com:gvnn3/freebsd-src.git (fetch) github\tgit@github.com:" "gvnn3/freebsd-src.git (push) freebsd\thttps://git.freebsd.org/src.git " "(fetch) freebsd\tssh://git@gitrepo.freebsd.org/src.git (push)" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1977 #, no-wrap msgid "" "With this in place you can create a branch\n" "crossref:committers-guide[keeping_a_local_branch,as shown above].\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1981 msgid "% git checkout -b gnn-pr2001-fix" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1985 #, no-wrap msgid "" "Make whatever modifications you wish in your branch. Build, test, and once you're ready to collaborate with others it's time to push your changes into your hosted branch.\n" "Before you can push you'll have to set the appropriate upstream, as Git will tell you the first time you try to push to your +github+ remote:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1991 msgid "" "% git push github fatal: The current branch gnn-pr2001-fix has no upstream " "branch. To push the current branch and set the remote as upstream, use" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:1993 #, no-wrap msgid " git push --set-upstream github gnn-pr2001-fix\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:1996 #, no-wrap msgid "Setting the push as +git+ advises allows it to succeed:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2012 #, no-wrap msgid "" "% git push --set-upstream github gnn-feature\n" "Enumerating objects: 20486, done.\n" "Counting objects: 100% (20486/20486), done.\n" "Delta compression using up to 8 threads\n" "Compressing objects: 100% (12202/12202), done.\n" "Writing objects: 100% (20180/20180), 56.25 MiB | 13.15 MiB/s, done.\n" "Total 20180 (delta 11316), reused 12972 (delta 7770), pack-reused 0\n" "remote: Resolving deltas: 100% (11316/11316), completed with 247 local objects.\n" "remote:\n" "remote: Create a pull request for 'gnn-feature' on GitHub by visiting:\n" "remote: https://github.com/gvnn3/freebsd-src/pull/new/gnn-feature\n" "remote:\n" "To github.com:gvnn3/freebsd-src.git\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2014 #, no-wrap msgid "" "[new branch] gnn-feature -> gnn-feature\n" "Branch 'gnn-feature' set up to track remote branch 'gnn-feature' from 'github'.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2017 #, no-wrap msgid "Subsequent changes to the same branch will push correctly by default:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2030 #, no-wrap msgid "" "% git push\n" "Enumerating objects: 4, done.\n" "Counting objects: 100% (4/4), done.\n" "Delta compression using up to 8 threads\n" "Compressing objects: 100% (2/2), done.\n" "Writing objects: 100% (3/3), 314 bytes | 1024 bytes/s, done.\n" "Total 3 (delta 1), reused 1 (delta 0), pack-reused 0\n" "remote: Resolving deltas: 100% (1/1), completed with 1 local object.\n" "To github.com:gvnn3/freebsd-src.git\n" " 9e5243d7b659..cf6aeb8d7dda gnn-feature -> gnn-feature\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2034 #, no-wrap msgid "" "At this point your work is now in your branch on +GitHub+ and you can\n" "share the link with other collaborators.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2036 #, no-wrap msgid "[[github-pull-land]]\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2036 #, no-wrap msgid "Landing a github pull request" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2041 msgid "" "This section documents how to land a GitHub pull request that's submitted " "against the FreeBSD Git mirrors at GitHub. While this is not an official " "way to submit patches at this time, sometimes good fixes come in this way " "and it is easiest just to bring them into a committer's tree and have them " "pushed into the FreeBSD's tree from there. Similar steps can be used to " "pull branches from other repositories and land those. When committing pull " "requests from others, one should take extra care to examine all the changes " "to ensure they are exactly as represented." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2046 msgid "" "Before beginning, make sure that the local Git repo is up to date and has " "the correct origins set crossref:committers-guide[keeping_current,as shown " "above]. In addition, make sure to have the following origins: [source,shell]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2052 msgid "" "% git remote -v freebsd https://git.freebsd.org/src.git (fetch) freebsd " "ssh://git@gitrepo.freebsd.org/src.git (push) github https://github.com/" "freebsd/freebsd-src (fetch) github https://github.com/freebsd/freebsd-src " "(fetch)" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2072 #, no-wrap msgid "" "Often pull requests are simple: requests that contain only a single commit.\n" "In this case, a streamlined approach may be used, though the approach in the prior section will also work.\n" "Here, a branch is created, the change is cherry picked, the commit message adjusted, and sanity-checked before being pushed.\n" "The branch `staging` is used in this example but it can be any name.\n" "This technique works for any number of commits in the pull request, especially when the changes apply cleanly to the FreeBSD tree.\n" "However, when there's multiple commits, especially when minor adjustments are needed, `git rebase -i` works better than `git cherry-pick`.\n" "Briefly, these commands create a branch; cherry-picks the changes from the pull request; tests it; adjusts the commit messages; and fast forward merges it back to `main`.\n" "The PR number is `$PR` below.\n" "When adjusting the message, add `Pull Request: https://github.com/freebsd-src/pull/$PR`.\n" "All pull requests committed to the FreeBSD repository should be reviewed by at least one person.\n" "This need not be the person committing it, but in that case the person committing it should trust the other reviewers competence to review the commit.\n" "Committers that do a code review of pull requests before pushing them into the repo should add a `Reviewed by:` line to the commit, because in this case it is not implicit.\n" "Add anybody that reviews and approves the commit on github to `Reviewed by:` as well.\n" "As always, care should be taken to ensure the change does what it is supposed to, and that no malicious code is present.\n" "[NOTE]\n" "======\n" "In addition, please check to make sure that the pull request author name is not anonymous.\n" "Github's web editing interface generates names like:\n" "[source,shell]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2074 #, no-wrap msgid "Author: github-user <38923459+github-user@users.noreply.github.com>\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2078 #, no-wrap msgid "" "A polite request to the author for a better name and/or email should be made.\n" "Extra care should be taken to ensure no style issue or malicious code is introduced.\n" "======\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2090 msgid "" "% git fetch github pull/$PR/head:staging % git rebase -i main staging\t# to " "move the staging branch forward, adjust commit message here % git checkout main % git pull --ff-only\t\t# to get the " "latest if time has passed % git checkout main % git merge --ff-only staging " " % git push freebsd --push-option=confirm-author" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2095 #, no-wrap msgid "" "[.procedure]\n" "====\n" "For complicated pull requests that have multiple commits with conflicts, follow the following outline.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2103 #, no-wrap msgid "" ". checkout the pull request `git checkout github/pull/XXX`\n" ". create a branch to rebase `git checkout -b staging`\n" ". rebase the `staging` branch to the latest `main` with `git rebase -i main staging`\n" ". resolve conflicts and do whatever testing is needed\n" ". fast forward the `staging` branch into `main` as above\n" ". final sanity check of changes to make sure all is well\n" ". push to FreeBSD's Git repository.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2108 #, no-wrap msgid "" "This will also work when bringing branches developed elsewhere into the local tree for committing.\n" "====\n" "Once finished with the pull request, close it using GitHub's web interface.\n" "It is worth noting that if your `github` origin uses `https://`, the only step you'll need a GitHub account for is closing the pull request.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2110 #, no-wrap msgid "[[vcs-history]]\n" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2110 #, no-wrap msgid "Version Control History" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2113 msgid "The project has moved to crossref:committers-guide[git-primer,git]." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2119 msgid "" "The FreeBSD source repository switched from CVS to Subversion on May 31st, " "2008. The first real SVN commit is __r179447__. The source repository " "switched from Subversion to Git on December 23rd, 2020. The last real svn " "commit is __r368820__. The first real git commit hash is " "__5ef5f51d2bef80b0ede9b10ad5b0e9440b60518c__." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2125 msgid "" "The FreeBSD `doc/www` repository switched from CVS to Subversion on May " "19th, 2012. The first real SVN commit is __r38821__. The documentation " "repository switched from Subversion to Git on December 8th, 2020. The last " "SVN commit is __r54737__. The first real git commit hash is " "__3be01a475855e7511ad755b2defd2e0da5d58bbe__." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2131 msgid "" "The FreeBSD `ports` repository switched from CVS to Subversion on July 14th, " "2012. The first real SVN commit is __r300894__. The ports repository " "switched from Subversion to Git on April 6, 2021. The last SVN commit is " "__r569609__ The first real git commit hash is " "__ed8d3eda309dd863fb66e04bccaa513eee255cbf__." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2133 msgid "[[conventions]]" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2133 #, no-wrap msgid "Setup, Conventions, and Traditions" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2138 msgid "" "There are a number of things to do as a new developer. The first set of " "steps is specific to committers only. These steps must be done by a mentor " "for those who are not committers." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2140 msgid "[[conventions-committers]]" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2140 #, no-wrap msgid "For New Committers" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2143 msgid "" "Those who have been given commit rights to the FreeBSD repositories must " "follow these steps." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2146 #, no-wrap msgid "" "* Get mentor approval before committing each of these changes!\n" "* All [.filename]#src# commits go to FreeBSD-CURRENT first before being merged to FreeBSD-STABLE. The FreeBSD-STABLE branch must maintain ABI and API compatibility with earlier versions of that branch. Do not merge changes that break this compatibility.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2151 #, no-wrap msgid "" "[[commit-steps]]\n" "[.procedure]\n" "====\n" "*Steps for New Committers*\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2198 #, no-wrap msgid "" ". Add an Author Entity\n" "+\n" "[.filename]#doc/shared/authors.adoc# - Add an author entity. Later steps depend on this entity, and missing this step will cause the [.filename]#doc/# build to fail. This is a relatively easy task, but remains a good first test of version control skills.\n" ". Update the List of Developers and Contributors\n" "+\n" "[.filename]#doc/shared/contrib-committers.adoc# - Add an entry, which will then appear in the \"Developers\" section of the extref:{contributors}[Contributors List, staff-committers]. Entries are sorted by last name.\n" "+\n" "[.filename]#doc/shared/contrib-additional.adoc# - _Remove_ the entry. Entries are sorted by first name.\n" ". Add a News Item\n" "+\n" "[.filename]#doc/website/data/en/news/news.toml# - Add an entry. Look for the other entries that announce new committers and follow the format. Use the date from the commit bit approval email.\n" ". Add a PGP Key\n" "+\n" "`{des}` has written a shell script ([.filename]#doc/documentation/tools/addkey.sh#) to make this easier. See the https://cgit.freebsd.org/doc/plain/documentation/static/pgpkeys/README[README] file for more information.\n" "+\n" "Use [.filename]#doc/documentation/tools/checkkey.sh# to verify that keys meet minimal best-practices standards.\n" "+\n" "After adding and checking a key, add both updated files to source control and then commit them. Entries in this file are sorted by last name.\n" "+\n" "[NOTE]\n" "======\n" "It is very important to have a current PGP/GnuPG key in the repository. The key may be required for positive identification of a committer. For example, the `{admins}` might need it for account recovery. A complete keyring of `FreeBSD.org` users is available for download from link:https://docs.FreeBSD.org/pgpkeys/pgpkeys.txt[https://docs.FreeBSD.org/pgpkeys/pgpkeys.txt].\n" "======\n" ". Update Mentor and Mentee Information\n" "+\n" "[.filename]#src/share/misc/committers-.dot# - Add an entry to the current committers section, where _repository_ is `doc`, `ports`, or `src`, depending on the commit privileges granted.\n" "+\n" "Add an entry for each additional mentor/mentee relationship in the bottom section.\n" ". Generate a Kerberos Password\n" "+\n" "See crossref:committers-guide[kerberos-ldap] to generate or set a Kerberos account for use with other FreeBSD services like the link:https://bugs.freebsd.org/bugzilla/[bug-tracking database] (you get a bug-tracking account as part of that step).\n" ". Optional: Enable Wiki Account\n" "+\n" "link:https://wiki.freebsd.org[FreeBSD Wiki] Account - A wiki account allows sharing projects and ideas.\n" "Those who do not yet have an account can follow instructions on the link:https://wiki.freebsd.org/Wiki/About[Wiki/About page] to obtain one.\n" "Contact mailto:wiki-admin@FreeBSD.org[wiki-admin@FreeBSD.org] if you need help with your Wiki account.\n" ". Optional: Update Wiki Information\n" "+\n" "Wiki Information - After gaining access to the wiki, some people add entries to the https://wiki.freebsd.org/HowWeGotHere[How We Got Here], https://wiki.freebsd.org/IRC/Nicknames[IRC Nicks], https://wiki.freebsd.org/Community/Dogs[Dogs of FreeBSD], and or https://wiki.freebsd.org/Community/Cats[Cats of FreeBSD] pages.\n" ". Optional: Update Ports with Personal Information\n" "+\n" "[.filename]#ports/astro/xearth/files/freebsd.committers.markers# and [.filename]#src/usr.bin/calendar/calendars/calendar.freebsd# - Some people add entries for themselves to these files to show where they are located or the date of their birthday.\n" ". Optional: Prevent Duplicate Mailings\n" "+\n" "Subscribers to {dev-commits-doc-all}, {dev-commits-ports-all} or {dev-commits-src-all} might wish to unsubscribe to avoid receiving duplicate copies of commit messages and followups.\n" "====\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2200 #, no-wrap msgid "[[conventions-everyone]]\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2200 #, no-wrap msgid "For Everyone" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2220 msgid "" "[[conventions-everyone-steps]] [.procedure] ==== . Introduce yourself to the " "other developers, otherwise no one will have any idea who you are or what " "you are working on. The introduction need not be a comprehensive biography, " "just write a paragraph or two about who you are, what you plan to be working " "on as a developer in FreeBSD, and who will be your mentor. Email this to the " "{developers-name} and you will be on your way! . Log into `freefall.FreeBSD." "org` and create a [.filename]#/var/forward/user# (where _user_ is your " "username) file containing the e-mail address where you want mail addressed " "to _yourusername_@FreeBSD.org to be forwarded. This includes all of the " "commit messages as well as any other mail addressed to the {committers-name} " "and the {developers-name}. Really large mailboxes which have taken up " "permanent residence on `freefall` may get truncated without warning if space " "needs to be freed, so forward it or save it elsewhere. + [NOTE] ====== If " "your e-mail system uses SPF with strict rules, you should exclude `mx2." "FreeBSD.org` from SPF checks. ====== + Due to the severe load dealing with " "SPAM places on the central mail servers that do the mailing list processing, " "the front-end server does do some basic checks and will drop some messages " "based on these checks. At the moment proper DNS information for the " "connecting host is the only check in place but that may change. Some people " "blame these checks for bouncing valid email. To have these checks turned off " "for your email, create a file named [.filename]#~/.spam_lover# on `freefall." "FreeBSD.org`. + [NOTE] ====== Those who are developers but not committers " "will not be subscribed to the committers or developers mailing lists. The " "subscriptions are derived from the access rights. ====== ====" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2222 msgid "[[smtp-setup]]" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:2222 #, no-wrap msgid "SMTP Access Setup" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2225 msgid "" "For those willing to send e-mail messages through the FreeBSD.org " "infrastructure, follow the instructions below:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2247 #, no-wrap msgid "" "[.procedure]\n" "====\n" ". Point your mail client at `smtp.FreeBSD.org:587`.\n" ". Enable STARTTLS.\n" ". Ensure your `From:` address is set to `_yourusername_@FreeBSD.org`.\n" ". For authentication, you can use your FreeBSD Kerberos username and password\n" " (see crossref:committers-guide[kerberos-ldap]). The `_yourusername_/mail` principal is preferred, as it is only valid for authenticating to mail resources.\n" "+\n" "[NOTE]\n" "======\n" "Do not include `@FreeBSD.org` when entering in your username.\n" "======\n" "+\n" ".Additional Notes\n" "[NOTE]\n" "======\n" "* Will only accept mail from `_yourusername_@FreeBSD.org`. If you are authenticated as one user, you are not permitted to send mail from another.\n" "* A header will be appended with the SASL username: (`Authenticated sender: _username_`).\n" "* Host has various rate limits in place to cut down on brute force attempts.\n" "======\n" "====\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2249 #, no-wrap msgid "[[smtp-setup-local-mta]]\n" msgstr "" #. type: Title ===== #: documentation/content/en/articles/committers-guide/_index.adoc:2249 #, no-wrap msgid "Using a Local MTA to Forward Emails to the FreeBSD.org SMTP Service" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2252 msgid "" "It is also possible to use a local MTA to forward locally sent emails to the " "FreeBSD.org SMTP servers." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2257 msgid "[[smtp-setup-local-postfix]] .Using Postfix [example] ====" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2259 msgid "" "To tell a local Postfix instance that anything from `_yourusername_@FreeBSD." "org` should be forwarded to the FreeBSD.org servers, add this to your [." "filename]#main.cf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2261 msgid "[.programlisting]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2267 msgid "" "sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/relayhost_maps " "smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous " "smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd " "smtp_use_tls = yes" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2270 #, no-wrap msgid "Create [.filename]#/usr/local/etc/postfix/relayhost_maps# with the following content:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2272 #: documentation/content/en/articles/committers-guide/_index.adoc:2279 #: documentation/content/en/articles/committers-guide/_index.adoc:2286 #: documentation/content/en/articles/committers-guide/_index.adoc:2294 #: documentation/content/en/articles/committers-guide/_index.adoc:2309 #: documentation/content/en/articles/committers-guide/_index.adoc:2319 #: documentation/content/en/articles/committers-guide/_index.adoc:2333 #: documentation/content/en/articles/committers-guide/_index.adoc:2364 #, no-wrap msgid "[.programlisting]\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2274 msgid "yourusername@FreeBSD.org [smtp.freebsd.org]:587" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2277 #, no-wrap msgid "Create [.filename]#/usr/local/etc/postfix/sasl_passwd# with the following content:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2281 #, no-wrap msgid "[smtp.freebsd.org]:587 yourusername:yourpassword\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2284 #, no-wrap msgid "If the email server is used by other people, you may want to prevent them from sending e-mails from your address. To achieve this, add this to your [.filename]#main.cf#:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2289 msgid "" "smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login_maps " "smtpd_sender_restrictions = reject_known_sender_login_mismatch" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2292 #, no-wrap msgid "Create [.filename]#/usr/local/etc/postfix/sender_login_maps# with the following content:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2296 msgid "yourusername@FreeBSD.org yourlocalusername" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2300 #, no-wrap msgid "" "Where _yourlocalusername_ is the SASL username used to connect to the local instance of Postfix.\n" "====\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2305 #, no-wrap msgid "" "[[smtp-setup-local-opensmtpd]]\n" ".Using OpenSMTPD\n" "[example]\n" "====\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2307 #, no-wrap msgid "To tell a local OpenSMTPD instance that anything from `_yourusername_@FreeBSD.org` should be forwarded to the FreeBSD.org servers, add this to your [.filename]#smtpd.conf#:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2312 msgid "" "action \"freebsd\" relay host smtp+tls://freebsd@smtp.freebsd.org:587 auth " " match from any auth yourlocalusername mail-from " "\"_yourusername_@freebsd.org\" for any action \"freebsd\"" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2315 #, no-wrap msgid "Where _yourlocalusername_ is the SASL username used to connect to the local instance of OpenSMTPD.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2317 #, no-wrap msgid "Create [.filename]#/usr/local/etc/mail/secrets# with the following content:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2321 msgid "freebsd\tyourusername:yourpassword" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2328 #, no-wrap msgid "" "====\n" "[[smtp-setup-local-exim]]\n" ".Using Exim\n" "[example]\n" "====\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2331 #, no-wrap msgid "" "To direct a local Exim instance to forward all mail from `_example_@FreeBSD.org`\n" " to FreeBSD.org servers, add this to Exim [.filename]#configuration#:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2340 #, no-wrap msgid "" "Routers section: (at the top of the list):\n" "freebsd_send:\n" " driver = manualroute\n" " domains = !+local_domains\n" " transport = freebsd_smtp\n" " route_data = ${lookup {${lc:$sender_address}} lsearch {/usr/local/etc/exim/freebsd_send}}\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2352 #, no-wrap msgid "" "Transport Section:\n" "freebsd_smtp:\n" " driver = smtp\n" " tls_certificate=\n" " tls_privatekey=\n" " tls_require_ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS\n" " dkim_domain = \n" " dkim_selector = \n" " dkim_private_key= \n" " dnssec_request_domains = *\n" " hosts_require_auth = smtp.freebsd.org\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2359 #, no-wrap msgid "" "Authenticators:\n" "freebsd_plain:\n" " driver = plaintext\n" " public_name = PLAIN\n" " client_send = ^example/mail^examplePassword\n" " client_condition = ${if eq{$host}{smtp.freebsd.org}}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2362 #, no-wrap msgid "Create [.filename]#/usr/local/etc/exim/freebsd_send# with the following content:\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2366 msgid "example@freebsd.org:smtp.freebsd.org::587" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2369 #, no-wrap msgid "====\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2371 #, no-wrap msgid "[[mentors]]\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2371 #, no-wrap msgid "Mentors" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2376 msgid "" "All new developers have a mentor assigned to them for the first few months. " "A mentor is responsible for teaching the mentee the rules and conventions of " "the project and guiding their first steps in the developer community. The " "mentor is also personally responsible for the mentee's actions during this " "initial period." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2379 msgid "" "For committers: do not commit anything without first getting mentor " "approval. Document that approval with an `Approved by:` line in the commit " "message." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2384 msgid "" "When the mentor decides that a mentee has learned the ropes and is ready to " "commit on their own, the mentor announces it with a commit to [." "filename]#mentors#. This file is in the [.filename]#admin# orphan branch of " "each repository. Detailed information on how to access these branches can " "be found in crossref:committers-guide[admin-branch]." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2386 msgid "[[pre-commit-review]]" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2386 #, no-wrap msgid "Pre-Commit Review" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2391 msgid "" "Code review is one way to increase the quality of software. The following " "guidelines apply to commits to the `main` (-CURRENT) branch of the `src` " "repository. Other branches and the `ports` and `docs` trees have their own " "review policies, but these guidelines generally apply to commits requiring " "review:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2397 #, no-wrap msgid "" "* All non-trivial changes should be reviewed before they are committed to the repository.\n" "* Reviews may be conducted by email, in Bugzilla, in Phabricator, or by another mechanism. Where possible, reviews should be public.\n" "* The developer responsible for a code change is also responsible for making all necessary review-related changes.\n" "* Code review can be an iterative process, which continues until the patch is ready to be committed. Specifically, once a patch is sent out for review, it should receive an explicit \"looks good\" before it is committed. So long as it is explicit, this can take whatever form makes sense for the review method.\n" "* Timeouts are not a substitute for review.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2399 #, no-wrap msgid "Sometimes code reviews will take longer than you would hope for, especially for larger features. Accepted ways to speed up review times for your patches are:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2406 #, no-wrap msgid "" "* Review other people's patches. If you help out, everybody will be more willing to do the same for you; goodwill is our currency.\n" "* Ping the patch. If it is urgent, provide reasons why it is important to you to get this patch landed and ping it every couple of days. If it is not urgent, the common courtesy ping rate is one week. Remember that you are asking for valuable time from other professional developers.\n" "* Ask for help on mailing lists, IRC, etc. Others may be able to either help you directly, or suggest a reviewer.\n" "* Split your patch into multiple smaller patches that build on each other. The smaller your patch, the higher the probability that somebody will take a quick look at it.\n" "+\n" "When making large changes, it is helpful to keep this in mind from the beginning of the effort as breaking large changes into smaller ones is often difficult after the fact.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2411 #, no-wrap msgid "" "Developers should participate in code reviews as both reviewers and reviewees.\n" "If someone is kind enough to review your code, you should return the favor for someone else.\n" "Note that while anyone is welcome to review and give feedback on a patch, only an appropriate subject-matter expert can approve a change.\n" "This will usually be a committer who works with the code in question on a regular basis.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2414 #, no-wrap msgid "" "In some cases, no subject-matter expert may be available.\n" "In those cases, a review by an experienced developer is sufficient when coupled with appropriate testing.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2416 #, no-wrap msgid "[[commit-log-message]]\n" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2416 #, no-wrap msgid "Commit Log Messages" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2419 msgid "" "This section contains some suggestions and traditions for how commit logs " "are formatted." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2420 #, no-wrap msgid "Why are commit messages important?" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2424 msgid "" "When you commit a change in Git, Subversion, or another version control " "system (VCS), you're prompted to write some text describing the commit -- a " "commit message. How important is this commit message? Should you spend some " "significant effort writing it? Does it really matter if you write simply " "`fixed a bug`?" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2427 msgid "" "Most projects have more than one developer and last for some length of " "time. Commit messages are a very important method of communicating with " "other developers, in the present and for the future." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2430 msgid "" "FreeBSD has hundreds of active developers and hundreds of thousands of " "commits spanning decades of history. Over that time the developer community " "has learned how valuable good commit messages are; sometimes these are hard-" "learned lessons." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2432 msgid "Commit messages serve at least three purposes:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2439 #, no-wrap msgid "" "* Communicating with other developers\n" "+\n" "FreeBSD commits generate email to various mailing lists.\n" "These include the commit message along with a copy of the patch itself.\n" "Commit messages are also viewed through commands like git log.\n" "These serve to make other developers aware of changes that are ongoing; that other developer may want to test the change, may have an interest in the topic and will want to review in more detail, or may have their own projects underway that would benefit from interaction.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2445 #, no-wrap msgid "" "* Making Changes Discoverable\n" "+\n" "In a large project with a long history it may be difficult to find changes of interest when investigating an issue or change in behaviour.\n" "Verbose, detailed commit messages allow searches for changes that might be relevant.\n" "For example, `git log --since 1year --grep 'USB timeout'`.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2451 #, no-wrap msgid "" "* Providing historical documentation\n" "+\n" "Commit messages serve to document changes for future developers, perhaps years or decades later.\n" "This future developer may even be you, the original author.\n" "A change that seems obvious today may be decidedly not so much later on.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2453 #, no-wrap msgid "The `git blame` command annotates each line of a source file with the change (hash and subject line) that brought it in.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2455 #, no-wrap msgid "Having established the importance, here are elements of a good FreeBSD commit message:\n" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2456 #, no-wrap msgid "Start with a subject line" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2460 msgid "" "Commit messages should start with a single-line subject that briefly " "summarizes the change. The subject should, by itself, allow the reader to " "quickly determine if the change is of interest or not." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2461 #, no-wrap msgid "Keep subject lines short" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2466 msgid "" "The subject line should be as short as possible while still retaining the " "required information. This is to make browsing Git log more efficient, and " "so that git log --oneline can display the short hash and subject on a single " "80-column line. A good rule of thumb is to stay below 63 characters, and " "aim for about 50 or fewer if possible." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2467 #, no-wrap msgid "Prefix the subject line with a component, if applicable" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2470 msgid "" "If the change relates to a specific component the subject line may be " "prefixed with that component name and a colon (:)." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2472 msgid "✓ `foo: Add -k option to keep temporary data`" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2474 msgid "" "Include the prefix in the 63-character limit suggested above, so that `git " "log --oneline` avoids wrapping." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2475 #, no-wrap msgid "Capitalize the first letter of the subject" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2479 msgid "" "Capitalize the first letter of the subject itself. The prefix, if any, is " "not capitalized unless necessary (e.g., `USB:` is capitalized)." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2480 #, no-wrap msgid "Do not end the subject line with punctuation" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2484 msgid "" "Do not end with a period or other punctuation. In this regard the subject " "line is like a newspaper headline." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2485 #, no-wrap msgid "Separate the subject and body with a blank line" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2488 msgid "Separate the body from the subject with a blank line." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2490 msgid "" "Some trivial commits do not require a body, and will have only a subject." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2492 msgid "✓ `ls: Fix typo in usage text`" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2493 #, no-wrap msgid "Limit messages to 72 columns" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2499 msgid "" "`git log` and `git format-patch` indent the commit message by four spaces. " "Wrapping at 72 columns provides a matching margin on the right edge. " "Limiting messages to 72 characters also keeps the commit message in " "formatted patches below RFC 2822's suggested email line length limit of 78 " "characters. This limit works well with a variety of tools that may render " "commit messages; line wrapping might be inconsistent with longer line length." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2500 #, no-wrap msgid "Use the present tense, imperative mood" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2505 msgid "" "This facilitates short subject lines and provides consistency, including " "with automatically generated commit messages (e.g., as generated by git " "revert). This is important when reading a list of commit subjects. Think " "of the subject as finishing the sentence \"when applied, this change will ..." "\"." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2510 #, no-wrap msgid "" "✓ `foo: Implement the -k (keep) option`\n" "✗ `foo: Implemented the -k option`\n" "✗ `This change implements the -k option in foo`\n" "✗ `-k option added`" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2511 #, no-wrap msgid "Focus on what and why, not how" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2514 msgid "" "Explain what the change accomplishes and why it is being done, rather than " "how." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2518 msgid "" "Do not assume that the reader is familiar with the issue. Explain the " "background and motivation for the change. Include benchmark data if you " "have it." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2520 msgid "" "If there are limitations or incomplete aspects of the change, describe them " "in the commit message." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2521 #, no-wrap msgid "Consider whether parts of the commit message could be code comments instead" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2524 msgid "" "Sometimes while writing a commit message you may find yourself writing a " "sentence or two explaining some tricky or confusing aspect of the change. " "When this happens consider whether it would be valuable to have that " "explanation as a comment in the code itself." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2525 #, no-wrap msgid "Write commit messages for your future self" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2529 msgid "" "While writing the commit message for a change you have all of the context in " "mind - what prompted the change, alternate approaches that were considered " "and rejected, limitations of the change, and so on. Imagine yourself " "revisiting the change a year or two in the future, and write the commit " "message in a way that would provide that necessary context." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2530 #, no-wrap msgid "Commit messages should stand alone" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2534 msgid "" "You may include references to mailing list postings, benchmark result web " "sites, or code review links. However, the commit message should contain all " "of the relevant information in case these references are no longer available " "in the future." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2538 msgid "" "Similarly, a commit may refer to a previous commit, for example in the case " "of a bug fix or revert. In addition to the commit identifier (revision or " "hash), include the subject line from the referenced commit (or another " "suitable brief reference). With each VCS migration (from CVS to Subversion " "to Git) revision identifiers from previous systems may become difficult to " "follow." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:2539 #, no-wrap msgid "Include appropriate metadata in a footer" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2542 msgid "" "As well as including an informative message with each commit, some " "additional information may be needed." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2544 msgid "" "This information consists of one or more lines containing the key word or " "phrase, a colon, tabs for formatting, and then the additional information." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2546 msgid "The key words or phrases are:" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2551 #, no-wrap msgid "" "[.informaltable]\n" "[cols=\"20%,80%\", frame=\"none\"]" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2552 #, no-wrap msgid "`PR:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2554 #, no-wrap msgid "The problem report (if any) which is affected (typically, by being closed) by this commit. Multiple PRs may be specified on one line, separated by commas or spaces." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2555 #, no-wrap msgid "`Reported by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2559 #, no-wrap msgid "" "The name and e-mail address of the person that reported the issue; for developers, just the username on the FreeBSD cluster.\n" "Typically used when there is no PR, for example if the issue was reported on\n" "a mailing list." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2561 #, no-wrap msgid "" "`Submitted by:` +\n" "(deprecated)" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2563 #, no-wrap msgid "This has been deprecated with git; submitted patches should have the author set by using `git commit --author` with a full name and valid email." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2564 #, no-wrap msgid "`Reviewed by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2579 #, no-wrap msgid "" "The name and e-mail address of the person or people that reviewed the change; for developers, just the username on the FreeBSD cluster. If a patch was submitted to a mailing list for review, and the review was favorable, then just include the list name. If the reviewer is not a member of the project, provide the name, email, and if ports an external role like maintainer:\n" "\n" "Reviewed by a developer:\n" "[source,shell]\n" "....\n" "Reviewed by: username\n" "....\n" "\n" "Reviewed by a ports maintainer that is not a developer:\n" "[source,shell]\n" "....\n" "Reviewed by: Full Name (maintainer)\n" "...." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2580 #, no-wrap msgid "`Tested by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2582 #, no-wrap msgid "The name and e-mail address of the person or people that tested the change; for developers, just the username on the FreeBSD cluster." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2583 #, no-wrap msgid "`Approved by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2609 #, no-wrap msgid "" "The name and e-mail address of the person or people that approved the change; for developers, just the username on the FreeBSD cluster.\n" "\n" "There are several cases where approval is customary:\n" "\n" "* while a new committer is under mentorship\n" "* commits to an area of the tree covered by the LOCKS file (src)\n" "* during a release cycle\n" "* committing to a repo where you do not hold a commit bit (e.g. src committer committing to docs)\n" "* committing to a port maintained by someone else\n" "\n" "While under mentorship, get mentor approval before the commit. Enter the mentor's username in this field, and note that they are a mentor:\n" "\n" "[source,shell]\n" "....\n" "Approved by: username-of-mentor (mentor)\n" "....\n" "\n" "If a team approved these commits then include the team name followed by the username of the approver in parentheses. For example:\n" "\n" "[source,shell]\n" "....\n" "Approved by: re (username)\n" "...." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2610 #, no-wrap msgid "`Obtained from:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2612 #, no-wrap msgid "The name of the project (if any) from which the code was obtained. Do not use this line for the name of an individual person." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2613 #, no-wrap msgid "`Fixes:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2615 #, no-wrap msgid "The Git short hash and the title line of a commit that is fixed by this change as returned by `git log -n 1 --oneline GIT-COMMIT-HASH`." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2616 #, no-wrap msgid "`MFC after:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2618 #, no-wrap msgid "To receive an e-mail reminder to MFC at a later date, specify the number of days, weeks, or months after which an MFC is planned." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2619 #, no-wrap msgid "`MFC to:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2621 #, no-wrap msgid "If the commit should be merged to a subset of stable branches, specify the branch names." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2622 #, no-wrap msgid "`MFH:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2624 #, no-wrap msgid "If the commit is to be merged into a ports quarterly branch name, specify the quarterly branch. For example `2021Q2`." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2625 #, no-wrap msgid "`Relnotes:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2627 #, no-wrap msgid "If the change is a candidate for inclusion in the release notes for the next release from the branch, set to `yes`." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2628 #, no-wrap msgid "`Security:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2630 #, no-wrap msgid "If the change is related to a security vulnerability or security exposure, include one or more references or a description of the issue. If possible, include a VuXML URL or a CVE ID." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2631 #, no-wrap msgid "`Event:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2633 #, no-wrap msgid "The description for the event where this commit was made. If this is a recurring event, add the year or even the month to it. For example, this could be `FooBSDcon 2019`. The idea behind this line is to put recognition to conferences, gatherings, and other types of meetups and to show that these are useful to have. Please do not use the `Sponsored by:` line for this as that is meant for organizations sponsoring certain features or developers working on them." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2634 #, no-wrap msgid "`Sponsored by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2636 #, no-wrap msgid "Sponsoring organizations for this change, if any. Separate multiple organizations with commas. If only a portion of the work was sponsored, or different amounts of sponsorship were provided to different authors, please give appropriate credit in parentheses after each sponsor name. For example, `Example.com (alice, code refactoring), Wormulon (bob), Momcorp (cindy)` shows that Alice was sponsored by Example.com to do code refactoring, while Wormulon sponsored Bob's work and Momcorp sponsored Cindy's work. Other authors were either not sponsored or chose not to list sponsorship." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2637 #, no-wrap msgid "`Pull Request:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2641 #, no-wrap msgid "" "This change was submitted as a pull request or merge request against one of FreeBSD's public read-only Git repositories.\n" "It should include the entire URL to the pull request, as these often act as code reviews for the code.\n" "For example: `https://github.com/freebsd/freebsd-src/pull/745`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2642 #, no-wrap msgid "`Co-authored-by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2645 #, no-wrap msgid "" "The name and email address of an additional author of the commit.\n" "GitHub has a detailed description of the Co-authored-by trailer at https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors." msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2646 #, no-wrap msgid "`Signed-off-by:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2648 #, no-wrap msgid "ID certifies compliance with https://developercertificate.org/" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2649 #, no-wrap msgid "`Differential Revision:`" msgstr "" #. type: Table #: documentation/content/en/articles/committers-guide/_index.adoc:2651 #, no-wrap msgid "The full URL of the Phabricator review. This line __must be the last line__. For example: `https://reviews.freebsd.org/D1708`." msgstr "" #. type: Block title #: documentation/content/en/articles/committers-guide/_index.adoc:2653 #, no-wrap msgid "Commit Log for a Commit Based on a PR" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2659 msgid "" "The commit is based on a patch from a PR submitted by John Smith. The " "commit message \"PR\" field is filled." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2663 #: documentation/content/en/articles/committers-guide/_index.adoc:2681 #: documentation/content/en/articles/committers-guide/_index.adoc:2696 #: documentation/content/en/articles/committers-guide/_index.adoc:2712 #: documentation/content/en/articles/committers-guide/_index.adoc:2727 #, no-wrap msgid "...\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2665 #, no-wrap msgid "PR:\t\t12345\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2668 msgid "" "The committer sets the author of the patch with `git commit --author \"John " "Smith \"`." msgstr "" #. type: Block title #: documentation/content/en/articles/committers-guide/_index.adoc:2671 #, no-wrap msgid "Commit Log for a Commit Needing Review" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2677 msgid "" "The virtual memory system is being changed. After posting patches to the " "appropriate mailing list (in this case, `freebsd-arch`) and the changes have " "been approved." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2683 #, no-wrap msgid "Reviewed by:\t-arch\n" msgstr "" #. type: Block title #: documentation/content/en/articles/committers-guide/_index.adoc:2687 #, no-wrap msgid "Commit Log for a Commit Needing Approval" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2692 msgid "" "Commit a port, after working with the listed MAINTAINER, who said to go " "ahead and commit." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2698 #, no-wrap msgid "Approved by:\tabc (maintainer)\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2701 msgid "Where _abc_ is the account name of the person who approved." msgstr "" #. type: Block title #: documentation/content/en/articles/committers-guide/_index.adoc:2703 #, no-wrap msgid "Commit Log for a Commit Bringing in Code from OpenBSD" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2708 msgid "Committing some code based on work done in the OpenBSD project." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2714 #, no-wrap msgid "Obtained from:\tOpenBSD\n" msgstr "" #. type: Block title #: documentation/content/en/articles/committers-guide/_index.adoc:2718 #, no-wrap msgid "Commit Log for a Change to FreeBSD-CURRENT with a Planned Commit to FreeBSD-STABLE to Follow at a Later Date." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2723 msgid "" "Committing some code which will be merged from FreeBSD-CURRENT into the " "FreeBSD-STABLE branch after two weeks." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2729 #, no-wrap msgid "MFC after:\t2 weeks\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2732 msgid "" "Where _2_ is the number of days, weeks, or months after which an MFC is " "planned. The _weeks_ option may be `day`, `days`, `week`, `weeks`, `month`, " "`months`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2735 msgid "It is often necessary to combine these." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2739 msgid "" "Consider the situation where a user has submitted a PR containing code from " "the NetBSD project. Looking at the PR, the developer sees it is not an area " "of the tree they normally work in, so they have the change reviewed by the " "`arch` mailing list. Since the change is complex, the developer opts to MFC " "after one month to allow adequate testing." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2741 msgid "" "The extra information to include in the commit would look something like" msgstr "" #. type: Block title #: documentation/content/en/articles/committers-guide/_index.adoc:2742 #, no-wrap msgid "Example Combined Commit Log" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2753 #, no-wrap msgid "" "PR:\t\t54321\n" "Reviewed by:\t-arch\n" "Obtained from:\tNetBSD\n" "MFC after:\t1 month\n" "Relnotes:\tyes\n" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2758 #, no-wrap msgid "Preferred License for New Files" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2764 msgid "" "The FreeBSD Project's full license policy can be found at link:https://www." "FreeBSD.org/internal/software-license/[https://www.FreeBSD.org/internal/" "software-license]. The rest of this section is intended to help you get " "started. As a rule, when in doubt, ask. It is much easier to give advice " "than to fix the source tree." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2766 msgid "" "The FreeBSD Project suggests and uses this text as the preferred license " "scheme:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2797 #, no-wrap msgid "" "/*-\n" " * SPDX-License-Identifier: BSD-2-Clause\n" " *\n" " * Copyright (c) [year] [your name]\n" " *\n" " * Redistribution and use in source and binary forms, with or without\n" " * modification, are permitted provided that the following conditions\n" " * are met:\n" " * 1. Redistributions of source code must retain the above copyright\n" " * notice, this list of conditions and the following disclaimer.\n" " * 2. Redistributions in binary form must reproduce the above copyright\n" " * notice, this list of conditions and the following disclaimer in the\n" " * documentation and/or other materials provided with the distribution.\n" " *\n" " * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND\n" " * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n" " * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n" " * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\n" " * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n" " * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n" " * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n" " * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n" " * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n" " * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n" " * SUCH DAMAGE.\n" " *\n" " * [id for your version control system, if any]\n" " */\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2803 msgid "" "The FreeBSD project strongly discourages the so-called \"advertising " "clause\" in new code. Due to the large number of contributors to the " "FreeBSD project, complying with this clause for many commercial vendors has " "become difficult. If you have code in the tree with the advertising clause, " "please consider removing it. In fact, please consider using the above " "license for your code." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2807 msgid "" "The FreeBSD project discourages completely new licenses and variations on " "the standard licenses. New licenses require the approval of {core-email} to " "reside in the `src` repository. The more different licenses that are used " "in the tree, the more problems that this causes to those wishing to utilize " "this code, typically from unintended consequences from a poorly worded " "license." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2811 msgid "" "Project policy dictates that code under some non-BSD licenses must be placed " "only in specific sections of the repository, and in some cases, compilation " "must be conditional or even disabled by default. For example, the GENERIC " "kernel must be compiled under only licenses identical to or substantially " "similar to the BSD license. GPL, APSL, CDDL, etc, licensed software must " "not be compiled into GENERIC." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2814 msgid "" "Developers are reminded that in open source, getting \"open\" right is just " "as important as getting \"source\" right, as improper handling of " "intellectual property has serious consequences. Any questions or concerns " "should immediately be brought to the attention of the core team." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2816 #, no-wrap msgid "Keeping Track of Licenses Granted to the FreeBSD Project" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2821 msgid "" "Various software or data exist in the repositories where the FreeBSD project " "has been granted a special license to be able to use them. A case in point " "are the Terminus fonts for use with man:vt[4]. Here the author Dimitar " "Zhekov has allowed us to use the \"Terminus BSD Console\" font under a 2-" "clause BSD license rather than the regular Open Font License he normally " "uses." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2826 msgid "" "It is clearly sensible to keep a record of any such license grants. To that " "end, the {core-email} has decided to keep an archive of them. Whenever the " "FreeBSD project is granted a special license we require the {core-email} to " "be notified. Any developers involved in arranging such a license grant, " "please send details to the {core-email} including:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2828 msgid "" "Contact details for people or organizations granting the special license." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2829 msgid "" "What files, directories etc. in the repositories are covered by the license " "grant including the revision numbers where any specially licensed material " "was committed." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2830 msgid "" "The date the license comes into effect from. Unless otherwise agreed, this " "will be the date the license was issued by the authors of the software in " "question." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2831 msgid "The license text." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2832 msgid "" "A note of any restrictions, limitations or exceptions that apply " "specifically to FreeBSD's usage of the licensed material." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2833 msgid "Any other relevant information." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2836 msgid "" "Once the {core-email} is satisfied that all the necessary details have been " "gathered and are correct, the secretary will send a PGP-signed " "acknowledgment of receipt including the license details. This receipt will " "be persistently archived and serve as our permanent record of the license " "grant." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2839 msgid "" "The license archive should contain only details of license grants; this is " "not the place for any discussions around licensing or other subjects. " "Access to data within the license archive will be available on request to " "the {core-email}." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2841 #, no-wrap msgid "SPDX Tags in the tree" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2852 msgid "" "The project uses https://spdx.dev[SPDX] tags in our source base. At " "present, these tags are indented to help automated tools reconstruct license " "requirements mechanically. All _SPDX-License-Identifier_ tags in the tree " "should be considered to be informative. All files in the FreeBSD source " "tree with these tags also have a copy of the license which governs use of " "that file. In the event of a discrepancy, the verbatim license is " "controlling. The project tries to follow the https://spdx.github.io/spdx-" "spec/[SPDX Specification, Version 2.2]. How to mark source files and valid " "algebraic expressions are found in https://spdx.github.io/spdx-spec/appendix-" "IV-SPDX-license-expressions/[Appendix IV] and https://spdx.github.io/spdx-" "spec/appendix-V-using-SPDX-short-identifiers-in-source-files/[Appendix V]. " "The project draws identifiers from SPDX's list of valid https://spdx.org/" "licenses/[short license identifiers]. The project uses only the _SPDX-" "License-Identifier_ tag." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2854 msgid "" "As of March 2021, approximately 25,000 out of 90,000 files in the tree have " "been marked." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2855 #, no-wrap msgid "Developer Relations" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2861 msgid "" "When working directly on your own code or on code which is already well " "established as your responsibility, then there is probably little need to " "check with other committers before jumping in with a commit. When working " "on a bug in an area of the system which is clearly orphaned (and there are a " "few such areas, to our shame), the same applies. When modifying parts of " "the system which are maintained, formally or informally, consider asking for " "a review just as a developer would have before becoming a committer. For " "ports, contact the listed `MAINTAINER` in the [.filename]#Makefile#." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2865 msgid "" "To determine if an area of the tree is maintained, check the MAINTAINERS " "file at the root of the tree. If nobody is listed, scan the revision " "history to see who has committed changes in the past. To list the names and " "email addresses of all commit authors for a given file in the last 2 years " "and the number of commits each has authored, ordered by descending number of " "commits, use:" msgstr "" #. type: delimited block - 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2869 #, no-wrap msgid "% git -C /path/to/repo shortlog -sne --since=\"2 years\" -- relative/path/to/file\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2872 msgid "" "If queries go unanswered or the committer otherwise indicates a lack of " "interest in the area affected, go ahead and commit it." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2877 msgid "" "Avoid sending private emails to maintainers. Other people might be " "interested in the conversation, not just the final output." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2883 msgid "" "If there is any doubt about a commit for any reason at all, have it reviewed " "before committing. Better to have it flamed then and there rather than when " "it is part of the repository. If a commit does results in controversy " "erupting, it may be advisable to consider backing the change out again until " "the matter is settled. Remember, with a version control system we can " "always change it back." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2887 msgid "" "Do not impugn the intentions of others. If they see a different solution to " "a problem, or even a different problem, it is probably not because they are " "stupid, because they have questionable parentage, or because they are trying " "to destroy hard work, personal image, or FreeBSD, but basically because they " "have a different outlook on the world. Different is good." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2890 msgid "" "Disagree honestly. Argue your position from its merits, be honest about any " "shortcomings it may have, and be open to seeing their solution, or even " "their vision of the problem, with an open mind." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2896 msgid "" "Accept correction. We are all fallible. When you have made a mistake, " "apologize and get on with life. Do not beat up yourself, and certainly do " "not beat up others for your mistake. Do not waste time on embarrassment or " "recrimination, just fix the problem and move on." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2900 msgid "" "Ask for help. Seek out (and give) peer reviews. One of the ways open " "source software is supposed to excel is in the number of eyeballs applied to " "it; this does not apply if nobody will review code." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2902 #, no-wrap msgid "If in Doubt..." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2906 msgid "" "When unsure about something, whether it be a technical issue or a project " "convention be sure to ask. If you stay silent you will never make progress." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2910 msgid "" "If it relates to a technical issue ask on the public mailing lists. Avoid " "the temptation to email the individual person that knows the answer. This " "way everyone will be able to learn from the question and the answer." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2912 msgid "For project specific or administrative questions ask, in order:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2914 msgid "Your mentor or former mentor." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2915 msgid "An experienced committer on IRC, email, etc." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2916 msgid "Any team with a \"hat\", as they can give you a definitive answer." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2917 msgid "If still not sure, ask on {developers-name}." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2919 msgid "" "Once your question is answered, if no one pointed you to documentation that " "spelled out the answer to your question, document it, as others will have " "the same question." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2921 #, no-wrap msgid "Bugzilla" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2926 msgid "" "The FreeBSD Project utilizes Bugzilla for tracking bugs and change " "requests. If you commit a fix or suggestion found in the PR database, be " "sure to close the PR. It is also considered nice if you take time to close " "any other PRs associated with your commits." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2928 msgid "" "Committers with non-``FreeBSD.org`` Bugzilla accounts can have the old " "account merged with the `FreeBSD.org` account by following these steps:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2932 msgid "Log in using your old account." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2933 msgid "" "Open new bug. Choose `Services` as the Product, and `Bug Tracker` as the " "Component. In bug description list accounts you wish to be merged." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2935 msgid "" "Log in using `FreeBSD.org` account and post comment to newly opened bug to " "confirm ownership. See crossref:committers-guide[kerberos-ldap] for more " "details on how to generate or set a password for your `FreeBSD.org` account." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2936 msgid "" "If there are more than two accounts to merge, post comments from each of " "them." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2939 msgid "You can find out more about Bugzilla at:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2941 msgid "extref:{pr-guidelines}[FreeBSD Problem Report Handling Guidelines]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2942 msgid "link:https://www.FreeBSD.org/support/[https://www.FreeBSD.org/support]" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2944 #, no-wrap msgid "Phabricator" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2948 msgid "" "The FreeBSD Project utilizes https://reviews.freebsd.org[Phabricator] for " "code review requests. See the https://wiki.freebsd.org/" "Phabricator[Phabricator wiki page] for details." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2950 msgid "" "Committers with non-``FreeBSD.org`` Phabricator accounts can have the old " "account renamed to the ``FreeBSD.org`` account by following these steps:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2954 msgid "Change your Phabricator account email to your `FreeBSD.org` email." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2956 msgid "" "Open new bug on our bug tracker using your `FreeBSD.org` account, see " "crossref:committers-guide[bugzilla] for more information. Choose `Services` " "as the Product, and `Code Review` as the Component. In bug description " "request that your Phabricator account be renamed, and provide a link to your " "Phabricator user. For example, `https://reviews.freebsd.org/p/bob_example." "com/`" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:2961 msgid "" "Phabricator accounts cannot be merged, please do not open a new account." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:2964 #, no-wrap msgid "Who's Who" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2967 msgid "" "Besides the repository meisters, there are other FreeBSD project members and " "teams whom you will probably get to know in your role as a committer. " "Briefly, and by no means all-inclusively, these are:" msgstr "" #. type: Labeled list #: documentation/content/en/articles/committers-guide/_index.adoc:2968 #, no-wrap msgid "`{doceng}`" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2974 msgid "" "doceng is the group responsible for the documentation build infrastructure, " "approving new documentation committers, and ensuring that the FreeBSD " "website and documentation on the FTP site is up to date with respect to the " "Subversion tree. It is not a conflict resolution body. The vast majority " "of documentation related discussion takes place on the {freebsd-doc}. More " "details regarding the doceng team can be found in its https://www.FreeBSD." "org/internal/doceng/[charter]. Committers interested in contributing to the " "documentation should familiarize themselves with the extref:{fdp-primer}" "[Documentation Project Primer]." msgstr "" #. type: Labeled list #: documentation/content/en/articles/committers-guide/_index.adoc:2975 #, no-wrap msgid "`{re-members}`" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2980 msgid "" "These are the members of the `{re}`. This team is responsible for setting " "release deadlines and controlling the release process. During code freezes, " "the release engineers have final authority on all changes to the system for " "whichever branch is pending release status. If there is something you want " "merged from FreeBSD-CURRENT to FreeBSD-STABLE (whatever values those may " "have at any given time), these are the people to talk to about it." msgstr "" #. type: Labeled list #: documentation/content/en/articles/committers-guide/_index.adoc:2981 #, no-wrap msgid "`{so}`" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2983 msgid "" "`{so-name}` is the link:https://www.FreeBSD.org/security/[FreeBSD Security " "Officer] and oversees the `{security-officer}`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2988 msgid "" "{committers-name}:: {dev-src-all}, {dev-ports-all} and {dev-doc-all} are the " "mailing lists that the version control system uses to send commit messages " "to. _Never_ send email directly to these lists. Only send replies to this " "list when they are short and are directly related to a commit." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2993 msgid "" "{developers-name}:: All committers are subscribed to -developers. This list " "was created to be a forum for the committers \"community\" issues. Examples " "are Core voting, announcements, etc." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:2997 msgid "" "The {developers-name} is for the exclusive use of FreeBSD committers. To " "develop FreeBSD, committers must have the ability to openly discuss matters " "that will be resolved before they are publicly announced. Frank discussions " "of work in progress are not suitable for open publication and may harm " "FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3001 msgid "" "All FreeBSD committers are expected not to not publish or forward messages " "from the {developers-name} outside the list membership without permission of " "all of the authors. Violators will be removed from the {developers-name}, " "resulting in a suspension of commit privileges. Repeated or flagrant " "violations may result in permanent revocation of commit privileges." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3007 msgid "" "This list is _not_ intended as a place for code reviews or for any technical " "discussion. In fact using it as such hurts the FreeBSD Project as it gives " "a sense of a closed list where general decisions affecting all of the " "FreeBSD using community are made without being \"open\". Last, but not " "least __never, never ever, email the {developers-name} and CC:/BCC: another " "FreeBSD list__. Never, ever email another FreeBSD email list and CC:/BCC: " "the {developers-name}. Doing so can greatly diminish the benefits of this " "list." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3008 #, no-wrap msgid "SSH Quick-Start Guide" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3013 msgid "" "If you do not wish to type your password in every time you use man:ssh[1], " "and you use keys to authenticate, man:ssh-agent[1] is there for your " "convenience. If you want to use man:ssh-agent[1], make sure that you run it " "before running other applications. X users, for example, usually do this " "from their [.filename]#.xsession# or [.filename]#.xinitrc#. See man:ssh-" "agent[1] for details." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3014 msgid "" "Generate a key pair using man:ssh-keygen[1]. The key pair will wind up in " "your [.filename]#$HOME/.ssh/# directory." msgstr "" #. type: delimited block = 6 #: documentation/content/en/articles/committers-guide/_index.adoc:3018 msgid "Only ECDSA, Ed25519 or RSA keys are supported." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3020 msgid "" "Send your public key ([.filename]#$HOME/.ssh/id_ecdsa.pub#, [." "filename]#$HOME/.ssh/id_ed25519.pub#, or [.filename]#$HOME/.ssh/id_rsa.pub#) " "to the person setting you up as a committer so it can be put into [." "filename]#yourlogin# in [.filename]#/etc/ssh-keys/# on `freefall`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3025 msgid "" "Now man:ssh-add[1] can be used for authentication once per session. It " "prompts for the private key's pass phrase, and then stores it in the " "authentication agent (man:ssh-agent[1]). Use `ssh-add -d` to remove keys " "stored in the agent." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3027 msgid "Test with a simple remote command: `ssh freefall.FreeBSD.org ls /usr`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3029 msgid "" "For more information, see package:security/openssh-portable[], man:ssh[1], " "man:ssh-add[1], man:ssh-agent[1], man:ssh-keygen[1], and man:scp[1]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3031 msgid "" "For information on adding, changing, or removing man:ssh[1] keys, see " "https://wiki.freebsd.org/clusteradm/ssh-keys[this article]." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3033 #, no-wrap msgid "Coverity(R) Availability for FreeBSD Committers" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3037 msgid "" "All FreeBSD developers can obtain access to Coverity analysis results of all " "FreeBSD Project software. All who are interested in obtaining access to the " "analysis results of the automated Coverity runs, can sign up at http://scan." "coverity.com/[Coverity Scan]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3040 msgid "" "The FreeBSD wiki includes a mini-guide for developers who are interested in " "working with the Coverity(R) analysis reports: https://wiki.freebsd.org/" "CoverityPrevent[https://wiki.freebsd.org/CoverityPrevent]. Please note that " "this mini-guide is only readable by FreeBSD developers, so if you cannot " "access this page, you will have to ask someone to add you to the appropriate " "Wiki access list." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3042 msgid "" "Finally, all FreeBSD developers who are going to use Coverity(R) are always " "encouraged to ask for more details and usage information, by posting any " "questions to the mailing list of the FreeBSD developers." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3044 #, no-wrap msgid "The FreeBSD Committers' Big List of Rules" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3049 msgid "" "Everyone involved with the FreeBSD project is expected to abide by the _Code " "of Conduct_ available from link:https://www.FreeBSD.org/internal/code-of-" "conduct/[https://www.FreeBSD.org/internal/code-of-conduct]. As committers, " "you form the public face of the project, and how you behave has a vital " "impact on the public perception of it. This guide expands on the parts of " "the _Code of Conduct_ specific to committers." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3051 #: documentation/content/en/articles/committers-guide/_index.adoc:3081 msgid "Respect other committers." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3052 #: documentation/content/en/articles/committers-guide/_index.adoc:3097 msgid "Respect other contributors." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3053 #: documentation/content/en/articles/committers-guide/_index.adoc:3112 msgid "Discuss any significant change _before_ committing." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3054 msgid "" "Respect existing maintainers (if listed in the `MAINTAINER` field in [." "filename]#Makefile# or in [.filename]#MAINTAINER# in the top-level " "directory)." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3055 #: documentation/content/en/articles/committers-guide/_index.adoc:3127 msgid "" "Any disputed change must be backed out pending resolution of the dispute if " "requested by a maintainer. Security related changes may override a " "maintainer's wishes at the Security Officer's discretion." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3056 msgid "" "Changes go to FreeBSD-CURRENT before FreeBSD-STABLE unless specifically " "permitted by the release engineer or unless they are not applicable to " "FreeBSD-CURRENT. Any non-trivial or non-urgent change which is applicable " "should also be allowed to sit in FreeBSD-CURRENT for at least 3 days before " "merging so that it can be given sufficient testing. The release engineer has " "the same authority over the FreeBSD-STABLE branch as outlined for the " "maintainer in rule #5." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3057 #: documentation/content/en/articles/committers-guide/_index.adoc:3142 msgid "Do not fight in public with other committers; it looks bad." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3058 msgid "" "Respect all code freezes and read the `committers` and `developers` mailing " "lists in a timely manner so you know when a code freeze is in effect." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3059 #: documentation/content/en/articles/committers-guide/_index.adoc:3157 msgid "When in doubt on any procedure, ask first!" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3060 #: documentation/content/en/articles/committers-guide/_index.adoc:3162 msgid "Test your changes before committing them." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3061 #: documentation/content/en/articles/committers-guide/_index.adoc:3172 msgid "" "Do not commit to contributed software without _explicit_ approval from the " "respective maintainers." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3072 msgid "" "As noted, breaking some of these rules can be grounds for suspension or, " "upon repeated offense, permanent removal of commit privileges. Individual " "members of core have the power to temporarily suspend commit privileges " "until core as a whole has the chance to review the issue. In case of an " "\"emergency\" (a committer doing damage to the repository), a temporary " "suspension may also be done by the repository meisters. Only a 2/3 majority " "of core has the authority to suspend commit privileges for longer than a " "week or to remove them permanently. This rule does not exist to set core up " "as a bunch of cruel dictators who can dispose of committers as casually as " "empty soda cans, but to give the project a kind of safety fuse. If someone " "is out of control, it is important to be able to deal with this immediately " "rather than be paralyzed by debate. In all cases, a committer whose " "privileges are suspended or revoked is entitled to a \"hearing\" by core, " "the total duration of the suspension being determined at that time. A " "committer whose privileges are suspended may also request a review of the " "decision after 30 days and every 30 days thereafter (unless the total " "suspension period is less than 30 days). A committer whose privileges have " "been revoked entirely may request a review after a period of 6 months has " "elapsed. This review policy is _strictly informal_ and, in all cases, core " "reserves the right to either act on or disregard requests for review if they " "feel their original decision to be the right one." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3076 msgid "" "In all other aspects of project operation, core is a subset of committers " "and is bound by the __same rules__. Just because someone is in core this " "does not mean that they have special dispensation to step outside any of the " "lines painted here; core's \"special powers\" only kick in when it acts as a " "group, not on an individual basis. As individuals, the core team members " "are all committers first and core second." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3077 #, no-wrap msgid "Details" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3085 msgid "" "This means that you need to treat other committers as the peer-group " "developers that they are. Despite our occasional attempts to prove the " "contrary, one does not get to be a committer by being stupid and nothing " "rankles more than being treated that way by one of your peers. Whether we " "always feel respect for one another or not (and everyone has off days), we " "still have to _treat_ other committers with respect at all times, on public " "forums and in private email." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3087 msgid "" "Being able to work together long term is this project's greatest asset, one " "far more important than any set of changes to the code, and turning " "arguments about code into issues that affect our long-term ability to work " "harmoniously together is just not worth the trade-off by any conceivable " "stretch of the imagination." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3093 msgid "" "To comply with this rule, do not send email when you are angry or otherwise " "behave in a manner which is likely to strike others as needlessly " "confrontational. First calm down, then think about how to communicate in " "the most effective fashion for convincing the other persons that your side " "of the argument is correct, do not just blow off some steam so you can feel " "better in the short term at the cost of a long-term flame war. Not only is " "this very bad \"energy economics\", but repeated displays of public " "aggression which impair our ability to work well together will be dealt with " "severely by the project leadership and may result in suspension or " "termination of your commit privileges. The project leadership will take " "into account both public and private communications brought before it. It " "will not seek the disclosure of private communications, but it will take it " "into account if it is volunteered by the committers involved in the " "complaint." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3096 msgid "" "All of this is never an option which the project's leadership enjoys in the " "slightest, but unity comes first. No amount of code or good advice is worth " "trading that away." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3109 msgid "" "You were not always a committer. At one time you were a contributor. " "Remember that at all times. Remember what it was like trying to get help " "and attention. Do not forget that your work as a contributor was very " "important to you. Remember what it was like. Do not discourage, belittle, " "or demean contributors. Treat them with respect. They are our committers in " "waiting. They are every bit as important to the project as committers. " "Their contributions are as valid and as important as your own. After all, " "you made many contributions before you became a committer. Always remember " "that." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3111 msgid "" "Consider the points raised under crossref:committers-guide[respect,Respect " "other committers] and apply them also to contributors." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3118 msgid "" "The repository is not where changes are initially submitted for correctness " "or argued over, that happens first in the mailing lists or by use of the " "Phabricator service. The commit will only happen once something resembling " "consensus has been reached. This does not mean that permission is required " "before correcting every obvious syntax error or manual page misspelling, " "just that it is good to develop a feel for when a proposed change is not " "quite such a no-brainer and requires some feedback first. People really do " "not mind sweeping changes if the result is something clearly better than " "what they had before, they just do not like being _surprised_ by those " "changes. The very best way of making sure that things are on the right " "track is to have code reviewed by one or more other committers." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3120 msgid "When in doubt, ask for review!" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3121 msgid "Respect existing maintainers if listed." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3126 msgid "" "Many parts of FreeBSD are not \"owned\" in the sense that any specific " "individual will jump up and yell if you commit a change to \"their\" area, " "but it still pays to check first. One convention we use is to put a " "maintainer line in the [.filename]#Makefile# for any package or subtree " "which is being actively maintained by one or more people; see extref:" "{developers-handbook}[Source Tree Guidelines and Policies, policies] for " "documentation on this. Where sections of code have several maintainers, " "commits to affected areas by one maintainer need to be reviewed by at least " "one other maintainer. In cases where the \"maintainer-ship\" of something " "is not clear, look at the repository logs for the files in question and see " "if someone has been working recently or predominantly in that area." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3132 msgid "" "This may be hard to swallow in times of conflict (when each side is " "convinced that they are in the right, of course) but a version control " "system makes it unnecessary to have an ongoing dispute raging when it is far " "easier to simply reverse the disputed change, get everyone calmed down again " "and then try to figure out what is the best way to proceed. If the change " "turns out to be the best thing after all, it can be easily brought back. If " "it turns out not to be, then the users did not have to live with the bogus " "change in the tree while everyone was busily debating its merits. People " "_very_ rarely call for back-outs in the repository since discussion " "generally exposes bad or controversial changes before the commit even " "happens, but on such rare occasions the back-out should be done without " "argument so that we can get immediately on to the topic of figuring out " "whether it was bogus or not." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3133 msgid "" "Changes go to FreeBSD-CURRENT before FreeBSD-STABLE unless specifically " "permitted by the release engineer or unless they are not applicable to " "FreeBSD-CURRENT. Any non-trivial or non-urgent change which is applicable " "should also be allowed to sit in FreeBSD-CURRENT for at least 3 days before " "merging so that it can be given sufficient testing. The release engineer has " "the same authority over the FreeBSD-STABLE branch as outlined in rule #5." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3139 msgid "" "This is another \"do not argue about it\" issue since it is the release " "engineer who is ultimately responsible (and gets beaten up) if a change " "turns out to be bad. Please respect this and give the release engineer your " "full cooperation when it comes to the FreeBSD-STABLE branch. The management " "of FreeBSD-STABLE may frequently seem to be overly conservative to the " "casual observer, but also bear in mind the fact that conservatism is " "supposed to be the hallmark of FreeBSD-STABLE and different rules apply " "there than in FreeBSD-CURRENT. There is also really no point in having " "FreeBSD-CURRENT be a testing ground if changes are merged over to FreeBSD-" "STABLE immediately. Changes need a chance to be tested by the FreeBSD-" "CURRENT developers, so allow some time to elapse before merging unless the " "FreeBSD-STABLE fix is critical, time sensitive or so obvious as to make " "further testing unnecessary (spelling fixes to manual pages, obvious bug/" "typo fixes, etc.) In other words, apply common sense." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3141 msgid "" "Changes to the security branches (for example, `releng/9.3`) must be " "approved by a member of the `{security-officer}`, or in some cases, by a " "member of the `{re}`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3152 msgid "" "This project has a public image to uphold and that image is very important " "to all of us, especially if we are to continue to attract new members. " "There will be occasions when, despite everyone's very best attempts at self-" "control, tempers are lost and angry words are exchanged. The best thing " "that can be done in such cases is to minimize the effects of this until " "everyone has cooled back down. Do not air angry words in public and do not " "forward private correspondence or other private communications to public " "mailing lists, mail aliases, instant messaging channels or social media " "sites. What people say one-to-one is often much less sugar-coated than what " "they would say in public, and such communications therefore have no place " "there - they only serve to inflame an already bad situation. If the person " "sending a flame-o-gram at least had the grace to send it privately, then " "have the grace to keep it private yourself. If you feel you are being " "unfairly treated by another developer, and it is causing you anguish, bring " "the matter up with core rather than taking it public. Core will do its best " "to play peace makers and get things back to sanity. In cases where the " "dispute involves a change to the codebase and the participants do not appear " "to be reaching an amicable agreement, core may appoint a mutually-agreeable " "third party to resolve the dispute. All parties involved must then agree to " "be bound by the decision reached by this third party." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3153 msgid "" "Respect all code freezes and read the `committers` and `developers` mailing " "list on a timely basis so you know when a code freeze is in effect." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3156 msgid "" "Committing unapproved changes during a code freeze is a really big mistake " "and committers are expected to keep up-to-date on what is going on before " "jumping in after a long absence and committing 10 megabytes worth of " "accumulated stuff. People who abuse this on a regular basis will have their " "commit privileges suspended until they get back from the FreeBSD Happy " "Reeducation Camp we run in Greenland." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3161 msgid "" "Many mistakes are made because someone is in a hurry and just assumes they " "know the right way of doing something. If you have not done it before, " "chances are good that you do not actually know the way we do things and " "really need to ask first or you are going to completely embarrass yourself " "in public. There is no shame in asking \"how in the heck do I do this?\" We " "already know you are an intelligent person; otherwise, you would not be a " "committer." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3171 msgid "" "If your changes are to the kernel, make sure you can still compile both " "GENERIC and LINT. If your changes are anywhere else, make sure you can " "still make world. If your changes are to a branch, make sure your testing " "occurs with a machine which is running that code. If you have a change " "which also may break another architecture, be sure and test on all supported " "architectures. Please ensure your change works for crossref:committers-" "guide[compilers,supported toolchains]. Please refer to the https://www." "FreeBSD.org/internal/[FreeBSD Internal Page] for a list of available " "resources. As other architectures are added to the FreeBSD supported " "platforms list, the appropriate shared testing resources will be made " "available." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3174 msgid "" "Contributed software is anything under the [.filename]#src/contrib#, [." "filename]#src/crypto#, or [.filename]#src/sys/contrib# trees." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3179 msgid "" "The trees mentioned above are for contributed software usually imported onto " "a vendor branch. Committing something there may cause unnecessary headaches " "when importing newer versions of the software. As a general consider " "sending patches upstream to the vendor. Patches may be committed to FreeBSD " "first with permission of the maintainer." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3183 msgid "" "Reasons for modifying upstream software range from wanting strict control " "over a tightly coupled dependency to lack of portability in the canonical " "repository's distribution of their code. Regardless of the reason, effort " "to minimize the maintenance burden of fork is helpful to fellow " "maintainers. Avoid committing trivial or cosmetic changes to files since it " "makes every merge thereafter more difficult: such patches need to be " "manually re-verified every import." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3186 msgid "" "If a particular piece of software lacks a maintainer, you are encouraged to " "take up ownership. If you are unsure of the current maintainership email " "{freebsd-arch} and ask." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3187 #, no-wrap msgid "Policy on Multiple Architectures" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3191 msgid "" "FreeBSD has added several new architecture ports during recent release " "cycles and is truly no longer an i386(TM) centric operating system. In an " "effort to make it easier to keep FreeBSD portable across the platforms we " "support, core has developed this mandate:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3195 msgid "" "Our 32-bit reference platform is i386, and our 64-bit reference platform is " "amd64. Major design work (including major API and ABI changes) must prove " "itself on at least one 32-bit and at least one 64-bit platform, preferably " "the primary reference platforms, before it may be committed to the source " "tree." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3199 msgid "" "Developers should also be aware of our Tier Policy for the long term support " "of hardware architectures. The rules here are intended to provide guidance " "during the development process, and are distinct from the requirements for " "features and architectures listed in that section. The Tier rules for " "feature support on architectures at release-time are more strict than the " "rules for changes during the development process." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3201 #, no-wrap msgid "Policy on Multiple Compilers" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3215 msgid "" "FreeBSD builds with both Clang and GCC. The project does this in a careful " "and controlled way to maximize benefits from this extra work, while keeping " "the extra work to a minimum. Supporting both Clang and GCC improves the " "flexibility our users have. These compilers have different strengths and " "weaknesses, and supporting both allows users to pick the best one for their " "needs. Clang and GCC support similar dialects of C and C++, necessitating a " "relatively small amount of conditional code. The project gains increased " "code coverage and improves the code quality by using features from both " "compilers. The project is able to build in more user environments and " "leverage more CI environments by supporting this range, increasing " "convenience for users and giving them more tools to test with. By carefully " "constraining the range of versions supported to modern versions of these " "compilers, the project avoids unduly increasing the testing matrix. Older " "and obscure compilers, as well as older dialects of the languages, have " "extremely limited support that allow user programs to build with them, but " "without constraining the base system to being built with them. The exact " "balance continues to evolve to ensure the benefits of extra work remain " "greater than the burdens it imposes. The project used to support really old " "Intel compilers or old GCC versions, but we traded supporting those obsolete " "compilers for a carefully selected range of modern compilers. This section " "documents where we use different compilers, and the expectations around that." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3220 msgid "" "The FreeBSD project provides an in-tree Clang compiler. Due to being in the " "tree, this compiler is the most supported compiler. All changes must " "compile with it, prior to commit. Complete testing, as appropriate for the " "change, should be done with this compiler." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3228 msgid "" "At any moment in time, the FreeBSD project also supports one or more out-of-" "tree compilers. At present, this is GCC 12.x. Ideally, committers should " "test compile with this compiler, especially for large or risky changes. " "This compiler is available as the `${TARGET_ARCH}-gcc${VERSION}` package, " "such as package:devel/freebsd-gcc12@aarch64[aarch64-gcc12] or package:devel/" "freebsd-gcc12@riscv64[riscv64-gcc12]. The project runs automated CI jobs to " "build everything with these compilers. Committers are expected to fix the " "jobs they break with their changes. Committers may test build with, for " "example `CROSS_TOOLCHAIN=aarch64-gcc12` or `CROSS_TOOLCHAIN=llvm15` where " "necessary." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3232 msgid "" "The FreeBSD project also has some CI pipelines on github. For pull requests " "on github and some branches pushed to the github forks, a number of cross " "compilation jobs run. These test FreeBSD building using a version of Clang " "that sometimes lags the in-tree compiler by a major version for a time." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3238 msgid "" "The FreeBSD project is also upgrading compilers. Both Clang and GCC are " "fast moving targets. Some work to change things in the tree, for example " "removing the old-style K&R function declarations and definitions, will land " "in the tree prior to the compiler landing. Committers should try to be " "mindful about this and be receptive to looking into problems with their code " "or changes with these new compilers. Also, just after a new compiler " "version hits the tree, people may need to compile things with the old " "version if there was an undetected regression suspected." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3242 msgid "" "In addition to the compiler, LLVM's LLD and GNU's binutils are used " "indirectly by the compiler. Committers should be mindful of variations in " "assembler syntax and features of the linkers and ensure both variants work. " "These components will be tested as part of FreeBSD's CI jobs for Clang or " "GCC." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3248 msgid "" "The FreeBSD project provides headers and libraries that allow other " "compilers to be used to build software not in the base system. These " "headers have support for making the environment as strict as the standard, " "supporting prior dialects of ANSI-C back to C89, and other edge cases our " "large ports collection has uncovered. This support constrains retirement of " "older standards in places like header files, but does not constrain updating " "the base system to newer dialects. Nor does it require the base system to " "compile with these older standards as a whole. Breaking this support will " "cause packages in the ports collection to fail, so should be avoided where " "possible, and promptly fixed when it is easy to do so." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3253 msgid "" "The FreeBSD build system currently accommodates these different " "environments. As new warnings are added to compilers, the project tries to " "fix them. However, sometimes these warnings require extensive rework, so " "are suppressed in some way by using make variables that evaluate to the " "proper thing depending on the compiler version. Developers should be " "mindful of this, and ensure any compiler specific flags are properly " "conditionalized." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3254 #, no-wrap msgid "Current Compiler Versions" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3259 msgid "" "The in-tree compiler is currently Clang 15.x. Currently, GCC 12 and Clang " "12, 13, 14 and 15 are tested in the github and project's CI jenkins jobs. " "Work is underway to get the tree ready for Clang 16. The oldest project " "supported branch has Clang 12, so the bootstrap portions of the build must " "work for Clang major versions 12 to 15." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3260 #, no-wrap msgid "Other Suggestions" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3264 msgid "" "When committing documentation changes, use a spell checker before " "committing. For all XML docs, verify that the formatting directives are " "correct by running `make lint` and package:textproc/igor[]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3266 msgid "" "For manual pages, run package:sysutils/manck[] and package:textproc/igor[] " "over the manual page to verify all of the cross references and file " "references are correct and that the man page has all of the appropriate " "`MLINKS` installed." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3273 msgid "" "Do not mix style fixes with new functionality. A style fix is any change " "which does not modify the functionality of the code. Mixing the changes " "obfuscates the functionality change when asking for differences between " "revisions, which can hide any new bugs. Do not include whitespace changes " "with content changes in commits to [.filename]#doc/#. The extra clutter in " "the diffs makes the translators' job much more difficult. Instead, make any " "style or whitespace changes in separate commits that are clearly labeled as " "such in the commit message." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3274 #, no-wrap msgid "Deprecating Features" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3277 msgid "" "When it is necessary to remove functionality from software in the base " "system, follow these guidelines whenever possible:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3279 msgid "" "Mention is made in the manual page and possibly the release notes that the " "option, utility, or interface is deprecated. Use of the deprecated feature " "generates a warning." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3280 msgid "" "The option, utility, or interface is preserved until the next major (point " "zero) release." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3281 msgid "" "The option, utility, or interface is removed and no longer documented. It is " "now obsolete. It is also generally a good idea to note its removal in the " "release notes." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3282 #, no-wrap msgid "Privacy and Confidentiality" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3285 msgid "Most FreeBSD business is done in public." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3288 msgid "" "FreeBSD is an _open_ project. Which means that not only can anyone use the " "source code, but that most of the development process is open to public " "scrutiny." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3289 msgid "Certain sensitive matters must remain private or held under embargo." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3295 msgid "" "There unfortunately cannot be complete transparency. As a FreeBSD developer " "you will have a certain degree of privileged access to information. " "Consequently you are expected to respect certain requirements for " "confidentiality. Sometimes the need for confidentiality comes from external " "collaborators or has a specific time limit. Mostly though, it is a matter " "of not releasing private communications." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3296 msgid "" "The Security Officer has sole control over the release of security " "advisories." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3301 msgid "" "Where there are security problems that affect many different operating " "systems, FreeBSD frequently depends on early access to be able to prepare " "advisories for coordinated release. Unless FreeBSD developers can be " "trusted to maintain security, such early access will not be made available. " "The Security Officer is responsible for controlling pre-release access to " "information about vulnerabilities, and for timing the release of all " "advisories. He may request help under condition of confidentiality from any " "developer with relevant knowledge to prepare security fixes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3302 msgid "" "Communications with Core are kept confidential for as long as necessary." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3307 msgid "" "Communications to core will initially be treated as confidential. " "Eventually however, most of Core's business will be summarized into the " "monthly or quarterly core reports. Care will be taken to avoid publicising " "any sensitive details. Records of some particularly sensitive subjects may " "not be reported on at all and will be retained only in Core's private " "archives." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3308 msgid "" "Non-disclosure Agreements may be required for access to certain commercially " "sensitive data." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3311 msgid "" "Access to certain commercially sensitive data may only be available under a " "Non-Disclosure Agreement. The FreeBSD Foundation legal staff must be " "consulted before any binding agreements are entered into." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3312 msgid "Private communications must not be made public without permission." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3315 msgid "" "Beyond the specific requirements above there is a general expectation not to " "publish private communications between developers without the consent of all " "parties involved. Ask permission before forwarding a message onto a public " "mailing list, or posting it to a forum or website that can be accessed by " "other than the original correspondents." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3316 msgid "" "Communications on project-only or restricted access channels must be kept " "private." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3319 msgid "" "Similarly to personal communications, certain internal communications " "channels, including FreeBSD Committer only mailing lists and restricted " "access IRC channels are considered private communications. Permission is " "required to publish material from these sources." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3320 msgid "Core may approve publication." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3322 msgid "" "Where it is impractical to obtain permission due to the number of " "correspondents or where permission to publish is unreasonably withheld, Core " "may approve release of such private matters that merit more general " "publication." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3324 #, no-wrap msgid "Support for Multiple Architectures" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3331 msgid "" "FreeBSD is a highly portable operating system intended to function on many " "different types of hardware architectures. Maintaining clean separation of " "Machine Dependent (MD) and Machine Independent (MI) code, as well as " "minimizing MD code, is an important part of our strategy to remain agile " "with regards to current hardware trends. Each new hardware architecture " "supported by FreeBSD adds substantially to the cost of code maintenance, " "toolchain support, and release engineering. It also dramatically increases " "the cost of effective testing of kernel changes. As such, there is strong " "motivation to differentiate between classes of support for various " "architectures while remaining strong in a few key architectures that are " "seen as the FreeBSD \"target audience\"." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3332 #, no-wrap msgid "Statement of General Intent" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3337 msgid "" "The FreeBSD Project targets \"production quality commercial off-the-shelf " "(COTS) workstation, server, and high-end embedded systems\". By retaining a " "focus on a narrow set of architectures of interest in these environments, " "the FreeBSD Project is able to maintain high levels of quality, stability, " "and performance, as well as minimize the load on various support teams on " "the project, such as the ports team, documentation team, security officer, " "and release engineering teams. Diversity in hardware support broadens the " "options for FreeBSD consumers by offering new features and usage " "opportunities, but these benefits must always be carefully considered in " "terms of the real-world maintenance cost associated with additional platform " "support." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3344 msgid "" "The FreeBSD Project differentiates platform targets into four tiers. Each " "tier includes a list of guarantees consumers may rely on as well as " "obligations by the Project and developers to fulfill those guarantees. " "These lists define the minimum guarantees for each tier. The Project and " "developers may provide additional levels of support beyond the minimum " "guarantees for a given tier, but such additional support is not guaranteed. " "Each platform target is assigned to a specific tier for each stable branch. " "As a result, a platform target might be assigned to different tiers on " "concurrent stable branches." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3345 #, no-wrap msgid "Platform Targets" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3352 msgid "" "Support for a hardware platform consists of two components: kernel support " "and userland Application Binary Interfaces (ABIs). Kernel platform support " "includes things needed to run a FreeBSD kernel on a hardware platform such " "as machine-dependent virtual memory management and device drivers. A " "userland ABI specifies an interface for user processes to interact with a " "FreeBSD kernel and base system libraries. A userland ABI includes system " "call interfaces, the layout and semantics of public data structures, and the " "layout and semantics of arguments passed to subroutines. Some components of " "an ABI may be defined by specifications such as the layout of C++ exception " "objects or calling conventions for C functions." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3354 msgid "" "A FreeBSD kernel also uses an ABI (sometimes referred to as the Kernel " "Binary Interface (KBI)) which includes the semantics and layouts of public " "data structures and the layout and semantics of arguments to public " "functions within the kernel itself." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3359 msgid "" "A FreeBSD kernel may support multiple userland ABIs. For example, FreeBSD's " "amd64 kernel supports FreeBSD amd64 and i386 userland ABIs as well as Linux " "x86_64 and i386 userland ABIs. A FreeBSD kernel should support a \"native\" " "ABI as the default ABI. The native \"ABI\" generally shares certain " "properties with the kernel ABI such as the C calling convention, sizes of " "basic types, etc." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3361 msgid "" "Tiers are defined for both kernels and userland ABIs. In the common case, a " "platform's kernel and FreeBSD ABIs are assigned to the same tier." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3362 #, no-wrap msgid "Tier 1: Fully-Supported Architectures" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3367 msgid "" "Tier 1 platforms are the most mature FreeBSD platforms. They are supported " "by the security officer, release engineering, and Ports Management Team. " "Tier 1 architectures are expected to be Production Quality with respect to " "all aspects of the FreeBSD operating system, including installation and " "development environments." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3369 msgid "" "The FreeBSD Project provides the following guarantees to consumers of Tier 1 " "platforms:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3371 msgid "" "Official FreeBSD release images will be provided by the release engineering " "team." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3372 msgid "" "Binary updates and source patches for Security Advisories and Errata Notices " "will be provided for supported releases." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3373 msgid "" "Source patches for Security Advisories will be provided for supported " "branches." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3374 msgid "" "Binary updates and source patches for cross-platform Security Advisories " "will typically be provided at the time of the announcement." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3375 msgid "" "Changes to userland ABIs will generally include compatibility shims to " "ensure correct operation of binaries compiled against any stable branch " "where the platform is Tier 1. These shims might not be enabled in the " "default install. If compatibility shims are not provided for an ABI change, " "the lack of shims will be clearly documented in the release notes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3376 msgid "" "Changes to certain portions of the kernel ABI will include compatibility " "shims to ensure correct operation of kernel modules compiled against the " "oldest supported release on the branch. Note that not all parts of the " "kernel ABI are protected." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3377 msgid "" "Official binary packages for third party software will be provided by the " "ports team. For embedded architectures, these packages may be cross-built " "from a different architecture." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3378 msgid "" "Most relevant ports should either build or have the appropriate filters to " "prevent inappropriate ones from building." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3379 msgid "" "New features which are not inherently platform-specific will be fully " "functional on all Tier 1 architectures." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3380 msgid "" "Features and compatibility shims used by binaries compiled against older " "stable branches may be removed in newer major versions. Such removals will " "be clearly documented in the release notes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3381 msgid "" "Tier 1 platforms should be fully documented. Basic operations will be " "documented in the FreeBSD Handbook." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3382 msgid "Tier 1 platforms will be included in the source tree." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3383 msgid "" "Tier 1 platforms should be self-hosting either via the in-tree toolchain or " "an external toolchain. If an external toolchain is required, official binary " "packages for an external toolchain will be provided." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3385 msgid "" "To maintain maturity of Tier 1 platforms, the FreeBSD Project will maintain " "the following resources to support development:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3387 msgid "" "Build and test automation support either in the FreeBSD.org cluster or some " "other location easily available for all developers. Embedded platforms may " "substitute an emulator available in the FreeBSD.org cluster for actual " "hardware." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3388 #: documentation/content/en/articles/committers-guide/_index.adoc:3418 msgid "Inclusion in the `make universe` and `make tinderbox` targets." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3389 msgid "" "Dedicated hardware in one of the FreeBSD clusters for package building " "(either natively or via qemu-user)." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3391 msgid "" "Collectively, developers are required to provide the following to maintain " "the Tier 1 status of a platform:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3393 msgid "" "Changes to the source tree should not knowingly break the build of a Tier 1 " "platform." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3394 msgid "" "Tier 1 architectures must have a mature, healthy ecosystem of users and " "active developers." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3395 msgid "" "Developers should be able to build packages on commonly available, non-" "embedded Tier 1 systems. This can mean either native builds if non-embedded " "systems are commonly available for the platform in question, or it can mean " "cross-builds hosted on some other Tier 1 architecture." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3396 msgid "" "Changes cannot break the userland ABI. If an ABI change is required, ABI " "compatibility for existing binaries should be provided via use of symbol " "versioning or shared library version bumps." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3397 msgid "" "Changes merged to stable branches cannot break the protected portions of the " "kernel ABI. If a kernel ABI change is required, the change should be " "modified to preserve functionality of existing kernel modules." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3398 #, no-wrap msgid "Tier 2: Developmental and Niche Architectures" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3402 msgid "" "Tier 2 platforms are functional, but less mature FreeBSD platforms. They " "are not supported by the security officer, release engineering, and Ports " "Management Team." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3406 msgid "" "Tier 2 platforms may be Tier 1 platform candidates that are still under " "active development. Architectures reaching end of life may also be moved " "from Tier 1 status to Tier 2 status as the availability of resources to " "continue to maintain the system in a Production Quality state diminishes. " "Well-supported niche architectures may also be Tier 2." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3408 msgid "" "The FreeBSD Project provides the following guarantees to consumers of Tier 2 " "platforms:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3410 msgid "" "The ports infrastructure should include basic support for Tier 2 " "architectures sufficient to support building ports and packages. This " "includes support for basic packages such as ports-mgmt/pkg, but there is no " "guarantee that arbitrary ports will be buildable or functional." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3411 msgid "" "New features which are not inherently platform-specific should be feasible " "on all Tier 2 architectures if not implemented." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3412 msgid "Tier 2 platforms will be included in the source tree." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3413 msgid "" "Tier 2 platforms should be self-hosting either via the in-tree toolchain or " "an external toolchain. If an external toolchain is required, official binary " "packages for an external toolchain will be provided." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3414 msgid "" "Tier 2 platforms should provide functional kernels and userlands even if an " "official release distribution is not provided." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3416 msgid "" "To maintain maturity of Tier 2 platforms, the FreeBSD Project will maintain " "the following resources to support development:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3420 msgid "" "Collectively, developers are required to provide the following to maintain " "the Tier 2 status of a platform:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3422 msgid "" "Changes to the source tree should not knowingly break the build of a Tier 2 " "platform." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3423 msgid "" "Tier 2 architectures must have an active ecosystem of users and developers." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3424 msgid "" "While changes are permitted to break the userland ABI, the ABI should not be " "broken gratuitously. Significant userland ABI changes should be restricted " "to major versions." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3425 msgid "" "New features that are not yet implemented on Tier 2 architectures should " "provide a means of disabling them on those architectures." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3426 #, no-wrap msgid "Tier 3: Experimental Architectures" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3430 msgid "" "Tier 3 platforms have at least partial FreeBSD support. They are _not_ " "supported by the security officer, release engineering, and Ports Management " "Team." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3433 msgid "" "Tier 3 platforms are architectures in the early stages of development, for " "non-mainstream hardware platforms, or which are considered legacy systems " "unlikely to see broad future use. Initial support for Tier 3 platforms may " "exist in a separate repository rather than the main source repository." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3436 msgid "" "The FreeBSD Project provides no guarantees to consumers of Tier 3 platforms " "and is not committed to maintaining resources to support development. Tier " "3 platforms may not always be buildable, nor are any kernel or userland ABIs " "considered stable." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3437 #, no-wrap msgid "Unsupported Architectures" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3441 msgid "" "Other platforms are not supported in any form by the project. The project " "previously described these as Tier 4 systems." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3444 msgid "" "After a platform transitions to unsupported, all support for the platform is " "removed from the source, ports and documentation trees. Note that ports " "support should remain as long as the platform is supported in a branch " "supported by ports." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3445 #, no-wrap msgid "Policy on Changing the Tier of an Architecture" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3449 msgid "" "Systems may only be moved from one tier to another by approval of the " "FreeBSD Core Team, which shall make that decision in collaboration with the " "Security Officer, Release Engineering, and ports management teams. For a " "platform to be promoted to a higher tier, any missing support guarantees " "must be satisfied before the promotion is completed." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3451 #, no-wrap msgid "Ports Specific FAQ" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3454 #, no-wrap msgid "Adding a New Port" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3457 #, no-wrap msgid "How do I add a new port?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3462 msgid "" "Adding a port to the tree is relatively simple. Once the port is ready to be " "added, as explained later crossref:committers-guide[ports-qa-add-new-extra," "here], you need to add the port's directory entry in the category's [." "filename]#Makefile#. In this [.filename]#Makefile#, ports are listed in " "alphabetical order and added to the `SUBDIR` variable, like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3466 #, no-wrap msgid "\tSUBDIR += newport\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3469 msgid "" "Once the port and its category's Makefile are ready, the new port can be " "committed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3474 #, no-wrap msgid "" "% git add category/Makefile category/newport\n" "% git commit\n" "% git push\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3478 msgid "" "Don't forget to crossref:committers-guide[port-commit-message-formats,setup " "git hooks for the ports tree as explained here]; a specific hook has been " "developed to verify the category's [.filename]#Makefile#." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3481 #, no-wrap msgid "Any other things I need to know when I add a new port?" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3484 msgid "" "Check the port, preferably to make sure it compiles and packages correctly." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3487 msgid "" "The extref:{porters-handbook}testing[Porters Handbook's Testing Chapter] " "contains more detailed instructions. See the extref:{porters-handbook}" "testing[Portclippy / Portfmt, testing-portclippy] and the extref:{porters-" "handbook}testing[poudriere, testing-poudriere] sections." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3489 msgid "" "You do not necessarily have to eliminate all warnings but make sure you have " "fixed the simple ones." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3491 msgid "" "If the port came from a submitter who has not contributed to the Project " "before, add that person's name to the extref:{contributors}[Additional " "Contributors, contrib-additional] section of the FreeBSD Contributors List." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3494 msgid "" "Close the PR if the port came in as a PR. To close a PR, change the state " "to `Issue Resolved` and the resolution as `Fixed`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3498 msgid "" "If for some reason using extref:{porters-handbook}testing[poudriere, testing-" "poudriere] to test the new port is not possible, the bare minimum of testing " "includes this sequence:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3508 #, no-wrap msgid "" "# make install\n" "# make package\n" "# make deinstall\n" "# pkg add package you built above\n" "# make deinstall\n" "# make reinstall\n" "# make package\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3511 msgid "" "Note that poudriere is the reference for package building, it the port does " "not build in poudriere, it will be removed." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3514 #, no-wrap msgid "Removing an Existing Port" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3517 #, no-wrap msgid "How do I remove an existing port?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3520 msgid "" "First, please read the section about repository copies. Before you remove " "the port, you have to verify there are no other ports depending on it." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3522 msgid "Make sure there is no dependency on the port in the ports collection:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3523 msgid "The port's PKGNAME appears in exactly one line in a recent INDEX file." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3524 msgid "" "No other ports contains any reference to the port's directory or PKGNAME in " "their Makefiles" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3528 msgid "" "When using Git, consider using man:git-grep[1], it is much faster than `grep " "-r`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3531 msgid "Then, remove the port:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3535 msgid "Remove the port's files and directory with `git rm`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3536 msgid "" "Remove the `SUBDIR` listing of the port in the parent directory [." "filename]#Makefile#." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3537 #: documentation/content/en/articles/committers-guide/_index.adoc:3552 msgid "Add an entry to [.filename]#ports/MOVED#." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3538 msgid "Remove the port from [.filename]#ports/LEGAL# if it is there." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3543 msgid "" "Alternatively, you can use the rmport script, from [.filename]#ports/Tools/" "scripts#. This script was written by {vd}. When sending questions about " "this script to the {freebsd-ports}, please also CC {crees}, the current " "maintainer." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3545 #, no-wrap msgid "How do I move a port to a new location?" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3550 msgid "" "Perform a thorough check of the ports collection for any dependencies on the " "old port location/name, and update them. Running `grep` on [." "filename]#INDEX# is not enough because some ports have dependencies enabled " "by compile-time options. A full man:git-grep[1] of the ports collection is " "recommended." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3551 msgid "" "Remove the `SUBDIR` entry from the old category Makefile and add a `SUBDIR` " "entry to the new category Makefile." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3553 msgid "" "Search for entries in xml files inside [.filename]#ports/security/vuxml# and " "adjust them accordingly. In particular, check for previous packages with the " "new name which version could include the new port." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3554 msgid "Move the port with `git mv`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3555 #: documentation/content/en/articles/committers-guide/_index.adoc:3566 msgid "Commit the changes." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3558 #, no-wrap msgid "How do I copy a port to a new location?" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3563 msgid "Copy port with `cp -R old-cat/old-port new-cat/new-port`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3564 msgid "Add the new port to the [.filename]#new-cat/Makefile#." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3565 msgid "Change stuff in [.filename]#new-cat/new-port#." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3569 #, no-wrap msgid "Ports Freeze" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3572 #, no-wrap msgid "What is a “ports freeze”?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3579 msgid "" "A “ports freeze” was a restricted state the ports tree was put in before a " "release. It was used to ensure a higher quality for the packages shipped " "with a release. It usually lasted a couple of weeks. During that time, " "build problems were fixed, and the release packages were built. This " "practice is no longer used, as the packages for the releases are built from " "the current stable, quarterly branch." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3582 msgid "" "For more information on how to merge commits to the quarterly branch, see " "crossref:committers-guide[ports-qa-misc-request-mfh]." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3584 #, no-wrap msgid "Quarterly Branches" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3587 #, no-wrap msgid "What is the procedure to request authorization for merging a commit to the quarterly branch?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3590 msgid "" "As of November 30, 2020, there is no need to seek explicit approval to " "commit to the quarterly branch." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3592 #, no-wrap msgid "What is the procedure for merging commits to the quarterly branch?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3595 msgid "" "Merging commits to the quarterly branch (a process we call MFH for a " "historical reason) is very similar to MFC'ing a commit in the src " "repository, so basically:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3601 #, no-wrap msgid "" "% git checkout 2021Q2\n" "% git cherry-pick -x $HASH\n" "(verify everything is OK, for example by doing a build test)\n" "% git push\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3605 msgid "" "where `$HASH` is the hash of the commit you want to copy over to the " "quarterly branch. The `-x` parameter ensures the hash `$HASH` of the `main` " "branch is included in the new commit message of the quarterly branch." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3607 #, no-wrap msgid "Creating a New Category" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3610 #, no-wrap msgid "What is the procedure for creating a new category?" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3615 msgid "" "Please see extref:{porters-handbook}[Proposing a New Category, proposing-" "categories] in the Porter's Handbook. Once that procedure has been followed " "and the PR has been assigned to the {portmgr}, it is their decision whether " "or not to approve it. If they do, it is their responsibility to:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3619 msgid "Perform any needed moves. (This only applies to physical categories.)" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3620 msgid "" "Update the `VALID_CATEGORIES` definition in [.filename]#ports/Mk/bsd.port." "mk#." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3621 msgid "Assign the PR back to you." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3624 #, no-wrap msgid "What do I need to do to implement a new physical category?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3629 msgid "" "Upgrade each moved port's [.filename]#Makefile#. Do not connect the new " "category to the build yet." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3631 msgid "To do this, you will need to:" msgstr "" #. type: delimited block = 6 #: documentation/content/en/articles/committers-guide/_index.adoc:3635 msgid "" "Change the port's `CATEGORIES` (this was the point of the exercise, " "remember?) The new category is listed first. This will help to ensure that " "the PKGORIGIN is correct." msgstr "" #. type: delimited block = 6 #: documentation/content/en/articles/committers-guide/_index.adoc:3636 msgid "" "Run a `make describe`. Since the top-level `make index` that you will be " "running in a few steps is an iteration of `make describe` over the entire " "ports hierarchy, catching any errors here will save you having to re-run " "that step later on." msgstr "" #. type: delimited block = 6 #: documentation/content/en/articles/committers-guide/_index.adoc:3637 msgid "" "If you want to be really thorough, now might be a good time to run man:" "portlint[1]." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3640 msgid "" "Check that the ``PKGORIGIN``s are correct. The ports system uses each port's " "`CATEGORIES` entry to create its `PKGORIGIN`, which is used to connect " "installed packages to the port directory they were built from. If this entry " "is wrong, common port tools like man:pkg-version[8] and man:portupgrade[1] " "fail." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3642 msgid "" "To do this, use the [.filename]#chkorigin.sh# tool: `env PORTSDIR=/path/to/" "ports sh -e /path/to/ports/Tools/scripts/chkorigin.sh`. This will check " "every port in the ports tree, even those not connected to the build, so you " "can run it directly after the move operation. Hint: do not forget to look at " "the ``PKGORIGIN``s of any slave ports of the ports you just moved!" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3643 msgid "" "On your own local system, test the proposed changes: first, comment out the " "SUBDIR entries in the old ports' categories' [.filename]##Makefile##s; then " "enable building the new category in [.filename]#ports/Makefile#. Run make " "checksubdirs in the affected category directories to check the SUBDIR " "entries. Next, in the [.filename]#ports/# directory, run make index. This " "can take over 40 minutes on even modern systems; however, it is a necessary " "step to prevent problems for other people." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3644 msgid "" "Once this is done, you can commit the updated [.filename]#ports/Makefile# to " "connect the new category to the build and also commit the [." "filename]#Makefile# changes for the old category or categories." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3645 msgid "Add appropriate entries to [.filename]#ports/MOVED#." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3646 msgid "Update the documentation by modifying:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3647 #: documentation/content/en/articles/committers-guide/_index.adoc:3656 msgid "" "the extref:{porters-handbook}[list of categories, PORTING-CATEGORIES] in the " "Porter's Handbook" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3649 msgid "" "Only once all the above have been done, and no one is any longer reporting " "problems with the new ports, should the old ports be deleted from their " "previous locations in the repository." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3651 #, no-wrap msgid "What do I need to do to implement a new virtual category?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3654 msgid "" "This is much simpler than a physical category. Only a few modifications are " "needed:" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3658 #: documentation/content/en/articles/committers-guide/_index.adoc:3752 #, no-wrap msgid "Miscellaneous Questions" msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3661 #, no-wrap msgid "Are there changes that can be committed without asking the maintainer for approval?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3664 msgid "Blanket approval for most ports applies to these types of fixes:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3666 msgid "" "Most infrastructure changes to a port (that is, modernizing, but not " "changing the functionality). For example, the blanket covers converting to " "new `USES` macros, enabling verbose builds, and switching to new ports " "system syntaxes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3667 msgid "Trivial and _tested_ build and runtime fixes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3668 msgid "" "Documentations or metadata changes to ports, like [.filename]#pkg-descr# or " "`COMMENT`." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3673 msgid "" "Exceptions to this are anything maintained by the {portmgr}, or the " "{security-officer}. No unauthorized commits may ever be made to ports " "maintained by those groups." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3676 #, no-wrap msgid "How do I know if my port is building correctly or not?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3680 msgid "" "The packages are built multiple times each week. If a port fails, the " "maintainer will receive an email from `pkg-fallout@FreeBSD.org`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3682 msgid "" "Reports for all the package builds (official, experimental, and non-" "regression) are aggregated at link:pkg-status.FreeBSD.org[pkg-status.FreeBSD." "org]." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3684 #, no-wrap msgid "I added a new port. Do I need to add it to the [.filename]#INDEX#?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3687 msgid "" "No. The file can either be generated by running `make index`, or a pre-" "generated version can be downloaded with `make fetchindex`." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3689 #, no-wrap msgid "Are there any other files I am not allowed to touch?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3693 msgid "" "Any file directly under [.filename]#ports/#, or any file under a " "subdirectory that starts with an uppercase letter ([.filename]#Mk/#, [." "filename]#Tools/#, etc.). In particular, the {portmgr} is very protective " "of [.filename]#ports/Mk/bsd.port*.mk# so do not commit changes to those " "files unless you want to face their wrath." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3695 #, no-wrap msgid "What is the proper procedure for updating the checksum for a port distfile when the file changes without a version change?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3699 msgid "" "When the checksum for a distribution file is updated due to the author " "updating the file without changing the port revision, the commit message " "includes a summary of the relevant diffs between the original and new " "distfile to ensure that the distfile has not been corrupted or maliciously " "altered. If the current version of the port has been in the ports tree for " "a while, a copy of the old distfile will usually be available on the ftp " "servers; otherwise the author or maintainer should be contacted to find out " "why the distfile has changed." msgstr "" #. type: Title ==== #: documentation/content/en/articles/committers-guide/_index.adoc:3701 #, no-wrap msgid "How can an experimental test build of the ports tree (exp-run) be requested?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3705 msgid "" "An exp-run must be completed before patches with a significant ports impact " "are committed. The patch can be against the ports tree or the base system." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3707 msgid "" "Full package builds will be done with the patches provided by the submitter, " "and the submitter is required to fix detected problems _(fallout)_ before " "commit." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3711 msgid "Go to the link:https://bugs.freebsd.org/submit[Bugzilla new PR page]." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3712 msgid "Select the product your patch is about." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3713 msgid "Fill in the bug report as normal. Remember to attach the patch." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3714 msgid "" "If at the top it says “Show Advanced Fields” click on it. It will now say " "“Hide Advanced Fields”. Many new fields will be available. If it already " "says “Hide Advanced Fields”, no need to do anything." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3715 msgid "" "In the “Flags” section, set the “exp-run” one to `?`. As for all other " "fields, hovering the mouse over any field shows more details." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3716 msgid "Submit. Wait for the build to run." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3717 msgid "{portmgr} will reply with a possible fallout." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3718 msgid "Depending on the fallout:" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3719 msgid "" "If there is no fallout, the procedure stops here, and the change can be " "committed, pending any other approval required." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3720 msgid "" "If there is fallout, it _must_ be fixed, either by fixing the ports directly " "in the ports tree, or adding to the submitted patch." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3721 msgid "" "When this is done, go back to step 6 saying the fallout was fixed and wait " "for the exp-run to be run again. Repeat as long as there are broken ports." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3724 #, no-wrap msgid "Issues Specific to Developers Who Are Not Committers" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3729 msgid "" "A few people who have access to the FreeBSD machines do not have commit " "bits. Almost all of this document will apply to these developers as well " "(except things specific to commits and the mailing list memberships that go " "with them). In particular, we recommend that you read:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3731 msgid "crossref:committers-guide[admin]" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3732 msgid "crossref:committers-guide[conventions-everyone]" msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3736 msgid "" "Get your mentor to add you to the \"Additional Contributors\" ([." "filename]#doc/shared/contrib-additional.adoc#), if you are not already " "listed there." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3738 msgid "crossref:committers-guide[developer.relations]" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3739 msgid "crossref:committers-guide[ssh.guide]" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3740 msgid "crossref:committers-guide[rules]" msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3742 #, no-wrap msgid "Information About Google Analytics" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3745 msgid "" "As of December 12, 2012, Google Analytics was enabled on the FreeBSD Project " "website to collect anonymized usage statistics regarding usage of the site." msgstr "" #. type: Plain text #: documentation/content/en/articles/committers-guide/_index.adoc:3749 msgid "" "As of March 3, 2022, Google Analytics was removed from the FreeBSD Project." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3754 #, no-wrap msgid "How do I access people.FreeBSD.org to put up personal or project information?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3758 msgid "" "`people.FreeBSD.org` is the same as `freefall.FreeBSD.org`. Just create a [." "filename]#public_html# directory. Anything you place in that directory will " "automatically be visible under https://people.FreeBSD.org/[https://people." "FreeBSD.org/]." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3759 #, no-wrap msgid "Where are the mailing list archives stored?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3762 msgid "" "The mailing lists are archived under [.filename]#/local/mail# on `freefall." "FreeBSD.org`." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3763 #, no-wrap msgid "I would like to mentor a new committer. What process do I need to follow?" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3766 msgid "" "See the https://www.freebsd.org/internal/new-account/[New Account Creation " "Procedure] document on the internal pages." msgstr "" #. type: Title == #: documentation/content/en/articles/committers-guide/_index.adoc:3768 #, no-wrap msgid "Benefits and Perks for FreeBSD Committers" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3771 #, no-wrap msgid "Recognition" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3775 msgid "" "Recognition as a competent software engineer is the longest lasting value. " "In addition, getting a chance to work with some of the best people that " "every engineer would dream of meeting is a great perk!" msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3777 #, no-wrap msgid "FreeBSD Mall" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3780 msgid "" "FreeBSD committers can get a free 4-CD or DVD set at conferences from http://" "www.freebsdmall.com[FreeBSD Mall, Inc.]." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3782 #, no-wrap msgid "`Gandi.net`" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3785 msgid "" "https://gandi.net[Gandi] provides website hosting, cloud computing, domain " "registration, and X.509 certificate services." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3789 msgid "" "Gandi offers an E-rate discount to all FreeBSD developers. To streamline " "the process of getting the discount first set up a Gandi account, fill in " "the billing information and select the currency. Then send an mail to " "mailto:non-profit@gandi.net[non-profit@gandi.net] using your `@freebsd.org` " "mail address, and indicate your Gandi handle." msgstr "" #. type: Title === #: documentation/content/en/articles/committers-guide/_index.adoc:3791 #, no-wrap msgid "`rsync.net`" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3794 msgid "" "https://rsync.net[rsync.net] provides cloud storage for offsite backup that " "is optimized for UNIX users. Their service runs entirely on FreeBSD and ZFS." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/committers-guide/_index.adoc:3795 msgid "" "rsync.net offers a free-forever 500 GB account to FreeBSD developers. Simply " "sign up at https://www.rsync.net/freebsd.html[https://www.rsync.net/freebsd." "html] using your `@freebsd.org` address to receive this free account." msgstr "" diff --git a/documentation/content/en/books/handbook/disks/_index.adoc b/documentation/content/en/books/handbook/disks/_index.adoc index 2d1f162193..bc03eedbfb 100644 --- a/documentation/content/en/books/handbook/disks/_index.adoc +++ b/documentation/content/en/books/handbook/disks/_index.adoc @@ -1,2572 +1,2572 @@ --- title: Chapter 20. Storage part: Part III. System Administration prev: books/handbook/audit next: books/handbook/geom description: This chapter covers the use of disks and storage media in FreeBSD. This includes SCSI and IDE disks, CD and DVD media, memory-backed disks, and USB storage devices. tags: ["storage", "disks", "gpart", "mount", "quotas", "encrypt", "GPT", "cdrecord", "NTFS", "quotas", "swap", "HAST", "CD", "DVD", "resizing", "growing"] showBookMenu: true weight: 24 path: "/books/handbook/disks/" --- [[disks]] = Storage :doctype: book :toc: macro :toclevels: 1 :icons: font :sectnums: :sectnumlevels: 6 :sectnumoffset: 20 :partnums: :source-highlighter: rouge :experimental: :images-path: books/handbook/disks/ ifdef::env-beastie[] ifdef::backend-html5[] :imagesdir: ../../../../images/{images-path} endif::[] ifndef::book[] include::shared/authors.adoc[] include::shared/mirrors.adoc[] include::shared/releases.adoc[] include::shared/attributes/attributes-{{% lang %}}.adoc[] include::shared/{{% lang %}}/teams.adoc[] include::shared/{{% lang %}}/mailing-lists.adoc[] include::shared/{{% lang %}}/urls.adoc[] toc::[] endif::[] ifdef::backend-pdf,backend-epub3[] include::../../../../../shared/asciidoctor.adoc[] endif::[] endif::[] ifndef::env-beastie[] toc::[] include::../../../../../shared/asciidoctor.adoc[] endif::[] [[disks-synopsis]] == Synopsis This chapter covers the use of disks and storage media in FreeBSD. This includes SCSI and IDE disks, CD and DVD media, memory-backed disks, and USB storage devices. After reading this chapter, you will know: * How to add additional hard disks to a FreeBSD system. * How to grow the size of a disk's partition on FreeBSD. * How to configure FreeBSD to use USB storage devices. * How to use CD and DVD media on a FreeBSD system. * How to use the backup programs available under FreeBSD. * How to set up memory disks. * What file system snapshots are and how to use them efficiently. * How to use quotas to limit disk space usage. * How to encrypt disks and swap to secure them against attackers. * How to configure a highly available storage network. Before reading this chapter, you should: * Know how to crossref:kernelconfig[kernelconfig,configure and install a new FreeBSD kernel]. [[disks-adding]] == Adding Disks This section describes how to add a new SATA disk to a machine that currently only has a single drive. First, turn off the computer and install the drive in the computer following the instructions of the computer, controller, and drive manufacturers. Reboot the system and become `root`. Inspect [.filename]#/var/run/dmesg.boot# to ensure the new disk was found. In this example, the newly added SATA drive will appear as [.filename]#ada1#. For this example, a single large partition will be created on the new disk. -The http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme will be used in preference to the older and less versatile MBR scheme. +The https://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme will be used in preference to the older and less versatile MBR scheme. [NOTE] ==== If the disk to be added is not blank, old partition information can be removed with `gpart delete`. See man:gpart[8] for details. ==== The partition scheme is created, and then a single partition is added. To improve performance on newer disks with larger hardware block sizes, the partition is aligned to one megabyte boundaries: [source,shell] .... # gpart create -s GPT ada1 # gpart add -t freebsd-ufs -a 1M ada1 .... Depending on use, several smaller partitions may be desired. See man:gpart[8] for options to create partitions smaller than a whole disk. The disk partition information can be viewed with `gpart show`: [source,shell] .... % gpart show ada1 => 34 1465146988 ada1 GPT (699G) 34 2014 - free - (1.0M) 2048 1465143296 1 freebsd-ufs (699G) 1465145344 1678 - free - (839K) .... A file system is created in the new partition on the new disk: [source,shell] .... # newfs -U /dev/ada1p1 .... An empty directory is created as a _mountpoint_, a location for mounting the new disk in the original disk's file system: [source,shell] .... # mkdir /newdisk .... Finally, an entry is added to [.filename]#/etc/fstab# so the new disk will be mounted automatically at startup: [.programlisting] .... /dev/ada1p1 /newdisk ufs rw 2 2 .... The new disk can be mounted manually, without restarting the system: [source,shell] .... # mount /newdisk .... [[disks-growing]] == Resizing and Growing Disks A disk's capacity can increase without any changes to the data already present. This happens commonly with virtual machines, when the virtual disk turns out to be too small and is enlarged. Sometimes a disk image is written to a USB memory stick, but does not use the full capacity. Here we describe how to resize or _grow_ disk contents to take advantage of increased capacity. Determine the device name of the disk to be resized by inspecting [.filename]#/var/run/dmesg.boot#. In this example, there is only one SATA disk in the system, so the drive will appear as [.filename]#ada0#. List the partitions on the disk to see the current configuration: [source,shell] .... # gpart show ada0 => 34 83886013 ada0 GPT (48G) [CORRUPT] 34 128 1 freebsd-boot (64k) 162 79691648 2 freebsd-ufs (38G) 79691810 4194236 3 freebsd-swap (2G) 83886046 1 - free - (512B) .... [NOTE] ==== -If the disk was formatted with the http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme, it may show as "corrupted" because the GPT backup partition table is no longer at the end of the drive. +If the disk was formatted with the https://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme, it may show as "corrupted" because the GPT backup partition table is no longer at the end of the drive. Fix the backup partition table with `gpart`: [source,shell] .... # gpart recover ada0 ada0 recovered .... ==== Now the additional space on the disk is available for use by a new partition, or an existing partition can be expanded: [source,shell] .... # gpart show ada0 => 34 102399933 ada0 GPT (48G) 34 128 1 freebsd-boot (64k) 162 79691648 2 freebsd-ufs (38G) 79691810 4194236 3 freebsd-swap (2G) 83886046 18513921 - free - (8.8G) .... Partitions can only be resized into contiguous free space. Here, the last partition on the disk is the swap partition, but the second partition is the one that needs to be resized. Swap partitions only contain temporary data, so it can safely be unmounted, deleted, and then recreate the third partition after resizing the second partition. Disable the swap partition: [source,shell] .... # swapoff /dev/ada0p3 .... Delete the third partition, specified by the `-i` flag, from the disk _ada0_. [source,shell] .... # gpart delete -i 3 ada0 ada0p3 deleted # gpart show ada0 => 34 102399933 ada0 GPT (48G) 34 128 1 freebsd-boot (64k) 162 79691648 2 freebsd-ufs (38G) 79691810 22708157 - free - (10G) .... [WARNING] ==== There is risk of data loss when modifying the partition table of a mounted file system. It is best to perform the following steps on an unmounted file system while running from a live CD-ROM or USB device. However, if absolutely necessary, a mounted file system can be resized after disabling GEOM safety features: [source,shell] .... # sysctl kern.geom.debugflags=16 .... ==== Resize the partition, leaving room to recreate a swap partition of the desired size. The partition to resize is specified with `-i`, and the new desired size with `-s`. Optionally, alignment of the partition is controlled with `-a`. This only modifies the size of the partition. The file system in the partition will be expanded in a separate step. [source,shell] .... # gpart resize -i 2 -s 47G -a 4k ada0 ada0p2 resized # gpart show ada0 => 34 102399933 ada0 GPT (48G) 34 128 1 freebsd-boot (64k) 162 98566144 2 freebsd-ufs (47G) 98566306 3833661 - free - (1.8G) .... Recreate the swap partition and activate it. If no size is specified with `-s`, all remaining space is used: [source,shell] .... # gpart add -t freebsd-swap -a 4k ada0 ada0p3 added # gpart show ada0 => 34 102399933 ada0 GPT (48G) 34 128 1 freebsd-boot (64k) 162 98566144 2 freebsd-ufs (47G) 98566306 3833661 3 freebsd-swap (1.8G) # swapon /dev/ada0p3 .... Grow the UFS file system to use the new capacity of the resized partition: [source,shell] .... # growfs /dev/ada0p2 Device is mounted read-write; resizing will result in temporary write suspension for /. It's strongly recommended to make a backup before growing the file system. OK to grow file system on /dev/ada0p2, mounted on /, from 38GB to 47GB? [Yes/No] Yes super-block backups (for fsck -b #) at: 80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752, 89756992, 91039232, 92321472, 93603712, 94885952, 96168192, 97450432 .... If the file system is ZFS, the resize is triggered by running the `online` subcommand with `-e`: [source,shell] .... # zpool online -e zroot /dev/ada0p2 .... Both the partition and the file system on it have now been resized to use the newly-available disk space. [[usb-disks]] == USB Storage Devices Many external storage solutions, such as hard drives, USB thumbdrives, and CD and DVD burners, use the Universal Serial Bus (USB). FreeBSD provides support for USB 1.x, 2.0, and 3.0 devices. [NOTE] ==== USB 3.0 support is not compatible with some hardware, including Haswell (Lynx point) chipsets. If FreeBSD boots with a `failed with error 19` message, disable xHCI/USB3 in the system BIOS. ==== Support for USB storage devices is built into the [.filename]#GENERIC# kernel. For a custom kernel, be sure that the following lines are present in the kernel configuration file: [.programlisting] .... device scbus # SCSI bus (required for ATA/SCSI) device da # Direct Access (disks) device pass # Passthrough device (direct ATA/SCSI access) device uhci # provides USB 1.x support device ohci # provides USB 1.x support device ehci # provides USB 2.0 support device xhci # provides USB 3.0 support device usb # USB Bus (required) device umass # Disks/Mass storage - Requires scbus and da device cd # needed for CD and DVD burners .... FreeBSD uses the man:umass[4] driver which uses the SCSI subsystem to access USB storage devices. Since any USB device will be seen as a SCSI device by the system, if the USB device is a CD or DVD burner, do _not_ include `device atapicam` in a custom kernel configuration file. The rest of this section demonstrates how to verify that a USB storage device is recognized by FreeBSD and how to configure the device so that it can be used. === Device Configuration To test the USB configuration, plug in the USB device. Use `dmesg` to confirm that the drive appears in the system message buffer. It should look something like this: [source,shell] .... umass0: on usbus0 umass0: SCSI over Bulk-Only; quirks = 0x0100 umass0:4:0:-1: Attached to scbus4 da0 at umass-sim0 bus 0 scbus4 target 0 lun 0 da0: Fixed Direct Access SCSI-4 device da0: Serial Number WD-WXE508CAN263 da0: 40.000MB/s transfers da0: 152627MB (312581808 512 byte sectors: 255H 63S/T 19457C) da0: quirks=0x2 .... The brand, device node ([.filename]#da0#), speed, and size will differ according to the device. Since the USB device is seen as a SCSI one, `camcontrol` can be used to list the USB storage devices attached to the system: [source,shell] .... # camcontrol devlist at scbus4 target 0 lun 0 (pass3,da0) .... Alternately, `usbconfig` can be used to list the device. Refer to man:usbconfig[8] for more information about this command. [source,shell] .... # usbconfig ugen0.3: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (2mA) .... If the device has not been formatted, refer to crossref:disks[disks-adding, Adding Disks] for instructions on how to format and create partitions on the USB drive. If the drive comes with a file system, it can be mounted by `root` using the instructions in crossref:basics[mount-unmount,“Mounting and Unmounting File Systems”]. [WARNING] ==== Allowing untrusted users to mount arbitrary media, by enabling `vfs.usermount` as described below, should not be considered safe from a security point of view. Most file systems were not built to safeguard against malicious devices. ==== To make the device mountable as a normal user, one solution is to make all users of the device a member of the `operator` group using man:pw[8]. Next, ensure that `operator` is able to read and write the device by adding these lines to [.filename]#/etc/devfs.rules#: [.programlisting] .... [localrules=5] add path 'da*' mode 0660 group operator .... [NOTE] ==== If internal SCSI disks are also installed in the system, change the second line as follows: [.programlisting] .... add path 'da[3-9]*' mode 0660 group operator .... This will exclude the first three SCSI disks ([.filename]#da0# to [.filename]#da2#) from belonging to the `operator` group. Replace _3_ with the number of internal SCSI disks. Refer to man:devfs.rules[5] for more information about this file. ==== Next, enable the ruleset in [.filename]#/etc/rc.conf#: [.programlisting] .... devfs_system_ruleset="localrules" .... Then, instruct the system to allow regular users to mount file systems by adding the following line to [.filename]#/etc/sysctl.conf#: [.programlisting] .... vfs.usermount=1 .... Since this only takes effect after the next reboot, use `sysctl` to set this variable now: [source,shell] .... # sysctl vfs.usermount=1 vfs.usermount: 0 -> 1 .... The final step is to create a directory where the file system is to be mounted. This directory needs to be owned by the user that is to mount the file system. One way to do that is for `root` to create a subdirectory owned by that user as [.filename]#/mnt/username#. In the following example, replace _username_ with the login name of the user and _usergroup_ with the user's primary group: [source,shell] .... # mkdir /mnt/username # chown username:usergroup /mnt/username .... Suppose a USB thumbdrive is plugged in, and a device [.filename]#/dev/da0s1# appears. If the device is formatted with a FAT file system, the user can mount it using: [source,shell] .... % mount -t msdosfs -o -m=644,-M=755 /dev/da0s1 /mnt/username .... Before the device can be unplugged, it _must_ be unmounted first: [source,shell] .... % umount /mnt/username .... After device removal, the system message buffer will show messages similar to the following: [source,shell] .... umass0: at uhub3, port 2, addr 3 (disconnected) da0 at umass-sim0 bus 0 scbus4 target 0 lun 0 da0: s/n WD-WXE508CAN263 detached (da0:umass-sim0:0:0:0): Periph destroyed .... === Automounting Removable Media USB devices can be automatically mounted by uncommenting this line in [.filename]#/etc/auto_master#: [source,shell] .... /media -media -nosuid .... Then add these lines to [.filename]#/etc/devd.conf#: [source,shell] .... notify 100 { match "system" "GEOM"; match "subsystem" "DEV"; action "/usr/sbin/automount -c"; }; .... Reload the configuration if man:autofs[5] and man:devd[8] are already running: [source,shell] .... # service automount restart # service devd restart .... man:autofs[5] can be set to start at boot by adding this line to [.filename]#/etc/rc.conf#: [.programlisting] .... autofs_enable="YES" .... man:autofs[5] requires man:devd[8] to be enabled, as it is by default. Start the services immediately with: [source,shell] .... # service automount start # service automountd start # service autounmountd start # service devd start .... Each file system that can be automatically mounted appears as a directory in [.filename]#/media/#. The directory is named after the file system label. If the label is missing, the directory is named after the device node. The file system is transparently mounted on the first access, and unmounted after a period of inactivity. Automounted drives can also be unmounted manually: [source,shell] .... # automount -fu .... This mechanism is typically used for memory cards and USB memory sticks. It can be used with any block device, including optical drives or iSCSILUNs. [[creating-cds]] == Creating and Using CD Media Compact Disc (CD) media provide a number of features that differentiate them from conventional disks. They are designed so that they can be read continuously without delays to move the head between tracks. While CD media do have tracks, these refer to a section of data to be read continuously, and not a physical property of the disk. The ISO 9660 file system was designed to deal with these differences. The FreeBSD Ports Collection provides several utilities for burning and duplicating audio and data CDs. This chapter demonstrates the use of several command line utilities. For CD burning software with a graphical utility, consider installing the package:sysutils/xcdroast[] or package:sysutils/k3b[] packages or ports. [[atapicam]] === Supported Devices The [.filename]#GENERIC# kernel provides support for SCSI, USB, and ATAPICD readers and burners. If a custom kernel is used, the options that need to be present in the kernel configuration file vary by the type of device. For a SCSI burner, make sure these options are present: [.programlisting] .... device scbus # SCSI bus (required for ATA/SCSI) device da # Direct Access (disks) device pass # Passthrough device (direct ATA/SCSI access) device cd # needed for CD and DVD burners .... For a USB burner, make sure these options are present: [.programlisting] .... device scbus # SCSI bus (required for ATA/SCSI) device da # Direct Access (disks) device pass # Passthrough device (direct ATA/SCSI access) device cd # needed for CD and DVD burners device uhci # provides USB 1.x support device ohci # provides USB 1.x support device ehci # provides USB 2.0 support device xhci # provides USB 3.0 support device usb # USB Bus (required) device umass # Disks/Mass storage - Requires scbus and da .... For an ATAPI burner, make sure these options are present: [.programlisting] .... device ata # Legacy ATA/SATA controllers device scbus # SCSI bus (required for ATA/SCSI) device pass # Passthrough device (direct ATA/SCSI access) device cd # needed for CD and DVD burners .... [NOTE] ==== On FreeBSD versions prior to 10.x, this line is also needed in the kernel configuration file if the burner is an ATAPI device: [.programlisting] .... device atapicam .... Alternately, this driver can be loaded at boot time by adding the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... atapicam_load="YES" .... This will require a reboot of the system as this driver can only be loaded at boot time. ==== To verify that FreeBSD recognizes the device, run `dmesg` and look for an entry for the device. On systems prior to 10.x, the device name in the first line of the output will be [.filename]#acd0# instead of [.filename]#cd0#. [source,shell] .... % dmesg | grep cd cd0 at ahcich1 bus 0 scbus1 target 0 lun 0 cd0: Removable CD-ROM SCSI-0 device cd0: Serial Number M3OD3S34152 cd0: 150.000MB/s transfers (SATA 1.x, UDMA6, ATAPI 12bytes, PIO 8192bytes) cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed .... [[cdrecord]] === Burning a CD In FreeBSD, `cdrecord` can be used to burn CDs. This command is installed with the package:sysutils/cdrtools[] package or port. While `cdrecord` has many options, basic usage is simple. Specify the name of the ISO file to burn and, if the system has multiple burner devices, specify the name of the device to use: [source,shell] .... # cdrecord dev=device imagefile.iso .... To determine the device name of the burner, use `-scanbus` which might produce results like this: [source,shell] .... # cdrecord -scanbus ProDVD-ProBD-Clone 3.00 (amd64-unknown-freebsd10.0) Copyright (C) 1995-2010 Jörg Schilling Using libscg version 'schily-0.9' scsibus0: 0,0,0 0) 'SEAGATE ' 'ST39236LW ' '0004' Disk 0,1,0 1) 'SEAGATE ' 'ST39173W ' '5958' Disk 0,2,0 2) * 0,3,0 3) 'iomega ' 'jaz 1GB ' 'J.86' Removable Disk 0,4,0 4) 'NEC ' 'CD-ROM DRIVE:466' '1.26' Removable CD-ROM 0,5,0 5) * 0,6,0 6) * 0,7,0 7) * scsibus1: 1,0,0 100) * 1,1,0 101) * 1,2,0 102) * 1,3,0 103) * 1,4,0 104) * 1,5,0 105) 'YAMAHA ' 'CRW4260 ' '1.0q' Removable CD-ROM 1,6,0 106) 'ARTEC ' 'AM12S ' '1.06' Scanner 1,7,0 107) * .... Locate the entry for the CD burner and use the three numbers separated by commas as the value for `dev`. In this case, the Yamaha burner device is `1,5,0`, so the appropriate input to specify that device is `dev=1,5,0`. Refer to the manual page for `cdrecord` for other ways to specify this value and for information on writing audio tracks and controlling the write speed. Alternately, run the following command to get the device address of the burner: [source,shell] .... # camcontrol devlist at scbus1 target 0 lun 0 (cd0,pass0) .... Use the numeric values for `scbus`, `target`, and `lun`. For this example, `1,0,0` is the device name to use. [[mkisofs]] === Writing Data to an ISO File System In order to produce a data CD, the data files that are going to make up the tracks on the CD must be prepared before they can be burned to the CD. In FreeBSD, package:sysutils/cdrtools[] installs `mkisofs`, which can be used to produce an ISO 9660 file system that is an image of a directory tree within a UNIX(R) file system. The simplest usage is to specify the name of the ISO file to create and the path to the files to place into the ISO 9660 file system: [source,shell] .... # mkisofs -o imagefile.iso /path/to/tree .... This command maps the file names in the specified path to names that fit the limitations of the standard ISO 9660 file system, and will exclude files that do not meet the standard for ISO file systems. A number of options are available to overcome the restrictions imposed by the standard. In particular, `-R` enables the Rock Ridge extensions common to UNIX(R) systems and `-J` enables Joliet extensions used by Microsoft(R) systems. For CDs that are going to be used only on FreeBSD systems, `-U` can be used to disable all filename restrictions. When used with `-R`, it produces a file system image that is identical to the specified FreeBSD tree, even if it violates the ISO 9660 standard. The last option of general use is `-b`. This is used to specify the location of a boot image for use in producing an "El Torito" bootable CD. This option takes an argument which is the path to a boot image from the top of the tree being written to the CD. By default, `mkisofs` creates an ISO image in "floppy disk emulation" mode, and thus expects the boot image to be exactly 1200, 1440 or 2880 KB in size. Some boot loaders, like the one used by the FreeBSD distribution media, do not use emulation mode. In this case, `-no-emul-boot` should be used. So, if [.filename]#/tmp/myboot# holds a bootable FreeBSD system with the boot image in [.filename]#/tmp/myboot/boot/cdboot#, this command would produce [.filename]#/tmp/bootable.iso#: [source,shell] .... # mkisofs -R -no-emul-boot -b boot/cdboot -o /tmp/bootable.iso /tmp/myboot .... The resulting ISO image can be mounted as a memory disk with: [source,shell] .... # mdconfig -a -t vnode -f /tmp/bootable.iso -u 0 # mount -t cd9660 /dev/md0 /mnt .... One can then verify that [.filename]#/mnt# and [.filename]#/tmp/myboot# are identical. There are many other options available for `mkisofs` to fine-tune its behavior. Refer to man:mkisofs[8] for details. [NOTE] ==== It is possible to copy a data CD to an image file that is functionally equivalent to the image file created with `mkisofs`. To do so, use [.filename]#dd# with the device name as the input file and the name of the ISO to create as the output file: [source,shell] .... # dd if=/dev/cd0 of=file.iso bs=2048 .... The resulting image file can be burned to CD as described in crossref:disks[cdrecord, Burning a CD]. ==== [[mounting-cd]] === Using Data CDs Once an ISO has been burned to a CD, it can be mounted by specifying the file system type, the name of the device containing the CD, and an existing mount point: [source,shell] .... # mount -t cd9660 /dev/cd0 /mnt .... Since `mount` assumes that a file system is of type `ufs`, an `Incorrect super block` error will occur if `-t cd9660` is not included when mounting a data CD. While any data CD can be mounted this way, disks with certain ISO 9660 extensions might behave oddly. For example, Joliet disks store all filenames in two-byte Unicode characters. If some non-English characters show up as question marks, specify the local charset with `-C`. For more information, refer to man:mount_cd9660[8]. [NOTE] ==== In order to do this character conversion with the help of `-C`, the kernel requires the [.filename]#cd9660_iconv.ko# module to be loaded. This can be done either by adding this line to [.filename]#loader.conf#: [.programlisting] .... cd9660_iconv_load="YES" .... and then rebooting the machine, or by directly loading the module with `kldload`. ==== Occasionally, `Device not configured` will be displayed when trying to mount a data CD. This usually means that the CD drive has not detected a disk in the tray, or that the drive is not visible on the bus. It can take a couple of seconds for a CD drive to detect media, so be patient. Sometimes, a SCSICD drive may be missed because it did not have enough time to answer the bus reset. To resolve this, a custom kernel can be created which increases the default SCSI delay. Add the following option to the custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig-building,“Building and Installing a Custom Kernel”]: [.programlisting] .... options SCSI_DELAY=15000 .... This tells the SCSI bus to pause 15 seconds during boot, to give the CD drive every possible chance to answer the bus reset. [NOTE] ==== It is possible to burn a file directly to CD, without creating an ISO 9660 file system. This is known as burning a raw data CD and some people do this for backup purposes. This type of disk can not be mounted as a normal data CD. In order to retrieve the data burned to such a CD, the data must be read from the raw device node. For example, this command will extract a compressed tar file located on the second CD device into the current working directory: [source,shell] .... # tar xzvf /dev/cd1 .... In order to mount a data CD, the data must be written using `mkisofs`. ==== [[duplicating-audiocds]] === Duplicating Audio CDs To duplicate an audio CD, extract the audio data from the CD to a series of files, then write these files to a blank CD. crossref:disks[using-cdrecord, Duplicating an Audio CD] describes how to duplicate and burn an audio CD. If the FreeBSD version is less than 10.0 and the device is ATAPI, the `atapicam` module must be first loaded using the instructions in crossref:disks[atapicam, Supported Devices]. [[using-cdrecord]] [.procedure] .Procedure: Duplicating an Audio CD . The package:sysutils/cdrtools[] package or port installs `cdda2wav`. This command can be used to extract all of the audio tracks, with each track written to a separate WAV file in the current working directory: + [source,shell] .... % cdda2wav -vall -B -Owav .... + A device name does not need to be specified if there is only one CD device on the system. Refer to the `cdda2wav` manual page for instructions on how to specify a device and to learn more about the other options available for this command. . Use `cdrecord` to write the [.filename]#.wav# files: + [source,shell] .... % cdrecord -v dev=2,0 -dao -useinfo *.wav .... + Make sure that _2,0_ is set appropriately, as described in crossref:disks[cdrecord, Burning a CD]. [[creating-dvds]] == Creating and Using DVD Media Compared to the CD, the DVD is the next generation of optical media storage technology. The DVD can hold more data than any CD and is the standard for video publishing. Five physical recordable formats can be defined for a recordable DVD: * DVD-R: This was the first DVD recordable format available. The DVD-R standard is defined by the http://www.dvdforum.org/forum.shtml[DVD Forum]. This format is write once. * DVD-RW: This is the rewritable version of the DVD-R standard. A DVD-RW can be rewritten about 1000 times. * DVD-RAM: This is a rewritable format which can be seen as a removable hard drive. However, this media is not compatible with most DVD-ROM drives and DVD-Video players as only a few DVD writers support the DVD-RAM format. Refer to crossref:disks[creating-dvd-ram, Using a DVD-RAM] for more information on DVD-RAM use. * DVD+RW: This is a rewritable format defined by the https://en.wikipedia.org/wiki/DVD%2BRW_Alliance[DVD+RW Alliance]. A DVD+RW can be rewritten about 1000 times. * DVD+R: This format is the write once variation of the DVD+RW format. A single layer recordable DVD can hold up to 4,700,000,000 bytes which is actually 4.38 GB or 4485 MB as 1 kilobyte is 1024 bytes. [NOTE] ==== A distinction must be made between the physical media and the application. For example, a DVD-Video is a specific file layout that can be written on any recordable DVD physical media such as DVD-R, DVD+R, or DVD-RW. Before choosing the type of media, ensure that both the burner and the DVD-Video player are compatible with the media under consideration. ==== === Configuration To perform DVD recording, use man:growisofs[1]. This command is part of the package:sysutils/dvd+rw-tools[] utilities which support all DVD media types. These tools use the SCSI subsystem to access the devices, therefore crossref:disks[atapicam,ATAPI/CAM support] must be loaded or statically compiled into the kernel. This support is not needed if the burner uses the USB interface. Refer to crossref:disks[usb-disks, USB Storage Devices] for more details on USB device configuration. DMA access must also be enabled for ATAPI devices, by adding the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... hw.ata.atapi_dma="1" .... Before attempting to use dvd+rw-tools, consult the http://fy.chalmers.se/~appro/linux/DVD+RW/hcn.html[Hardware Compatibility Notes]. [NOTE] ==== For a graphical user interface, consider using package:sysutils/k3b[] which provides a user friendly interface to man:growisofs[1] and many other burning tools. ==== === Burning Data DVDs Since man:growisofs[1] is a front-end to crossref:disks[mkisofs,mkisofs], it will invoke man:mkisofs[8] to create the file system layout and perform the write on the DVD. This means that an image of the data does not need to be created before the burning process. To burn to a DVD+R or a DVD-R the data in [.filename]#/path/to/data#, use the following command: [source,shell] .... # growisofs -dvd-compat -Z /dev/cd0 -J -R /path/to/data .... In this example, `-J -R` is passed to man:mkisofs[8] to create an ISO 9660 file system with Joliet and Rock Ridge extensions. Refer to man:mkisofs[8] for more details. For the initial session recording, `-Z` is used for both single and multiple sessions. Replace _/dev/cd0_, with the name of the DVD device. Using `-dvd-compat` indicates that the disk will be closed and that the recording will be unappendable. This should also provide better media compatibility with DVD-ROM drives. To burn a pre-mastered image, such as _imagefile.iso_, use: [source,shell] .... # growisofs -dvd-compat -Z /dev/cd0=imagefile.iso .... The write speed should be detected and automatically set according to the media and the drive being used. To force the write speed, use `-speed=`. Refer to man:growisofs[1] for example usage. [NOTE] ==== In order to support working files larger than 4.38GB, an UDF/ISO-9660 hybrid file system must be created by passing `-udf -iso-level 3` to man:mkisofs[8] and all related programs, such as man:growisofs[1]. This is required only when creating an ISO image file or when writing files directly to a disk. Since a disk created this way must be mounted as an UDF file system with man:mount_udf[8], it will be usable only on an UDF aware operating system. Otherwise it will look as if it contains corrupted files. To create this type of ISO file: [source,shell] .... % mkisofs -R -J -udf -iso-level 3 -o imagefile.iso /path/to/data .... To burn files directly to a disk: [source,shell] .... # growisofs -dvd-compat -udf -iso-level 3 -Z /dev/cd0 -J -R /path/to/data .... When an ISO image already contains large files, no additional options are required for man:growisofs[1] to burn that image on a disk. Be sure to use an up-to-date version of package:sysutils/cdrtools[], which contains man:mkisofs[8], as an older version may not contain large files support. If the latest version does not work, install package:sysutils/cdrtools-devel[] and read its man:mkisofs[8]. ==== === Burning a DVD-Video A DVD-Video is a specific file layout based on the ISO 9660 and micro-UDF (M-UDF) specifications. Since DVD-Video presents a specific data structure hierarchy, a particular program such as package:multimedia/dvdauthor[] is needed to author the DVD. If an image of the DVD-Video file system already exists, it can be burned in the same way as any other image. If `dvdauthor` was used to make the DVD and the result is in [.filename]#/path/to/video#, the following command should be used to burn the DVD-Video: [source,shell] .... # growisofs -Z /dev/cd0 -dvd-video /path/to/video .... `-dvd-video` is passed to man:mkisofs[8] to instruct it to create a DVD-Video file system layout. This option implies the `-dvd-compat` man:growisofs[1] option. === Using a DVD+RW Unlike CD-RW, a virgin DVD+RW needs to be formatted before first use. It is _recommended_ to let man:growisofs[1] take care of this automatically whenever appropriate. However, it is possible to use `dvd+rw-format` to format the DVD+RW: [source,shell] .... # dvd+rw-format /dev/cd0 .... Only perform this operation once and keep in mind that only virgin DVD+RW medias need to be formatted. Once formatted, the DVD+RW can be burned as usual. To burn a totally new file system and not just append some data onto a DVD+RW, the media does not need to be blanked first. Instead, write over the previous recording like this: [source,shell] .... # growisofs -Z /dev/cd0 -J -R /path/to/newdata .... The DVD+RW format supports appending data to a previous recording. This operation consists of merging a new session to the existing one as it is not considered to be multi-session writing. man:growisofs[1] will _grow_ the ISO 9660 file system present on the media. For example, to append data to a DVD+RW, use the following: [source,shell] .... # growisofs -M /dev/cd0 -J -R /path/to/nextdata .... The same man:mkisofs[8] options used to burn the initial session should be used during next writes. [NOTE] ==== Use `-dvd-compat` for better media compatibility with DVD-ROM drives. When using DVD+RW, this option will not prevent the addition of data. ==== To blank the media, use: [source,shell] .... # growisofs -Z /dev/cd0=/dev/zero .... === Using a DVD-RW A DVD-RW accepts two disc formats: incremental sequential and restricted overwrite. By default, DVD-RW discs are in sequential format. A virgin DVD-RW can be directly written without being formatted. However, a non-virgin DVD-RW in sequential format needs to be blanked before writing a new initial session. To blank a DVD-RW in sequential mode: [source,shell] .... # dvd+rw-format -blank=full /dev/cd0 .... [NOTE] ==== A full blanking using `-blank=full` will take about one hour on a 1x media. A fast blanking can be performed using `-blank`, if the DVD-RW will be recorded in Disk-At-Once (DAO) mode. To burn the DVD-RW in DAO mode, use the command: [source,shell] .... # growisofs -use-the-force-luke=dao -Z /dev/cd0=imagefile.iso .... Since man:growisofs[1] automatically attempts to detect fast blanked media and engage DAO write, `-use-the-force-luke=dao` should not be required. One should instead use restricted overwrite mode with any DVD-RW as this format is more flexible than the default of incremental sequential. ==== To write data on a sequential DVD-RW, use the same instructions as for the other DVD formats: [source,shell] .... # growisofs -Z /dev/cd0 -J -R /path/to/data .... To append some data to a previous recording, use `-M` with man:growisofs[1]. However, if data is appended on a DVD-RW in incremental sequential mode, a new session will be created on the disc and the result will be a multi-session disc. A DVD-RW in restricted overwrite format does not need to be blanked before a new initial session. Instead, overwrite the disc with `-Z`. It is also possible to grow an existing ISO 9660 file system written on the disc with `-M`. The result will be a one-session DVD. To put a DVD-RW in restricted overwrite format, the following command must be used: [source,shell] .... # dvd+rw-format /dev/cd0 .... To change back to sequential format, use: [source,shell] .... # dvd+rw-format -blank=full /dev/cd0 .... === Multi-Session Few DVD-ROM drives support multi-session DVDs and most of the time only read the first session. DVD+R, DVD-R and DVD-RW in sequential format can accept multiple sessions. The notion of multiple sessions does not exist for the DVD+RW and the DVD-RW restricted overwrite formats. Using the following command after an initial non-closed session on a DVD+R, DVD-R, or DVD-RW in sequential format, will add a new session to the disc: [source,shell] .... # growisofs -M /dev/cd0 -J -R /path/to/nextdata .... Using this command with a DVD+RW or a DVD-RW in restricted overwrite mode will append data while merging the new session to the existing one. The result will be a single-session disc. Use this method to add data after an initial write on these types of media. [NOTE] ==== Since some space on the media is used between each session to mark the end and start of sessions, one should add sessions with a large amount of data to optimize media space. The number of sessions is limited to 154 for a DVD+R, about 2000 for a DVD-R, and 127 for a DVD+R Double Layer. ==== === For More Information To obtain more information about a DVD, use `dvd+rw-mediainfo _/dev/cd0_` while the disc in the specified drive. More information about dvd+rw-tools can be found in man:growisofs[1], on the http://fy.chalmers.se/~appro/linux/DVD+RW/[dvd+rw-tools web site], and in the http://lists.debian.org/cdwrite/[cdwrite mailing list] archives. [NOTE] ==== When creating a problem report related to the use of dvd+rw-tools, always include the output of `dvd+rw-mediainfo`. ==== [[creating-dvd-ram]] === Using a DVD-RAM DVD-RAM writers can use either a SCSI or ATAPI interface. For ATAPI devices, DMA access has to be enabled by adding the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... hw.ata.atapi_dma="1" .... A DVD-RAM can be seen as a removable hard drive. Like any other hard drive, the DVD-RAM must be formatted before it can be used. In this example, the whole disk space will be formatted with a standard UFS2 file system: [source,shell] .... # dd if=/dev/zero of=/dev/acd0 bs=2k count=1 # bsdlabel -Bw acd0 # newfs /dev/acd0 .... The DVD device, [.filename]#acd0#, must be changed according to the configuration. Once the DVD-RAM has been formatted, it can be mounted as a normal hard drive: [source,shell] .... # mount /dev/acd0 /mnt .... Once mounted, the DVD-RAM will be both readable and writeable. [[floppies]] == Creating and Using Floppy Disks This section explains how to format a 3.5 inch floppy disk in FreeBSD. [.procedure] ==== *Procedure: Steps to Format a Floppy* A floppy disk needs to be low-level formatted before it can be used. This is usually done by the vendor, but formatting is a good way to check media integrity. To low-level format the floppy disk on FreeBSD, use man:fdformat[1]. When using this utility, make note of any error messages, as these can help determine if the disk is good or bad. . To format the floppy, insert a new 3.5 inch floppy disk into the first floppy drive and issue: + [source,shell] .... # /usr/sbin/fdformat -f 1440 /dev/fd0 .... + . After low-level formatting the disk, create a disk label as it is needed by the system to determine the size of the disk and its geometry. The supported geometry values are listed in [.filename]#/etc/disktab#. + To write the disk label, use man:bsdlabel[8]: + [source,shell] .... # /sbin/bsdlabel -B -w /dev/fd0 fd1440 .... + . The floppy is now ready to be high-level formatted with a file system. The floppy's file system can be either UFS or FAT, where FAT is generally a better choice for floppies. + To format the floppy with FAT, issue: + [source,shell] .... # /sbin/newfs_msdos /dev/fd0 .... ==== The disk is now ready for use. To use the floppy, mount it with man:mount_msdosfs[8]. One can also install and use package:emulators/mtools[] from the Ports Collection. [[using-ntfs]] == Using NTFS Disks This section explains how to mount NTFS disks in FreeBSD. NTFS (New Technology File System) is a proprietary journaling file system developed by Microsoft(R). It has been the default file system in Microsoft Windows(R) for many years. FreeBSD can mount NTFS volumes using a FUSE file system. These file systems are implemented as user space programs which interact with the man:fusefs[5] kernel module via a well defined interface. [.procedure] ==== *Procedure: Steps to Mount a NTFS Disk* . Before using a FUSE file system we need to load the man:fusefs[5] kernel module: + [source,shell] .... # kldload fusefs .... + Use man:sysrc[8] to load the module at startup: + [source,shell] .... # sysrc kld_list+=fusefs .... . Install the actual NTFS file system from packages as in the example (see crossref:ports[pkgng-intro,Using pkg for Binary Package Management]) or from ports (see crossref:ports[ports-using,Using the Ports Collection]): + [source,shell] .... # pkg install fusefs-ntfs .... . Last we need to create a directory where the file system will be mounted: + [source,shell] .... # mkdir /mnt/usb .... . Suppose a USB disk is plugged in. The disk partition information can be viewed with man:gpart[8]: + [source,shell] .... # gpart show da0 => 63 1953525105 da0 MBR (932G) 63 1953525105 1 ntfs (932G) .... . We can mount the disk using the following command: + [source,shell] .... # ntfs-3g /dev/da0s1 /mnt/usb/ .... The disk is now ready to use. + . Additionally, an entry can be added to /etc/fstab: + [.programlisting] .... /dev/da0s1 /mnt/usb ntfs mountprog=/usr/local/bin/ntfs-3g,noauto,rw 0 0 .... + Now the disk can be now mounted with: + [source,shell] .... # mount /mnt/usb .... . The disk can be unmounted with: + [source,shell] .... # umount /mnt/usb/ .... ==== [[backup-basics]] == Backup Basics Implementing a backup plan is essential in order to have the ability to recover from disk failure, accidental file deletion, random file corruption, or complete machine destruction, including destruction of on-site backups. The backup type and schedule will vary, depending upon the importance of the data, the granularity needed for file restores, and the amount of acceptable downtime. Some possible backup techniques include: * Archives of the whole system, backed up onto permanent, off-site media. This provides protection against all of the problems listed above, but is slow and inconvenient to restore from, especially for non-privileged users. * File system snapshots, which are useful for restoring deleted files or previous versions of files. * Copies of whole file systems or disks which are synchronized with another system on the network using a scheduled package:net/rsync[]. * Hardware or software RAID, which minimizes or avoids downtime when a disk fails. Typically, a mix of backup techniques is used. For example, one could create a schedule to automate a weekly, full system backup that is stored off-site and to supplement this backup with hourly ZFS snapshots. In addition, one could make a manual backup of individual directories or files before making file edits or deletions. This section describes some of the utilities which can be used to create and manage backups on a FreeBSD system. === File System Backups The traditional UNIX(R) programs for backing up a file system are man:dump[8], which creates the backup, and man:restore[8], which restores the backup. These utilities work at the disk block level, below the abstractions of the files, links, and directories that are created by file systems. Unlike other backup software, `dump` backs up an entire file system and is unable to backup only part of a file system or a directory tree that spans multiple file systems. Instead of writing files and directories, `dump` writes the raw data blocks that comprise files and directories. [NOTE] ==== If `dump` is used on the root directory, it will not back up [.filename]#/home#, [.filename]#/usr#, or many other directories since these are typically mount points for other file systems or symbolic links into those file systems. ==== When used to restore data, `restore` stores temporary files in [.filename]#/tmp/# by default. When using a recovery disk with a small [.filename]#/tmp#, set `TMPDIR` to a directory with more free space for the restore to succeed. When using `dump`, be aware that some quirks remain from its early days in Version 6 of AT&T UNIX(R),circa 1975. The default parameters assume a backup to a 9-track tape, rather than to another type of media or to the high-density tapes available today. These defaults must be overridden on the command line. It is possible to backup a file system across the network to another system or a tape drive attached to another computer. While the man:rdump[8] and man:rrestore[8] utilities can be used for this purpose, they are not considered to be secure. Instead, one can use `dump` and `restore` more securely over an SSH connection. This example creates a full, compressed backup of [.filename]#/usr# and sends the backup file to the specified host over an SSH connection. .Using `dump` over ssh [example] ==== [source,shell] .... # /sbin/dump -0uan -f - /usr | gzip -2 | ssh -c blowfish \ targetuser@targetmachine.example.com dd of=/mybigfiles/dump-usr-l0.gz .... ==== This example sets `RSH` in order to write the backup to a tape drive on a remote system over an SSH connection: .Using `dump` over ssh with `RSH` Set [example] ==== [source,shell] .... # env RSH=/usr/bin/ssh /sbin/dump -0uan -f targetuser@targetmachine.example.com:/dev/sa0 /usr .... ==== [TIP] ==== Systems using the crossref:zfs[,Z file system (ZFS)] can make use of man:zfs[8] for creating snapshots, as well as crossref:zfs[zfs-zfs-send,sending and receiving] them to/from remote systems. ==== === Directory Backups Several built-in utilities are available for backing up and restoring specified files and directories as needed. A good choice for making a backup of all of the files in a directory is man:tar[1]. This utility dates back to Version 6 of AT&T UNIX(R) and by default assumes a recursive backup to a local tape device. Switches can be used to instead specify the name of a backup file. This example creates a compressed backup of the current directory and saves it to [.filename]#/tmp/mybackup.tgz#. When creating a backup file, make sure that the backup is not saved to the same directory that is being backed up. .Backing Up the Current Directory with `tar` [example] ==== [source,shell] .... # tar czvf /tmp/mybackup.tgz . .... ==== To restore the entire backup, `cd` into the directory to restore into and specify the name of the backup. Note that this will overwrite any newer versions of files in the restore directory. When in doubt, restore to a temporary directory or specify the name of the file within the backup to restore. .Restoring Up the Current Directory with `tar` [example] ==== [source,shell] .... # tar xzvf /tmp/mybackup.tgz .... ==== There are dozens of available switches which are described in man:tar[1]. This utility also supports the use of exclude patterns to specify which files should not be included when backing up the specified directory or restoring files from a backup. To create a backup using a specified list of files and directories, man:cpio[1] is a good choice. Unlike `tar`, `cpio` does not know how to walk the directory tree and it must be provided the list of files to backup. For example, a list of files can be created using `ls` or `find`. This example creates a recursive listing of the current directory which is then piped to `cpio` in order to create an output backup file named [.filename]#/tmp/mybackup.cpio#. .Using `ls` and `cpio` to Make a Recursive Backup of the Current Directory [example] ==== [source,shell] .... # ls -R | cpio -ovF /tmp/mybackup.cpio .... ==== A backup utility which tries to bridge the features provided by `tar` and `cpio` is man:pax[1]. Over the years, the various versions of `tar` and `cpio` became slightly incompatible. POSIX(R) created `pax` which attempts to read and write many of the various `cpio` and `tar` formats, plus new formats of its own. The `pax` equivalent to the previous examples would be: .Backing Up the Current Directory with `pax` [example] ==== [source,shell] .... # pax -wf /tmp/mybackup.pax . .... ==== [[backups-tapebackups]] === Using Data Tapes for Backups While tape technology has continued to evolve, modern backup systems tend to combine off-site backups with local removable media. FreeBSD supports any tape drive that uses SCSI, such as LTO or DAT. There is limited support for SATA and USB tape drives. For SCSI tape devices, FreeBSD uses the man:sa[4] driver and the [.filename]#/dev/sa0#, [.filename]#/dev/nsa0#, and [.filename]#/dev/esa0# devices. The physical device name is [.filename]#/dev/sa0#. When [.filename]#/dev/nsa0# is used, the backup application will not rewind the tape after writing a file, which allows writing more than one file to a tape. Using [.filename]#/dev/esa0# ejects the tape after the device is closed. In FreeBSD, `mt` is used to control operations of the tape drive, such as seeking through files on a tape or writing tape control marks to the tape. For example, the first three files on a tape can be preserved by skipping past them before writing a new file: [source,shell] .... # mt -f /dev/nsa0 fsf 3 .... This utility supports many operations. Refer to man:mt[1] for details. To write a single file to tape using `tar`, specify the name of the tape device and the file to backup: [source,shell] .... # tar cvf /dev/sa0 file .... To recover files from a `tar` archive on tape into the current directory: [source,shell] .... # tar xvf /dev/sa0 .... To backup a UFS file system, use `dump`. This examples backs up [.filename]#/usr# without rewinding the tape when finished: [source,shell] .... # dump -0aL -b64 -f /dev/nsa0 /usr .... To interactively restore files from a `dump` file on tape into the current directory: [source,shell] .... # restore -i -f /dev/nsa0 .... [[backups-programs-amanda]] === Third-Party Backup Utilities The FreeBSD Ports Collection provides many third-party utilities which can be used to schedule the creation of backups, simplify tape backup, and make backups easier and more convenient. Many of these applications are client/server based and can be used to automate the backups of a single system or all of the computers in a network. Popular utilities include: * Amanda (package:misc/amanda-server[] and package:misc/amanda-client[]), * Bacula (package:sysutils/bacula13-server[] and package:sysutils/bacula13-client[]), * Bareos (package:sysutils/bareos-server[] and package:sysutils/bareos-client[]), * package:net/rsync[], * package:sysutils/duply[], and * package:sysutils/duplicity[]. === Emergency Recovery In addition to regular backups, it is recommended to perform the following steps as part of an emergency preparedness plan. Create a print copy of the output of the following commands: * `gpart show` * `more /etc/fstab` * `pkg prime-list` * `dmesg` Store this printout and a copy of the installation media in a secure location. Should an emergency restore be needed, boot into the installation media and select `Live CD` to access a rescue shell. This rescue mode can be used to view the current state of the system, and if needed, to reformat disks and restore data from backups. Next, test the rescue shell and the backups. Make notes of the procedure. Store these notes with the media, the printouts, and the backups. These notes may prevent the inadvertent destruction of the backups while under the stress of performing an emergency recovery. For an added measure of security, store the latest backup at a remote location which is physically separated from the computers and disk drives by a significant distance. [[disks-virtual]] == Memory Disks In addition to physical disks, FreeBSD also supports the creation and use of memory disks. One possible use for a memory disk is to access the contents of an ISO file system without the overhead of first burning it to a CD or DVD, then mounting the CD/DVD media. In FreeBSD, the man:md[4] driver is used to provide support for memory disks. The [.filename]#GENERIC# kernel includes this driver. When using a custom kernel configuration file, ensure it includes this line: [.programlisting] .... device md .... [[disks-mdconfig]] === Attaching and Detaching Existing Images To mount an existing file system image, use `mdconfig` to specify the name of the ISO file and a free unit number. Then, refer to that unit number to mount it on an existing mount point. Once mounted, the files in the ISO will appear in the mount point. This example attaches _diskimage.iso_ to the memory device [.filename]#/dev/md0# then mounts that memory device on [.filename]#/mnt#: [source,shell] .... # mdconfig -f diskimage.iso -u 0 # mount -t cd9660 /dev/md0 /mnt .... Notice that `-t cd9660` was used to mount an ISO format. If a unit number is not specified with `-u`, `mdconfig` will automatically allocate an unused memory device and output the name of the allocated unit, such as [.filename]#md4#. Refer to man:mdconfig[8] for more details about this command and its options. When a memory disk is no longer in use, its resources should be released back to the system. First, unmount the file system, then use `mdconfig` to detach the disk from the system and release its resources. To continue this example: [source,shell] .... # umount /mnt # mdconfig -d -u 0 .... To determine if any memory disks are still attached to the system, type `mdconfig -l`. [[disks-md-freebsd5]] === Creating a File- or Memory-Backed Memory Disk FreeBSD also supports memory disks where the storage to use is allocated from either a hard disk or an area of memory. The first method is commonly referred to as a file-backed file system and the second method as a memory-backed file system. Both types can be created using `mdconfig`. To create a new memory-backed file system, specify a type of `swap` and the size of the memory disk to create. Then, format the memory disk with a file system and mount as usual. This example creates a 5M memory disk on unit `1`. That memory disk is then formatted with the UFS file system before it is mounted: [source,shell] .... # mdconfig -a -t swap -s 5m -u 1 # newfs -U md1 /dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048 using 4 cylinder groups of 1.27MB, 81 blks, 192 inodes. with soft updates super-block backups (for fsck -b #) at: 160, 2752, 5344, 7936 # mount /dev/md1 /mnt # df /mnt Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/md1 4718 4 4338 0% /mnt .... To create a new file-backed memory disk, first allocate an area of disk to use. This example creates an empty 5MB file named [.filename]#newimage#: [source,shell] .... # dd if=/dev/zero of=newimage bs=1k count=5k 5120+0 records in 5120+0 records out .... Next, attach that file to a memory disk, label the memory disk and format it with the UFS file system, mount the memory disk, and verify the size of the file-backed disk: [source,shell] .... # mdconfig -f newimage -u 0 # bsdlabel -w md0 auto # newfs -U md0a /dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048 using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes. super-block backups (for fsck -b #) at: 160, 2720, 5280, 7840 # mount /dev/md0a /mnt # df /mnt Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/md0a 4710 4 4330 0% /mnt .... It takes several commands to create a file- or memory-backed file system using `mdconfig`. FreeBSD also comes with `mdmfs` which automatically configures a memory disk, formats it with the UFS file system, and mounts it. For example, after creating _newimage_ with `dd`, this one command is equivalent to running the `bsdlabel`, `newfs`, and `mount` commands shown above: [source,shell] .... # mdmfs -F newimage -s 5m md0 /mnt .... To instead create a new memory-based memory disk with `mdmfs`, use this one command: [source,shell] .... # mdmfs -s 5m md1 /mnt .... If the unit number is not specified, `mdmfs` will automatically select an unused memory device. For more details about `mdmfs`, refer to man:mdmfs[8]. [[snapshots]] == File System Snapshots FreeBSD offers a feature in conjunction with crossref:config[soft-updates,Soft Updates]: file system snapshots. UFS snapshots allow a user to create images of specified file systems, and treat them as a file. If you are using the crossref:zfs[,Z file system (ZFS)], refer to crossref:zfs[zfs-zfs-snapshot,"Managing Snapshots"] on how to use snapshots. Snapshot files must be created in the file system that the action is performed on, and a user may create no more than 20 snapshots per file system. Active snapshots are recorded in the superblock so they are persistent across unmount and remount operations along with system reboots. When a snapshot is no longer required, it can be removed using man:rm[1]. While snapshots may be removed in any order, all the used space may not be acquired because another snapshot will possibly claim some of the released blocks. The un-alterable `snapshot` file flag is set by man:mksnap_ffs[8] after initial creation of a snapshot file. man:unlink[1] makes an exception for snapshot files since it allows them to be removed. Snapshots are created using man:mount[8]. To place a snapshot of [.filename]#/var# in the file [.filename]#/var/snapshot/snap#, use the following command: [source,shell] .... # mount -u -o snapshot /var/snapshot/snap /var .... Alternatively, use man:mksnap_ffs[8] to create the snapshot: [source,shell] .... # mksnap_ffs /var /var/snapshot/snap .... One can find snapshot files on a file system, such as [.filename]#/var#, using man:find[1]: [source,shell] .... # find /var -flags snapshot .... Once a snapshot has been created, it has several uses: * Some administrators will use a snapshot file for backup purposes, because the snapshot can be transferred to CDs or tape. * The file system integrity checker, man:fsck[8], may be run on the snapshot. Assuming that the file system was clean when it was mounted, this should always provide a clean and unchanging result. * Running man:dump[8] on the snapshot will produce a dump file that is consistent with the file system and the timestamp of the snapshot. man:dump[8] can also take a snapshot, create a dump image, and then remove the snapshot in one command by using `-L`. * The snapshot can be mounted as a frozen image of the file system. To man:mount[8] the snapshot [.filename]#/var/snapshot/snap# run: + [source,shell] .... # mdconfig -a -t vnode -o readonly -f /var/snapshot/snap -u 4 # mount -r /dev/md4 /mnt .... The frozen [.filename]#/var# is now available through [.filename]#/mnt#. Everything will initially be in the same state it was during the snapshot creation time. The only exception is that any earlier snapshots will appear as zero length files. To unmount the snapshot, use: [source,shell] .... # umount /mnt # mdconfig -d -u 4 .... For more information about `softupdates` and file system snapshots, including technical papers, visit Marshall Kirk McKusick's website at http://www.mckusick.com/[http://www.mckusick.com/]. [[quotas]] == Disk Quotas Disk quotas can be used to limit the amount of disk space or the number of files a user or members of a group may allocate on a per-file system basis. This prevents one user or group of users from consuming all of the available disk space. This section describes how to configure disk quotas for the UFS file system. To configure quotas on the ZFS file system, refer to crossref:zfs[zfs-zfs-quota,"Dataset, User, and Group Quotas"] === Enabling Disk Quotas To determine if the FreeBSD kernel provides support for disk quotas: [source,shell] .... % sysctl kern.features.ufs_quota kern.features.ufs_quota: 1 .... In this example, the `1` indicates quota support. If the value is instead `0`, add the following line to a custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: [.programlisting] .... options QUOTA .... Next, enable disk quotas in [.filename]#/etc/rc.conf#: [.programlisting] .... quota_enable="YES" .... Normally on bootup, the quota integrity of each file system is checked by man:quotacheck[8]. This program insures that the data in the quota database properly reflects the data on the file system. This is a time consuming process that will significantly affect the time the system takes to boot. To skip this step, add this variable to [.filename]#/etc/rc.conf#: [.programlisting] .... check_quotas="NO" .... Finally, edit [.filename]#/etc/fstab# to enable disk quotas on a per-file system basis. To enable per-user quotas on a file system, add `userquota` to the options field in the [.filename]#/etc/fstab# entry for the file system to enable quotas on. For example: [.programlisting] .... /dev/da1s2g /home ufs rw,userquota 1 2 .... To enable group quotas, use `groupquota` instead. To enable both user and group quotas, separate the options with a comma: [.programlisting] .... /dev/da1s2g /home ufs rw,userquota,groupquota 1 2 .... By default, quota files are stored in the root directory of the file system as [.filename]#quota.user# and [.filename]#quota.group#. Refer to man:fstab[5] for more information. Specifying an alternate location for the quota files is not recommended. Once the configuration is complete, reboot the system and [.filename]#/etc/rc# will automatically run the appropriate commands to create the initial quota files for all of the quotas enabled in [.filename]#/etc/fstab#. In the normal course of operations, there should be no need to manually run man:quotacheck[8], man:quotaon[8], or man:quotaoff[8]. However, one should read these manual pages to be familiar with their operation. === Setting Quota Limits To verify that quotas are enabled, run: [source,shell] .... # quota -v .... There should be a one line summary of disk usage and current quota limits for each file system that quotas are enabled on. The system is now ready to be assigned quota limits with `edquota`. Several options are available to enforce limits on the amount of disk space a user or group may allocate, and how many files they may create. Allocations can be limited based on disk space (block quotas), number of files (inode quotas), or a combination of both. Each limit is further broken down into two categories: hard and soft limits. A hard limit may not be exceeded. Once a user reaches a hard limit, no further allocations can be made on that file system by that user. For example, if the user has a hard limit of 500 kbytes on a file system and is currently using 490 kbytes, the user can only allocate an additional 10 kbytes. Attempting to allocate an additional 11 kbytes will fail. Soft limits can be exceeded for a limited amount of time, known as the grace period, which is one week by default. If a user stays over their limit longer than the grace period, the soft limit turns into a hard limit and no further allocations are allowed. When the user drops back below the soft limit, the grace period is reset. In the following example, the quota for the `test` account is being edited. When `edquota` is invoked, the editor specified by `EDITOR` is opened in order to edit the quota limits. The default editor is set to vi. [source,shell] .... # edquota -u test Quotas for user test: /usr: kbytes in use: 65, limits (soft = 50, hard = 75) inodes in use: 7, limits (soft = 50, hard = 60) /usr/var: kbytes in use: 0, limits (soft = 50, hard = 75) inodes in use: 0, limits (soft = 50, hard = 60) .... There are normally two lines for each file system that has quotas enabled. One line represents the block limits and the other represents the inode limits. Change the value to modify the quota limit. For example, to raise the block limit on [.filename]#/usr# to a soft limit of `500` and a hard limit of `600`, change the values in that line as follows: [.programlisting] .... /usr: kbytes in use: 65, limits (soft = 500, hard = 600) .... The new quota limits take effect upon exiting the editor. Sometimes it is desirable to set quota limits on a range of users. This can be done by first assigning the desired quota limit to a user. Then, use `-p` to duplicate that quota to a specified range of user IDs (UIDs). The following command will duplicate those quota limits for UIDs `10,000` through `19,999`: [source,shell] .... # edquota -p test 10000-19999 .... For more information, refer to man:edquota[8]. === Checking Quota Limits and Disk Usage To check individual user or group quotas and disk usage, use man:quota[1]. A user may only examine their own quota and the quota of a group they are a member of. Only the superuser may view all user and group quotas. To get a summary of all quotas and disk usage for file systems with quotas enabled, use man:repquota[8]. Normally, file systems that the user is not using any disk space on will not show in the output of `quota`, even if the user has a quota limit assigned for that file system. Use `-v` to display those file systems. The following is sample output from `quota -v` for a user that has quota limits on two file systems. [.programlisting] .... Disk quotas for user test (uid 1002): Filesystem usage quota limit grace files quota limit grace /usr 65* 50 75 5days 7 50 60 /usr/var 0 50 75 0 50 60 .... In this example, the user is currently 15 kbytes over the soft limit of 50 kbytes on [.filename]#/usr# and has 5 days of grace period left. The asterisk `*` indicates that the user is currently over the quota limit. === Quotas over NFS Quotas are enforced by the quota subsystem on the NFS server. The man:rpc.rquotad[8] daemon makes quota information available to `quota` on NFS clients, allowing users on those machines to see their quota statistics. On the NFS server, enable `rpc.rquotad` by removing the `+#+` from this line in [.filename]*/etc/inetd.conf*: [.programlisting] .... rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad .... Then, restart `inetd`: [source,shell] .... # service inetd restart .... [[disks-encrypting]] == Encrypting Disk Partitions FreeBSD offers excellent online protections against unauthorized data access. File permissions and crossref:mac[mac,Mandatory Access Control] (MAC) help prevent unauthorized users from accessing data while the operating system is active and the computer is powered up. However, the permissions enforced by the operating system are irrelevant if an attacker has physical access to a computer and can move the computer's hard drive to another system to copy and analyze the data. Regardless of how an attacker may have come into possession of a hard drive or powered-down computer, the GEOM-based cryptographic subsystems built into FreeBSD are able to protect the data on the computer's file systems against even highly-motivated attackers with significant resources. Unlike encryption methods that encrypt individual files, the built-in `gbde` and `geli` utilities can be used to transparently encrypt entire file systems. No cleartext ever touches the hard drive's platter. This chapter demonstrates how to create an encrypted file system on FreeBSD. It first demonstrates the process using `gbde` and then demonstrates the same example using `geli`. === Disk Encryption with gbde The objective of the man:gbde[4] facility is to provide a formidable challenge for an attacker to gain access to the contents of a _cold_ storage device. However, if the computer is compromised while up and running and the storage device is actively attached, or the attacker has access to a valid passphrase, it offers no protection to the contents of the storage device. Thus, it is important to provide physical security while the system is running and to protect the passphrase used by the encryption mechanism. This facility provides several barriers to protect the data stored in each disk sector. It encrypts the contents of a disk sector using 128-bit AES in CBC mode. Each sector on the disk is encrypted with a different AES key. For more information on the cryptographic design, including how the sector keys are derived from the user-supplied passphrase, refer to man:gbde[4]. FreeBSD provides a kernel module for gbde which can be loaded with this command: [source,shell] .... # kldload geom_bde .... If using a custom kernel configuration file, ensure it contains this line: `options GEOM_BDE` The following example demonstrates adding a new hard drive to a system that will hold a single encrypted partition that will be mounted as [.filename]#/private#. [.procedure] .Procedure: Encrypting a Partition with gbde . Add the New Hard Drive + Install the new drive to the system as explained in crossref:disks[disks-adding, Adding Disks]. For the purposes of this example, a new hard drive partition has been added as [.filename]#/dev/ad4s1c# and [.filename]#/dev/ad0s1*# represents the existing standard FreeBSD partitions. + [source,shell] .... # ls /dev/ad* /dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1 /dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c /dev/ad0s1a /dev/ad0s1d /dev/ad4 .... . Create a Directory to Hold `gbde` Lock Files + [source,shell] .... # mkdir /etc/gbde .... + The gbde lock file contains information that gbde requires to access encrypted partitions. Without access to the lock file, gbde will not be able to decrypt the data contained in the encrypted partition without significant manual intervention which is not supported by the software. Each encrypted partition uses a separate lock file. . Initialize the `gbde` Partition + A gbde partition must be initialized before it can be used. This initialization needs to be performed only once. This command will open the default editor, in order to set various configuration options in a template. For use with the UFS file system, set the sector_size to 2048: + [source,shell] .... # gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock # # Sector size is the smallest unit of data which can be read or written. # Making it too small decreases performance and decreases available space. # Making it too large may prevent filesystems from working. 512 is the # minimum and always safe. For UFS, use the fragment size # sector_size = 2048 [...] .... + Once the edit is saved, the user will be asked twice to type the passphrase used to secure the data. The passphrase must be the same both times. The ability of gbde to protect data depends entirely on the quality of the passphrase. For tips on how to select a secure passphrase that is easy to remember, see http://world.std.com/\~reinhold/diceware.html[http://world.std.com/~reinhold/diceware.htm]. + This initialization creates a lock file for the gbde partition. In this example, it is stored as [.filename]#/etc/gbde/ad4s1c.lock#. Lock files must end in ".lock" in order to be correctly detected by the [.filename]#/etc/rc.d/gbde# start up script. + [CAUTION] ==== Lock files _must_ be backed up together with the contents of any encrypted partitions. Without the lock file, the legitimate owner will be unable to access the data on the encrypted partition. ==== . Attach the Encrypted Partition to the Kernel + [source,shell] .... # gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock .... + This command will prompt to input the passphrase that was selected during the initialization of the encrypted partition. The new encrypted device will appear in [.filename]#/dev# as [.filename]#/dev/device_name.bde#: + [source,shell] .... # ls /dev/ad* /dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1 /dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c /dev/ad0s1a /dev/ad0s1d /dev/ad4 /dev/ad4s1c.bde .... . Create a File System on the Encrypted Device + Once the encrypted device has been attached to the kernel, a file system can be created on the device. This example creates a UFS file system with soft updates enabled. Be sure to specify the partition which has a [.filename]#*.bde# extension: + [source,shell] .... # newfs -U /dev/ad4s1c.bde .... . Mount the Encrypted Partition + Create a mount point and mount the encrypted file system: + [source,shell] .... # mkdir /private # mount /dev/ad4s1c.bde /private .... . Verify That the Encrypted File System is Available + The encrypted file system should now be visible and available for use: + [source,shell] .... % df -H Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 1037M 72M 883M 8% / /devfs 1.0K 1.0K 0B 100% /dev /dev/ad0s1f 8.1G 55K 7.5G 0% /home /dev/ad0s1e 1037M 1.1M 953M 0% /tmp /dev/ad0s1d 6.1G 1.9G 3.7G 35% /usr /dev/ad4s1c.bde 150G 4.1K 138G 0% /private .... After each boot, any encrypted file systems must be manually re-attached to the kernel, checked for errors, and mounted, before the file systems can be used. To configure these steps, add the following lines to [.filename]#/etc/rc.conf#: [.programlisting] .... gbde_autoattach_all="YES" gbde_devices="ad4s1c" gbde_lockdir="/etc/gbde" .... This requires that the passphrase be entered at the console at boot time. After typing the correct passphrase, the encrypted partition will be mounted automatically. Additional gbde boot options are available and listed in man:rc.conf[5]. [NOTE] ==== sysinstall is incompatible with gbde-encrypted devices. All [.filename]#*.bde# devices must be detached from the kernel before starting sysinstall or it will crash during its initial probing for devices. To detach the encrypted device used in the example, use the following command: [source,shell] .... # gbde detach /dev/ad4s1c .... ==== [[disks-encrypting-geli]] === Disk Encryption with `geli` An alternative cryptographic GEOM class is available using `geli`. This control utility adds some features and uses a different scheme for doing cryptographic work. It provides the following features: * Utilizes the man:crypto[9] framework and automatically uses cryptographic hardware when it is available. * Supports multiple cryptographic algorithms such as AES-XTS, AES-CBC, and Camellia-CBCAES. * Allows the root partition to be encrypted. The passphrase used to access the encrypted root partition will be requested during system boot. * Allows the use of two independent keys. * It is fast as it performs simple sector-to-sector encryption. * Allows backup and restore of master keys. If a user destroys their keys, it is still possible to get access to the data by restoring keys from the backup. * Allows a disk to attach with a random, one-time key which is useful for swap partitions and temporary file systems. More features and usage examples can be found in man:geli[8]. The following example describes how to generate a key file which will be used as part of the master key for the encrypted provider mounted under [.filename]#/private#. The key file will provide some random data used to encrypt the master key. The master key will also be protected by a passphrase. The provider's sector size will be 4kB. The example describes how to attach to the `geli` provider, create a file system on it, mount it, work with it, and finally, how to detach it. [.procedure] .Procedure: Encrypting a Partition with `geli` . Load `geli` Support + Support for `geli` is available as a loadable kernel module. To configure the system to automatically load the module at boot time, add the following line to [.filename]#/boot/loader.conf#: + [.programlisting] .... geom_eli_load="YES" .... + To load the kernel module now: + [source,shell] .... # kldload geom_eli .... + For a custom kernel, ensure the kernel configuration file contains these lines: + [.programlisting] .... options GEOM_ELI device crypto .... . Generate the Master Key + The following commands generate a master key that all data will be encrypted with. This key can never be changed. Rather than using it directly, it is encrypted with one or more user keys. The user keys are made up of an optional combination of random bytes from a file, [.filename]#/root/da2.key#, and/or a passphrase. In this case, the data source for the key file is [.filename]#/dev/random#. This command also configures the sector size of the provider ([.filename]#/dev/da2.eli#) as 4kB, for better performance: + [source,shell] .... # dd if=/dev/random of=/root/da2.key bs=64 count=1 # geli init -K /root/da2.key -s 4096 /dev/da2 Enter new passphrase: Reenter new passphrase: .... + It is not mandatory to use both a passphrase and a key file as either method of securing the master key can be used in isolation. + If the key file is given as "-", standard input will be used. For example, this command generates three key files: + [source,shell] .... # cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2 .... . Attach the Provider with the Generated Key + To attach the provider, specify the key file, the name of the disk, and the passphrase: + [source,shell] .... # geli attach -k /root/da2.key /dev/da2 Enter passphrase: .... + This creates a new device with an [.filename]#.eli# extension: + [source,shell] .... # ls /dev/da2* /dev/da2 /dev/da2.eli .... . Create the New File System + Next, format the device with the UFS file system and mount it on an existing mount point: + [source,shell] .... # dd if=/dev/random of=/dev/da2.eli bs=1m # newfs /dev/da2.eli # mount /dev/da2.eli /private .... + The encrypted file system should now be available for use: + [source,shell] .... # df -H Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 248M 89M 139M 38% / /devfs 1.0K 1.0K 0B 100% /dev /dev/ad0s1f 7.7G 2.3G 4.9G 32% /usr /dev/ad0s1d 989M 1.5M 909M 0% /tmp /dev/ad0s1e 3.9G 1.3G 2.3G 35% /var /dev/da2.eli 150G 4.1K 138G 0% /private .... Once the work on the encrypted partition is done, and the [.filename]#/private# partition is no longer needed, it is prudent to put the device into cold storage by unmounting and detaching the `geli` encrypted partition from the kernel: [source,shell] .... # umount /private # geli detach da2.eli .... An [.filename]#rc.d# script is provided to simplify the mounting of `geli`-encrypted devices at boot time. For this example, add these lines to [.filename]#/etc/rc.conf#: [.programlisting] .... geli_devices="da2" geli_da2_flags="-k /root/da2.key" .... This configures [.filename]#/dev/da2# as a `geli` provider with a master key of [.filename]#/root/da2.key#. The system will automatically detach the provider from the kernel before the system shuts down. During the startup process, the script will prompt for the passphrase before attaching the provider. Other kernel messages might be shown before and after the password prompt. If the boot process seems to stall, look carefully for the password prompt among the other messages. Once the correct passphrase is entered, the provider is attached. The file system is then mounted, typically by an entry in [.filename]#/etc/fstab#. Refer to crossref:basics[mount-unmount,“Mounting and Unmounting File Systems”] for instructions on how to configure a file system to mount at boot time. [[swap-encrypting]] == Encrypting Swap Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, they are not written to disk and will be cleared after a reboot. However, if FreeBSD starts swapping out memory pages to free space, the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario. This section demonstrates how to configure an encrypted swap partition using man:gbde[8] or man:geli[8] encryption. It assumes that [.filename]#/dev/ada0s1b# is the swap partition. === Configuring Encrypted Swap Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random garbage, execute the following command: [source,shell] .... # dd if=/dev/random of=/dev/ada0s1b bs=1m .... To encrypt the swap partition using man:gbde[8], add the `.bde` suffix to the swap line in [.filename]#/etc/fstab#: [.programlisting] .... # Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.bde none swap sw 0 0 .... To instead encrypt the swap partition using man:geli[8], use the `.eli` suffix: [.programlisting] .... # Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.eli none swap sw 0 0 .... By default, man:geli[8] uses the AES algorithm with a key length of 128 bits. Normally the default settings will suffice. If desired, these defaults can be altered in the options field in [.filename]#/etc/fstab#. The possible flags are: aalgo:: Data integrity verification algorithm used to ensure that the encrypted data has not been tampered with. See man:geli[8] for a list of supported algorithms. ealgo:: Encryption algorithm used to protect the data. See man:geli[8] for a list of supported algorithms. keylen:: The length of the key used for the encryption algorithm. See man:geli[8] for the key lengths that are supported by each encryption algorithm. sectorsize:: The size of the blocks data is broken into before it is encrypted. Larger sector sizes increase performance at the cost of higher storage overhead. The recommended size is 4096 bytes. This example configures an encrypted swap partition using the AES-XTS algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes: [.programlisting] .... # Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.eli none swap sw,ealgo=AES-XTS,keylen=128,sectorsize=4096 0 0 .... === Encrypted Swap Verification Once the system has rebooted, proper operation of the encrypted swap can be verified using `swapinfo`. If man:gbde[8] is being used: [source,shell] .... % swapinfo Device 1K-blocks Used Avail Capacity /dev/ada0s1b.bde 542720 0 542720 0 .... If man:geli[8] is being used: [source,shell] .... % swapinfo Device 1K-blocks Used Avail Capacity /dev/ada0s1b.eli 542720 0 542720 0 .... [[disks-hast]] == Highly Available Storage (HAST) High availability is one of the main requirements in serious business applications and highly-available storage is a key component in such environments. In FreeBSD, the Highly Available STorage (HAST) framework allows transparent storage of the same data across several physically separated machines connected by a TCP/IP network. HAST can be understood as a network-based RAID1 (mirror), and is similar to the DRBD(R) storage system used in the GNU/Linux(R) platform. In combination with other high-availability features of FreeBSD like CARP, HAST makes it possible to build a highly-available storage cluster that is resistant to hardware failures. The following are the main features of HAST: * Can be used to mask I/O errors on local hard drives. * File system agnostic as it works with any file system supported by FreeBSD. * Efficient and quick resynchronization as only the blocks that were modified during the downtime of a node are synchronized. * Can be used in an already deployed environment to add additional redundancy. * Together with CARP, Heartbeat, or other tools, it can be used to build a robust and durable storage system. After reading this section, you will know: * What HAST is, how it works, and which features it provides. * How to set up and use HAST on FreeBSD. * How to integrate CARP and man:devd[8] to build a robust storage system. Before reading this section, you should: * Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD Basics]). * Know how to configure network interfaces and other core FreeBSD subsystems (crossref:config[config-tuning,Configuration and Tuning]). * Have a good understanding of FreeBSD networking (crossref:partiv[network-communication,"Network Communication"]). The HAST project was sponsored by The FreeBSD Foundation with support from http://www.omc.net/[http://www.omc.net/] and http://www.transip.nl/[http://www.transip.nl/]. === HAST Operation HAST provides synchronous block-level replication between two physical machines: the _primary_ node and the _secondary_ node. These two machines together are referred to as a cluster. Since HAST works in a primary-secondary configuration, it allows only one of the cluster nodes to be active at any given time. The primary node, also called _active_, is the one which will handle all the I/O requests to HAST-managed devices. The secondary node is automatically synchronized from the primary node. The physical components of the HAST system are the local disk on primary node, and the disk on the remote, secondary node. HAST operates synchronously on a block level, making it transparent to file systems and applications. HAST provides regular GEOM providers in [.filename]#/dev/hast/# for use by other tools or applications. There is no difference between using HAST-provided devices and raw disks or partitions. Each write, delete, or flush operation is sent to both the local disk and to the remote disk over TCP/IP. Each read operation is served from the local disk, unless the local disk is not up-to-date or an I/O error occurs. In such cases, the read operation is sent to the secondary node. HAST tries to provide fast failure recovery. For this reason, it is important to reduce synchronization time after a node's outage. To provide fast synchronization, HAST manages an on-disk bitmap of dirty extents and only synchronizes those during a regular synchronization, with an exception of the initial sync. There are many ways to handle synchronization. HAST implements several replication modes to handle different synchronization methods: * _memsync_: This mode reports a write operation as completed when the local write operation is finished and when the remote node acknowledges data arrival, but before actually storing the data. The data on the remote node will be stored directly after sending the acknowledgement. This mode is intended to reduce latency, but still provides good reliability. This mode is the default. * _fullsync_: This mode reports a write operation as completed when both the local write and the remote write complete. This is the safest and the slowest replication mode. * _async_: This mode reports a write operation as completed when the local write completes. This is the fastest and the most dangerous replication mode. It should only be used when replicating to a distant node where latency is too high for other modes. === HAST Configuration The HAST framework consists of several components: * The man:hastd[8] daemon which provides data synchronization. When this daemon is started, it will automatically load `geom_gate.ko`. * The userland management utility, man:hastctl[8]. * The man:hast.conf[5] configuration file. This file must exist before starting hastd. Users who prefer to statically build `GEOM_GATE` support into the kernel should add this line to the custom kernel configuration file, then rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: [.programlisting] .... options GEOM_GATE .... The following example describes how to configure two nodes in primary-secondary operation using HAST to replicate the data between the two. The nodes will be called `hasta`, with an IP address of `172.16.0.1`, and `hastb`, with an IP address of `172.16.0.2`. Both nodes will have a dedicated hard drive [.filename]#/dev/ad6# of the same size for HAST operation. The HAST pool, sometimes referred to as a resource or the GEOM provider in [.filename]#/dev/hast/#, will be called `test`. Configuration of HAST is done using [.filename]#/etc/hast.conf#. This file should be identical on both nodes. The simplest configuration is: [.programlisting] .... resource test { on hasta { local /dev/ad6 remote 172.16.0.2 } on hastb { local /dev/ad6 remote 172.16.0.1 } } .... For more advanced configuration, refer to man:hast.conf[5]. [TIP] ==== It is also possible to use host names in the `remote` statements if the hosts are resolvable and defined either in [.filename]#/etc/hosts# or in the local DNS. ==== Once the configuration exists on both nodes, the HAST pool can be created. Run these commands on both nodes to place the initial metadata onto the local disk and to start man:hastd[8]: [source,shell] .... # hastctl create test # service hastd onestart .... [NOTE] ==== It is _not_ possible to use GEOM providers with an existing file system or to convert an existing storage to a HAST-managed pool. This procedure needs to store some metadata on the provider and there will not be enough required space available on an existing provider. ==== A HAST node's `primary` or `secondary` role is selected by an administrator, or software like Heartbeat, using man:hastctl[8]. On the primary node, `hasta`, issue this command: [source,shell] .... # hastctl role primary test .... Run this command on the secondary node, `hastb`: [source,shell] .... # hastctl role secondary test .... Verify the result by running `hastctl` on each node: [source,shell] .... # hastctl status test .... Check the `status` line in the output. If it says `degraded`, something is wrong with the configuration file. It should say `complete` on each node, meaning that the synchronization between the nodes has started. The synchronization completes when `hastctl status` reports 0 bytes of `dirty` extents. The next step is to create a file system on the GEOM provider and mount it. This must be done on the `primary` node. Creating the file system can take a few minutes, depending on the size of the hard drive. This example creates a UFS file system on [.filename]#/dev/hast/test#: [source,shell] .... # newfs -U /dev/hast/test # mkdir /hast/test # mount /dev/hast/test /hast/test .... Once the HAST framework is configured properly, the final step is to make sure that HAST is started automatically during system boot. Add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... hastd_enable="YES" .... ==== Failover Configuration The goal of this example is to build a robust storage system which is resistant to the failure of any given node. If the primary node fails, the secondary node is there to take over seamlessly, check and mount the file system, and continue to work without missing a single bit of data. To accomplish this task, the Common Address Redundancy Protocol (CARP) is used to provide for automatic failover at the IP layer. CARP allows multiple hosts on the same network segment to share an IP address. Set up CARP on both nodes of the cluster according to the documentation available in crossref:advanced-networking[carp,“Common Address Redundancy Protocol (CARP)”]. In this example, each node will have its own management IP address and a shared IP address of _172.16.0.254_. The primary HAST node of the cluster must be the primary CARP node. The HAST pool created in the previous section is now ready to be exported to the other hosts on the network. This can be accomplished by exporting it through NFS or Samba, using the shared IP address _172.16.0.254_. The only problem which remains unresolved is an automatic failover should the primary node fail. In the event of CARP interfaces going up or down, the FreeBSD operating system generates a man:devd[8] event, making it possible to watch for state changes on the CARP interfaces. A state change on the CARP interface is an indication that one of the nodes failed or came back online. These state change events make it possible to run a script which will automatically handle the HAST failover. To catch state changes on the CARP interfaces, add this configuration to [.filename]#/etc/devd.conf# on each node, while replacing `` with the virtual host id and `` with the associated interface name: [.programlisting] .... notify 30 { match "system" "CARP"; match "subsystem" "@"; match "type" "MASTER"; action "/usr/local/sbin/carp-hast-switch primary"; }; notify 30 { match "system" "CARP"; match "subsystem" "@"; match "type" "BACKUP"; action "/usr/local/sbin/carp-hast-switch secondary"; }; .... Restart man:devd[8] on both nodes to put the new configuration into effect: [source,shell] .... # service devd restart .... When the specified interface state changes by going up or down , the system generates a notification, allowing the man:devd[8] subsystem to run the specified automatic failover script, [.filename]#/usr/local/sbin/carp-hast-switch#. For further clarification about this configuration, refer to man:devd.conf[5]. Here is an example of an automated failover script: [.programlisting] .... #!/bin/sh # Original script by Freddie Cash # Modified by Michael W. Lucas # and Viktor Petersson # The names of the HAST resources, as listed in /etc/hast.conf resources="test" # delay in mounting HAST resource after becoming primary # make your best guess delay=3 # logging log="local0.debug" name="carp-hast" # end of user configurable stuff case "$1" in primary) logger -p $log -t $name "Switching to primary provider for ${resources}." sleep ${delay} # Wait for any "hastd secondary" processes to stop for disk in ${resources}; do while $( pgrep -lf "hastd: ${disk} \(secondary\)" > /dev/null 2>&1 ); do sleep 1 done # Switch role for each disk hastctl role primary ${disk} if [ $? -ne 0 ]; then logger -p $log -t $name "Unable to change role to primary for resource ${disk}." exit 1 fi done # Wait for the /dev/hast/* devices to appear for disk in ${resources}; do for I in $( jot 60 ); do [ -c "/dev/hast/${disk}" ] && break sleep 0.5 done if [ ! -c "/dev/hast/${disk}" ]; then logger -p $log -t $name "GEOM provider /dev/hast/${disk} did not appear." exit 1 fi done logger -p $log -t $name "Role for HAST resources ${resources} switched to primary." logger -p $log -t $name "Mounting disks." for disk in ${resources}; do mkdir -p /hast/${disk} fsck -p -y -t ufs /dev/hast/${disk} mount /dev/hast/${disk} /hast/${disk} done ;; secondary) logger -p $log -t $name "Switching to secondary provider for ${resources}." # Switch roles for the HAST resources for disk in ${resources}; do if ! mount | grep -q "^/dev/hast/${disk} on " then else umount -f /hast/${disk} fi sleep $delay hastctl role secondary ${disk} 2>&1 if [ $? -ne 0 ]; then logger -p $log -t $name "Unable to switch role to secondary for resource ${disk}." exit 1 fi logger -p $log -t $name "Role switched to secondary for resource ${disk}." done ;; esac .... In a nutshell, the script takes these actions when a node becomes primary: * Promotes the HAST pool to primary on the other node. * Checks the file system under the HAST pool. * Mounts the pool. When a node becomes secondary: * Unmounts the HAST pool. * Degrades the HAST pool to secondary. [CAUTION] ==== This is just an example script which serves as a proof of concept. It does not handle all the possible scenarios and can be extended or altered in any way, for example, to start or stop required services. ==== [TIP] ==== For this example, a standard UFS file system was used. To reduce the time needed for recovery, a journal-enabled UFS or ZFS file system can be used instead. ==== Instead of using the highly available storage locally, it can also be shared to other computers on a network via crossref:network-servers[network-nfs,NFS], crossref:network-servers[network-iscsi,iSCSI], man:sshfs[1], or programs in ports (i.e. package:net/samba419[]). More detailed information with additional examples can be found at http://wiki.FreeBSD.org/HAST[http://wiki.FreeBSD.org/HAST]. === Troubleshooting HAST should generally work without issues. However, as with any other software product, there may be times when it does not work as supposed. The sources of the problems may be different, but the rule of thumb is to ensure that the time is synchronized between the nodes of the cluster. When troubleshooting HAST, the debugging level of man:hastd[8] should be increased by starting `hastd` with `-d`. This argument may be specified multiple times to further increase the debugging level. Consider also using `-F`, which starts `hastd` in the foreground. [[disks-hast-sb]] ==== Recovering from the Split-brain Condition _Split-brain_ occurs when the nodes of the cluster are unable to communicate with each other, and both are configured as primary. This is a dangerous condition because it allows both nodes to make incompatible changes to the data. This problem must be corrected manually by the system administrator. The administrator must either decide which node has more important changes, or perform the merge manually. Then, let HAST perform full synchronization of the node which has the broken data. To do this, issue these commands on the node which needs to be resynchronized: [source,shell] .... # hastctl role init test # hastctl create test # hastctl role secondary test .... diff --git a/documentation/content/en/books/handbook/disks/_index.po b/documentation/content/en/books/handbook/disks/_index.po index 243e97ee3e..653339cc41 100644 --- a/documentation/content/en/books/handbook/disks/_index.po +++ b/documentation/content/en/books/handbook/disks/_index.po @@ -1,5079 +1,5079 @@ # SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2024-09-14 14:59-0300\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/books/handbook/disks/_index.adoc:1 #, no-wrap msgid "This chapter covers the use of disks and storage media in FreeBSD. This includes SCSI and IDE disks, CD and DVD media, memory-backed disks, and USB storage devices." msgstr "" #. type: YAML Front Matter: part #: documentation/content/en/books/handbook/disks/_index.adoc:1 #, no-wrap msgid "Part III. System Administration" msgstr "" #. type: YAML Front Matter: title #: documentation/content/en/books/handbook/disks/_index.adoc:1 #, no-wrap msgid "Chapter 20. Storage" msgstr "" #. type: Title = #: documentation/content/en/books/handbook/disks/_index.adoc:14 #, no-wrap msgid "Storage" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:52 #, no-wrap msgid "Synopsis" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:56 msgid "" "This chapter covers the use of disks and storage media in FreeBSD. This " "includes SCSI and IDE disks, CD and DVD media, memory-backed disks, and USB " "storage devices." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:58 msgid "After reading this chapter, you will know:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:60 msgid "How to add additional hard disks to a FreeBSD system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:61 msgid "How to grow the size of a disk's partition on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:62 msgid "How to configure FreeBSD to use USB storage devices." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:63 msgid "How to use CD and DVD media on a FreeBSD system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:64 msgid "How to use the backup programs available under FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:65 msgid "How to set up memory disks." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:66 msgid "What file system snapshots are and how to use them efficiently." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:67 msgid "How to use quotas to limit disk space usage." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:68 msgid "How to encrypt disks and swap to secure them against attackers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:69 msgid "How to configure a highly available storage network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:71 msgid "Before reading this chapter, you should:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:73 msgid "" "Know how to crossref:kernelconfig[kernelconfig,configure and install a new " "FreeBSD kernel]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:75 #, no-wrap msgid "Adding Disks" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:80 msgid "" "This section describes how to add a new SATA disk to a machine that " "currently only has a single drive. First, turn off the computer and install " "the drive in the computer following the instructions of the computer, " "controller, and drive manufacturers. Reboot the system and become `root`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:83 msgid "" "Inspect [.filename]#/var/run/dmesg.boot# to ensure the new disk was found. " "In this example, the newly added SATA drive will appear as [.filename]#ada1#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:86 msgid "" "For this example, a single large partition will be created on the new disk. " -"The http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning " +"The https://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning " "scheme will be used in preference to the older and less versatile MBR scheme." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:91 msgid "" "If the disk to be added is not blank, old partition information can be " "removed with `gpart delete`. See man:gpart[8] for details." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:95 msgid "" "The partition scheme is created, and then a single partition is added. To " "improve performance on newer disks with larger hardware block sizes, the " "partition is aligned to one megabyte boundaries:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:100 #, no-wrap msgid "" "# gpart create -s GPT ada1\n" "# gpart add -t freebsd-ufs -a 1M ada1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:104 msgid "" "Depending on use, several smaller partitions may be desired. See man:" "gpart[8] for options to create partitions smaller than a whole disk." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:106 msgid "The disk partition information can be viewed with `gpart show`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:114 #, no-wrap msgid "" "% gpart show ada1\n" "=> 34 1465146988 ada1 GPT (699G)\n" " 34 2014 - free - (1.0M)\n" " 2048 1465143296 1 freebsd-ufs (699G)\n" " 1465145344 1678 - free - (839K)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:117 msgid "A file system is created in the new partition on the new disk:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:121 #, no-wrap msgid "# newfs -U /dev/ada1p1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:124 msgid "" "An empty directory is created as a _mountpoint_, a location for mounting the " "new disk in the original disk's file system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:128 #, no-wrap msgid "# mkdir /newdisk\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:131 msgid "" "Finally, an entry is added to [.filename]#/etc/fstab# so the new disk will " "be mounted automatically at startup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:135 #, no-wrap msgid "/dev/ada1p1\t/newdisk\tufs\trw\t2\t2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:138 msgid "The new disk can be mounted manually, without restarting the system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:142 #, no-wrap msgid "# mount /newdisk\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:145 #, no-wrap msgid "Resizing and Growing Disks" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:151 msgid "" "A disk's capacity can increase without any changes to the data already " "present. This happens commonly with virtual machines, when the virtual disk " "turns out to be too small and is enlarged. Sometimes a disk image is " "written to a USB memory stick, but does not use the full capacity. Here we " "describe how to resize or _grow_ disk contents to take advantage of " "increased capacity." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:154 msgid "" "Determine the device name of the disk to be resized by inspecting [." "filename]#/var/run/dmesg.boot#. In this example, there is only one SATA " "disk in the system, so the drive will appear as [.filename]#ada0#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:156 msgid "List the partitions on the disk to see the current configuration:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:165 #, no-wrap msgid "" "# gpart show ada0\n" "=> 34 83886013 ada0 GPT (48G) [CORRUPT]\n" " 34 128 1 freebsd-boot (64k)\n" " 162 79691648 2 freebsd-ufs (38G)\n" " 79691810 4194236 3 freebsd-swap (2G)\n" " 83886046 1 - free - (512B)\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:171 msgid "" -"If the disk was formatted with the http://en.wikipedia.org/wiki/" +"If the disk was formatted with the https://en.wikipedia.org/wiki/" "GUID_Partition_Table[GPT] partitioning scheme, it may show as \"corrupted\" " "because the GPT backup partition table is no longer at the end of the " "drive. Fix the backup partition table with `gpart`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:176 #, no-wrap msgid "" "# gpart recover ada0\n" "ada0 recovered\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:181 msgid "" "Now the additional space on the disk is available for use by a new " "partition, or an existing partition can be expanded:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:190 #, no-wrap msgid "" "# gpart show ada0\n" "=> 34 102399933 ada0 GPT (48G)\n" " 34 128 1 freebsd-boot (64k)\n" " 162 79691648 2 freebsd-ufs (38G)\n" " 79691810 4194236 3 freebsd-swap (2G)\n" " 83886046 18513921 - free - (8.8G)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:195 msgid "" "Partitions can only be resized into contiguous free space. Here, the last " "partition on the disk is the swap partition, but the second partition is the " "one that needs to be resized. Swap partitions only contain temporary data, " "so it can safely be unmounted, deleted, and then recreate the third " "partition after resizing the second partition." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:197 msgid "Disable the swap partition:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:201 #, no-wrap msgid "# swapoff /dev/ada0p3\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:204 msgid "" "Delete the third partition, specified by the `-i` flag, from the disk _ada0_." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:214 #, no-wrap msgid "" "# gpart delete -i 3 ada0\n" "ada0p3 deleted\n" "# gpart show ada0\n" "=> 34 102399933 ada0 GPT (48G)\n" " 34 128 1 freebsd-boot (64k)\n" " 162 79691648 2 freebsd-ufs (38G)\n" " 79691810 22708157 - free - (10G)\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:222 msgid "" "There is risk of data loss when modifying the partition table of a mounted " "file system. It is best to perform the following steps on an unmounted file " "system while running from a live CD-ROM or USB device. However, if " "absolutely necessary, a mounted file system can be resized after disabling " "GEOM safety features:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:226 #, no-wrap msgid "# sysctl kern.geom.debugflags=16\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:235 msgid "" "Resize the partition, leaving room to recreate a swap partition of the " "desired size. The partition to resize is specified with `-i`, and the new " "desired size with `-s`. Optionally, alignment of the partition is " "controlled with `-a`. This only modifies the size of the partition. The " "file system in the partition will be expanded in a separate step." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:245 #, no-wrap msgid "" "# gpart resize -i 2 -s 47G -a 4k ada0\n" "ada0p2 resized\n" "# gpart show ada0\n" "=> 34 102399933 ada0 GPT (48G)\n" " 34 128 1 freebsd-boot (64k)\n" " 162 98566144 2 freebsd-ufs (47G)\n" " 98566306 3833661 - free - (1.8G)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:249 msgid "" "Recreate the swap partition and activate it. If no size is specified with `-" "s`, all remaining space is used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:260 #, no-wrap msgid "" "# gpart add -t freebsd-swap -a 4k ada0\n" "ada0p3 added\n" "# gpart show ada0\n" "=> 34 102399933 ada0 GPT (48G)\n" " 34 128 1 freebsd-boot (64k)\n" " 162 98566144 2 freebsd-ufs (47G)\n" " 98566306 3833661 3 freebsd-swap (1.8G)\n" "# swapon /dev/ada0p3\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:263 msgid "" "Grow the UFS file system to use the new capacity of the resized partition:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:273 #, no-wrap msgid "" "# growfs /dev/ada0p2\n" "Device is mounted read-write; resizing will result in temporary write suspension for /.\n" "It's strongly recommended to make a backup before growing the file system.\n" "OK to grow file system on /dev/ada0p2, mounted on /, from 38GB to 47GB? [Yes/No] Yes\n" "super-block backups (for fsck -b #) at:\n" " 80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752,\n" " 89756992, 91039232, 92321472, 93603712, 94885952, 96168192, 97450432\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:276 msgid "" "If the file system is ZFS, the resize is triggered by running the `online` " "subcommand with `-e`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:280 #, no-wrap msgid "# zpool online -e zroot /dev/ada0p2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:283 msgid "" "Both the partition and the file system on it have now been resized to use " "the newly-available disk space." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:285 #, no-wrap msgid "USB Storage Devices" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:289 msgid "" "Many external storage solutions, such as hard drives, USB thumbdrives, and " "CD and DVD burners, use the Universal Serial Bus (USB). FreeBSD provides " "support for USB 1.x, 2.0, and 3.0 devices." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:294 msgid "" "USB 3.0 support is not compatible with some hardware, including Haswell " "(Lynx point) chipsets. If FreeBSD boots with a `failed with error 19` " "message, disable xHCI/USB3 in the system BIOS." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:298 msgid "" "Support for USB storage devices is built into the [.filename]#GENERIC# " "kernel. For a custom kernel, be sure that the following lines are present " "in the kernel configuration file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:311 #, no-wrap msgid "" "device scbus\t# SCSI bus (required for ATA/SCSI)\n" "device da\t# Direct Access (disks)\n" "device pass\t# Passthrough device (direct ATA/SCSI access)\n" "device uhci\t# provides USB 1.x support\n" "device ohci\t# provides USB 1.x support\n" "device ehci\t# provides USB 2.0 support\n" "device xhci\t# provides USB 3.0 support\n" "device usb\t# USB Bus (required)\n" "device umass\t# Disks/Mass storage - Requires scbus and da\n" "device cd\t# needed for CD and DVD burners\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:315 msgid "" "FreeBSD uses the man:umass[4] driver which uses the SCSI subsystem to access " "USB storage devices. Since any USB device will be seen as a SCSI device by " "the system, if the USB device is a CD or DVD burner, do _not_ include " "`device atapicam` in a custom kernel configuration file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:317 msgid "" "The rest of this section demonstrates how to verify that a USB storage " "device is recognized by FreeBSD and how to configure the device so that it " "can be used." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:318 #, no-wrap msgid "Device Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:323 msgid "" "To test the USB configuration, plug in the USB device. Use `dmesg` to " "confirm that the drive appears in the system message buffer. It should look " "something like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:335 #, no-wrap msgid "" "umass0: on usbus0\n" "umass0: SCSI over Bulk-Only; quirks = 0x0100\n" "umass0:4:0:-1: Attached to scbus4\n" "da0 at umass-sim0 bus 0 scbus4 target 0 lun 0\n" "da0: Fixed Direct Access SCSI-4 device\n" "da0: Serial Number WD-WXE508CAN263\n" "da0: 40.000MB/s transfers\n" "da0: 152627MB (312581808 512 byte sectors: 255H 63S/T 19457C)\n" "da0: quirks=0x2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:338 msgid "" "The brand, device node ([.filename]#da0#), speed, and size will differ " "according to the device." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:340 msgid "" "Since the USB device is seen as a SCSI one, `camcontrol` can be used to list " "the USB storage devices attached to the system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:345 #, no-wrap msgid "" "# camcontrol devlist\n" " at scbus4 target 0 lun 0 (pass3,da0)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:349 msgid "" "Alternately, `usbconfig` can be used to list the device. Refer to man:" "usbconfig[8] for more information about this command." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:354 #, no-wrap msgid "" "# usbconfig\n" "ugen0.3: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (2mA)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:358 msgid "" "If the device has not been formatted, refer to crossref:disks[disks-adding] " "for instructions on how to format and create partitions on the USB drive. " "If the drive comes with a file system, it can be mounted by `root` using the " "instructions in crossref:basics[mount-unmount,“Mounting and Unmounting File " "Systems”]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:363 msgid "" "Allowing untrusted users to mount arbitrary media, by enabling `vfs." "usermount` as described below, should not be considered safe from a security " "point of view. Most file systems were not built to safeguard against " "malicious devices." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:367 msgid "" "To make the device mountable as a normal user, one solution is to make all " "users of the device a member of the `operator` group using man:pw[8]. Next, " "ensure that `operator` is able to read and write the device by adding these " "lines to [.filename]#/etc/devfs.rules#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:372 #, no-wrap msgid "" "[localrules=5]\n" "add path 'da*' mode 0660 group operator\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:377 msgid "" "If internal SCSI disks are also installed in the system, change the second " "line as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:381 #, no-wrap msgid "add path 'da[3-9]*' mode 0660 group operator\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:386 msgid "" "This will exclude the first three SCSI disks ([.filename]#da0# to [." "filename]#da2#) from belonging to the `operator` group. Replace _3_ with " "the number of internal SCSI disks. Refer to man:devfs.rules[5] for more " "information about this file." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:389 msgid "Next, enable the ruleset in [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:393 #, no-wrap msgid "devfs_system_ruleset=\"localrules\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:396 msgid "" "Then, instruct the system to allow regular users to mount file systems by " "adding the following line to [.filename]#/etc/sysctl.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:400 #, no-wrap msgid "vfs.usermount=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:403 msgid "" "Since this only takes effect after the next reboot, use `sysctl` to set this " "variable now:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:408 #, no-wrap msgid "" "# sysctl vfs.usermount=1\n" "vfs.usermount: 0 -> 1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:414 msgid "" "The final step is to create a directory where the file system is to be " "mounted. This directory needs to be owned by the user that is to mount the " "file system. One way to do that is for `root` to create a subdirectory " "owned by that user as [.filename]#/mnt/username#. In the following example, " "replace _username_ with the login name of the user and _usergroup_ with the " "user's primary group:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:419 #, no-wrap msgid "" "# mkdir /mnt/username\n" "# chown username:usergroup /mnt/username\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:423 msgid "" "Suppose a USB thumbdrive is plugged in, and a device [.filename]#/dev/da0s1# " "appears. If the device is formatted with a FAT file system, the user can " "mount it using:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:427 #, no-wrap msgid "% mount -t msdosfs -o -m=644,-M=755 /dev/da0s1 /mnt/username\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:430 msgid "Before the device can be unplugged, it _must_ be unmounted first:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:434 #, no-wrap msgid "% umount /mnt/username\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:437 msgid "" "After device removal, the system message buffer will show messages similar " "to the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:444 #, no-wrap msgid "" "umass0: at uhub3, port 2, addr 3 (disconnected)\n" "da0 at umass-sim0 bus 0 scbus4 target 0 lun 0\n" "da0: s/n WD-WXE508CAN263 detached\n" "(da0:umass-sim0:0:0:0): Periph destroyed\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:446 #, no-wrap msgid "Automounting Removable Media" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:449 msgid "" "USB devices can be automatically mounted by uncommenting this line in [." "filename]#/etc/auto_master#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:453 #, no-wrap msgid "/media\t\t-media\t\t-nosuid\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:456 msgid "Then add these lines to [.filename]#/etc/devd.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:464 #, no-wrap msgid "" "notify 100 {\n" "\tmatch \"system\" \"GEOM\";\n" "\tmatch \"subsystem\" \"DEV\";\n" "\taction \"/usr/sbin/automount -c\";\n" "};\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:467 msgid "" "Reload the configuration if man:autofs[5] and man:devd[8] are already " "running:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:472 #, no-wrap msgid "" "# service automount restart\n" "# service devd restart\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:475 msgid "" "man:autofs[5] can be set to start at boot by adding this line to [." "filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:479 #, no-wrap msgid "autofs_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:482 msgid "man:autofs[5] requires man:devd[8] to be enabled, as it is by default." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:484 msgid "Start the services immediately with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:491 #, no-wrap msgid "" "# service automount start\n" "# service automountd start\n" "# service autounmountd start\n" "# service devd start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:496 msgid "" "Each file system that can be automatically mounted appears as a directory in " "[.filename]#/media/#. The directory is named after the file system label. " "If the label is missing, the directory is named after the device node." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:499 msgid "" "The file system is transparently mounted on the first access, and unmounted " "after a period of inactivity. Automounted drives can also be unmounted " "manually:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:503 #, no-wrap msgid "# automount -fu\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:507 msgid "" "This mechanism is typically used for memory cards and USB memory sticks. It " "can be used with any block device, including optical drives or iSCSILUNs." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:509 #, no-wrap msgid "Creating and Using CD Media" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:515 msgid "" "Compact Disc (CD) media provide a number of features that differentiate them " "from conventional disks. They are designed so that they can be read " "continuously without delays to move the head between tracks. While CD media " "do have tracks, these refer to a section of data to be read continuously, " "and not a physical property of the disk. The ISO 9660 file system was " "designed to deal with these differences." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:519 msgid "" "The FreeBSD Ports Collection provides several utilities for burning and " "duplicating audio and data CDs. This chapter demonstrates the use of " "several command line utilities. For CD burning software with a graphical " "utility, consider installing the package:sysutils/xcdroast[] or package:" "sysutils/k3b[] packages or ports." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:521 #, no-wrap msgid "Supported Devices" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:525 msgid "" "The [.filename]#GENERIC# kernel provides support for SCSI, USB, and ATAPICD " "readers and burners. If a custom kernel is used, the options that need to " "be present in the kernel configuration file vary by the type of device." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:527 msgid "For a SCSI burner, make sure these options are present:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:534 #, no-wrap msgid "" "device scbus\t# SCSI bus (required for ATA/SCSI)\n" "device da\t# Direct Access (disks)\n" "device pass\t# Passthrough device (direct ATA/SCSI access)\n" "device cd\t# needed for CD and DVD burners\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:537 msgid "For a USB burner, make sure these options are present:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:550 #, no-wrap msgid "" "device scbus\t# SCSI bus (required for ATA/SCSI)\n" "device da\t# Direct Access (disks)\n" "device pass\t# Passthrough device (direct ATA/SCSI access)\n" "device cd\t# needed for CD and DVD burners\n" "device uhci\t# provides USB 1.x support\n" "device ohci\t# provides USB 1.x support\n" "device ehci\t# provides USB 2.0 support\n" "device xhci\t# provides USB 3.0 support\n" "device usb\t# USB Bus (required)\n" "device umass\t# Disks/Mass storage - Requires scbus and da\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:553 msgid "For an ATAPI burner, make sure these options are present:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:560 #, no-wrap msgid "" "device ata\t# Legacy ATA/SATA controllers\n" "device scbus\t# SCSI bus (required for ATA/SCSI)\n" "device pass\t# Passthrough device (direct ATA/SCSI access)\n" "device cd\t# needed for CD and DVD burners\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:565 msgid "" "On FreeBSD versions prior to 10.x, this line is also needed in the kernel " "configuration file if the burner is an ATAPI device:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:569 #, no-wrap msgid "device atapicam\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:572 msgid "" "Alternately, this driver can be loaded at boot time by adding the following " "line to [.filename]#/boot/loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:576 #, no-wrap msgid "atapicam_load=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:579 msgid "" "This will require a reboot of the system as this driver can only be loaded " "at boot time." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:583 msgid "" "To verify that FreeBSD recognizes the device, run `dmesg` and look for an " "entry for the device. On systems prior to 10.x, the device name in the " "first line of the output will be [.filename]#acd0# instead of [." "filename]#cd0#." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:592 #, no-wrap msgid "" "% dmesg | grep cd\n" "cd0 at ahcich1 bus 0 scbus1 target 0 lun 0\n" "cd0: Removable CD-ROM SCSI-0 device\n" "cd0: Serial Number M3OD3S34152\n" "cd0: 150.000MB/s transfers (SATA 1.x, UDMA6, ATAPI 12bytes, PIO 8192bytes)\n" "cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:595 #, no-wrap msgid "Burning a CD" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:599 msgid "" "In FreeBSD, `cdrecord` can be used to burn CDs. This command is installed " "with the package:sysutils/cdrtools[] package or port." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:602 msgid "" "While `cdrecord` has many options, basic usage is simple. Specify the name " "of the ISO file to burn and, if the system has multiple burner devices, " "specify the name of the device to use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:606 #, no-wrap msgid "# cdrecord dev=device imagefile.iso\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:609 msgid "" "To determine the device name of the burner, use `-scanbus` which might " "produce results like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:633 #, no-wrap msgid "" "# cdrecord -scanbus\n" "ProDVD-ProBD-Clone 3.00 (amd64-unknown-freebsd10.0) Copyright (C) 1995-2010 Jörg Schilling\n" "Using libscg version 'schily-0.9'\n" "scsibus0:\n" " 0,0,0 0) 'SEAGATE ' 'ST39236LW ' '0004' Disk\n" " 0,1,0 1) 'SEAGATE ' 'ST39173W ' '5958' Disk\n" " 0,2,0 2) *\n" " 0,3,0 3) 'iomega ' 'jaz 1GB ' 'J.86' Removable Disk\n" " 0,4,0 4) 'NEC ' 'CD-ROM DRIVE:466' '1.26' Removable CD-ROM\n" " 0,5,0 5) *\n" " 0,6,0 6) *\n" " 0,7,0 7) *\n" "scsibus1:\n" " 1,0,0 100) *\n" " 1,1,0 101) *\n" " 1,2,0 102) *\n" " 1,3,0 103) *\n" " 1,4,0 104) *\n" " 1,5,0 105) 'YAMAHA ' 'CRW4260 ' '1.0q' Removable CD-ROM\n" " 1,6,0 106) 'ARTEC ' 'AM12S ' '1.06' Scanner\n" " 1,7,0 107) *\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:638 msgid "" "Locate the entry for the CD burner and use the three numbers separated by " "commas as the value for `dev`. In this case, the Yamaha burner device is " "`1,5,0`, so the appropriate input to specify that device is `dev=1,5,0`. " "Refer to the manual page for `cdrecord` for other ways to specify this value " "and for information on writing audio tracks and controlling the write speed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:640 msgid "" "Alternately, run the following command to get the device address of the " "burner:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:645 #, no-wrap msgid "" "# camcontrol devlist\n" " at scbus1 target 0 lun 0 (cd0,pass0)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:649 msgid "" "Use the numeric values for `scbus`, `target`, and `lun`. For this example, " "`1,0,0` is the device name to use." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:651 #, no-wrap msgid "Writing Data to an ISO File System" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:656 msgid "" "In order to produce a data CD, the data files that are going to make up the " "tracks on the CD must be prepared before they can be burned to the CD. In " "FreeBSD, package:sysutils/cdrtools[] installs `mkisofs`, which can be used " "to produce an ISO 9660 file system that is an image of a directory tree " "within a UNIX(R) file system. The simplest usage is to specify the name of " "the ISO file to create and the path to the files to place into the ISO 9660 " "file system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:660 #, no-wrap msgid "# mkisofs -o imagefile.iso /path/to/tree\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:663 msgid "" "This command maps the file names in the specified path to names that fit the " "limitations of the standard ISO 9660 file system, and will exclude files " "that do not meet the standard for ISO file systems." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:666 msgid "" "A number of options are available to overcome the restrictions imposed by " "the standard. In particular, `-R` enables the Rock Ridge extensions common " "to UNIX(R) systems and `-J` enables Joliet extensions used by Microsoft(R) " "systems." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:669 msgid "" "For CDs that are going to be used only on FreeBSD systems, `-U` can be used " "to disable all filename restrictions. When used with `-R`, it produces a " "file system image that is identical to the specified FreeBSD tree, even if " "it violates the ISO 9660 standard." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:677 msgid "" "The last option of general use is `-b`. This is used to specify the " "location of a boot image for use in producing an \"El Torito\" bootable CD. " "This option takes an argument which is the path to a boot image from the top " "of the tree being written to the CD. By default, `mkisofs` creates an ISO " "image in \"floppy disk emulation\" mode, and thus expects the boot image to " "be exactly 1200, 1440 or 2880 KB in size. Some boot loaders, like the one " "used by the FreeBSD distribution media, do not use emulation mode. In this " "case, `-no-emul-boot` should be used. So, if [.filename]#/tmp/myboot# holds " "a bootable FreeBSD system with the boot image in [.filename]#/tmp/myboot/" "boot/cdboot#, this command would produce [.filename]#/tmp/bootable.iso#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:681 #, no-wrap msgid "# mkisofs -R -no-emul-boot -b boot/cdboot -o /tmp/bootable.iso /tmp/myboot\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:684 msgid "The resulting ISO image can be mounted as a memory disk with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:689 #, no-wrap msgid "" "# mdconfig -a -t vnode -f /tmp/bootable.iso -u 0\n" "# mount -t cd9660 /dev/md0 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:692 msgid "" "One can then verify that [.filename]#/mnt# and [.filename]#/tmp/myboot# are " "identical." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:695 msgid "" "There are many other options available for `mkisofs` to fine-tune its " "behavior. Refer to man:mkisofs[8] for details." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:700 msgid "" "It is possible to copy a data CD to an image file that is functionally " "equivalent to the image file created with `mkisofs`. To do so, use [." "filename]#dd# with the device name as the input file and the name of the ISO " "to create as the output file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:704 #, no-wrap msgid "# dd if=/dev/cd0 of=file.iso bs=2048\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:707 msgid "" "The resulting image file can be burned to CD as described in crossref:" "disks[cdrecord]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:710 #, no-wrap msgid "Using Data CDs" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:713 msgid "" "Once an ISO has been burned to a CD, it can be mounted by specifying the " "file system type, the name of the device containing the CD, and an existing " "mount point:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:717 #, no-wrap msgid "# mount -t cd9660 /dev/cd0 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:720 msgid "" "Since `mount` assumes that a file system is of type `ufs`, an `Incorrect " "super block` error will occur if `-t cd9660` is not included when mounting a " "data CD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:725 msgid "" "While any data CD can be mounted this way, disks with certain ISO 9660 " "extensions might behave oddly. For example, Joliet disks store all " "filenames in two-byte Unicode characters. If some non-English characters " "show up as question marks, specify the local charset with `-C`. For more " "information, refer to man:mount_cd9660[8]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:730 msgid "" "In order to do this character conversion with the help of `-C`, the kernel " "requires the [.filename]#cd9660_iconv.ko# module to be loaded. This can be " "done either by adding this line to [.filename]#loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:734 #, no-wrap msgid "cd9660_iconv_load=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:737 msgid "" "and then rebooting the machine, or by directly loading the module with " "`kldload`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:742 msgid "" "Occasionally, `Device not configured` will be displayed when trying to mount " "a data CD. This usually means that the CD drive has not detected a disk in " "the tray, or that the drive is not visible on the bus. It can take a couple " "of seconds for a CD drive to detect media, so be patient." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:746 msgid "" "Sometimes, a SCSICD drive may be missed because it did not have enough time " "to answer the bus reset. To resolve this, a custom kernel can be created " "which increases the default SCSI delay. Add the following option to the " "custom kernel configuration file and rebuild the kernel using the " "instructions in crossref:kernelconfig[kernelconfig-building,“Building and " "Installing a Custom Kernel”]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:750 #, no-wrap msgid "options SCSI_DELAY=15000\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:753 msgid "" "This tells the SCSI bus to pause 15 seconds during boot, to give the CD " "drive every possible chance to answer the bus reset." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:758 msgid "" "It is possible to burn a file directly to CD, without creating an ISO 9660 " "file system. This is known as burning a raw data CD and some people do this " "for backup purposes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:762 msgid "" "This type of disk can not be mounted as a normal data CD. In order to " "retrieve the data burned to such a CD, the data must be read from the raw " "device node. For example, this command will extract a compressed tar file " "located on the second CD device into the current working directory:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:766 #, no-wrap msgid "# tar xzvf /dev/cd1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:769 msgid "In order to mount a data CD, the data must be written using `mkisofs`." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:772 #, no-wrap msgid "Duplicating Audio CDs" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:775 msgid "" "To duplicate an audio CD, extract the audio data from the CD to a series of " "files, then write these files to a blank CD." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:779 msgid "" "crossref:disks[using-cdrecord] describes how to duplicate and burn an audio " "CD. If the FreeBSD version is less than 10.0 and the device is ATAPI, the " "`atapicam` module must be first loaded using the instructions in crossref:" "disks[atapicam]." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:782 #, no-wrap msgid "Procedure: Duplicating an Audio CD" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:784 msgid "" "The package:sysutils/cdrtools[] package or port installs `cdda2wav`. This " "command can be used to extract all of the audio tracks, with each track " "written to a separate WAV file in the current working directory:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:788 #, no-wrap msgid "% cdda2wav -vall -B -Owav\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:792 msgid "" "A device name does not need to be specified if there is only one CD device " "on the system. Refer to the `cdda2wav` manual page for instructions on how " "to specify a device and to learn more about the other options available for " "this command." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:793 msgid "Use `cdrecord` to write the [.filename]#.wav# files:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:797 #, no-wrap msgid "% cdrecord -v dev=2,0 -dao -useinfo *.wav\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:800 msgid "" "Make sure that _2,0_ is set appropriately, as described in crossref:" "disks[cdrecord]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:802 #, no-wrap msgid "Creating and Using DVD Media" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:806 msgid "" "Compared to the CD, the DVD is the next generation of optical media storage " "technology. The DVD can hold more data than any CD and is the standard for " "video publishing." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:808 msgid "Five physical recordable formats can be defined for a recordable DVD:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:810 msgid "" "DVD-R: This was the first DVD recordable format available. The DVD-R " "standard is defined by the http://www.dvdforum.org/forum.shtml[DVD Forum]. " "This format is write once." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:811 msgid "" "DVD-RW: This is the rewritable version of the DVD-R standard. A DVD-RW can " "be rewritten about 1000 times." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:815 msgid "" "DVD-RAM: This is a rewritable format which can be seen as a removable hard " "drive. However, this media is not compatible with most DVD-ROM drives and " "DVD-Video players as only a few DVD writers support the DVD-RAM format. " "Refer to crossref:disks[creating-dvd-ram] for more information on DVD-RAM " "use." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:816 msgid "" "DVD+RW: This is a rewritable format defined by the https://en.wikipedia.org/" "wiki/DVD%2BRW_Alliance[DVD+RW Alliance]. A DVD+RW can be rewritten about " "1000 times." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:817 msgid "DVD+R: This format is the write once variation of the DVD+RW format." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:819 msgid "" "A single layer recordable DVD can hold up to 4,700,000,000 bytes which is " "actually 4.38 GB or 4485 MB as 1 kilobyte is 1024 bytes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:825 msgid "" "A distinction must be made between the physical media and the application. " "For example, a DVD-Video is a specific file layout that can be written on " "any recordable DVD physical media such as DVD-R, DVD+R, or DVD-RW. Before " "choosing the type of media, ensure that both the burner and the DVD-Video " "player are compatible with the media under consideration." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:827 #, no-wrap msgid "Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:831 msgid "" "To perform DVD recording, use man:growisofs[1]. This command is part of the " "package:sysutils/dvd+rw-tools[] utilities which support all DVD media types." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:836 msgid "" "These tools use the SCSI subsystem to access the devices, therefore crossref:" "disks[atapicam,ATAPI/CAM support] must be loaded or statically compiled into " "the kernel. This support is not needed if the burner uses the USB " "interface. Refer to crossref:disks[usb-disks] for more details on USB " "device configuration." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:838 msgid "" "DMA access must also be enabled for ATAPI devices, by adding the following " "line to [.filename]#/boot/loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:842 #: documentation/content/en/books/handbook/disks/_index.adoc:1075 #, no-wrap msgid "hw.ata.atapi_dma=\"1\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:845 msgid "" "Before attempting to use dvd+rw-tools, consult the http://fy.chalmers.se/" "~appro/linux/DVD+RW/hcn.html[Hardware Compatibility Notes]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:849 msgid "" "For a graphical user interface, consider using package:sysutils/k3b[] which " "provides a user friendly interface to man:growisofs[1] and many other " "burning tools." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:851 #, no-wrap msgid "Burning Data DVDs" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:855 msgid "" "Since man:growisofs[1] is a front-end to crossref:disks[mkisofs,mkisofs], it " "will invoke man:mkisofs[8] to create the file system layout and perform the " "write on the DVD. This means that an image of the data does not need to be " "created before the burning process." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:857 msgid "" "To burn to a DVD+R or a DVD-R the data in [.filename]#/path/to/data#, use " "the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:861 #, no-wrap msgid "# growisofs -dvd-compat -Z /dev/cd0 -J -R /path/to/data\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:865 msgid "" "In this example, `-J -R` is passed to man:mkisofs[8] to create an ISO 9660 " "file system with Joliet and Rock Ridge extensions. Refer to man:mkisofs[8] " "for more details." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:870 msgid "" "For the initial session recording, `-Z` is used for both single and multiple " "sessions. Replace _/dev/cd0_, with the name of the DVD device. Using `-dvd-" "compat` indicates that the disk will be closed and that the recording will " "be unappendable. This should also provide better media compatibility with " "DVD-ROM drives." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:872 msgid "To burn a pre-mastered image, such as _imagefile.iso_, use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:876 #, no-wrap msgid "# growisofs -dvd-compat -Z /dev/cd0=imagefile.iso\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:880 msgid "" "The write speed should be detected and automatically set according to the " "media and the drive being used. To force the write speed, use `-speed=`. " "Refer to man:growisofs[1] for example usage." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:887 msgid "" "In order to support working files larger than 4.38GB, an UDF/ISO-9660 hybrid " "file system must be created by passing `-udf -iso-level 3` to man:mkisofs[8] " "and all related programs, such as man:growisofs[1]. This is required only " "when creating an ISO image file or when writing files directly to a disk. " "Since a disk created this way must be mounted as an UDF file system with man:" "mount_udf[8], it will be usable only on an UDF aware operating system. " "Otherwise it will look as if it contains corrupted files." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:889 msgid "To create this type of ISO file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:893 #, no-wrap msgid "% mkisofs -R -J -udf -iso-level 3 -o imagefile.iso /path/to/data\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:896 msgid "To burn files directly to a disk:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:900 #, no-wrap msgid "# growisofs -dvd-compat -udf -iso-level 3 -Z /dev/cd0 -J -R /path/to/data\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:903 msgid "" "When an ISO image already contains large files, no additional options are " "required for man:growisofs[1] to burn that image on a disk." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:906 msgid "" "Be sure to use an up-to-date version of package:sysutils/cdrtools[], which " "contains man:mkisofs[8], as an older version may not contain large files " "support. If the latest version does not work, install package:sysutils/" "cdrtools-devel[] and read its man:mkisofs[8]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:908 #, no-wrap msgid "Burning a DVD-Video" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:912 msgid "" "A DVD-Video is a specific file layout based on the ISO 9660 and micro-UDF (M-" "UDF) specifications. Since DVD-Video presents a specific data structure " "hierarchy, a particular program such as package:multimedia/dvdauthor[] is " "needed to author the DVD." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:915 msgid "" "If an image of the DVD-Video file system already exists, it can be burned in " "the same way as any other image. If `dvdauthor` was used to make the DVD " "and the result is in [.filename]#/path/to/video#, the following command " "should be used to burn the DVD-Video:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:919 #, no-wrap msgid "# growisofs -Z /dev/cd0 -dvd-video /path/to/video\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:923 msgid "" "`-dvd-video` is passed to man:mkisofs[8] to instruct it to create a DVD-" "Video file system layout. This option implies the `-dvd-compat` man:" "growisofs[1] option." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:924 #, no-wrap msgid "Using a DVD+RW" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:929 msgid "" "Unlike CD-RW, a virgin DVD+RW needs to be formatted before first use. It is " "_recommended_ to let man:growisofs[1] take care of this automatically " "whenever appropriate. However, it is possible to use `dvd+rw-format` to " "format the DVD+RW:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:933 #: documentation/content/en/books/handbook/disks/_index.adoc:1023 #, no-wrap msgid "# dvd+rw-format /dev/cd0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:937 msgid "" "Only perform this operation once and keep in mind that only virgin DVD+RW " "medias need to be formatted. Once formatted, the DVD+RW can be burned as " "usual." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:940 msgid "" "To burn a totally new file system and not just append some data onto a " "DVD+RW, the media does not need to be blanked first. Instead, write over " "the previous recording like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:944 #, no-wrap msgid "# growisofs -Z /dev/cd0 -J -R /path/to/newdata\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:949 msgid "" "The DVD+RW format supports appending data to a previous recording. This " "operation consists of merging a new session to the existing one as it is not " "considered to be multi-session writing. man:growisofs[1] will _grow_ the " "ISO 9660 file system present on the media." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:951 msgid "For example, to append data to a DVD+RW, use the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:955 #: documentation/content/en/books/handbook/disks/_index.adoc:1043 #, no-wrap msgid "# growisofs -M /dev/cd0 -J -R /path/to/nextdata\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:958 msgid "" "The same man:mkisofs[8] options used to burn the initial session should be " "used during next writes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:963 msgid "" "Use `-dvd-compat` for better media compatibility with DVD-ROM drives. When " "using DVD+RW, this option will not prevent the addition of data." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:966 msgid "To blank the media, use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:970 #, no-wrap msgid "# growisofs -Z /dev/cd0=/dev/zero\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:972 #, no-wrap msgid "Using a DVD-RW" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:976 msgid "" "A DVD-RW accepts two disc formats: incremental sequential and restricted " "overwrite. By default, DVD-RW discs are in sequential format." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:979 msgid "" "A virgin DVD-RW can be directly written without being formatted. However, a " "non-virgin DVD-RW in sequential format needs to be blanked before writing a " "new initial session." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:981 msgid "To blank a DVD-RW in sequential mode:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:985 #: documentation/content/en/books/handbook/disks/_index.adoc:1030 #, no-wrap msgid "# dvd+rw-format -blank=full /dev/cd0\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:992 msgid "" "A full blanking using `-blank=full` will take about one hour on a 1x media. " "A fast blanking can be performed using `-blank`, if the DVD-RW will be " "recorded in Disk-At-Once (DAO) mode. To burn the DVD-RW in DAO mode, use " "the command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:996 #, no-wrap msgid "# growisofs -use-the-force-luke=dao -Z /dev/cd0=imagefile.iso\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:999 msgid "" "Since man:growisofs[1] automatically attempts to detect fast blanked media " "and engage DAO write, `-use-the-force-luke=dao` should not be required." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1001 msgid "" "One should instead use restricted overwrite mode with any DVD-RW as this " "format is more flexible than the default of incremental sequential." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1004 msgid "" "To write data on a sequential DVD-RW, use the same instructions as for the " "other DVD formats:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1008 #, no-wrap msgid "# growisofs -Z /dev/cd0 -J -R /path/to/data\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1012 msgid "" "To append some data to a previous recording, use `-M` with man:" "growisofs[1]. However, if data is appended on a DVD-RW in incremental " "sequential mode, a new session will be created on the disc and the result " "will be a multi-session disc." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1017 msgid "" "A DVD-RW in restricted overwrite format does not need to be blanked before a " "new initial session. Instead, overwrite the disc with `-Z`. It is also " "possible to grow an existing ISO 9660 file system written on the disc with `-" "M`. The result will be a one-session DVD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1019 msgid "" "To put a DVD-RW in restricted overwrite format, the following command must " "be used:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1026 msgid "To change back to sequential format, use:" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1032 #, no-wrap msgid "Multi-Session" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1037 msgid "" "Few DVD-ROM drives support multi-session DVDs and most of the time only read " "the first session. DVD+R, DVD-R and DVD-RW in sequential format can accept " "multiple sessions. The notion of multiple sessions does not exist for the " "DVD+RW and the DVD-RW restricted overwrite formats." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1039 msgid "" "Using the following command after an initial non-closed session on a DVD+R, " "DVD-R, or DVD-RW in sequential format, will add a new session to the disc:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1048 msgid "" "Using this command with a DVD+RW or a DVD-RW in restricted overwrite mode " "will append data while merging the new session to the existing one. The " "result will be a single-session disc. Use this method to add data after an " "initial write on these types of media." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1053 msgid "" "Since some space on the media is used between each session to mark the end " "and start of sessions, one should add sessions with a large amount of data " "to optimize media space. The number of sessions is limited to 154 for a " "DVD+R, about 2000 for a DVD-R, and 127 for a DVD+R Double Layer." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1055 #, no-wrap msgid "For More Information" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1058 msgid "" "To obtain more information about a DVD, use `dvd+rw-mediainfo _/dev/cd0_` " "while the disc in the specified drive." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1060 msgid "" "More information about dvd+rw-tools can be found in man:growisofs[1], on the " "http://fy.chalmers.se/~appro/linux/DVD+RW/[dvd+rw-tools web site], and in " "the http://lists.debian.org/cdwrite/[cdwrite mailing list] archives." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1064 msgid "" "When creating a problem report related to the use of dvd+rw-tools, always " "include the output of `dvd+rw-mediainfo`." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1067 #, no-wrap msgid "Using a DVD-RAM" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1071 msgid "" "DVD-RAM writers can use either a SCSI or ATAPI interface. For ATAPI " "devices, DMA access has to be enabled by adding the following line to [." "filename]#/boot/loader.conf#:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1080 msgid "" "A DVD-RAM can be seen as a removable hard drive. Like any other hard drive, " "the DVD-RAM must be formatted before it can be used. In this example, the " "whole disk space will be formatted with a standard UFS2 file system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1086 #, no-wrap msgid "" "# dd if=/dev/zero of=/dev/acd0 bs=2k count=1\n" "# bsdlabel -Bw acd0\n" "# newfs /dev/acd0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1089 msgid "" "The DVD device, [.filename]#acd0#, must be changed according to the " "configuration." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1091 msgid "" "Once the DVD-RAM has been formatted, it can be mounted as a normal hard " "drive:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1095 #, no-wrap msgid "# mount /dev/acd0 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1098 msgid "Once mounted, the DVD-RAM will be both readable and writeable." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1100 #, no-wrap msgid "Creating and Using Floppy Disks" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1103 msgid "This section explains how to format a 3.5 inch floppy disk in FreeBSD." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1107 #, no-wrap msgid "*Procedure: Steps to Format a Floppy*\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1112 msgid "" "A floppy disk needs to be low-level formatted before it can be used. This " "is usually done by the vendor, but formatting is a good way to check media " "integrity. To low-level format the floppy disk on FreeBSD, use man:" "fdformat[1]. When using this utility, make note of any error messages, as " "these can help determine if the disk is good or bad." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1114 msgid "" "To format the floppy, insert a new 3.5 inch floppy disk into the first " "floppy drive and issue:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1118 #, no-wrap msgid "# /usr/sbin/fdformat -f 1440 /dev/fd0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1121 msgid "" "After low-level formatting the disk, create a disk label as it is needed by " "the system to determine the size of the disk and its geometry. The supported " "geometry values are listed in [.filename]#/etc/disktab#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1123 msgid "To write the disk label, use man:bsdlabel[8]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1127 #, no-wrap msgid "# /sbin/bsdlabel -B -w /dev/fd0 fd1440\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1130 msgid "" "The floppy is now ready to be high-level formatted with a file system. The " "floppy's file system can be either UFS or FAT, where FAT is generally a " "better choice for floppies." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1132 msgid "To format the floppy with FAT, issue:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1136 #, no-wrap msgid "# /sbin/newfs_msdos /dev/fd0\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1142 msgid "" "The disk is now ready for use. To use the floppy, mount it with man:" "mount_msdosfs[8]. One can also install and use package:emulators/mtools[] " "from the Ports Collection." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1144 #, no-wrap msgid "Using NTFS Disks" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1147 msgid "This section explains how to mount NTFS disks in FreeBSD." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1152 msgid "" "NTFS (New Technology File System) is a proprietary journaling file system " "developed by Microsoft(R). It has been the default file system in Microsoft " "Windows(R) for many years. FreeBSD can mount NTFS volumes using a FUSE file " "system. These file systems are implemented as user space programs which " "interact with the man:fusefs[5] kernel module via a well defined interface." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1156 #, no-wrap msgid "*Procedure: Steps to Mount a NTFS Disk*\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1159 msgid "" "Before using a FUSE file system we need to load the man:fusefs[5] kernel " "module:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1163 #, no-wrap msgid "# kldload fusefs\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1166 msgid "Use man:sysrc[8] to load the module at startup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1170 #, no-wrap msgid "# sysrc kld_list+=fusefs\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1173 msgid "" "Install the actual NTFS file system from packages as in the example (see " "crossref:ports[pkgng-intro,Using pkg for Binary Package Management]) or from " "ports (see crossref:ports[ports-using,Using the Ports Collection]):" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1177 #, no-wrap msgid "# pkg install fusefs-ntfs\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1180 msgid "" "Last we need to create a directory where the file system will be mounted:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1184 #, no-wrap msgid "# mkdir /mnt/usb\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1187 msgid "" "Suppose a USB disk is plugged in. The disk partition information can be " "viewed with man:gpart[8]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1193 #, no-wrap msgid "" "# gpart show da0\n" "=>\t 63 1953525105 da0 MBR (932G)\n" "\t 63 1953525105 1 ntfs (932G)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1196 msgid "We can mount the disk using the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1200 #, no-wrap msgid "# ntfs-3g /dev/da0s1 /mnt/usb/\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1202 msgid "The disk is now ready to use." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1204 msgid "Additionally, an entry can be added to /etc/fstab:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1208 #, no-wrap msgid "/dev/da0s1 /mnt/usb\tntfs mountprog=/usr/local/bin/ntfs-3g,noauto,rw 0 0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1211 msgid "Now the disk can be now mounted with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1215 #, no-wrap msgid "# mount /mnt/usb\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1218 msgid "The disk can be unmounted with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1222 #, no-wrap msgid "# umount /mnt/usb/\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1226 #, no-wrap msgid "Backup Basics" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1229 msgid "" "Implementing a backup plan is essential in order to have the ability to " "recover from disk failure, accidental file deletion, random file corruption, " "or complete machine destruction, including destruction of on-site backups." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1232 msgid "" "The backup type and schedule will vary, depending upon the importance of the " "data, the granularity needed for file restores, and the amount of acceptable " "downtime. Some possible backup techniques include:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1234 msgid "" "Archives of the whole system, backed up onto permanent, off-site media. This " "provides protection against all of the problems listed above, but is slow " "and inconvenient to restore from, especially for non-privileged users." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1235 msgid "" "File system snapshots, which are useful for restoring deleted files or " "previous versions of files." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1236 msgid "" "Copies of whole file systems or disks which are synchronized with another " "system on the network using a scheduled package:net/rsync[]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1237 msgid "" "Hardware or software RAID, which minimizes or avoids downtime when a disk " "fails." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1241 msgid "" "Typically, a mix of backup techniques is used. For example, one could " "create a schedule to automate a weekly, full system backup that is stored " "off-site and to supplement this backup with hourly ZFS snapshots. In " "addition, one could make a manual backup of individual directories or files " "before making file edits or deletions." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1243 msgid "" "This section describes some of the utilities which can be used to create and " "manage backups on a FreeBSD system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1244 #, no-wrap msgid "File System Backups" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1250 msgid "" "The traditional UNIX(R) programs for backing up a file system are man:" "dump[8], which creates the backup, and man:restore[8], which restores the " "backup. These utilities work at the disk block level, below the " "abstractions of the files, links, and directories that are created by file " "systems. Unlike other backup software, `dump` backs up an entire file " "system and is unable to backup only part of a file system or a directory " "tree that spans multiple file systems. Instead of writing files and " "directories, `dump` writes the raw data blocks that comprise files and " "directories." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1254 msgid "" "If `dump` is used on the root directory, it will not back up [.filename]#/" "home#, [.filename]#/usr#, or many other directories since these are " "typically mount points for other file systems or symbolic links into those " "file systems." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1258 msgid "" "When used to restore data, `restore` stores temporary files in [.filename]#/" "tmp/# by default. When using a recovery disk with a small [.filename]#/" "tmp#, set `TMPDIR` to a directory with more free space for the restore to " "succeed." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1262 msgid "" "When using `dump`, be aware that some quirks remain from its early days in " "Version 6 of AT&T UNIX(R),circa 1975. The default parameters assume a " "backup to a 9-track tape, rather than to another type of media or to the " "high-density tapes available today. These defaults must be overridden on " "the command line." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1265 msgid "" "It is possible to backup a file system across the network to another system " "or a tape drive attached to another computer. While the man:rdump[8] and " "man:rrestore[8] utilities can be used for this purpose, they are not " "considered to be secure." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1268 msgid "" "Instead, one can use `dump` and `restore` more securely over an SSH " "connection. This example creates a full, compressed backup of [.filename]#/" "usr# and sends the backup file to the specified host over an SSH connection." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1269 #, no-wrap msgid "Using `dump` over ssh" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1276 #, no-wrap msgid "" "# /sbin/dump -0uan -f - /usr | gzip -2 | ssh -c blowfish \\\n" " targetuser@targetmachine.example.com dd of=/mybigfiles/dump-usr-l0.gz\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1280 msgid "" "This example sets `RSH` in order to write the backup to a tape drive on a " "remote system over an SSH connection:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1281 #, no-wrap msgid "Using `dump` over ssh with `RSH` Set" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1287 #, no-wrap msgid "# env RSH=/usr/bin/ssh /sbin/dump -0uan -f targetuser@targetmachine.example.com:/dev/sa0 /usr\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1293 msgid "" "Systems using the crossref:zfs[,Z file system (ZFS)] can make use of man:" "zfs[8] for creating snapshots, as well as crossref:zfs[zfs-zfs-send,sending " "and receiving] them to/from remote systems." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1295 #, no-wrap msgid "Directory Backups" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1298 msgid "" "Several built-in utilities are available for backing up and restoring " "specified files and directories as needed." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1302 msgid "" "A good choice for making a backup of all of the files in a directory is man:" "tar[1]. This utility dates back to Version 6 of AT&T UNIX(R) and by default " "assumes a recursive backup to a local tape device. Switches can be used to " "instead specify the name of a backup file." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1305 msgid "" "This example creates a compressed backup of the current directory and saves " "it to [.filename]#/tmp/mybackup.tgz#. When creating a backup file, make " "sure that the backup is not saved to the same directory that is being backed " "up." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1306 #, no-wrap msgid "Backing Up the Current Directory with `tar`" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1312 #, no-wrap msgid "# tar czvf /tmp/mybackup.tgz .\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1318 msgid "" "To restore the entire backup, `cd` into the directory to restore into and " "specify the name of the backup. Note that this will overwrite any newer " "versions of files in the restore directory. When in doubt, restore to a " "temporary directory or specify the name of the file within the backup to " "restore." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1319 #, no-wrap msgid "Restoring Up the Current Directory with `tar`" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1325 #, no-wrap msgid "# tar xzvf /tmp/mybackup.tgz\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1330 msgid "" "There are dozens of available switches which are described in man:tar[1]. " "This utility also supports the use of exclude patterns to specify which " "files should not be included when backing up the specified directory or " "restoring files from a backup." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1333 msgid "" "To create a backup using a specified list of files and directories, man:" "cpio[1] is a good choice. Unlike `tar`, `cpio` does not know how to walk " "the directory tree and it must be provided the list of files to backup." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1336 msgid "" "For example, a list of files can be created using `ls` or `find`. This " "example creates a recursive listing of the current directory which is then " "piped to `cpio` in order to create an output backup file named [.filename]#/" "tmp/mybackup.cpio#." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1337 #, no-wrap msgid "Using `ls` and `cpio` to Make a Recursive Backup of the Current Directory" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1343 #, no-wrap msgid "# ls -R | cpio -ovF /tmp/mybackup.cpio\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1349 msgid "" "A backup utility which tries to bridge the features provided by `tar` and " "`cpio` is man:pax[1]. Over the years, the various versions of `tar` and " "`cpio` became slightly incompatible. POSIX(R) created `pax` which attempts " "to read and write many of the various `cpio` and `tar` formats, plus new " "formats of its own." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1351 msgid "The `pax` equivalent to the previous examples would be:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1352 #, no-wrap msgid "Backing Up the Current Directory with `pax`" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1358 #, no-wrap msgid "# pax -wf /tmp/mybackup.pax .\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1362 #, no-wrap msgid "Using Data Tapes for Backups" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1367 msgid "" "While tape technology has continued to evolve, modern backup systems tend to " "combine off-site backups with local removable media. FreeBSD supports any " "tape drive that uses SCSI, such as LTO or DAT. There is limited support for " "SATA and USB tape drives." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1371 msgid "" "For SCSI tape devices, FreeBSD uses the man:sa[4] driver and the [." "filename]#/dev/sa0#, [.filename]#/dev/nsa0#, and [.filename]#/dev/esa0# " "devices. The physical device name is [.filename]#/dev/sa0#. When [." "filename]#/dev/nsa0# is used, the backup application will not rewind the " "tape after writing a file, which allows writing more than one file to a " "tape. Using [.filename]#/dev/esa0# ejects the tape after the device is " "closed." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1374 msgid "" "In FreeBSD, `mt` is used to control operations of the tape drive, such as " "seeking through files on a tape or writing tape control marks to the tape. " "For example, the first three files on a tape can be preserved by skipping " "past them before writing a new file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1378 #, no-wrap msgid "# mt -f /dev/nsa0 fsf 3\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1381 msgid "This utility supports many operations. Refer to man:mt[1] for details." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1383 msgid "" "To write a single file to tape using `tar`, specify the name of the tape " "device and the file to backup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1387 #, no-wrap msgid "# tar cvf /dev/sa0 file\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1390 msgid "" "To recover files from a `tar` archive on tape into the current directory:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1394 #, no-wrap msgid "# tar xvf /dev/sa0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1398 msgid "" "To backup a UFS file system, use `dump`. This examples backs up [." "filename]#/usr# without rewinding the tape when finished:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1402 #, no-wrap msgid "# dump -0aL -b64 -f /dev/nsa0 /usr\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1405 msgid "" "To interactively restore files from a `dump` file on tape into the current " "directory:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1409 #, no-wrap msgid "# restore -i -f /dev/nsa0\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1412 #, no-wrap msgid "Third-Party Backup Utilities" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1416 msgid "" "The FreeBSD Ports Collection provides many third-party utilities which can " "be used to schedule the creation of backups, simplify tape backup, and make " "backups easier and more convenient. Many of these applications are client/" "server based and can be used to automate the backups of a single system or " "all of the computers in a network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1418 msgid "Popular utilities include:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1420 msgid "Amanda (package:misc/amanda-server[] and package:misc/amanda-client[])," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1421 msgid "" "Bacula (package:sysutils/bacula13-server[] and package:sysutils/bacula13-" "client[])," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1422 msgid "" "Bareos (package:sysutils/bareos-server[] and package:sysutils/bareos-" "client[])," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1423 msgid "package:net/rsync[]," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1424 msgid "package:sysutils/duply[], and" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1425 msgid "package:sysutils/duplicity[]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1426 #, no-wrap msgid "Emergency Recovery" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1429 msgid "" "In addition to regular backups, it is recommended to perform the following " "steps as part of an emergency preparedness plan." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1431 msgid "Create a print copy of the output of the following commands:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1433 msgid "`gpart show`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1434 msgid "`more /etc/fstab`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1435 msgid "`pkg prime-list`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1436 msgid "`dmesg`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1440 msgid "" "Store this printout and a copy of the installation media in a secure " "location. Should an emergency restore be needed, boot into the installation " "media and select `Live CD` to access a rescue shell. This rescue mode can " "be used to view the current state of the system, and if needed, to reformat " "disks and restore data from backups." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1445 msgid "" "Next, test the rescue shell and the backups. Make notes of the procedure. " "Store these notes with the media, the printouts, and the backups. These " "notes may prevent the inadvertent destruction of the backups while under the " "stress of performing an emergency recovery." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1447 msgid "" "For an added measure of security, store the latest backup at a remote " "location which is physically separated from the computers and disk drives by " "a significant distance." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1449 #, no-wrap msgid "Memory Disks" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1453 msgid "" "In addition to physical disks, FreeBSD also supports the creation and use of " "memory disks. One possible use for a memory disk is to access the contents " "of an ISO file system without the overhead of first burning it to a CD or " "DVD, then mounting the CD/DVD media." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1457 msgid "" "In FreeBSD, the man:md[4] driver is used to provide support for memory " "disks. The [.filename]#GENERIC# kernel includes this driver. When using a " "custom kernel configuration file, ensure it includes this line:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1461 #, no-wrap msgid "device md\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1464 #, no-wrap msgid "Attaching and Detaching Existing Images" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1470 msgid "" "To mount an existing file system image, use `mdconfig` to specify the name " "of the ISO file and a free unit number. Then, refer to that unit number to " "mount it on an existing mount point. Once mounted, the files in the ISO " "will appear in the mount point. This example attaches _diskimage.iso_ to " "the memory device [.filename]#/dev/md0# then mounts that memory device on [." "filename]#/mnt#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1475 #, no-wrap msgid "" "# mdconfig -f diskimage.iso -u 0\n" "# mount -t cd9660 /dev/md0 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1480 msgid "" "Notice that `-t cd9660` was used to mount an ISO format. If a unit number " "is not specified with `-u`, `mdconfig` will automatically allocate an unused " "memory device and output the name of the allocated unit, such as [." "filename]#md4#. Refer to man:mdconfig[8] for more details about this " "command and its options." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1484 msgid "" "When a memory disk is no longer in use, its resources should be released " "back to the system. First, unmount the file system, then use `mdconfig` to " "detach the disk from the system and release its resources. To continue this " "example:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1489 #, no-wrap msgid "" "# umount /mnt\n" "# mdconfig -d -u 0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1492 msgid "" "To determine if any memory disks are still attached to the system, type " "`mdconfig -l`." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1494 #, no-wrap msgid "Creating a File- or Memory-Backed Memory Disk" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1499 msgid "" "FreeBSD also supports memory disks where the storage to use is allocated " "from either a hard disk or an area of memory. The first method is commonly " "referred to as a file-backed file system and the second method as a memory-" "backed file system. Both types can be created using `mdconfig`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1504 msgid "" "To create a new memory-backed file system, specify a type of `swap` and the " "size of the memory disk to create. Then, format the memory disk with a file " "system and mount as usual. This example creates a 5M memory disk on unit " "`1`. That memory disk is then formatted with the UFS file system before it " "is mounted:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1518 #, no-wrap msgid "" "# mdconfig -a -t swap -s 5m -u 1\n" "# newfs -U md1\n" "/dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048\n" " using 4 cylinder groups of 1.27MB, 81 blks, 192 inodes.\n" " with soft updates\n" "super-block backups (for fsck -b #) at:\n" " 160, 2752, 5344, 7936\n" "# mount /dev/md1 /mnt\n" "# df /mnt\n" "Filesystem 1K-blocks Used Avail Capacity Mounted on\n" "/dev/md1 4718 4 4338 0% /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1522 msgid "" "To create a new file-backed memory disk, first allocate an area of disk to " "use. This example creates an empty 5MB file named [.filename]#newimage#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1528 #, no-wrap msgid "" "# dd if=/dev/zero of=newimage bs=1k count=5k\n" "5120+0 records in\n" "5120+0 records out\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1531 msgid "" "Next, attach that file to a memory disk, label the memory disk and format it " "with the UFS file system, mount the memory disk, and verify the size of the " "file-backed disk:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1545 #, no-wrap msgid "" "# mdconfig -f newimage -u 0\n" "# bsdlabel -w md0 auto\n" "# newfs -U md0a\n" "/dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048\n" " using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes.\n" "super-block backups (for fsck -b #) at:\n" " 160, 2720, 5280, 7840\n" "# mount /dev/md0a /mnt\n" "# df /mnt\n" "Filesystem 1K-blocks Used Avail Capacity Mounted on\n" "/dev/md0a 4710 4 4330 0% /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1550 msgid "" "It takes several commands to create a file- or memory-backed file system " "using `mdconfig`. FreeBSD also comes with `mdmfs` which automatically " "configures a memory disk, formats it with the UFS file system, and mounts " "it. For example, after creating _newimage_ with `dd`, this one command is " "equivalent to running the `bsdlabel`, `newfs`, and `mount` commands shown " "above:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1554 #, no-wrap msgid "# mdmfs -F newimage -s 5m md0 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1557 msgid "" "To instead create a new memory-based memory disk with `mdmfs`, use this one " "command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1561 #, no-wrap msgid "# mdmfs -s 5m md1 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1565 msgid "" "If the unit number is not specified, `mdmfs` will automatically select an " "unused memory device. For more details about `mdmfs`, refer to man:mdmfs[8]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1567 #, no-wrap msgid "File System Snapshots" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1570 msgid "" "FreeBSD offers a feature in conjunction with crossref:config[soft-updates," "Soft Updates]: file system snapshots." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1572 msgid "" "UFS snapshots allow a user to create images of specified file systems, and " "treat them as a file. If you are using the crossref:zfs[,Z file system " "(ZFS)], refer to crossref:zfs[zfs-zfs-snapshot,\"Managing Snapshots\"] on " "how to use snapshots." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1577 msgid "" "Snapshot files must be created in the file system that the action is " "performed on, and a user may create no more than 20 snapshots per file " "system. Active snapshots are recorded in the superblock so they are " "persistent across unmount and remount operations along with system reboots. " "When a snapshot is no longer required, it can be removed using man:rm[1]. " "While snapshots may be removed in any order, all the used space may not be " "acquired because another snapshot will possibly claim some of the released " "blocks." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1580 msgid "" "The un-alterable `snapshot` file flag is set by man:mksnap_ffs[8] after " "initial creation of a snapshot file. man:unlink[1] makes an exception for " "snapshot files since it allows them to be removed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1583 msgid "" "Snapshots are created using man:mount[8]. To place a snapshot of [." "filename]#/var# in the file [.filename]#/var/snapshot/snap#, use the " "following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1587 #, no-wrap msgid "# mount -u -o snapshot /var/snapshot/snap /var\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1590 msgid "Alternatively, use man:mksnap_ffs[8] to create the snapshot:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1594 #, no-wrap msgid "# mksnap_ffs /var /var/snapshot/snap\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1597 msgid "" "One can find snapshot files on a file system, such as [.filename]#/var#, " "using man:find[1]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1601 #, no-wrap msgid "# find /var -flags snapshot\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1604 msgid "Once a snapshot has been created, it has several uses:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1606 msgid "" "Some administrators will use a snapshot file for backup purposes, because " "the snapshot can be transferred to CDs or tape." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1607 msgid "" "The file system integrity checker, man:fsck[8], may be run on the snapshot. " "Assuming that the file system was clean when it was mounted, this should " "always provide a clean and unchanging result." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1608 msgid "" "Running man:dump[8] on the snapshot will produce a dump file that is " "consistent with the file system and the timestamp of the snapshot. man:" "dump[8] can also take a snapshot, create a dump image, and then remove the " "snapshot in one command by using `-L`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1609 msgid "" "The snapshot can be mounted as a frozen image of the file system. To man:" "mount[8] the snapshot [.filename]#/var/snapshot/snap# run:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1614 #, no-wrap msgid "" "# mdconfig -a -t vnode -o readonly -f /var/snapshot/snap -u 4\n" "# mount -r /dev/md4 /mnt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1620 msgid "" "The frozen [.filename]#/var# is now available through [.filename]#/mnt#. " "Everything will initially be in the same state it was during the snapshot " "creation time. The only exception is that any earlier snapshots will appear " "as zero length files. To unmount the snapshot, use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1625 #, no-wrap msgid "" "# umount /mnt\n" "# mdconfig -d -u 4\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1628 msgid "" "For more information about `softupdates` and file system snapshots, " "including technical papers, visit Marshall Kirk McKusick's website at http://" "www.mckusick.com/[http://www.mckusick.com/]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1630 #, no-wrap msgid "Disk Quotas" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1634 msgid "" "Disk quotas can be used to limit the amount of disk space or the number of " "files a user or members of a group may allocate on a per-file system basis. " "This prevents one user or group of users from consuming all of the available " "disk space." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1637 msgid "" "This section describes how to configure disk quotas for the UFS file " "system. To configure quotas on the ZFS file system, refer to crossref:" "zfs[zfs-zfs-quota,\"Dataset, User, and Group Quotas\"]" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1638 #, no-wrap msgid "Enabling Disk Quotas" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1641 msgid "To determine if the FreeBSD kernel provides support for disk quotas:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1646 #, no-wrap msgid "" "% sysctl kern.features.ufs_quota\n" "kern.features.ufs_quota: 1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1650 msgid "" "In this example, the `1` indicates quota support. If the value is instead " "`0`, add the following line to a custom kernel configuration file and " "rebuild the kernel using the instructions in crossref:" "kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1654 #, no-wrap msgid "options QUOTA\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1657 msgid "Next, enable disk quotas in [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1661 #, no-wrap msgid "quota_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1667 msgid "" "Normally on bootup, the quota integrity of each file system is checked by " "man:quotacheck[8]. This program insures that the data in the quota database " "properly reflects the data on the file system. This is a time consuming " "process that will significantly affect the time the system takes to boot. " "To skip this step, add this variable to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1671 #, no-wrap msgid "check_quotas=\"NO\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1676 msgid "" "Finally, edit [.filename]#/etc/fstab# to enable disk quotas on a per-file " "system basis. To enable per-user quotas on a file system, add `userquota` " "to the options field in the [.filename]#/etc/fstab# entry for the file " "system to enable quotas on. For example:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1680 #, no-wrap msgid "/dev/da1s2g /home ufs rw,userquota 1 2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1684 msgid "" "To enable group quotas, use `groupquota` instead. To enable both user and " "group quotas, separate the options with a comma:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1688 #, no-wrap msgid "/dev/da1s2g /home ufs rw,userquota,groupquota 1 2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1693 msgid "" "By default, quota files are stored in the root directory of the file system " "as [.filename]#quota.user# and [.filename]#quota.group#. Refer to man:" "fstab[5] for more information. Specifying an alternate location for the " "quota files is not recommended." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1695 msgid "" "Once the configuration is complete, reboot the system and [.filename]#/etc/" "rc# will automatically run the appropriate commands to create the initial " "quota files for all of the quotas enabled in [.filename]#/etc/fstab#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1698 msgid "" "In the normal course of operations, there should be no need to manually run " "man:quotacheck[8], man:quotaon[8], or man:quotaoff[8]. However, one should " "read these manual pages to be familiar with their operation." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1699 #, no-wrap msgid "Setting Quota Limits" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1702 msgid "To verify that quotas are enabled, run:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1706 #, no-wrap msgid "# quota -v\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1709 msgid "" "There should be a one line summary of disk usage and current quota limits " "for each file system that quotas are enabled on." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1711 msgid "The system is now ready to be assigned quota limits with `edquota`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1715 msgid "" "Several options are available to enforce limits on the amount of disk space " "a user or group may allocate, and how many files they may create. " "Allocations can be limited based on disk space (block quotas), number of " "files (inode quotas), or a combination of both. Each limit is further " "broken down into two categories: hard and soft limits." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1720 msgid "" "A hard limit may not be exceeded. Once a user reaches a hard limit, no " "further allocations can be made on that file system by that user. For " "example, if the user has a hard limit of 500 kbytes on a file system and is " "currently using 490 kbytes, the user can only allocate an additional 10 " "kbytes. Attempting to allocate an additional 11 kbytes will fail." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1724 msgid "" "Soft limits can be exceeded for a limited amount of time, known as the grace " "period, which is one week by default. If a user stays over their limit " "longer than the grace period, the soft limit turns into a hard limit and no " "further allocations are allowed. When the user drops back below the soft " "limit, the grace period is reset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1728 msgid "" "In the following example, the quota for the `test` account is being edited. " "When `edquota` is invoked, the editor specified by `EDITOR` is opened in " "order to edit the quota limits. The default editor is set to vi." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1737 #, no-wrap msgid "" "# edquota -u test\n" "Quotas for user test:\n" "/usr: kbytes in use: 65, limits (soft = 50, hard = 75)\n" " inodes in use: 7, limits (soft = 50, hard = 60)\n" "/usr/var: kbytes in use: 0, limits (soft = 50, hard = 75)\n" " inodes in use: 0, limits (soft = 50, hard = 60)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1743 msgid "" "There are normally two lines for each file system that has quotas enabled. " "One line represents the block limits and the other represents the inode " "limits. Change the value to modify the quota limit. For example, to raise " "the block limit on [.filename]#/usr# to a soft limit of `500` and a hard " "limit of `600`, change the values in that line as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1747 #, no-wrap msgid "/usr: kbytes in use: 65, limits (soft = 500, hard = 600)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1750 msgid "The new quota limits take effect upon exiting the editor." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1755 msgid "" "Sometimes it is desirable to set quota limits on a range of users. This can " "be done by first assigning the desired quota limit to a user. Then, use `-" "p` to duplicate that quota to a specified range of user IDs (UIDs). The " "following command will duplicate those quota limits for UIDs `10,000` " "through `19,999`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1759 #, no-wrap msgid "# edquota -p test 10000-19999\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1762 msgid "For more information, refer to man:edquota[8]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1763 #, no-wrap msgid "Checking Quota Limits and Disk Usage" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1769 msgid "" "To check individual user or group quotas and disk usage, use man:quota[1]. " "A user may only examine their own quota and the quota of a group they are a " "member of. Only the superuser may view all user and group quotas. To get a " "summary of all quotas and disk usage for file systems with quotas enabled, " "use man:repquota[8]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1773 msgid "" "Normally, file systems that the user is not using any disk space on will not " "show in the output of `quota`, even if the user has a quota limit assigned " "for that file system. Use `-v` to display those file systems. The " "following is sample output from `quota -v` for a user that has quota limits " "on two file systems." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1780 #, no-wrap msgid "" "Disk quotas for user test (uid 1002):\n" " Filesystem usage quota limit grace files quota limit grace\n" " /usr 65* 50 75 5days 7 50 60\n" " /usr/var 0 50 75 0 50 60\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1784 msgid "" "In this example, the user is currently 15 kbytes over the soft limit of 50 " "kbytes on [.filename]#/usr# and has 5 days of grace period left. The " "asterisk `*` indicates that the user is currently over the quota limit." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1785 #, no-wrap msgid "Quotas over NFS" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1789 msgid "" "Quotas are enforced by the quota subsystem on the NFS server. The man:rpc." "rquotad[8] daemon makes quota information available to `quota` on NFS " "clients, allowing users on those machines to see their quota statistics." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1791 msgid "" "On the NFS server, enable `rpc.rquotad` by removing the `+#+` from this line " "in [.filename]*/etc/inetd.conf*:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1795 #, no-wrap msgid "rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1798 msgid "Then, restart `inetd`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1802 #, no-wrap msgid "# service inetd restart\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:1805 #, no-wrap msgid "Encrypting Disk Partitions" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1810 msgid "" "FreeBSD offers excellent online protections against unauthorized data " "access. File permissions and crossref:mac[mac,Mandatory Access Control] " "(MAC) help prevent unauthorized users from accessing data while the " "operating system is active and the computer is powered up. However, the " "permissions enforced by the operating system are irrelevant if an attacker " "has physical access to a computer and can move the computer's hard drive to " "another system to copy and analyze the data." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1814 msgid "" "Regardless of how an attacker may have come into possession of a hard drive " "or powered-down computer, the GEOM-based cryptographic subsystems built into " "FreeBSD are able to protect the data on the computer's file systems against " "even highly-motivated attackers with significant resources. Unlike " "encryption methods that encrypt individual files, the built-in `gbde` and " "`geli` utilities can be used to transparently encrypt entire file systems. " "No cleartext ever touches the hard drive's platter." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1817 msgid "" "This chapter demonstrates how to create an encrypted file system on " "FreeBSD. It first demonstrates the process using `gbde` and then " "demonstrates the same example using `geli`." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1818 #, no-wrap msgid "Disk Encryption with gbde" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1823 msgid "" "The objective of the man:gbde[4] facility is to provide a formidable " "challenge for an attacker to gain access to the contents of a _cold_ storage " "device. However, if the computer is compromised while up and running and " "the storage device is actively attached, or the attacker has access to a " "valid passphrase, it offers no protection to the contents of the storage " "device. Thus, it is important to provide physical security while the system " "is running and to protect the passphrase used by the encryption mechanism." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1828 msgid "" "This facility provides several barriers to protect the data stored in each " "disk sector. It encrypts the contents of a disk sector using 128-bit AES in " "CBC mode. Each sector on the disk is encrypted with a different AES key. " "For more information on the cryptographic design, including how the sector " "keys are derived from the user-supplied passphrase, refer to man:gbde[4]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1830 msgid "" "FreeBSD provides a kernel module for gbde which can be loaded with this " "command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1834 #, no-wrap msgid "# kldload geom_bde\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1837 msgid "" "If using a custom kernel configuration file, ensure it contains this line:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1839 msgid "`options GEOM_BDE`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1841 msgid "" "The following example demonstrates adding a new hard drive to a system that " "will hold a single encrypted partition that will be mounted as [.filename]#/" "private#." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:1843 #, no-wrap msgid "Procedure: Encrypting a Partition with gbde" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1845 msgid "Add the New Hard Drive" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1848 msgid "" "Install the new drive to the system as explained in crossref:disks[disks-" "adding]. For the purposes of this example, a new hard drive partition has " "been added as [.filename]#/dev/ad4s1c# and [.filename]#/dev/ad0s1*# " "represents the existing standard FreeBSD partitions." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1855 #, no-wrap msgid "" "# ls /dev/ad*\n" "/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1\n" "/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c\n" "/dev/ad0s1a /dev/ad0s1d /dev/ad4\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1858 msgid "Create a Directory to Hold `gbde` Lock Files" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1862 #, no-wrap msgid "# mkdir /etc/gbde\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1867 msgid "" "The gbde lock file contains information that gbde requires to access " "encrypted partitions. Without access to the lock file, gbde will not be " "able to decrypt the data contained in the encrypted partition without " "significant manual intervention which is not supported by the software. " "Each encrypted partition uses a separate lock file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1868 msgid "Initialize the `gbde` Partition" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1873 msgid "" "A gbde partition must be initialized before it can be used. This " "initialization needs to be performed only once. This command will open the " "default editor, in order to set various configuration options in a " "template. For use with the UFS file system, set the sector_size to 2048:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1885 #, no-wrap msgid "" "# gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock\n" "#\n" "# Sector size is the smallest unit of data which can be read or written.\n" "# Making it too small decreases performance and decreases available space.\n" "# Making it too large may prevent filesystems from working. 512 is the\n" "# minimum and always safe. For UFS, use the fragment size\n" "#\n" "sector_size\t=\t2048\n" "[...]\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1891 msgid "" "Once the edit is saved, the user will be asked twice to type the passphrase " "used to secure the data. The passphrase must be the same both times. The " "ability of gbde to protect data depends entirely on the quality of the " "passphrase. For tips on how to select a secure passphrase that is easy to " "remember, see http://world.std.com/\\~reinhold/diceware.html[http://world." "std.com/~reinhold/diceware.htm]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1895 msgid "" "This initialization creates a lock file for the gbde partition. In this " "example, it is stored as [.filename]#/etc/gbde/ad4s1c.lock#. Lock files " "must end in \".lock\" in order to be correctly detected by the [.filename]#/" "etc/rc.d/gbde# start up script." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1900 msgid "" "Lock files _must_ be backed up together with the contents of any encrypted " "partitions. Without the lock file, the legitimate owner will be unable to " "access the data on the encrypted partition." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1903 msgid "Attach the Encrypted Partition to the Kernel" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1907 #, no-wrap msgid "# gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1911 msgid "" "This command will prompt to input the passphrase that was selected during " "the initialization of the encrypted partition. The new encrypted device " "will appear in [.filename]#/dev# as [.filename]#/dev/device_name.bde#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1918 #, no-wrap msgid "" "# ls /dev/ad*\n" "/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1\n" "/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c\n" "/dev/ad0s1a /dev/ad0s1d /dev/ad4 /dev/ad4s1c.bde\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1921 msgid "Create a File System on the Encrypted Device" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1925 msgid "" "Once the encrypted device has been attached to the kernel, a file system can " "be created on the device. This example creates a UFS file system with soft " "updates enabled. Be sure to specify the partition which has a [.filename]#*." "bde# extension:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1929 #, no-wrap msgid "# newfs -U /dev/ad4s1c.bde\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1932 msgid "Mount the Encrypted Partition" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1934 msgid "Create a mount point and mount the encrypted file system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1939 #, no-wrap msgid "" "# mkdir /private\n" "# mount /dev/ad4s1c.bde /private\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1942 msgid "Verify That the Encrypted File System is Available" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1944 msgid "The encrypted file system should now be visible and available for use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1955 #, no-wrap msgid "" "% df -H\n" "Filesystem Size Used Avail Capacity Mounted on\n" "/dev/ad0s1a 1037M 72M 883M 8% /\n" "/devfs 1.0K 1.0K 0B 100% /dev\n" "/dev/ad0s1f 8.1G 55K 7.5G 0% /home\n" "/dev/ad0s1e 1037M 1.1M 953M 0% /tmp\n" "/dev/ad0s1d 6.1G 1.9G 3.7G 35% /usr\n" "/dev/ad4s1c.bde 150G 4.1K 138G 0% /private\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1959 msgid "" "After each boot, any encrypted file systems must be manually re-attached to " "the kernel, checked for errors, and mounted, before the file systems can be " "used. To configure these steps, add the following lines to [.filename]#/etc/" "rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1965 #, no-wrap msgid "" "gbde_autoattach_all=\"YES\"\n" "gbde_devices=\"ad4s1c\"\n" "gbde_lockdir=\"/etc/gbde\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:1970 msgid "" "This requires that the passphrase be entered at the console at boot time. " "After typing the correct passphrase, the encrypted partition will be mounted " "automatically. Additional gbde boot options are available and listed in man:" "rc.conf[5]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1976 msgid "" "sysinstall is incompatible with gbde-encrypted devices. All [.filename]#*." "bde# devices must be detached from the kernel before starting sysinstall or " "it will crash during its initial probing for devices. To detach the " "encrypted device used in the example, use the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1980 #, no-wrap msgid "# gbde detach /dev/ad4s1c\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:1984 #, no-wrap msgid "Disk Encryption with `geli`" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1989 msgid "" "An alternative cryptographic GEOM class is available using `geli`. This " "control utility adds some features and uses a different scheme for doing " "cryptographic work. It provides the following features:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1991 msgid "" "Utilizes the man:crypto[9] framework and automatically uses cryptographic " "hardware when it is available." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1992 msgid "" "Supports multiple cryptographic algorithms such as AES-XTS, AES-CBC, and " "Camellia-CBCAES." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1993 msgid "" "Allows the root partition to be encrypted. The passphrase used to access the " "encrypted root partition will be requested during system boot." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1994 msgid "Allows the use of two independent keys." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1995 msgid "It is fast as it performs simple sector-to-sector encryption." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1996 msgid "" "Allows backup and restore of master keys. If a user destroys their keys, it " "is still possible to get access to the data by restoring keys from the " "backup." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1997 msgid "" "Allows a disk to attach with a random, one-time key which is useful for swap " "partitions and temporary file systems." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:1999 msgid "More features and usage examples can be found in man:geli[8]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2005 msgid "" "The following example describes how to generate a key file which will be " "used as part of the master key for the encrypted provider mounted under [." "filename]#/private#. The key file will provide some random data used to " "encrypt the master key. The master key will also be protected by a " "passphrase. The provider's sector size will be 4kB. The example describes " "how to attach to the `geli` provider, create a file system on it, mount it, " "work with it, and finally, how to detach it." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/disks/_index.adoc:2007 #, no-wrap msgid "Procedure: Encrypting a Partition with `geli`" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2009 msgid "Load `geli` Support" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2011 msgid "" "Support for `geli` is available as a loadable kernel module. To configure " "the system to automatically load the module at boot time, add the following " "line to [.filename]#/boot/loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2015 #, no-wrap msgid "geom_eli_load=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2018 msgid "To load the kernel module now:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2022 #, no-wrap msgid "# kldload geom_eli\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2025 msgid "" "For a custom kernel, ensure the kernel configuration file contains these " "lines:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2030 #, no-wrap msgid "" "options GEOM_ELI\n" "device crypto\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2033 msgid "Generate the Master Key" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2040 msgid "" "The following commands generate a master key that all data will be encrypted " "with. This key can never be changed. Rather than using it directly, it is " "encrypted with one or more user keys. The user keys are made up of an " "optional combination of random bytes from a file, [.filename]#/root/da2." "key#, and/or a passphrase. In this case, the data source for the key file " "is [.filename]#/dev/random#. This command also configures the sector size " "of the provider ([.filename]#/dev/da2.eli#) as 4kB, for better performance:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2047 #, no-wrap msgid "" "# dd if=/dev/random of=/root/da2.key bs=64 count=1\n" "# geli init -K /root/da2.key -s 4096 /dev/da2\n" "Enter new passphrase:\n" "Reenter new passphrase:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2050 msgid "" "It is not mandatory to use both a passphrase and a key file as either method " "of securing the master key can be used in isolation." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2053 msgid "" "If the key file is given as \"-\", standard input will be used. For " "example, this command generates three key files:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2057 #, no-wrap msgid "# cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2060 msgid "Attach the Provider with the Generated Key" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2062 msgid "" "To attach the provider, specify the key file, the name of the disk, and the " "passphrase:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2067 #, no-wrap msgid "" "# geli attach -k /root/da2.key /dev/da2\n" "Enter passphrase:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2070 msgid "This creates a new device with an [.filename]#.eli# extension:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2075 #, no-wrap msgid "" "# ls /dev/da2*\n" "/dev/da2 /dev/da2.eli\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2078 msgid "Create the New File System" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2080 msgid "" "Next, format the device with the UFS file system and mount it on an existing " "mount point:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2086 #, no-wrap msgid "" "# dd if=/dev/random of=/dev/da2.eli bs=1m\n" "# newfs /dev/da2.eli\n" "# mount /dev/da2.eli /private\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2089 msgid "The encrypted file system should now be available for use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2100 #, no-wrap msgid "" "# df -H\n" "Filesystem Size Used Avail Capacity Mounted on\n" "/dev/ad0s1a 248M 89M 139M 38% /\n" "/devfs 1.0K 1.0K 0B 100% /dev\n" "/dev/ad0s1f 7.7G 2.3G 4.9G 32% /usr\n" "/dev/ad0s1d 989M 1.5M 909M 0% /tmp\n" "/dev/ad0s1e 3.9G 1.3G 2.3G 35% /var\n" "/dev/da2.eli 150G 4.1K 138G 0% /private\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2103 msgid "" "Once the work on the encrypted partition is done, and the [.filename]#/" "private# partition is no longer needed, it is prudent to put the device into " "cold storage by unmounting and detaching the `geli` encrypted partition from " "the kernel:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2108 #, no-wrap msgid "" "# umount /private\n" "# geli detach da2.eli\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2111 msgid "" "An [.filename]#rc.d# script is provided to simplify the mounting of `geli`-" "encrypted devices at boot time. For this example, add these lines to [." "filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2116 #, no-wrap msgid "" "geli_devices=\"da2\"\n" "geli_da2_flags=\"-k /root/da2.key\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2126 msgid "" "This configures [.filename]#/dev/da2# as a `geli` provider with a master key " "of [.filename]#/root/da2.key#. The system will automatically detach the " "provider from the kernel before the system shuts down. During the startup " "process, the script will prompt for the passphrase before attaching the " "provider. Other kernel messages might be shown before and after the " "password prompt. If the boot process seems to stall, look carefully for the " "password prompt among the other messages. Once the correct passphrase is " "entered, the provider is attached. The file system is then mounted, " "typically by an entry in [.filename]#/etc/fstab#. Refer to crossref:" "basics[mount-unmount,“Mounting and Unmounting File Systems”] for " "instructions on how to configure a file system to mount at boot time." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:2128 #, no-wrap msgid "Encrypting Swap" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2135 msgid "" "Like the encryption of disk partitions, encryption of swap space is used to " "protect sensitive information. Consider an application that deals with " "passwords. As long as these passwords stay in physical memory, they are not " "written to disk and will be cleared after a reboot. However, if FreeBSD " "starts swapping out memory pages to free space, the passwords may be written " "to the disk unencrypted. Encrypting swap space can be a solution for this " "scenario." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2138 msgid "" "This section demonstrates how to configure an encrypted swap partition using " "man:gbde[8] or man:geli[8] encryption. It assumes that [.filename]#/dev/" "ada0s1b# is the swap partition." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:2139 #, no-wrap msgid "Configuring Encrypted Swap" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2143 msgid "" "Swap partitions are not encrypted by default and should be cleared of any " "sensitive data before continuing. To overwrite the current swap partition " "with random garbage, execute the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2147 #, no-wrap msgid "# dd if=/dev/random of=/dev/ada0s1b bs=1m\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2150 msgid "" "To encrypt the swap partition using man:gbde[8], add the `.bde` suffix to " "the swap line in [.filename]#/etc/fstab#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2155 #, no-wrap msgid "" "# Device\t\tMountpoint\tFStype\tOptions\t\tDump\tPass#\n" "/dev/ada0s1b.bde\tnone\t\tswap\tsw\t\t0\t0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2158 msgid "" "To instead encrypt the swap partition using man:geli[8], use the `.eli` " "suffix:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2163 #, no-wrap msgid "" "# Device\t\tMountpoint\tFStype\tOptions\t\tDump\tPass#\n" "/dev/ada0s1b.eli\tnone\t\tswap\tsw\t\t0\t0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2168 msgid "" "By default, man:geli[8] uses the AES algorithm with a key length of 128 " "bits. Normally the default settings will suffice. If desired, these " "defaults can be altered in the options field in [.filename]#/etc/fstab#. The " "possible flags are:" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/disks/_index.adoc:2169 #, no-wrap msgid "aalgo" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2172 msgid "" "Data integrity verification algorithm used to ensure that the encrypted data " "has not been tampered with. See man:geli[8] for a list of supported " "algorithms." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/disks/_index.adoc:2173 #, no-wrap msgid "ealgo" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2176 msgid "" "Encryption algorithm used to protect the data. See man:geli[8] for a list " "of supported algorithms." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/disks/_index.adoc:2177 #, no-wrap msgid "keylen" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2180 msgid "" "The length of the key used for the encryption algorithm. See man:geli[8] " "for the key lengths that are supported by each encryption algorithm." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/disks/_index.adoc:2181 #, no-wrap msgid "sectorsize" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2185 msgid "" "The size of the blocks data is broken into before it is encrypted. Larger " "sector sizes increase performance at the cost of higher storage overhead. " "The recommended size is 4096 bytes." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2187 msgid "" "This example configures an encrypted swap partition using the AES-XTS " "algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2192 #, no-wrap msgid "" "# Device\t\tMountpoint\tFStype\tOptions\t\t\t\tDump\tPass#\n" "/dev/ada0s1b.eli\tnone\t\tswap\tsw,ealgo=AES-XTS,keylen=128,sectorsize=4096\t0\t0\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:2194 #, no-wrap msgid "Encrypted Swap Verification" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2197 msgid "" "Once the system has rebooted, proper operation of the encrypted swap can be " "verified using `swapinfo`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2199 msgid "If man:gbde[8] is being used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2205 #, no-wrap msgid "" "% swapinfo\n" "Device 1K-blocks Used Avail Capacity\n" "/dev/ada0s1b.bde 542720 0 542720 0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2208 msgid "If man:geli[8] is being used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2214 #, no-wrap msgid "" "% swapinfo\n" "Device 1K-blocks Used Avail Capacity\n" "/dev/ada0s1b.eli 542720 0 542720 0\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/disks/_index.adoc:2217 #, no-wrap msgid "Highly Available Storage (HAST)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2223 msgid "" "High availability is one of the main requirements in serious business " "applications and highly-available storage is a key component in such " "environments. In FreeBSD, the Highly Available STorage (HAST) framework " "allows transparent storage of the same data across several physically " "separated machines connected by a TCP/IP network. HAST can be understood as " "a network-based RAID1 (mirror), and is similar to the DRBD(R) storage system " "used in the GNU/Linux(R) platform. In combination with other high-" "availability features of FreeBSD like CARP, HAST makes it possible to build " "a highly-available storage cluster that is resistant to hardware failures." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2225 msgid "The following are the main features of HAST:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2227 msgid "Can be used to mask I/O errors on local hard drives." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2228 msgid "" "File system agnostic as it works with any file system supported by FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2229 msgid "" "Efficient and quick resynchronization as only the blocks that were modified " "during the downtime of a node are synchronized." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2230 msgid "" "Can be used in an already deployed environment to add additional redundancy." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2231 msgid "" "Together with CARP, Heartbeat, or other tools, it can be used to build a " "robust and durable storage system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2233 msgid "After reading this section, you will know:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2235 msgid "What HAST is, how it works, and which features it provides." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2236 msgid "How to set up and use HAST on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2237 msgid "How to integrate CARP and man:devd[8] to build a robust storage system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2239 msgid "Before reading this section, you should:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2241 msgid "" "Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD " "Basics])." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2242 msgid "" "Know how to configure network interfaces and other core FreeBSD subsystems " "(crossref:config[config-tuning,Configuration and Tuning])." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2243 msgid "" "Have a good understanding of FreeBSD networking (crossref:partiv[network-" "communication,\"Network Communication\"])." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2245 msgid "" "The HAST project was sponsored by The FreeBSD Foundation with support from " "http://www.omc.net/[http://www.omc.net/] and http://www.transip.nl/[http://" "www.transip.nl/]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:2246 #, no-wrap msgid "HAST Operation" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2250 msgid "" "HAST provides synchronous block-level replication between two physical " "machines: the _primary_ node and the _secondary_ node. These two machines " "together are referred to as a cluster." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2254 msgid "" "Since HAST works in a primary-secondary configuration, it allows only one of " "the cluster nodes to be active at any given time. The primary node, also " "called _active_, is the one which will handle all the I/O requests to HAST-" "managed devices. The secondary node is automatically synchronized from the " "primary node." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2256 msgid "" "The physical components of the HAST system are the local disk on primary " "node, and the disk on the remote, secondary node." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2260 msgid "" "HAST operates synchronously on a block level, making it transparent to file " "systems and applications. HAST provides regular GEOM providers in [." "filename]#/dev/hast/# for use by other tools or applications. There is no " "difference between using HAST-provided devices and raw disks or partitions." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2264 msgid "" "Each write, delete, or flush operation is sent to both the local disk and to " "the remote disk over TCP/IP. Each read operation is served from the local " "disk, unless the local disk is not up-to-date or an I/O error occurs. In " "such cases, the read operation is sent to the secondary node." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2268 msgid "" "HAST tries to provide fast failure recovery. For this reason, it is " "important to reduce synchronization time after a node's outage. To provide " "fast synchronization, HAST manages an on-disk bitmap of dirty extents and " "only synchronizes those during a regular synchronization, with an exception " "of the initial sync." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2271 msgid "" "There are many ways to handle synchronization. HAST implements several " "replication modes to handle different synchronization methods:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2273 msgid "" "_memsync_: This mode reports a write operation as completed when the local " "write operation is finished and when the remote node acknowledges data " "arrival, but before actually storing the data. The data on the remote node " "will be stored directly after sending the acknowledgement. This mode is " "intended to reduce latency, but still provides good reliability. This mode " "is the default." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2274 msgid "" "_fullsync_: This mode reports a write operation as completed when both the " "local write and the remote write complete. This is the safest and the " "slowest replication mode." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2275 msgid "" "_async_: This mode reports a write operation as completed when the local " "write completes. This is the fastest and the most dangerous replication " "mode. It should only be used when replicating to a distant node where " "latency is too high for other modes." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:2276 #, no-wrap msgid "HAST Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2279 msgid "The HAST framework consists of several components:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2281 msgid "" "The man:hastd[8] daemon which provides data synchronization. When this " "daemon is started, it will automatically load `geom_gate.ko`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2282 msgid "The userland management utility, man:hastctl[8]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2283 msgid "" "The man:hast.conf[5] configuration file. This file must exist before " "starting hastd." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2285 msgid "" "Users who prefer to statically build `GEOM_GATE` support into the kernel " "should add this line to the custom kernel configuration file, then rebuild " "the kernel using the instructions in crossref:kernelconfig[kernelconfig," "Configuring the FreeBSD Kernel]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2289 #, no-wrap msgid "options\tGEOM_GATE\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2295 msgid "" "The following example describes how to configure two nodes in primary-" "secondary operation using HAST to replicate the data between the two. The " "nodes will be called `hasta`, with an IP address of `172.16.0.1`, and " "`hastb`, with an IP address of `172.16.0.2`. Both nodes will have a " "dedicated hard drive [.filename]#/dev/ad6# of the same size for HAST " "operation. The HAST pool, sometimes referred to as a resource or the GEOM " "provider in [.filename]#/dev/hast/#, will be called `test`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2299 msgid "" "Configuration of HAST is done using [.filename]#/etc/hast.conf#. This file " "should be identical on both nodes. The simplest configuration is:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2312 #, no-wrap msgid "" "resource test {\n" "\ton hasta {\n" "\t\tlocal /dev/ad6\n" "\t\tremote 172.16.0.2\n" "\t}\n" "\ton hastb {\n" "\t\tlocal /dev/ad6\n" "\t\tremote 172.16.0.1\n" "\t}\n" "}\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2315 msgid "For more advanced configuration, refer to man:hast.conf[5]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2319 msgid "" "It is also possible to use host names in the `remote` statements if the " "hosts are resolvable and defined either in [.filename]#/etc/hosts# or in the " "local DNS." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2323 msgid "" "Once the configuration exists on both nodes, the HAST pool can be created. " "Run these commands on both nodes to place the initial metadata onto the " "local disk and to start man:hastd[8]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2328 #, no-wrap msgid "" "# hastctl create test\n" "# service hastd onestart\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2334 msgid "" "It is _not_ possible to use GEOM providers with an existing file system or " "to convert an existing storage to a HAST-managed pool. This procedure needs " "to store some metadata on the provider and there will not be enough required " "space available on an existing provider." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2338 msgid "" "A HAST node's `primary` or `secondary` role is selected by an administrator, " "or software like Heartbeat, using man:hastctl[8]. On the primary node, " "`hasta`, issue this command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2342 #, no-wrap msgid "# hastctl role primary test\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2345 msgid "Run this command on the secondary node, `hastb`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2349 #, no-wrap msgid "# hastctl role secondary test\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2352 msgid "Verify the result by running `hastctl` on each node:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2356 #, no-wrap msgid "# hastctl status test\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2362 msgid "" "Check the `status` line in the output. If it says `degraded`, something is " "wrong with the configuration file. It should say `complete` on each node, " "meaning that the synchronization between the nodes has started. The " "synchronization completes when `hastctl status` reports 0 bytes of `dirty` " "extents." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2367 msgid "" "The next step is to create a file system on the GEOM provider and mount it. " "This must be done on the `primary` node. Creating the file system can take " "a few minutes, depending on the size of the hard drive. This example " "creates a UFS file system on [.filename]#/dev/hast/test#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2373 #, no-wrap msgid "" "# newfs -U /dev/hast/test\n" "# mkdir /hast/test\n" "# mount /dev/hast/test /hast/test\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2377 msgid "" "Once the HAST framework is configured properly, the final step is to make " "sure that HAST is started automatically during system boot. Add this line " "to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2381 #, no-wrap msgid "hastd_enable=\"YES\"\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/disks/_index.adoc:2383 #, no-wrap msgid "Failover Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2387 msgid "" "The goal of this example is to build a robust storage system which is " "resistant to the failure of any given node. If the primary node fails, the " "secondary node is there to take over seamlessly, check and mount the file " "system, and continue to work without missing a single bit of data." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2393 msgid "" "To accomplish this task, the Common Address Redundancy Protocol (CARP) is " "used to provide for automatic failover at the IP layer. CARP allows " "multiple hosts on the same network segment to share an IP address. Set up " "CARP on both nodes of the cluster according to the documentation available " "in crossref:advanced-networking[carp,“Common Address Redundancy Protocol " "(CARP)”]. In this example, each node will have its own management IP " "address and a shared IP address of _172.16.0.254_. The primary HAST node of " "the cluster must be the primary CARP node." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2397 msgid "" "The HAST pool created in the previous section is now ready to be exported to " "the other hosts on the network. This can be accomplished by exporting it " "through NFS or Samba, using the shared IP address _172.16.0.254_. The only " "problem which remains unresolved is an automatic failover should the primary " "node fail." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2401 msgid "" "In the event of CARP interfaces going up or down, the FreeBSD operating " "system generates a man:devd[8] event, making it possible to watch for state " "changes on the CARP interfaces. A state change on the CARP interface is an " "indication that one of the nodes failed or came back online. These state " "change events make it possible to run a script which will automatically " "handle the HAST failover." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2403 msgid "" "To catch state changes on the CARP interfaces, add this configuration to [." "filename]#/etc/devd.conf# on each node, while replacing `` with the " "virtual host id and `` with the associated interface name:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2412 #, no-wrap msgid "" "notify 30 {\n" "\tmatch \"system\" \"CARP\";\n" "\tmatch \"subsystem\" \"@\";\n" "\tmatch \"type\" \"MASTER\";\n" "\taction \"/usr/local/sbin/carp-hast-switch primary\";\n" "};\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2419 #, no-wrap msgid "" "notify 30 {\n" "\tmatch \"system\" \"CARP\";\n" "\tmatch \"subsystem\" \"@\";\n" "\tmatch \"type\" \"BACKUP\";\n" "\taction \"/usr/local/sbin/carp-hast-switch secondary\";\n" "};\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2422 msgid "" "Restart man:devd[8] on both nodes to put the new configuration into effect:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2426 #, no-wrap msgid "# service devd restart\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2430 msgid "" "When the specified interface state changes by going up or down , the system " "generates a notification, allowing the man:devd[8] subsystem to run the " "specified automatic failover script, [.filename]#/usr/local/sbin/carp-hast-" "switch#. For further clarification about this configuration, refer to man:" "devd.conf[5]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2432 msgid "Here is an example of an automated failover script:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2436 #, no-wrap msgid "#!/bin/sh\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2440 #, no-wrap msgid "" "# Original script by Freddie Cash \n" "# Modified by Michael W. Lucas \n" "# and Viktor Petersson \n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2443 #, no-wrap msgid "" "# The names of the HAST resources, as listed in /etc/hast.conf\n" "resources=\"test\"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2447 #, no-wrap msgid "" "# delay in mounting HAST resource after becoming primary\n" "# make your best guess\n" "delay=3\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2451 #, no-wrap msgid "" "# logging\n" "log=\"local0.debug\"\n" "name=\"carp-hast\"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2453 #, no-wrap msgid "# end of user configurable stuff\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2458 #, no-wrap msgid "" "case \"$1\" in\n" "\tprimary)\n" "\t\tlogger -p $log -t $name \"Switching to primary provider for ${resources}.\"\n" "\t\tsleep ${delay}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2464 #, no-wrap msgid "" "\t\t# Wait for any \"hastd secondary\" processes to stop\n" "\t\tfor disk in ${resources}; do\n" "\t\t\twhile $( pgrep -lf \"hastd: ${disk} \\(secondary\\)\" > /dev/null 2>&1 ); do\n" "\t\t\t\tsleep 1\n" "\t\t\tdone\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2472 #, no-wrap msgid "" "\t\t\t# Switch role for each disk\n" "\t\t\thastctl role primary ${disk}\n" "\t\t\tif [ $? -ne 0 ]; then\n" "\t\t\t\tlogger -p $log -t $name \"Unable to change role to primary for resource ${disk}.\"\n" "\t\t\t\texit 1\n" "\t\t\tfi\n" "\t\tdone\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2479 #, no-wrap msgid "" "\t\t# Wait for the /dev/hast/* devices to appear\n" "\t\tfor disk in ${resources}; do\n" "\t\t\tfor I in $( jot 60 ); do\n" "\t\t\t\t[ -c \"/dev/hast/${disk}\" ] && break\n" "\t\t\t\tsleep 0.5\n" "\t\t\tdone\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2485 #, no-wrap msgid "" "\t\t\tif [ ! -c \"/dev/hast/${disk}\" ]; then\n" "\t\t\t\tlogger -p $log -t $name \"GEOM provider /dev/hast/${disk} did not appear.\"\n" "\t\t\t\texit 1\n" "\t\t\tfi\n" "\t\tdone\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2487 #, no-wrap msgid "\t\tlogger -p $log -t $name \"Role for HAST resources ${resources} switched to primary.\"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2494 #, no-wrap msgid "" "\t\tlogger -p $log -t $name \"Mounting disks.\"\n" "\t\tfor disk in ${resources}; do\n" "\t\t\tmkdir -p /hast/${disk}\n" "\t\t\tfsck -p -y -t ufs /dev/hast/${disk}\n" "\t\t\tmount /dev/hast/${disk} /hast/${disk}\n" "\t\tdone\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2496 #, no-wrap msgid "\t;;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2499 #, no-wrap msgid "" "\tsecondary)\n" "\t\tlogger -p $log -t $name \"Switching to secondary provider for ${resources}.\"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2517 #, no-wrap msgid "" "\t\t# Switch roles for the HAST resources\n" "\t\tfor disk in ${resources}; do\n" "\t\t\tif ! mount | grep -q \"^/dev/hast/${disk} on \"\n" "\t\t\tthen\n" "\t\t\telse\n" "\t\t\t\tumount -f /hast/${disk}\n" "\t\t\tfi\n" "\t\t\tsleep $delay\n" "\t\t\thastctl role secondary ${disk} 2>&1\n" "\t\t\tif [ $? -ne 0 ]; then\n" "\t\t\t\tlogger -p $log -t $name \"Unable to switch role to secondary for resource ${disk}.\"\n" "\t\t\t\texit 1\n" "\t\t\tfi\n" "\t\t\tlogger -p $log -t $name \"Role switched to secondary for resource ${disk}.\"\n" "\t\tdone\n" "\t;;\n" "esac\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2520 msgid "" "In a nutshell, the script takes these actions when a node becomes primary:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2522 msgid "Promotes the HAST pool to primary on the other node." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2523 msgid "Checks the file system under the HAST pool." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2524 msgid "Mounts the pool." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2526 msgid "When a node becomes secondary:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2528 msgid "Unmounts the HAST pool." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2529 msgid "Degrades the HAST pool to secondary." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2534 msgid "" "This is just an example script which serves as a proof of concept. It does " "not handle all the possible scenarios and can be extended or altered in any " "way, for example, to start or stop required services." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2540 msgid "" "For this example, a standard UFS file system was used. To reduce the time " "needed for recovery, a journal-enabled UFS or ZFS file system can be used " "instead." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2543 msgid "" "Instead of using the highly available storage locally, it can also be shared " "to other computers on a network via crossref:network-servers[network-nfs," "NFS], crossref:network-servers[network-iscsi,iSCSI], man:sshfs[1], or " "programs in ports (i.e. package:net/samba419[])." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2545 msgid "" "More detailed information with additional examples can be found at http://" "wiki.FreeBSD.org/HAST[http://wiki.FreeBSD.org/HAST]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/disks/_index.adoc:2546 #, no-wrap msgid "Troubleshooting" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2551 msgid "" "HAST should generally work without issues. However, as with any other " "software product, there may be times when it does not work as supposed. The " "sources of the problems may be different, but the rule of thumb is to ensure " "that the time is synchronized between the nodes of the cluster." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2555 msgid "" "When troubleshooting HAST, the debugging level of man:hastd[8] should be " "increased by starting `hastd` with `-d`. This argument may be specified " "multiple times to further increase the debugging level. Consider also using " "`-F`, which starts `hastd` in the foreground." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/disks/_index.adoc:2557 #, no-wrap msgid "Recovering from the Split-brain Condition" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2562 msgid "" "_Split-brain_ occurs when the nodes of the cluster are unable to communicate " "with each other, and both are configured as primary. This is a dangerous " "condition because it allows both nodes to make incompatible changes to the " "data. This problem must be corrected manually by the system administrator." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/disks/_index.adoc:2566 msgid "" "The administrator must either decide which node has more important changes, " "or perform the merge manually. Then, let HAST perform full synchronization " "of the node which has the broken data. To do this, issue these commands on " "the node which needs to be resynchronized:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/disks/_index.adoc:2572 #, no-wrap msgid "" "# hastctl role init test\n" "# hastctl create test\n" "# hastctl role secondary test\n" msgstr "" diff --git a/documentation/content/en/books/handbook/firewalls/_index.adoc b/documentation/content/en/books/handbook/firewalls/_index.adoc index 0075506a6a..2175a1717b 100644 --- a/documentation/content/en/books/handbook/firewalls/_index.adoc +++ b/documentation/content/en/books/handbook/firewalls/_index.adoc @@ -1,2691 +1,2691 @@ --- title: Chapter 33. Firewalls part: IV. Network Communication prev: books/handbook/network-servers next: books/handbook/advanced-networking description: "FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them" tags: ["firewall", "pf", "ipfw", "ipfilter", "blacklistd", "filtering"] showBookMenu: true weight: 38 path: "/books/handbook/firewalls/" --- [[firewalls]] = Firewalls :doctype: book :toc: macro :toclevels: 1 :icons: font :sectnums: :sectnumlevels: 6 :sectnumoffset: 33 :partnums: :source-highlighter: rouge :experimental: :images-path: books/handbook/firewalls/ ifdef::env-beastie[] ifdef::backend-html5[] :imagesdir: ../../../../images/{images-path} endif::[] ifndef::book[] include::shared/authors.adoc[] include::shared/mirrors.adoc[] include::shared/releases.adoc[] include::shared/attributes/attributes-{{% lang %}}.adoc[] include::shared/{{% lang %}}/teams.adoc[] include::shared/{{% lang %}}/mailing-lists.adoc[] include::shared/{{% lang %}}/urls.adoc[] toc::[] endif::[] ifdef::backend-pdf,backend-epub3[] include::../../../../../shared/asciidoctor.adoc[] endif::[] endif::[] ifndef::env-beastie[] toc::[] include::../../../../../shared/asciidoctor.adoc[] endif::[] [[firewalls-intro]] == Synopsis Firewalls make it possible to filter the incoming and outgoing traffic that flows through a system. A firewall can use one or more sets of "rules" to inspect network packets as they come in or go out of network connections and either allows the traffic through or blocks it. The rules of a firewall can inspect one or more characteristics of the packets such as the protocol type, source or destination host address, and source or destination port. Firewalls can enhance the security of a host or a network. They can be used to do one or more of the following: * Protect and insulate the applications, services, and machines of an internal network from unwanted traffic from the public Internet. * Limit or disable access from hosts of the internal network to services of the public Internet. * Support network address translation (NAT), which allows an internal network to use private IP addresses and share a single connection to the public Internet using either a single IP address or a shared pool of automatically assigned public addresses. FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF. FreeBSD also provides two traffic shapers for controlling bandwidth usage: man:altq[4] and man:dummynet[4]. ALTQ has traditionally been closely tied with PF and dummynet with IPFW. Each firewall uses rules to control the access of packets to and from a FreeBSD system, although they go about it in different ways and each has a different rule syntax. FreeBSD provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. Each user should evaluate which firewall best meets their needs. After reading this chapter, you will know: * How to define packet filtering rules. * The differences between the firewalls built into FreeBSD. * How to use and configure the PF firewall. * How to use and configure the IPFW firewall. * How to use and configure the IPFILTER firewall. Before reading this chapter, you should: * Understand basic FreeBSD and Internet concepts. [NOTE] ==== Since all firewalls are based on inspecting the values of selected packet control fields, the creator of the firewall ruleset must have an understanding of how TCP/IP works, what the different values in the packet control fields are, and how these values are used in a normal session conversation. For a good introduction, refer to http://www.ipprimer.com[Daryl's TCP/IP Primer]. ==== [[firewalls-concepts]] == Firewall Concepts A ruleset contains a group of rules which pass or block packets based on the values contained in the packet. The bi-directional exchange of packets between hosts comprises a session conversation. The firewall ruleset processes both the packets arriving from the public Internet, as well as the packets produced by the system as a response to them. Each TCP/IP service is predefined by its protocol and listening port. Packets destined for a specific service originate from the source address using an unprivileged port and target the specific service port on the destination address. All the above parameters can be used as selection criteria to create rules which will pass or block services. To lookup unknown port numbers, refer to [.filename]#/etc/services#. -Alternatively, visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers[http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the purpose of a particular port number. +Alternatively, visit https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers[https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the purpose of a particular port number. Check out this link for http://web.archive.org/web/20150803024617/http://www.sans.org/security-resources/idfaq/oddports.php[port numbers used by Trojans]. FTP has two modes: active mode and passive mode. The difference is in how the data channel is acquired. Passive mode is more secure as the data channel is acquired by the ordinal ftp session requester. For a good explanation of FTP and the different modes, see http://www.slacksite.com/other/ftp.html[http://www.slacksite.com/other/ftp.html]. A firewall ruleset can be either "exclusive" or "inclusive". An exclusive firewall allows all traffic through except for the traffic matching the ruleset. An inclusive firewall does the reverse as it only allows traffic matching the rules through and blocks everything else. An inclusive firewall offers better control of the outgoing traffic, making it a better choice for systems that offer services to the public Internet. It also controls the type of traffic originating from the public Internet that can gain access to a private network. All traffic that does not match the rules is blocked and logged. Inclusive firewalls are generally safer than exclusive firewalls because they significantly reduce the risk of allowing unwanted traffic. [NOTE] ==== Unless noted otherwise, all configuration and example rulesets in this chapter create inclusive firewall rulesets. ==== Security can be tightened further using a "stateful firewall". This type of firewall keeps track of open connections and only allows traffic which either matches an existing connection or opens a new, allowed connection. Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session. When state is specified on a matching rule the firewall dynamically generates internal rules for each anticipated packet being exchanged during the session. It has sufficient matching capabilities to determine if a packet is valid for a session. Any packets that do not properly fit the session template are automatically rejected. When the session completes, it is removed from the dynamic state table. Stateful filtering allows one to focus on blocking/passing new sessions. If the new session is passed, all its subsequent packets are allowed automatically and any impostor packets are automatically rejected. If a new session is blocked, none of its subsequent packets are allowed. Stateful filtering provides advanced matching abilities capable of defending against the flood of different attack methods employed by attackers. NAT stands for _Network Address Translation_. NAT function enables the private LAN behind the firewall to share a single ISP-assigned IP address, even if that address is dynamically assigned. NAT allows each computer in the LAN to have Internet access, without having to pay the ISP for multiple Internet accounts or IP addresses. NAT will automatically translate the private LAN IP address for each system on the LAN to the single public IP address as packets exit the firewall bound for the public Internet. It also performs the reverse translation for returning packets. According to RFC 1918, the following IP address ranges are reserved for private networks which will never be routed directly to the public Internet, and therefore are available for use with NAT: * `10.0.0.0/8`. * `172.16.0.0/12`. * `192.168.0.0/16`. [WARNING] ==== When working with the firewall rules, be _very careful_. Some configurations _can lock the administrator out_ of the server. To be on the safe side, consider performing the initial firewall configuration from the local console rather than doing it remotely over ssh. ==== [[firewalls-pf]] == PF Since FreeBSD 5.3, a ported version of OpenBSD's PF firewall has been included as an integrated part of the base system. PF is a complete, full-featured firewall that has optional support for ALTQ (Alternate Queuing), which provides Quality of Service (QoS). The OpenBSD Project maintains the definitive reference for PF in the http://www.openbsd.org/faq/pf/[PF FAQ]. Peter Hansteen maintains a thorough PF tutorial at http://home.nuug.no/\~peter/pf/[http://home.nuug.no/~peter/pf/]. [WARNING] ==== When reading the http://www.openbsd.org/faq/pf/[PF FAQ], keep in mind that FreeBSD's version of PF has diverged substantially from the upstream OpenBSD version over the years. Not all features work the same way on FreeBSD as they do in OpenBSD and vice versa. ==== The {freebsd-pf} is a good place to ask questions about configuring and running the PF firewall. Check the mailing list archives before asking a question as it may have already been answered. This section of the Handbook focuses on PF as it pertains to FreeBSD. It demonstrates how to enable PF and ALTQ. It also provides several examples for creating rulesets on a FreeBSD system. === Enabling PF To use PF, its kernel module must be first loaded. This section describes the entries that can be added to [.filename]#/etc/rc.conf# to enable PF. Start by adding `pf_enable=yes` to [.filename]#/etc/rc.conf#: [source,shell] .... # sysrc pf_enable=yes .... Additional options, described in man:pfctl[8], can be passed to PF when it is started. Add or change this entry in [.filename]#/etc/rc.conf# and specify any required flags between the two quotes (`""`): [.programlisting] .... pf_flags="" # additional flags for pfctl startup .... PF will not start if it cannot find its ruleset configuration file. By default, FreeBSD does not ship with a ruleset and there is no [.filename]#/etc/pf.conf#. Example rulesets can be found in [.filename]#/usr/share/examples/pf/#. If a custom ruleset has been saved somewhere else, add a line to [.filename]#/etc/rc.conf# which specifies the full path to the file: [.programlisting] .... pf_rules="/path/to/pf.conf" .... Logging support for PF is provided by man:pflog[4]. To enable logging support, add `pflog_enable=yes` to [.filename]#/etc/rc.conf#: [source,shell] .... # sysrc pflog_enable=yes .... The following lines can also be added to change the default location of the log file or to specify any additional flags to pass to man:pflog[4] when it is started: [.programlisting] .... pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup .... Finally, if there is a LAN behind the firewall and packets need to be forwarded for the computers on the LAN, or NAT is required, enable the following option: [.programlisting] .... gateway_enable="YES" # Enable as LAN gateway .... After saving the needed edits, PF can be started with logging support by typing: [source,shell] .... # service pf start # service pflog start .... By default, PF reads its configuration rules from [.filename]#/etc/pf.conf# and modifies, drops, or passes packets according to the rules or definitions specified in this file. The FreeBSD installation includes several sample files located in [.filename]#/usr/share/examples/pf/#. Refer to the http://www.openbsd.org/faq/pf/[PF FAQ] for complete coverage of PF rulesets. To control PF, use `pfctl`. crossref:firewalls[pfctl,Useful `pfctl` Options] summarizes some useful options to this command. Refer to man:pfctl[8] for a description of all available options: [[pfctl]] .Useful `pfctl` Options [cols="1,1", frame="none", options="header"] |=== | Command | Purpose |`pfctl -e` |Enable PF. |`pfctl -d` |Disable PF. |`pfctl -F all -f /etc/pf.conf` |Flush all NAT, filter, state, and table rules and reload [.filename]#/etc/pf.conf#. |`pfctl -s [ rules \| nat \| states ]` |Report on the filter rules, NAT rules, or state table. |`pfctl -vnf /etc/pf.conf` |Check [.filename]#/etc/pf.conf# for errors, but do not load ruleset. |=== [TIP] ==== package:security/sudo[] is useful for running commands like `pfctl` that require elevated privileges. It can be installed from the Ports Collection. ==== To keep an eye on the traffic that passes through the PF firewall, consider installing the package:sysutils/pftop[] package or port. Once installed, pftop can be run to view a running snapshot of traffic in a format which is similar to man:top[1]. [[pf-tutorial]] === PF Rulesets This section demonstrates how to create a customized ruleset. It starts with the simplest of rulesets and builds upon its concepts using several examples to demonstrate real-world usage of PF's many features. The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet. To create this minimal ruleset, edit [.filename]#/etc/pf.conf# so it looks like this: [.programlisting] .... block in all pass out all keep state .... The first rule denies all incoming traffic by default. The second rule allows connections created by this system to pass out, while retaining state information on those connections. This state information allows return traffic for those connections to pass back and should only be used on machines that can be trusted. The ruleset can be loaded with: [source,shell] .... # pfctl -e ; pfctl -f /etc/pf.conf .... In addition to keeping state, PF provides _lists_ and _macros_ which can be defined for use when creating rules. Macros can include lists and need to be defined before use. As an example, insert these lines at the very top of the ruleset: [.programlisting] .... tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" udp_services = "{ domain }" .... PF understands port names as well as port numbers, as long as the names are listed in [.filename]#/etc/services#. This example creates two macros. The first is a list of seven TCP port names and the second is one UDP port name. Once defined, macros can be used in rules. In this example, all traffic is blocked except for the connections initiated by this system for the seven specified TCP services and the one specified UDP service: [.programlisting] .... tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" udp_services = "{ domain }" block all pass out proto tcp to any port $tcp_services keep state pass proto udp to any port $udp_services keep state .... Even though UDP is considered to be a stateless protocol, PF is able to track some state information. For example, when a UDP request is passed which asks a name server about a domain name, PF will watch for the response to pass it back. Whenever an edit is made to a ruleset, the new rules must be loaded so they can be used: [source,shell] .... # pfctl -f /etc/pf.conf .... If there are no syntax errors, `pfctl` will not output any messages during the rule load. Rules can also be tested before attempting to load them: [source,shell] .... # pfctl -nf /etc/pf.conf .... Including `-n` causes the rules to be interpreted only, but not loaded. This provides an opportunity to correct any errors. At all times, the last valid ruleset loaded will be enforced until either PF is disabled or a new ruleset is loaded. [TIP] ==== Adding `-v` to a `pfctl` ruleset verify or load will display the fully parsed rules exactly the way they will be loaded. This is extremely useful when debugging rules. ==== [[pftut-gateway]] ==== A Simple Gateway with NAT This section demonstrates how to configure a FreeBSD system running PF to act as a gateway for at least one other machine. The gateway needs at least two network interfaces, each connected to a separate network. In this example, [.filename]#xl0# is connected to the Internet and [.filename]#xl1# is connected to the internal network. First, enable the gateway to let the machine forward the network traffic it receives on one interface to another interface. This sysctl setting will forward IPv4 packets: [source,shell] .... # sysctl net.inet.ip.forwarding=1 .... To forward IPv6 traffic, use: [source,shell] .... # sysctl net.inet6.ip6.forwarding=1 .... To enable these settings at system boot, use man:sysrc[8] to add them to [.filename]#/etc/rc.conf#: [source,shell] .... # sysrc gateway_enable=yes # sysrc ipv6_gateway_enable=yes .... Verify with `ifconfig` that both of the interfaces are up and running. Next, create the PF rules to allow the gateway to pass traffic. While the following rule allows stateful traffic from hosts of the internal network to pass to the gateway, the `to` keyword does not guarantee passage all the way from source to destination: [.programlisting] .... pass in on xl1 from xl1:network to xl0:network port $ports keep state .... That rule only lets the traffic pass in to the gateway on the internal interface. To let the packets go further, a matching rule is needed: [.programlisting] .... pass out on xl0 from xl1:network to xl0:network port $ports keep state .... While these two rules will work, rules this specific are rarely needed. For a busy network admin, a readable ruleset is a safer ruleset. The remainder of this section demonstrates how to keep the rules as simple as possible for readability. For example, those two rules could be replaced with one rule: [.programlisting] .... pass from xl1:network to any port $ports keep state .... The `interface:network` notation can be replaced with a macro to make the ruleset even more readable. For example, a `$localnet` macro could be defined as the network directly attached to the internal interface (`$xl1:network`). Alternatively, the definition of `$localnet` could be changed to an _IP address/netmask_ notation to denote a network, such as `192.168.100.1/24` for a subnet of private addresses. If required, `$localnet` could even be defined as a list of networks. Whatever the specific needs, a sensible `$localnet` definition could be used in a typical pass rule as follows: [.programlisting] .... pass from $localnet to any port $ports keep state .... The following sample ruleset allows all traffic initiated by machines on the internal network. It first defines two macros to represent the external and internal 3COM interfaces of the gateway. [NOTE] ==== For dialup users, the external interface will use [.filename]#tun0#. For an ADSL connection, specifically those using PPP over Ethernet (PPPoE), the correct external interface is [.filename]#tun0#, not the physical Ethernet interface. ==== [.programlisting] .... ext_if = "xl0" # macro for external interface - use tun0 for PPPoE int_if = "xl1" # macro for internal interface localnet = $int_if:network # ext_if IP address could be dynamic, hence ($ext_if) nat on $ext_if from $localnet to any -> ($ext_if) block all pass from { lo0, $localnet } to any keep state .... This ruleset introduces the `nat` rule which is used to handle the network address translation from the non-routable addresses inside the internal network to the IP address assigned to the external interface. The parentheses surrounding the last part of the nat rule `($ext_if)` is included when the IP address of the external interface is dynamically assigned. It ensures that network traffic runs without serious interruptions even if the external IP address changes. Note that this ruleset probably allows more traffic to pass out of the network than is needed. One reasonable setup could create this macro: [.programlisting] .... client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \ https, cvspserver, 2628, 5999, 8000, 8080 }" .... to use in the main pass rule: [.programlisting] .... pass inet proto tcp from $localnet to any port $client_out \ flags S/SA keep state .... A few other pass rules may be needed. This one enables SSH on the external interface: [.programlisting] .... pass in inet proto tcp to $ext_if port ssh .... This macro definition and rule allows DNS and NTP for internal clients: [.programlisting] .... udp_services = "{ domain, ntp }" pass quick inet proto { tcp, udp } to any port $udp_services keep state .... Note the `quick` keyword in this rule. Since the ruleset consists of several rules, it is important to understand the relationships between the rules in a ruleset. Rules are evaluated from top to bottom, in the sequence they are written. For each packet or connection evaluated by PF, _the last matching rule_ in the ruleset is the one which is applied. However, when a packet matches a rule which contains the `quick` keyword, the rule processing stops and the packet is treated according to that rule. This is very useful when an exception to the general rules is needed. [[pftut-ftp]] ==== Creating an FTP Proxy Configuring working FTP rules can be problematic due to the nature of the FTP protocol. FTP pre-dates firewalls by several decades and is insecure in its design. The most common points against using FTP include: * Passwords are transferred in the clear. * The protocol demands the use of at least two TCP connections (control and data) on separate ports. * When a session is established, data is communicated using randomly selected ports. All of these points present security challenges, even before considering any potential security weaknesses in client or server software. More secure alternatives for file transfer exist, such as man:sftp[1] or man:scp[1], which both feature authentication and data transfer over encrypted connections. For those situations when FTP is required, PF provides redirection of FTP traffic to a small proxy program called man:ftp-proxy[8], which is included in the base system of FreeBSD. The role of the proxy is to dynamically insert and delete rules in the ruleset, using a set of anchors, to correctly handle FTP traffic. To enable the FTP proxy, add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... ftpproxy_enable="YES" .... Then start the proxy by running: [source,bash] .... # service ftp-proxy start .... For a basic configuration, three elements need to be added to [.filename]#/etc/pf.conf#. First, the anchors which the proxy will use to insert the rules it generates for the FTP sessions: [.programlisting] .... nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" .... Second, a pass rule is needed to allow FTP traffic in to the proxy. Third, redirection and NAT rules need to be defined before the filtering rules. Insert this `rdr` rule immediately after the `nat` rule: [.programlisting] .... rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021 .... Finally, allow the redirected traffic to pass: [.programlisting] .... pass out proto tcp from $proxy to any port ftp .... where `$proxy` expands to the address the proxy daemon is bound to. Save [.filename]#/etc/pf.conf#, load the new rules, and verify from a client that FTP connections are working: [source,shell] .... # pfctl -f /etc/pf.conf .... This example covers a basic setup where the clients in the local network need to contact FTP servers elsewhere. This basic configuration should work well with most combinations of FTP clients and servers. As shown in man:ftp-proxy[8], the proxy's behavior can be changed in various ways by adding options to the `ftpproxy_flags=` line. Some clients or servers may have specific quirks that must be compensated for in the configuration, or there may be a need to integrate the proxy in specific ways such as assigning FTP traffic to a specific queue. For ways to run an FTP server protected by PF and man:ftp-proxy[8], configure a separate `ftp-proxy` in reverse mode, using `-R`, on a separate port with its own redirecting pass rule. [[pftut-icmp]] ==== Managing ICMP Many of the tools used for debugging or troubleshooting a TCP/IP network rely on the Internet Control Message Protocol (ICMP), which was designed specifically with debugging in mind. The ICMP protocol sends and receives _control messages_ between hosts and gateways, mainly to provide feedback to a sender about any unusual or difficult conditions enroute to the target host. Routers use ICMP to negotiate packet sizes and other transmission parameters in a process often referred to as _path MTU discovery_. From a firewall perspective, some ICMP control messages are vulnerable to known attack vectors. Also, letting all diagnostic traffic pass unconditionally makes debugging easier, but it also makes it easier for others to extract information about the network. For these reasons, the following rule may not be optimal: [.programlisting] .... pass inet proto icmp from any to any .... One solution is to let all ICMP traffic from the local network through while stopping all probes from outside the network: [.programlisting] .... pass inet proto icmp from $localnet to any keep state pass inet proto icmp from any to $ext_if keep state .... Additional options are available which demonstrate some of PF's flexibility. For example, rather than allowing all ICMP messages, one can specify the messages used by man:ping[8] and man:traceroute[8]. Start by defining a macro for that type of message: [.programlisting] .... icmp_types = "echoreq" .... and a rule which uses the macro: [.programlisting] .... pass inet proto icmp all icmp-type $icmp_types keep state .... If other types of ICMP packets are needed, expand `icmp_types` to a list of those packet types. Type `more /usr/src/sbin/pfctl/pfctl_parser.c` to see the list of ICMP message types supported by PF. Refer to http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml[http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml] for an explanation of each message type. Since Unix `traceroute` uses UDP by default, another rule is needed to allow Unix `traceroute`: [.programlisting] .... # allow out the default range for traceroute(8): pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state .... Since `TRACERT.EXE` on Microsoft Windows systems uses ICMP echo request messages, only the first rule is needed to allow network traces from those systems. Unix `traceroute` can be instructed to use other protocols as well, and will use ICMP echo request messages if `-I` is used. Check the man:traceroute[8] man page for details. [[pftut-pathmtudisc]] ===== Path MTU Discovery Internet protocols are designed to be device independent, and one consequence of device independence is that the optimal packet size for a given connection cannot always be predicted reliably. The main constraint on packet size is the _Maximum Transmission Unit_ (MTU) which sets the upper limit on the packet size for an interface. Type `ifconfig` to view the MTUs for a system's network interfaces. TCP/IP uses a process known as path MTU discovery to determine the right packet size for a connection. This process sends packets of varying sizes with the "Do not fragment" flag set, expecting an ICMP return packet of "type 3, code 4" when the upper limit has been reached. Type 3 means "destination unreachable", and code 4 is short for "fragmentation needed, but the do-not-fragment flag is set". To allow path MTU discovery in order to support connections to other MTUs, add the `destination unreachable` type to the `icmp_types` macro: [.programlisting] .... icmp_types = "{ echoreq, unreach }" .... Since the pass rule already uses that macro, it does not need to be modified to support the new ICMP type: [.programlisting] .... pass inet proto icmp all icmp-type $icmp_types keep state .... PF allows filtering on all variations of ICMP types and codes. The list of possible types and codes are documented in man:icmp[4] and man:icmp6[4]. [[pftut-tables]] ==== Using Tables Some types of data are relevant to filtering and redirection at a given time, but their definition is too long to be included in the ruleset file. PF supports the use of tables, which are defined lists that can be manipulated without needing to reload the entire ruleset, and which can provide fast lookups. Table names are always enclosed within `< >`, like this: [.programlisting] .... table { 192.168.2.0/24, !192.168.2.5 } .... In this example, the `192.168.2.0/24` network is part of the table, except for the address `192.168.2.5`, which is excluded using the `!` operator. It is also possible to load tables from files where each item is on a separate line, as seen in this example [.filename]#/etc/clients#: [.programlisting] .... 192.168.2.0/24 !192.168.2.5 .... To refer to the file, define the table like this: [.programlisting] .... table persist file "/etc/clients" .... Once the table is defined, it can be referenced by a rule: [.programlisting] .... pass inet proto tcp from to any port $client_out flags S/SA keep state .... A table's contents can be manipulated live, using `pfctl`. This example adds another network to the table: [source,shell] .... # pfctl -t clients -T add 192.168.1.0/16 .... Note that any changes made this way will take affect now, making them ideal for testing, but will not survive a power failure or reboot. To make the changes permanent, modify the definition of the table in the ruleset or edit the file that the table refers to. One can maintain the on-disk copy of the table using a man:cron[8] job which dumps the table's contents to disk at regular intervals, using a command such as `pfctl -t clients -T show >/etc/clients`. Alternatively, [.filename]#/etc/clients# can be updated with the in-memory table contents: [source,shell] .... # pfctl -t clients -T replace -f /etc/clients .... [[pftut-overload]] ==== Using Overload Tables to Protect SSH Those who run SSH on an external interface have probably seen something like this in the authentication logs: [.programlisting] .... Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2 Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2 Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31 Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2 .... This is indicative of a brute force attack where somebody or some program is trying to discover the user name and password which will let them into the system. If external SSH access is needed for legitimate users, changing the default port used by SSH can offer some protection. However, PF provides a more elegant solution. Pass rules can contain limits on what connecting hosts can do and violators can be banished to a table of addresses which are denied some or all access. It is even possible to drop all existing connections from machines which overreach the limits. To configure this, create this table in the tables section of the ruleset: [.programlisting] .... table persist .... Then, somewhere early in the ruleset, add rules to block brute access while allowing legitimate access: [.programlisting] .... block quick from pass inet proto tcp from any to $localnet port $tcp_services \ flags S/SA keep state \ (max-src-conn 100, max-src-conn-rate 15/5, \ overload flush global) .... The part in parentheses defines the limits and the numbers should be changed to meet local requirements. It can be read as follows: `max-src-conn` is the number of simultaneous connections allowed from one host. `max-src-conn-rate` is the rate of new connections allowed from any single host (_15_) per number of seconds (_5_). `overload ` means that any host which exceeds these limits gets its address added to the `bruteforce` table. The ruleset blocks all traffic from addresses in the `bruteforce` table. Finally, `flush global` says that when a host reaches the limit, that all (`global`) of that host's connections will be terminated (`flush`). [NOTE] ==== These rules will _not_ block slow bruteforcers, as described in http://home.nuug.no/\~peter/hailmary2013/[http://home.nuug.no/~peter/hailmary2013/]. ==== This example ruleset is intended mainly as an illustration. For example, if a generous number of connections in general are wanted, but the desire is to be more restrictive when it comes to ssh, supplement the rule above with something like the one below, early on in the rule set: [.programlisting] .... pass quick proto { tcp, udp } from any to any port ssh \ flags S/SA keep state \ (max-src-conn 15, max-src-conn-rate 5/3, \ overload flush global) .... [NOTE] ==== *It May Not be Necessary to Block All Overloaders:* + It is worth noting that the overload mechanism is a general technique which does not apply exclusively to SSH, and it is not always optimal to entirely block all traffic from offenders. For example, an overload rule could be used to protect a mail service or a web service, and the overload table could be used in a rule to assign offenders to a queue with a minimal bandwidth allocation or to redirect to a specific web page. ==== Over time, tables will be filled by overload rules and their size will grow incrementally, taking up more memory. Sometimes an IP address that is blocked is a dynamically assigned one, which has since been assigned to a host who has a legitimate reason to communicate with hosts in the local network. For situations like these, pfctl provides the ability to expire table entries. For example, this command will remove `` table entries which have not been referenced for `86400` seconds: [source,shell] .... # pfctl -t bruteforce -T expire 86400 .... Similar functionality is provided by package:security/expiretable[], which removes table entries which have not been accessed for a specified period of time. Once installed, expiretable can be run to remove `` table entries older than a specified age. This example removes all entries older than 24 hours: [.programlisting] .... /usr/local/sbin/expiretable -v -d -t 24h bruteforce .... [[pftut-spamd]] ==== Protecting Against SPAM Not to be confused with the spamd daemon which comes bundled with spamassassin, package:mail/spamd[] can be configured with PF to provide an outer defense against SPAM. This spamd hooks into the PF configuration using a set of redirections. Spammers tend to send a large number of messages, and SPAM is mainly sent from a few spammer friendly networks and a large number of hijacked machines, both of which are reported to _blocklists_ fairly quickly. When an SMTP connection from an address in a blocklist is received, spamd presents its banner and immediately switches to a mode where it answers SMTP traffic one byte at a time. This technique, which is intended to waste as much time as possible on the spammer's end, is called _tarpitting_. The specific implementation which uses one byte SMTP replies is often referred to as _stuttering_. This example demonstrates the basic procedure for setting up spamd with automatically updated blocklists. Refer to the man pages which are installed with package:mail/spamd[] for more information. [.procedure] **** .Procedure: Configuring spamd . Install the package:mail/spamd[] package or port. To use spamd's greylisting features, man:fdescfs[5] must be mounted at [.filename]#/dev/fd#. Add the following line to [.filename]#/etc/fstab#: + [.programlisting] .... fdescfs /dev/fd fdescfs rw 0 0 .... + Then, mount the filesystem: + [.programlisting] .... # mount fdescfs .... . Next, edit the PF ruleset to include: + [.programlisting] .... table persist table persist rdr pass on $ext_if inet proto tcp from to \ { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025 rdr pass on $ext_if inet proto tcp from ! to \ { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025 .... + The two tables `` and `` are essential. SMTP traffic from an address listed in `` but not in `` is redirected to the spamd daemon listening at port 8025. . The next step is to configure spamd in [.filename]#/usr/local/etc/spamd.conf# and to add some [.filename]#rc.conf# parameters. + The installation of package:mail/spamd[] includes a sample configuration file ([.filename]#/usr/local/etc/spamd.conf.sample#) and a man page for [.filename]#spamd.conf#. Refer to these for additional configuration options beyond those shown in this example. + One of the first lines in the configuration file that does not begin with a `+#+` comment sign contains the block which defines the `all` list, which specifies the lists to use: + [.programlisting] .... all:\ :traplist:allowlist: .... + This entry adds the desired blocklists, separated by colons (`:`). To use an allowlist to subtract addresses from a blocklist, add the name of the allowlist _immediately_ after the name of that blocklist. For example: `:blocklist:allowlist:`. + This is followed by the specified blocklist's definition: + [.programlisting] .... traplist:\ :black:\ :msg="SPAM. Your address %A has sent spam within the last 24 hours":\ :method=http:\ :file=www.openbsd.org/spamd/traplist.gz .... + where the first line is the name of the blocklist and the second line specifies the list type. The `msg` field contains the message to display to blocklisted senders during the SMTP dialogue. The `method` field specifies how spamd-setup fetches the list data; supported methods are `http`, `ftp`, from a `file` in a mounted file system, and via `exec` of an external program. Finally, the `file` field specifies the name of the file spamd expects to receive. + The definition of the specified allowlist is similar, but omits the `msg` field since a message is not needed: + [.programlisting] .... allowlist:\ :white:\ :method=file:\ :file=/var/mail/allowlist.txt .... + [TIP] ==== *Choose Data Sources with Care:* + Using all the blocklists in the sample [.filename]#spamd.conf# will block large blocks of the Internet. Administrators need to edit the file to create an optimal configuration which uses applicable data sources and, when necessary, uses custom lists. ==== + Next, add this entry to [.filename]#/etc/rc.conf#. Additional flags are described in the man page specified by the comment: + [.programlisting] .... spamd_flags="-v" # use "" and see spamd-setup(8) for flags .... + When finished, reload the ruleset, start spamd by typing `service obspamd start`, and complete the configuration using `spamd-setup`. Finally, create a man:cron[8] job which calls `spamd-setup` to update the tables at reasonable intervals. **** On a typical gateway in front of a mail server, hosts will soon start getting trapped within a few seconds to several minutes. PF also supports _greylisting_, which temporarily rejects messages from unknown hosts with _45n_ codes. Messages from greylisted hosts which try again within a reasonable time are let through. Traffic from senders which are set up to behave within the limits set by RFC 1123 and RFC 2821 are immediately let through. More information about greylisting as a technique can be found at the http://www.greylisting.org/[greylisting.org] web site. The most amazing thing about greylisting, apart from its simplicity, is that it still works. Spammers and malware writers have been very slow to adapt to bypass this technique. The basic procedure for configuring greylisting is as follows: [.procedure] .Procedure: Configuring Greylisting . Make sure that man:fdescfs[5] is mounted as described in Step 1 of the previous Procedure. . To run spamd in greylisting mode, add this line to [.filename]#/etc/rc.conf#: + [.programlisting] .... spamd_grey="YES" # use spamd greylisting if YES .... + Refer to the spamd man page for descriptions of additional related parameters. . To complete the greylisting setup: + [.programlisting] .... # service obspamd restart # service obspamlogd start .... Behind the scenes, the spamdb database tool and the spamlogd whitelist updater perform essential functions for the greylisting feature. spamdb is the administrator's main interface to managing the block, grey, and allow lists via the contents of the [.filename]#/var/db/spamdb# database. [[pftut-hygiene]] ==== Network Hygiene This section describes how `block-policy`, `scrub`, and `antispoof` can be used to make the ruleset behave sanely. The `block-policy` is an option which can be set in the `options` part of the ruleset, which precedes the redirection and filtering rules. This option determines which feedback, if any, PF sends to hosts that are blocked by a rule. The option has two possible values: `drop` drops blocked packets with no feedback, and `return` returns a status code such as `Connection refused`. If not set, the default policy is `drop`. To change the `block-policy`, specify the desired value: [.programlisting] .... set block-policy return .... In PF, `scrub` is a keyword which enables network packet normalization. This process reassembles fragmented packets and drops TCP packets that have invalid flag combinations. Enabling `scrub` provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments. A number of options are available, but the simplest form is suitable for most configurations: [.programlisting] .... scrub in all .... Some services, such as NFS, require specific fragment handling options. Refer to https://home.nuug.no/\~peter/pf/en/scrub.html[https://home.nuug.no/~peter/pf/en/scrub.html] for more information. This example reassembles fragments, clears the "do not fragment" bit, and sets the maximum segment size to 1440 bytes: [.programlisting] .... scrub in all fragment reassemble no-df max-mss 1440 .... The `antispoof` mechanism protects against activity from spoofed or forged IP addresses, mainly by blocking packets appearing on interfaces and in directions which are logically not possible. These rules weed out spoofed traffic coming in from the rest of the world as well as any spoofed packets which originate in the local network: [.programlisting] .... antispoof for $ext_if antispoof for $int_if .... [[pftut-unrouteables]] ==== Handling Non-Routable Addresses Even with a properly configured gateway to handle network address translation, one may have to compensate for other people's misconfigurations. A common misconfiguration is to let traffic with non-routable addresses out to the Internet. Since traffic from non-routeable addresses can play a part in several DoS attack techniques, consider explicitly blocking traffic from non-routeable addresses from entering the network through the external interface. In this example, a macro containing non-routable addresses is defined, then used in blocking rules. Traffic to and from these addresses is quietly dropped on the gateway's external interface. [.programlisting] .... martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ 0.0.0.0/8, 240.0.0.0/4 }" block drop in quick on $ext_if from $martians to any block drop out quick on $ext_if from any to $martians .... === Enabling ALTQ On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS). Once ALTQ is enabled, queues can be defined in the ruleset which determine the processing priority of outbound packets. Before enabling ALTQ, refer to man:altq[4] to determine if the drivers for the network cards installed on the system support it. ALTQ is not available as a loadable kernel module. If the system's interfaces support ALTQ, create a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The following kernel options are available. The first is needed to enable ALTQ. At least one of the other options is necessary to specify the queueing scheduler algorithm: [.programlisting] .... options ALTQ options ALTQ_CBQ # Class Based Queuing (CBQ) options ALTQ_RED # Random Early Detection (RED) options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) options ALTQ_PRIQ # Priority Queuing (PRIQ) .... The following scheduler algorithms are available: CBQ:: Class Based Queuing (CBQ) is used to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules. RED:: Random Early Detection (RED) is used to avoid network congestion by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. When the queue is over the maximum, all new packets are randomly dropped. RIO:: In Random Early Detection In and Out (RIO) mode, RED maintains multiple average queue lengths and multiple threshold values, one for each QOS level. HFSC:: Hierarchical Fair Service Curve Packet Scheduler (HFSC) is described in http://www-2.cs.cmu.edu/\~hzhang/HFSC/main.html[http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html]. PRIQ:: Priority Queuing (PRIQ) always passes traffic that is in a higher queue first. More information about the scheduling algorithms and example rulesets are available at the https://web.archive.org/web/20151109213426/http://www.openbsd.org/faq/pf/queueing.html[OpenBSD's web archive]. [[firewalls-ipfw]] == IPFW IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and IPv6. It is comprised of several components: the kernel firewall filter rule processor and its integrated packet accounting facility, the logging facility, NAT, the man:dummynet[4] traffic shaper, a forward facility, a bridge facility, and an ipstealth facility. FreeBSD provides a sample ruleset in [.filename]#/etc/rc.firewall# which defines several firewall types for common scenarios to assist novice users in generating an appropriate ruleset. IPFW provides a powerful syntax which advanced users can use to craft customized rulesets that meet the security requirements of a given environment. This section describes how to enable IPFW, provides an overview of its rule syntax, and demonstrates several rulesets for common configuration scenarios. [[firewalls-ipfw-enable]] === Enabling IPFW IPFW is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPFW. For those users who wish to statically compile IPFW support into a custom kernel, see crossref:firewalls[firewalls-ipfw-kernelconfig, IPFW Kernel Options]. To configure the system to enable IPFW at boot time, add `firewall_enable="YES"` to [.filename]#/etc/rc.conf#: [source,shell] .... # sysrc firewall_enable="YES" .... To use one of the default firewall types provided by FreeBSD, add another line which specifies the type: [source,shell] .... # sysrc firewall_type="open" .... The available types are: * `open`: passes all traffic. * `client`: protects only this machine. * `simple`: protects the whole network. * `closed`: entirely disables IP traffic except for the loopback interface. * `workstation`: protects only this machine using stateful rules. * `UNKNOWN`: disables the loading of firewall rules. * [.filename]#filename#: full path of the file containing the firewall ruleset. If `firewall_type` is set to either `client` or `simple`, modify the default rules found in [.filename]#/etc/rc.firewall# to fit the configuration of the system. Note that the `filename` type is used to load a custom ruleset. An alternate way to load a custom ruleset is to set the `firewall_script` variable to the absolute path of an _executable script_ that includes IPFW commands. The examples used in this section assume that the `firewall_script` is set to [.filename]#/etc/ipfw.rules#: [source,shell] .... # sysrc firewall_script="/etc/ipfw.rules" .... To enable logging through man:syslogd[8], include this line: [source,shell] .... # sysrc firewall_logging="YES" .... [WARNING] ==== Only firewall rules with the `log` option will be logged. The default rules do not include this option and it must be manually added. Therefore it is advisable that the default ruleset is edited for logging. In addition, log rotation may be desired if the logs are stored in a separate file. ==== There is no [.filename]#/etc/rc.conf# variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this line in [.filename]#/etc/sysctl.conf#: [source,shell] .... # echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf .... To enable logging through a dedicated interface named `ipfw0`, add this line to [.filename]#/etc/rc.conf# instead: [source,shell] .... # sysrc firewall_logif="YES" .... Then use tcpdump to see what is being logged: [source,shell] .... # tcpdump -t -n -i ipfw0 .... [TIP] ==== There is no overhead due to logging unless tcpdump is attached. ==== After saving the needed edits, start the firewall. To enable logging limits now, also set the `sysctl` value specified above: [source,shell] .... # service ipfw start # sysctl net.inet.ip.fw.verbose_limit=5 .... [[firewalls-ipfw-rules]] === IPFW Rule Syntax When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. This is referred to as "first match wins". If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the `count`, `skipto`, or `tee` keywords, the search continues. Refer to man:ipfw[8] for details on how these keywords affect rule processing. When creating an IPFW rule, keywords must be written in the following order. Some keywords are mandatory while other keywords are optional. The words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it. The `+#+` symbol is used to mark the start of a comment and may appear at the end of a rule or on its own line. Blank lines are ignored. `_CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC SRC_PORT to DST DST_PORT OPTIONS_` This section provides an overview of these keywords and their options. It is not an exhaustive list of every possible option. Refer to man:ipfw[8] for a complete description of the rule syntax that can be used when creating IPFW rules. CMD:: Every rule must start with `ipfw add`. RULE_NUMBER:: Each rule is associated with a number from `1` to `65534`. The number is used to indicate the order of rule processing. Multiple rules can have the same number, in which case they are applied according to the order in which they have been added. SET_NUMBER:: Each rule is associated with a set number from `0` to `31`. Sets can be individually disabled or enabled, making it possible to quickly add or delete a set of rules. If a SET_NUMBER is not specified, the rule will be added to set `0`. ACTION:: A rule can be associated with one of the following actions. The specified action will be executed when the packet matches the selection criterion of the rule. + `allow | accept | pass | permit`: these keywords are equivalent and allow packets that match the rule. + `check-state`: checks the packet against the dynamic state table. If a match is found, execute the action associated with the rule which generated this dynamic rule, otherwise move to the next rule. A `check-state` rule does not have selection criterion. If no `check-state` rule is present in the ruleset, the dynamic rules table is checked at the first `keep-state` or `limit` rule. + `count`: updates counters for all packets that match the rule. The search continues with the next rule. + `deny | drop`: either word silently discards packets that match this rule. + Additional actions are available. Refer to man:ipfw[8] for details. LOG_AMOUNT:: When a packet matches a rule with the `log` keyword, a message will be logged to man:syslogd[8] with a facility name of `SECURITY`. Logging only occurs if the number of packets logged for that particular rule does not exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is taken from the value of `net.inet.ip.fw.verbose_limit`. A value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that rule, using `ipfw resetlog`. + [NOTE] ==== Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet. The administrator decides which rules to enable logging on. ==== PROTO:: This optional value can be used to specify any protocol name or number found in [.filename]#/etc/protocols#. SRC:: The `from` keyword must be followed by the source address or a keyword that represents the source address. An address can be represented by `any`, `me` (any address configured on an interface on this system), `me6`, (any IPv6 address configured on an interface on this system), or `table` followed by the number of a lookup table which contains a list of addresses. When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask. For example, `1.2.3.4/25` or `1.2.3.4:255.255.255.128`. SRC_PORT:: An optional source port can be specified using the port number or name from [.filename]#/etc/services#. DST:: The `to` keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination. DST_PORT:: An optional destination port can be specified using the port number or name from [.filename]#/etc/services#. OPTIONS:: Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include `in` or `out`, which specify the direction of packet flow, `icmptypes` followed by the type of ICMP message, and `keep-state`. + When a `keep-state` rule is matched, the firewall will create a dynamic rule which matches bidirectional traffic between the source and destination addresses and ports using the same protocol. + The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with IPFW, use `limit`. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and IP address combination occurred. If this count is greater than the value specified by `limit`, the packet is discarded. + Dozens of OPTIONS are available. Refer to man:ipfw[8] for a description of each available option. === Example Ruleset This section demonstrates how to create an example stateful firewall ruleset script named [.filename]#/etc/ipfw.rules#. In this example, all connection rules use `in` or `out` to clarify the direction. They also use `via` _interface-name_ to specify the interface the packet is traveling over. [NOTE] ==== When first creating or testing a firewall ruleset, consider temporarily setting this tunable: [.programlisting] .... net.inet.ip.fw.default_to_accept="1" .... This sets the default policy of man:ipfw[8] to be more permissive than the default `deny ip from any to any`, making it slightly more difficult to get locked out of the system right after a reboot. ==== The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the `cmd` variable so that `ipfw add` does not have to be typed at the beginning of every rule. It also defines the `pif` variable which represents the name of the interface that is attached to the Internet. [.programlisting] .... #!/bin/sh # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" pif="dc0" # interface name of NIC attached to Internet .... The first two rules allow all traffic on the trusted internal interface and on the loopback interface: [.programlisting] .... # Change xl0 to LAN NIC interface name $cmd 00005 allow all from any to any via xl0 # No restrictions on Loopback Interface $cmd 00010 allow all from any to any via lo0 .... The next rule allows the packet through if it matches an existing entry in the dynamic rules table: [.programlisting] .... $cmd 00101 check-state .... The next set of rules defines which stateful connections internal systems can create to hosts on the Internet: [.programlisting] .... # Allow access to public DNS # Replace x.x.x.x with the IP address of a public DNS server # and repeat for each DNS server in /etc/resolv.conf $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state # Allow access to ISP's DHCP server for cable/DSL configurations. # Use the first rule and check log for IP address. # Then, uncomment the second rule, input the IP address, and delete the first rule $cmd 00120 allow log udp from any to any 67 out via $pif keep-state #$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state # Allow outbound HTTP and HTTPS connections $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state # Allow outbound email connections $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state # Allow outbound ping $cmd 00250 allow icmp from any to any out via $pif keep-state # Allow outbound NTP $cmd 00260 allow udp from any to any 123 out via $pif keep-state # Allow outbound SSH $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state # deny and log all other outbound connections $cmd 00299 deny log all from any to any out via $pif .... The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use `limit` to prevent flooding. [.programlisting] .... # Deny all inbound traffic from non-routable reserved address spaces $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny public pings $cmd 00310 deny icmp from any to any in via $pif # Deny ident $cmd 00315 deny tcp from any to any 113 in via $pif # Deny all Netbios services. $cmd 00320 deny tcp from any to any 137 in via $pif $cmd 00321 deny tcp from any to any 138 in via $pif $cmd 00322 deny tcp from any to any 139 in via $pif $cmd 00323 deny tcp from any to any 81 in via $pif # Deny fragments $cmd 00330 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 00332 deny tcp from any to any established in via $pif # Allow traffic from ISP's DHCP server. # Replace x.x.x.x with the same IP address used in rule 00120. #$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state # Allow HTTP connections to internal web server $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2 # Allow inbound SSH connections $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Reject and log all other incoming connections $cmd 00499 deny log all from any to any in via $pif .... The last rule logs all packets that do not match any of the rules in the ruleset: [.programlisting] .... # Everything else is denied and logged $cmd 00999 deny log all from any to any .... [[in-kernel-nat]] === In-kernel NAT FreeBSD's IPFW firewall has two implementations of NAT: the userland implementation man:natd[8], and the more recent in-kernel NAT implementation. Both work in conjunction with IPFW to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public IP address. To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two NICs, where one is connected to the Internet and the other is connected to the internal LAN. Each machine connected to the LAN should be assigned an IP address in the private network space, as defined by https://www.ietf.org/rfc/rfc1918.txt[RFC 1918]. Some additional configuration is needed in order to enable the in-kernel NAT facility of IPFW. To enable in-kernel NAT support at boot time, the following must be set in [.filename]#/etc/rc.conf#: [.programlisting] .... gateway_enable="YES" firewall_enable="YES" firewall_nat_enable="YES" .... [NOTE] ==== When `firewall_nat_enable` is set but `firewall_enable` is not, it will have no effect and do nothing. This is because the in-kernel NAT implementation is only compatible with IPFW. ==== When the ruleset contains stateful rules, the positioning of the NAT rule is critical and the `skipto` action is used. The `skipto` action requires a rule number so that it knows which rule to jump to. The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel NAT. It starts by adding some additional variables which represent the rule number to skip to, the `keep-state` option, and a list of TCP ports which will be used to reduce the number of rules. [.programlisting] .... #!/bin/sh ipfw -q -f flush cmd="ipfw -q add" skip="skipto 1000" pif=dc0 ks="keep-state" good_tcpo="22,25,37,53,80,443,110" .... With in-kernel NAT it is necessary to disable TCP segmentation offloading (TSO) due to the architecture of man:libalias[3], a library implemented as a kernel module to provide the in-kernel NAT facility of IPFW. TSO can be disabled on a per network interface basis using man:ifconfig[8] or on a system wide basis using man:sysctl[8]. To disable TSO system wide, the following must be set it [.filename]#/etc/sysctl.conf#: [.programlisting] .... net.inet.tcp.tso="0" .... A NAT instance will also be configured. It is possible to have multiple NAT instances each with their own configuration. For this example only one NAT instance is needed, NAT instance number 1. The configuration can take a few options such as: `if` which indicates the public interface, `same_ports` which takes care that aliased ports and local port numbers are mapped the same, `unreg_only` will result in only unregistered (private) address spaces to be processed by the NAT instance, and `reset` which will help to keep a functioning NAT instance even when the public IP address of the IPFW machine changes. For all possible options that can be passed to a single NAT instance configuration consult man:ipfw[8]. When configuring a stateful NATing firewall, it is necessary to allow translated packets to be reinjected in the firewall for further processing. This can be achieved by disabling `one_pass` behavior at the start of the firewall script. [.programlisting] .... ipfw disable one_pass ipfw -q nat 1 config if $pif same_ports unreg_only reset .... The inbound NAT rule is inserted _after_ the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule but _before_ the `check-state` rule. It is important that the rule number selected for this NAT rule, in this example `100`, is higher than the first three rules and lower than the `check-state` rule. Furthermore, because of the behavior of in-kernel NAT it is advised to place a reassemble rule just before the first NAT rule and after the rules that allow traffic on trusted interface. Normally, IP fragmentation should not happen, but when dealing with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of fragments is necessary before handing the complete packet over to the in-kernel NAT facility. [NOTE] ==== The reassemble rule was not needed with userland man:natd[8] because the internal workings of the IPFW `divert` action already takes care of reassembling packets before delivery to the socket as also stated in man:ipfw[8]. The NAT instance and rule number used in this example does not match with the default NAT instance and rule number created by [.filename]#rc.firewall#. [.filename]#rc.firewall# is a script that sets up the default firewall rules present in FreeBSD. ==== [.programlisting] .... $cmd 005 allow all from any to any via xl0 # exclude LAN traffic $cmd 010 allow all from any to any via lo0 # exclude loopback traffic $cmd 099 reass all from any to any in # reassemble inbound packets $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets # Allow the packet through if it has an existing entry in the dynamic rules table $cmd 101 check-state .... The outbound rules are modified to replace the `allow` action with the `$skip` variable, indicating that rule processing will continue at rule `1000`. The seven `tcp` rules have been replaced by rule `125` as the `$good_tcpo` variable contains the seven allowed outbound ports. [NOTE] ==== Remember that IPFW's performance is largely determined by the number of rules present in the ruleset. ==== [.programlisting] .... # Authorized outbound packets $cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks $cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks $cmd 130 $skip icmp from any to any out via $pif $ks .... The inbound rules remain the same, except for the very last rule which removes the `via $pif` in order to catch both inbound and outbound rules. The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the rule number must be referenced by the `skipto` action. In this ruleset, rule number `1000` handles passing all packets to our configured instance for NAT processing. The next rule allows any packet which has undergone NAT processing to pass. [.programlisting] .... $cmd 999 deny log all from any to any $cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules $cmd 1001 allow ip from any to any .... In this example, rules `100`, `101`, `125`, `1000`, and `1001` control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private LANIP address. Consider an internal web browser which initializes a new outbound HTTP session over port 80. When the first outbound packet enters the firewall, it does not match rule `100` because it is headed out rather than in. It passes rule `101` because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule `125` as it is outbound on an allowed port and has a source IP address from the internal LAN. On matching this rule, two actions take place. First, the `keep-state` action adds an entry to the dynamic state table and the specified action, `skipto rule 1000`, is executed. Next, the packet undergoes NAT and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule `100` and has its destination IP address mapped back to the original internal address. It then is processed by the `check-state` rule, is found in the table as an existing session, and is released to the LAN. On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the LAN. The packet generated as a response is recognized by the `check-state` rule as belonging to an existing session. It is then sent to rule `1000` to undergo NAT before being released to the outbound interface. [NOTE] ==== Transitioning from userland man:natd[8] to in-kernel NAT might appear seamless at first but there is small catch. When using the GENERIC kernel, IPFW will load the [.filename]#libalias.ko# kernel module, when `firewall_nat_enable` is enabled in [.filename]#/etc/rc.conf#. The [.filename]#libalias.ko# kernel module only provides basic NAT functionality, whereas the userland implementation man:natd[8] has all NAT functionality available in its userland library without any extra configuration. All functionality refers to the following kernel modules that can additionally be loaded when needed besides the standard [.filename]#libalias.ko# kernel module: [.filename]#alias_ftp.ko#, [.filename]#alias_bbt.ko#, [.filename]#skinny.ko#, [.filename]#irc.ko#, [.filename]#alias_pptp.ko# and [.filename]#alias_smedia.ko# using the `kld_list` directive in [.filename]#/etc/rc.conf#. If a custom kernel is used, the full functionality of the userland library can be compiled in, in the kernel, using the `options LIBALIAS`. ==== ==== Port Redirection The drawback with NAT in general is that the LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the LAN client machines. A simple way around this is to redirect selected Internet ports on the NAT providing machine to a LAN client. For example, an IRC server runs on client `A` and a web server runs on client `B`. For this to work properly, connections received on ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective machines. With in-kernel NAT all configuration is done in the NAT instance configuration. For a full list of options that an in-kernel NAT instance can use, consult man:ipfw[8]. The IPFW syntax follows the syntax of natd. The syntax for `redirect_port` is as follows: [.programlisting] .... redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]] .... To configure the above example setup, the arguments should be: [.programlisting] .... redirect_port tcp 192.168.0.2:6667 6667 redirect_port tcp 192.168.0.3:80 80 .... After adding these arguments to the configuration of NAT instance 1 in the above ruleset, the TCP ports will be port forwarded to the LAN client machines running the IRC and HTTP services. [.programlisting] .... ipfw -q nat 1 config if $pif same_ports unreg_only reset \ redirect_port tcp 192.168.0.2:6667 6667 \ redirect_port tcp 192.168.0.3:80 80 .... Port ranges over individual ports can be indicated with `redirect_port`. For example, _tcp 192.168.0.2:2000-3000 2000-3000_ would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client `A`. ==== Address Redirection Address redirection is useful if more than one IP address is available. Each LAN client can be assigned its own external IP address by man:ipfw[8], which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client. This is also known as static NAT. For example, if IP addresses `128.1.1.1`, `128.1.1.2`, and `128.1.1.3` are available, `128.1.1.1` can be used as the man:ipfw[8] machine's external IP address, while `128.1.1.2` and `128.1.1.3` are forwarded back to LAN clients `A` and `B`. The `redirect_addr` syntax is as below, where `localIP` is the internal IP address of the LAN client, and `publicIP` the external IP address corresponding to the LAN client. [.programlisting] .... redirect_addr localIP publicIP .... In the example, the arguments would read: [.programlisting] .... redirect_addr 192.168.0.2 128.1.1.2 redirect_addr 192.168.0.3 128.1.1.3 .... Like `redirect_port`, these arguments are placed in a NAT instance configuration. With address redirection, there is no need for port redirection, as all data received on a particular IP address is redirected. The external IP addresses on the man:ipfw[8] machine must be active and aliased to the external interface. Refer to man:rc.conf[5] for details. ==== Userspace NAT Let us start with a statement: the userspace NAT implementation: man:natd[8], has more overhead than in-kernel NAT. For man:natd[8] to translate packets, the packets have to be copied from the kernel to userspace and back which brings in extra overhead that is not present with in-kernel NAT. To enable the userspace NAT daemon man:natd[8] at boot time, the following is a minimum configuration in [.filename]#/etc/rc.conf#. Where `natd_interface` is set to the name of the NIC attached to the Internet. The man:rc[8] script of man:natd[8] will automatically check if a dynamic IP address is used and configure itself to handle that. [.programlisting] .... gateway_enable="YES" natd_enable="YES" natd_interface="rl0" .... In general, the above ruleset as explained for in-kernel NAT can also be used together with man:natd[8]. The exceptions are the configuration of the in-kernel NAT instance `(ipfw -q nat 1 config ...)` which is not needed together with reassemble rule 99 because its functionality is included in the `divert` action. Rule number 100 and 1000 will have to change sligthly as shown below. [.programlisting] .... $cmd 100 divert natd ip from any to any in via $pif $cmd 1000 divert natd ip from any to any out via $pif .... To configure port or address redirection, a similar syntax as with in-kernel NAT is used. Although, now, instead of specifying the configuration in our ruleset script like with in-kernel NAT, configuration of man:natd[8] is best done in a configuration file. To do this, an extra flag must be passed via [.filename]#/etc/rc.conf# which specifies the path of the configuration file. [.programlisting] .... natd_flags="-f /etc/natd.conf" .... [NOTE] ==== The specified file must contain a list of configuration options, one per line. For more information about the configuration file and possible variables, consult man:natd[8]. Below are two example entries, one per line: [.programlisting] .... redirect_port tcp 192.168.0.2:6667 6667 redirect_addr 192.168.0.3 128.1.1.3 .... ==== [[firewalls-ipfw-cmd]] === The IPFW Command `ipfw` can be used to make manual, single rule additions or deletions to the active firewall while it is running. The problem with using this method is that all the changes are lost when the system reboots. It is recommended to instead write all the rules in a file and to use that file to load the rules at boot time and to replace the currently running firewall rules whenever that file changes. `ipfw` is a useful way to display the running firewall rules to the console screen. The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its counter is one way to determine if the rule is functioning as expected. To list all the running rules in sequence: [source,shell] .... # ipfw list .... To list all the running rules with a time stamp of when the last time the rule was matched: [source,shell] .... # ipfw -t list .... The next example lists accounting information and the packet count for matched rules along with the rules themselves. The first column is the rule number, followed by the number of matched packets and bytes, followed by the rule itself. [source,shell] .... # ipfw -a list .... To list dynamic rules in addition to static rules: [source,shell] .... # ipfw -d list .... To also show the expired dynamic rules: [source,shell] .... # ipfw -d -e list .... To zero the counters: [source,shell] .... # ipfw zero .... To zero the counters for just the rule with number _NUM_: [source,shell] .... # ipfw zero NUM .... ==== Logging Firewall Messages Even with the logging facility enabled, IPFW will not generate any rule logging on its own. The firewall administrator decides which rules in the ruleset will be logged, and adds the `log` keyword to those rules. Normally only deny rules are logged. It is customary to duplicate the "ipfw default deny everything" rule with the `log` keyword included as the last rule in the ruleset. This way, it is possible to see all the packets that did not match any of the rules in the ruleset. Logging is a two edged sword. If one is not careful, an over abundance of log data or a DoS attack can fill the disk with log files. Log messages are not only written to syslogd, but also are displayed on the root console screen and soon become annoying. The `IPFIREWALL_VERBOSE_LIMIT=5` kernel option limits the number of consecutive messages sent to man:syslogd[8], concerning the packet matching of a given rule. When this option is enabled in the kernel, the number of consecutive messages concerning a particular rule is capped at the number specified. There is nothing to be gained from 200 identical log messages. With this option set to five, five consecutive messages concerning a particular rule would be logged to syslogd and the remainder identical consecutive messages would be counted and posted to syslogd with a phrase like the following: [.programlisting] .... last message repeated 45 times .... All logged packets messages are written by default to [.filename]#/var/log/security#, which is defined in [.filename]#/etc/syslog.conf#. [[firewalls-ipfw-rules-script]] ==== Building a Rule Script Most experienced IPFW users create a file containing the rules and code them in a manner compatible with running them as a script. The major benefit of doing this is the firewall rules can be refreshed in mass without the need of rebooting the system to activate them. This method is convenient in testing new rules as the procedure can be executed as many times as needed. Being a script, symbolic substitution can be used for frequently used values to be substituted into multiple rules. This example script is compatible with the syntax used by the man:sh[1], man:csh[1], and man:tcsh[1] shells. Symbolic substitution fields are prefixed with a dollar sign ($). Symbolic fields do not have the $ prefix. The value to populate the symbolic field must be enclosed in double quotes (""). Start the rules file like this: [.programlisting] .... ############### start of example ipfw rules script ############# # ipfw -q -f flush # Delete all rules # Set defaults oif="tun0" # out interface odns="192.0.2.11" # ISP's DNS server IP address cmd="ipfw -q add " # build rule prefix ks="keep-state" # just too lazy to key this each time $cmd 00500 check-state $cmd 00502 deny all from any to any frag $cmd 00501 deny tcp from any to any established $cmd 00600 allow tcp from any to any 80 out via $oif setup $ks $cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks $cmd 00611 allow udp from any to $odns 53 out via $oif $ks ################### End of example ipfw rules script ############ .... The rules are not important as the focus of this example is how the symbolic substitution fields are populated. If the above example was in [.filename]#/etc/ipfw.rules#, the rules could be reloaded by the following command: [source,shell] .... # sh /etc/ipfw.rules .... [.filename]#/etc/ipfw.rules# can be located anywhere and the file can have any name. The same thing could be accomplished by running these commands by hand: [source,shell] .... # ipfw -q -f flush # ipfw -q add check-state # ipfw -q add deny all from any to any frag # ipfw -q add deny tcp from any to any established # ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state # ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state # ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state .... [[firewalls-ipfw-kernelconfig]] === IPFW Kernel Options In order to statically compile IPFW support into a custom kernel, refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The following options are available for the custom kernel configuration file: [.programlisting] .... options IPFIREWALL # enables IPFW options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied options IPFIREWALL_NAT # enables basic in-kernel NAT support options LIBALIAS # enables full in-kernel NAT support options IPFIREWALL_NAT64 # enables in-kernel NAT64 support options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support options IPFIREWALL_PMOD # enables protocols modification module support options IPDIVERT # enables NAT through natd(8) .... [NOTE] ==== IPFW can be loaded as a kernel module: options above are built by default as modules or can be set at runtime using tunables. ==== [[firewalls-ipf]] == IPFILTER (IPF) IPFILTER, also known as IPF, is a cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris(TM). IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled and monitored by userland programs. Firewall rules can be set or deleted using ipf, NAT rules can be set or deleted using ipnat, run-time statistics for the kernel parts of IPFILTER can be printed using ipfstat, and ipmon can be used to log IPFILTER actions to the system log files. IPF was originally written using a rule processing logic of "the last matching rule wins" and only used stateless rules. Since then, IPF has been enhanced to include the `quick` and `keep state` options. The IPF FAQ is at http://www.phildev.net/ipf/index.html[http://www.phildev.net/ipf/index.html]. A searchable archive of the IPFilter mailing list is available at http://marc.info/?l=ipfilter[http://marc.info/?l=ipfilter]. This section of the Handbook focuses on IPF as it pertains to FreeBSD. It provides examples of rules that contain the `quick` and `keep state` options. === Enabling IPF IPF is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPF. For users who prefer to statically compile IPF support into a custom kernel, refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The following kernel options are available: [.programlisting] .... options IPFILTER options IPFILTER_LOG options IPFILTER_LOOKUP options IPFILTER_DEFAULT_BLOCK .... where `options IPFILTER` enables support for IPFILTER, `options IPFILTER_LOG` enables IPF logging using the [.filename]#ipl# packet logging pseudo-device for every rule that has the `log` keyword, `IPFILTER_LOOKUP` enables IP pools in order to speed up IP lookups, and `options IPFILTER_DEFAULT_BLOCK` changes the default behavior so that any packet not matching a firewall `pass` rule gets blocked. To configure the system to enable IPF at boot time, add the following entries to [.filename]#/etc/rc.conf#. These entries will also enable logging and `default pass all`. To change the default policy to `block all` without compiling a custom kernel, remember to add a `block all` rule at the end of the ruleset. [.programlisting] .... ipfilter_enable="YES" # Start ipf firewall ipfilter_rules="/etc/ipf.rules" # loads rules definition text file ipv6_ipfilter_rules="/etc/ipf6.rules" # loads rules definition text file for IPv6 ipmon_enable="YES" # Start IP monitor log ipmon_flags="-Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq # n = map IP & port to names .... If NAT functionality is needed, also add these lines: [.programlisting] .... gateway_enable="YES" # Enable as LAN gateway ipnat_enable="YES" # Start ipnat function ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat .... Then, to start IPF now: [.programlisting] .... # service ipfilter start .... To load the firewall rules, specify the name of the ruleset file using `ipf`. The following command can be used to replace the currently running firewall rules: [source,shell] .... # ipf -Fa -f /etc/ipf.rules .... where `-Fa` flushes all the internal rules tables and `-f` specifies the file containing the rules to load. This provides the ability to make changes to a custom ruleset and update the running firewall with a fresh copy of the rules without having to reboot the system. This method is convenient for testing new rules as the procedure can be executed as many times as needed. Refer to man:ipf[8] for details on the other flags available with this command. === IPF Rule Syntax This section describes the IPF rule syntax used to create stateful rules. When creating rules, keep in mind that unless the `quick` keyword appears in a rule, every rule is read in order, with the _last matching rule_ being the one that is applied. This means that even if the first rule to match a packet is a `pass`, if there is a later matching rule that is a `block`, the packet will be dropped. Sample rulesets can be found in [.filename]#/usr/share/examples/ipfilter#. When creating rules, a `+#+` character is used to mark the start of a comment and may appear at the end of a rule, to explain that rule's function, or on its own line. Any blank lines are ignored. The keywords which are used in rules must be written in a specific order, from left to right. Some keywords are mandatory while others are optional. Some keywords have sub-options which may be keywords themselves and also include more sub-options. The keyword order is as follows, where the words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it: `_ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE_` This section describes each of these keywords and their options. It is not an exhaustive list of every possible option. Refer to man:ipf[5] for a complete description of the rule syntax that can be used when creating IPF rules and examples for using each keyword. ACTION:: The action keyword indicates what to do with the packet if it matches that rule. Every rule _must_ have an action. The following actions are recognized: + `block`: drops the packet. + `pass`: allows the packet. + `log`: generates a log record. + `count`: counts the number of packets and bytes which can provide an indication of how often a rule is used. + `auth`: queues the packet for further processing by another program. + `call`: provides access to functions built into IPF that allow more complex actions. + `decapsulate`: removes any headers in order to process the contents of the packet. DIRECTION:: Next, each rule must explicitly state the direction of traffic using one of these keywords: + `in`: the rule is applied against an inbound packet. + `out`: the rule is applied against an outbound packet. + `all`: the rule applies to either direction. + If the system has multiple interfaces, the interface can be specified along with the direction. An example would be `in on fxp0`. OPTIONS:: Options are optional. However, if multiple options are specified, they must be used in the order shown here. + `log`: when performing the specified ACTION, the contents of the packet's headers will be written to the man:ipl[4] packet log pseudo-device. + `quick`: if a packet matches this rule, the ACTION specified by the rule occurs and no further processing of any following rules will occur for this packet. + `on`: must be followed by the interface name as displayed by man:ifconfig[8]. The rule will only match if the packet is going through the specified interface in the specified direction. + When using the `log` keyword, the following qualifiers may be used in this order: + `body`: indicates that the first 128 bytes of the packet contents will be logged after the headers. + `first`: if the `log` keyword is being used in conjunction with a `keep state` option, this option is recommended so that only the triggering packet is logged and not every packet which matches the stateful connection. + Additional options are available to specify error return messages. Refer to man:ipf[5] for more details. PROTO_TYPE:: The protocol type is optional. However, it is mandatory if the rule needs to specify a SRC_PORT or a DST_PORT as it defines the type of protocol. When specifying the type of protocol, use the `proto` keyword followed by either a protocol number or name from [.filename]#/etc/protocols#. Example protocol names include `tcp`, `udp`, or `icmp`. If PROTO_TYPE is specified but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol will match that rule. SRC_ADDR:: The `from` keyword is mandatory and is followed by a keyword which represents the source of the packet. The source can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keyword `all`. Refer to man:ipf[5] for examples. + There is no way to match ranges of IP addresses which do not express themselves easily using the dotted numeric form / mask-length notation. The package:net-mgmt/ipcalc[] package or port may be used to ease the calculation of the CIDR mask. Additional information is available at the utility's web page: http://jodies.de/ipcalc[http://jodies.de/ipcalc]. SRC_PORT:: The port number of the source is optional. However, if it is used, it requires PROTO_TYPE to be first defined in the rule. The port number must also be preceded by the `proto` keyword. + A number of different comparison operators are supported: `=` (equal to), `!=` (not equal to), `<` (less than), `>` (greater than), `<=` (less than or equal to), and `>=` (greater than or equal to). + To specify port ranges, place the two port numbers between `<>` (less than and greater than ), `><` (greater than and less than ), or `:` (greater than or equal to and less than or equal to). DST_ADDR:: The `to` keyword is mandatory and is followed by a keyword which represents the destination of the packet. Similar to SRC_ADDR, it can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keyword `all`. DST_PORT:: Similar to SRC_PORT, the port number of the destination is optional. However, if it is used, it requires PROTO_TYPE to be first defined in the rule. The port number must also be preceded by the `proto` keyword. TCP_FLAG|ICMP_TYPE:: If `tcp` is specified as the PROTO_TYPE, flags can be specified as letters, where each letter represents one of the possible TCP flags used to determine the state of a connection. Possible values are: `S` (SYN), `A` (ACK), `P` (PSH), `F` (FIN), `U` (URG), `R` (RST), `C` (CWN), and `E` (ECN). + If `icmp` is specified as the PROTO_TYPE, the ICMP type to match can be specified. Refer to man:ipf[5] for the allowable types. STATE:: If a `pass` rule contains `keep state`, IPF will add an entry to its dynamic state table and allow subsequent packets that match the connection. IPF can track state for TCP, UDP, and ICMP sessions. Any packet that IPF can be certain is part of an active session, even if it is a different protocol, will be allowed. + In IPF, packets destined to go out through the interface connected to the public Internet are first checked against the dynamic state table. If the packet matches the next expected packet comprising an active session conversation, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. Packets that do not belong to an already active session are checked against the outbound ruleset. Packets coming in from the interface connected to the public Internet are first checked against the dynamic state table. If the packet matches the next expected packet comprising an active session, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. Packets that do not belong to an already active session are checked against the inbound ruleset. + Several keywords can be added after `keep state`. If used, these keywords set various options that control stateful filtering, such as setting connection limits or connection age. Refer to man:ipf[5] for the list of available options and their descriptions. === Example Ruleset This section demonstrates how to create an example ruleset which only allows services matching `pass` rules and blocks all others. FreeBSD uses the loopback interface ([.filename]#lo0#) and the IP address `127.0.0.1` for internal communication. The firewall ruleset must contain rules to allow free movement of these internally used packets: [.programlisting] .... # no restrictions on loopback interface pass in quick on lo0 all pass out quick on lo0 all .... The public interface connected to the Internet is used to authorize and control access of all outbound and inbound connections. If one or more interfaces are cabled to private networks, those internal interfaces may require rules to allow packets originating from the LAN to flow between the internal networks or to the interface attached to the Internet. The ruleset should be organized into three major sections: any trusted internal interfaces, outbound connections through the public interface, and inbound connections through the public interface. These two rules allow all traffic to pass through a trusted LAN interface named [.filename]#xl0#: [.programlisting] .... # no restrictions on inside LAN interface for private network pass out quick on xl0 all pass in quick on xl0 all .... The rules for the public interface's outbound and inbound sections should have the most frequently matched rules placed before less commonly matched rules, with the last rule in the section blocking and logging all packets for that interface and direction. This set of rules defines the outbound section of the public interface named [.filename]#dc0#. These rules keep state and identify the specific services that internal systems are authorized for public Internet access. All the rules use `quick` and specify the appropriate port numbers and, where applicable, destination addresses. [.programlisting] .... # interface facing Internet (outbound) # Matches session start requests originating from or behind the # firewall, destined for the Internet. # Allow outbound access to public DNS servers. # Replace x.x.x.x with address listed in /etc/resolv.conf. # Repeat for each DNS server. pass out quick on dc0 proto tcp from any to x.x.x.x port = 53 flags S keep state pass out quick on dc0 proto udp from any to x.x.x.x port = 53 keep state # Allow access to ISP's specified DHCP server for cable or DSL networks. # Use the first rule, then check log for the IP address of DHCP server. # Then, uncomment the second rule, replace z.z.z.z with the IP address, # and comment out the first rule pass out log quick on dc0 proto udp from any to any port = 67 keep state #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state # Allow HTTP and HTTPS pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state # Allow email pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state # Allow NTP pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state # Allow FTP pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state # Allow SSH pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state # Allow ping pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state # Block and log everything else block out log first quick on dc0 all .... This example of the rules in the inbound section of the public interface blocks all undesirable packets first. This reduces the number of packets that are logged by the last rule. [.programlisting] .... # interface facing Internet (inbound) # Block all inbound traffic from non-routable or reserved address spaces block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP block in quick on dc0 from 127.0.0.0/8 to any #loopback block in quick on dc0 from 0.0.0.0/8 to any #loopback block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast # Block fragments and too short tcp packets block in quick on dc0 all with frags block in quick on dc0 proto tcp all with short # block source routed packets block in quick on dc0 all with opt lsrr block in quick on dc0 all with opt ssrr # Block OS fingerprint attempts and log first occurrence block in log first quick on dc0 proto tcp from any to any flags FUP # Block anything with special options block in quick on dc0 all with ipopts # Block public pings and ident block in quick on dc0 proto icmp all icmp-type 8 block in quick on dc0 proto tcp from any to any port = 113 # Block incoming Netbios services block in log first quick on dc0 proto tcp/udp from any to any port = 137 block in log first quick on dc0 proto tcp/udp from any to any port = 138 block in log first quick on dc0 proto tcp/udp from any to any port = 139 block in log first quick on dc0 proto tcp/udp from any to any port = 81 .... Any time there are logged messages on a rule with the `log first` option, run `ipfstat -hio` to evaluate how many times the rule has been matched. A large number of matches may indicate that the system is under attack. The rest of the rules in the inbound section define which connections are allowed to be initiated from the Internet. The last rule denies all connections which were not explicitly allowed by previous rules in this section. [.programlisting] .... # Allow traffic in from ISP's DHCP server. Replace z.z.z.z with # the same IP address used in the outbound section. pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state # Allow public connections to specified internal web server pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state # Block and log only first occurrence of all remaining traffic. block in log first quick on dc0 all .... === Configuring NAT To enable NAT, add these statements to [.filename]#/etc/rc.conf# and specify the name of the file containing the NAT rules: [.programlisting] .... gateway_enable="YES" ipnat_enable="YES" ipnat_rules="/etc/ipnat.rules" .... NAT rules are flexible and can accomplish many different things to fit the needs of both commercial and home users. The rule syntax presented here has been simplified to demonstrate common usage. For a complete rule syntax description, refer to man:ipnat[5]. The basic syntax for a NAT rule is as follows, where `map` starts the rule and _IF_ should be replaced with the name of the external interface: [.programlisting] .... map IF LAN_IP_RANGE -> PUBLIC_ADDRESS .... The _LAN_IP_RANGE_ is the range of IP addresses used by internal clients. Usually, it is a private address range such as `192.168.1.0/24`. The _PUBLIC_ADDRESS_ can either be the static external IP address or the keyword `0/32` which represents the IP address assigned to _IF_. In IPF, when a packet arrives at the firewall from the LAN with a public destination, it first passes through the outbound rules of the firewall ruleset. Then, the packet is passed to the NAT ruleset which is read from the top down, where the first matching rule wins. IPF tests each NAT rule against the packet's interface name and source IP address. When a packet's interface name matches a NAT rule, the packet's source IP address in the private LAN is checked to see if it falls within the IP address range specified in _LAN_IP_RANGE_. On a match, the packet has its source IP address rewritten with the public IP address specified by _PUBLIC_ADDRESS_. IPF posts an entry in its internal NAT table so that when the packet returns from the Internet, it can be mapped back to its original private IP address before being passed to the firewall rules for further processing. For networks that have large numbers of internal systems or multiple subnets, the process of funneling every private IP address into a single public IP address becomes a resource problem. Two methods are available to relieve this issue. The first method is to assign a range of ports to use as source ports. By adding the `portmap` keyword, NAT can be directed to only use source ports in the specified range: [.programlisting] .... map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000 .... Alternately, use the `auto` keyword which tells NAT to determine the ports that are available for use: [.programlisting] .... map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto .... The second method is to use a pool of public addresses. This is useful when there are too many LAN addresses to fit into a single public address and a block of public IP addresses is available. These public addresses can be used as a pool from which NAT selects an IP address as a packet's address is mapped on its way out. The range of public IP addresses can be specified using a netmask or CIDR notation. These two rules are equivalent: [.programlisting] .... map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0 map dc0 192.168.1.0/24 -> 204.134.75.0/24 .... A common practice is to have a publicly accessible web server or mail server segregated to an internal network segment. The traffic from these servers still has to undergo NAT, but port redirection is needed to direct inbound traffic to the correct server. For example, to map a web server using the internal address `10.0.10.25` to its public IP address of `20.20.20.5`, use this rule: [.programlisting] .... rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80 .... If it is the only web server, this rule would also work as it redirects all external HTTP requests to `10.0.10.25`: [.programlisting] .... rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80 .... IPF has a built in FTP proxy which can be used with NAT. It monitors all outbound traffic for active or passive FTP connection requests and dynamically creates temporary filter rules containing the port number used by the FTP data channel. This eliminates the need to open large ranges of high order ports for FTP connections. In this example, the first rule calls the proxy for outbound FTP traffic from the internal LAN. The second rule passes the FTP traffic from the firewall to the Internet, and the third rule handles all non-FTP traffic from the internal LAN: [.programlisting] .... map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp map dc0 10.0.10.0/29 -> 0/32 .... The FTP `map` rules go before the NAT rule so that when a packet matches an FTP rule, the FTP proxy creates temporary filter rules to let the FTP session packets pass and undergo NAT. All LAN packets that are not FTP will not match the FTP rules but will undergo NAT if they match the third rule. Without the FTP proxy, the following firewall rules would instead be needed. Note that without the proxy, all ports above `1024` need to be allowed: [.programlisting] .... # Allow out LAN PC client FTP to public Internet # Active and passive modes pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state # Allow out passive mode data channel high order port numbers pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state .... Whenever the file containing the NAT rules is edited, run `ipnat` with `-CF` to delete the current NAT rules and flush the contents of the dynamic translation table. Include `-f` and specify the name of the NAT ruleset to load: [source,shell] .... # ipnat -CF -f /etc/ipnat.rules .... To display the NAT statistics: [source,shell] .... # ipnat -s .... To list the NAT table's current mappings: [source,shell] .... # ipnat -l .... To turn verbose mode on and display information relating to rule processing and active rules and table entries: [source,shell] .... # ipnat -v .... === Viewing IPF Statistics IPF includes man:ipfstat[8] which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using `ipf -Z`. The default `ipfstat` output looks like this: [source,shell] .... input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 input packets logged: blocked 99286 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 3898 output 0 fragment state(in): kept 0 lost 0 fragment state(out): kept 0 lost 0 packet state(in): kept 169364 lost 0 packet state(out): kept 431395 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Result cache hits(in): 1215208 (out): 1098963 IN Pullups succeeded: 2 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails(in): 0 (out): 0 Packet log flags set: (0) .... Several options are available. When supplied with either `-i` for inbound or `-o` for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. To also see the rule numbers, include `-n`. For example, `ipfstat -on` displays the outbound rules table with rule numbers: [source,shell] .... @1 pass out on xl0 from any to any @2 block out on dc0 from any to any @3 pass out quick on dc0 proto tcp/udp from any to any keep state .... Include `-h` to prefix each rule with a count of how many times the rule was matched. For example, `ipfstat -oh` displays the outbound internal rules table, prefixing each rule with its usage count: [source,shell] .... 2451423 pass out on xl0 from any to any 354727 block out on dc0 from any to any 430918 pass out quick on dc0 proto tcp/udp from any to any keep state .... To display the state table in a format similar to man:top[1], use `ipfstat -t`. When the firewall is under attack, this option provides the ability to identify and see the attacking packets. The optional sub-flags give the ability to select the destination or source IP, port, or protocol to be monitored in real time. Refer to man:ipfstat[8] for details. === IPF Logging IPF provides `ipmon`, which can be used to write the firewall's logging information in a human readable format. It requires that `options IPFILTER_LOG` be first added to a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. This command is typically run in daemon mode in order to provide a continuous system log file so that logging of past events may be reviewed. Since FreeBSD has a built in man:syslogd[8] facility to automatically rotate system logs, the default [.filename]#rc.conf# `ipmon_flags` statement uses `-Ds`: [.programlisting] .... ipmon_flags="-Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq # n = map IP & port to names .... Logging provides the ability to review, after the fact, information such as which packets were dropped, what addresses they came from, and where they were going. This information is useful in tracking down attackers. Once the logging facility is enabled in [.filename]#rc.conf# and started with `service ipmon start`, IPF will only log the rules which contain the `log` keyword. The firewall administrator decides which rules in the ruleset should be logged and normally only deny rules are logged. It is customary to include the `log` keyword in the last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset. By default, `ipmon -Ds` mode uses `local0` as the logging facility. The following logging levels can be used to further segregate the logged data: [source,shell] .... LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. LOG_NOTICE - packets logged which are also passed LOG_WARNING - packets logged which are also blocked LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header .... In order to setup IPF to log all data to [.filename]#/var/log/ipfilter.log#, first create the empty file: [source,shell] .... # touch /var/log/ipfilter.log .... Then, to write all logged messages to the specified file, add the following statement to [.filename]#/etc/syslog.conf#: [.programlisting] .... local0.* /var/log/ipfilter.log .... To activate the changes and instruct man:syslogd[8] to read the modified [.filename]#/etc/syslog.conf#, run `service syslogd reload`. Do not forget to edit [.filename]#/etc/newsyslog.conf# to rotate the new log file. Messages generated by `ipmon` consist of data fields separated by white space. Fields common to all messages are: . The date of packet receipt. . The time of packet receipt. This is in the form HH:MM:SS.F, for hours, minutes, seconds, and fractions of a second. . The name of the interface that processed the packet. . The group and rule number of the rule in the format `@0:17`. . The action: `p` for passed, `b` for blocked, `S` for a short packet, `n` did not match any rules, and `L` for a log rule. . The addresses written as three fields: the source address and port separated by a comma, the -> symbol, and the destination address and port. For example: `209.53.17.22,80 -> 198.73.220.17,1722`. . `PR` followed by the protocol name or number: for example, `PR tcp`. . `len` followed by the header length and total length of the packet: for example, `len 20 40`. If the packet is a TCP packet, there will be an additional field starting with a hyphen followed by letters corresponding to any flags that were set. Refer to man:ipf[5] for a list of letters and their flags. If the packet is an ICMP packet, there will be two fields at the end: the first always being "icmp" and the next being the ICMP message and sub-message type, separated by a slash. For example: `icmp 3/3` for a port unreachable message. [[firewalls-blacklistd]] == Blacklistd Blacklistd is a daemon listening to sockets awaiting to receive notifications from other daemons about connection attempts that failed or were successful. It is most widely used in blocking too many connection attempts on open ports. A prime example is SSH running on the internet getting a lot of requests from bots or scripts trying to guess passwords and gain access. Using blacklistd, the daemon can notify the firewall to create a filter rule to block excessive connection attempts from a single source after a number of tries. Blacklistd was first developed on NetBSD and appeared there in version 7. FreeBSD 11 imported blacklistd from NetBSD. This chapter describes how to set up blacklistd, configure it, and provides examples on how to use it. Readers should be familiar with basic firewall concepts like rules. For details, refer to the firewall chapter. PF is used in the examples, but other firewalls available on FreeBSD should be able to work with blacklistd, too. === Enabling Blacklistd The main configuration for blacklistd is stored in man:blacklistd.conf[5]. Various command line options are also available to change blacklistd's run-time behavior. Persistent configuration across reboots should be stored in [.filename]#/etc/blacklistd.conf#. To enable the daemon during system boot, add a `blacklistd_enable` line to [.filename]#/etc/rc.conf# like this: [source,shell] .... # sysrc blacklistd_enable=yes .... To start the service manually, run this command: [source,shell] .... # service blacklistd start .... === Creating a Blacklistd Ruleset Rules for blacklistd are configured in man:blacklistd.conf[5] with one entry per line. Each rule contains a tuple separated by spaces or tabs. Rules either belong to a `local` or a `remote`, which applies to the machine where blacklistd is running or an outside source, respectively. ==== Local Rules An example blacklistd.conf entry for a local rule looks like this: [.programlisting] .... [local] ssh stream * * * 3 24h .... All rules that follow the `[local]` section are treated as local rules (which is the default), applying to the local machine. When a `[remote]` section is encountered, all rules that follow it are handled as remote machine rules. Seven fields separated by either tabs or spaces define a rule. The first four fields identify the traffic that should be blocklisted. The three fields that follow define backlistd's behavior. Wildcards are denoted as asterisks (`*`), matching anything in this field. The first field defines the location. In local rules, these are the network ports. The syntax for the location field is as follows: [.programlisting] .... [address|interface][/mask][:port] .... Addresses can be specified as IPv4 in numeric format or IPv6 in square brackets. An interface name like `_em0_` can also be used. The socket type is defined by the second field. TCP sockets are of type `stream`, whereas UDP is denoted as `dgram`. The example above uses TCP, since SSH is using that protocol. A protocol can be used in the third field of a blacklistd rule. The following protocols can be used: `tcp`, `udp`, `tcp6`, `udp6`, or numeric. A wildcard, like in the example, is typically used to match all protocols unless there is a reason to distinguish traffic by a certain protocol. In the fourth field, the effective user or owner of the daemon process that is reporting the event is defined. The username or UID can be used here, as well as a wildcard (see example rule above). The packet filter rule name is declared by the fifth field, which starts the behavior part of the rule. By default, blacklistd puts all blocks under a pf anchor called `blacklistd` in [.filename]#pf.conf# like this: [.programlisting] .... anchor "blacklistd/*" in on $ext_if block in pass out .... For separate blocklists, an anchor name can be used in this field. In other cases, the wildcard will suffice. When a name starts with a hyphen (`-`) it means that an anchor with the default rule name prepended should be used. A modified example from the above using the hyphen would look like this: [.programlisting] .... ssh stream * * -ssh 3 24h .... With such a rule, any new blocklist rules are added to an anchor called `blacklistd-ssh`. To block whole subnets for a single rule violation, a `/` in the rule name can be used. This causes the remaining portion of the name to be interpreted as the mask to be applied to the address specified in the rule. For example, this rule would block every address adjoining `/24`. [.programlisting] .... 22 stream tcp * */24 3 24h .... [NOTE] ==== It is important to specify the proper protocol here. IPv4 and IPv6 treat /24 differently, that is the reason why `*` cannot be used in the third field for this rule. ==== This rule defines that if any one host in that network is misbehaving, everything else on that network will be blocked, too. The sixth field, called `nfail`, sets the number of login failures required to blocklist the remote IP in question. When a wildcard is used at this position, it means that blocks will never happen. In the example rule above, a limit of three is defined meaning that after three attempts to log into SSH on one connection, the IP is blocked. The last field in a blacklistd rule definition specifies how long a host is blocklisted. The default unit is seconds, but suffixes like `m`, `h`, and `d` can also be specified for minutes, hours, and days, respectively. The example rule in its entirety means that after three times authenticating to SSH will result in a new PF block rule for that host. Rule matches are performed by first checking local rules one after another, from most specific to least specific. When a match occurs, the `remote` rules are applied and the name, `nfail`, and disable fields are changed by the `remote` rule that matched. ==== Remote Rules Remote rules are used to specify how blacklistd changes its behavior depending on the remote host currently being evaluated. Each field in a remote rule is the same as in a local rule. The only difference is in the way blacklistd is using them. To explain it, this example rule is used: [.programlisting] .... [remote] 203.0.113.128/25 * * * =/25 = 48h .... The address field can be an IP address (either v4 or v6), a port or both. This allows setting special rules for a specific remote address range like in this example. The fields for socket type, protocol and owner are identically interpreted as in the local rule. The name fields is different though: the equal sign (`=`) in a remote rule tells blacklistd to use the value from the matching local rule. It means that the firewall rule entry is taken and the `/25` prefix (a netmask of `255.255.255.128`) is added. When a connection from that address range is blocklisted, the entire subnet is affected. A PF anchor name can also be used here, in which case blacklistd will add rules for this address block to the anchor of that name. The default table is used when a wildcard is specified. A custom number of failures in the `nfail` column can be defined for an address. This is useful for exceptions to a specific rule, to maybe allow someone a less strict application of rules or a bit more leniency in login tries. Blocking is disabled when an asterisk is used in this sixth field. Remote rules allow a stricter enforcement of limits on attempts to log in compared to attempts coming from a local network like an office. === Blacklistd Client Configuration There are a few software packages in FreeBSD that can utilize blacklistd's functionality. The two most prominent ones are man:ftpd[8] and man:sshd[8] to block excessive connection attempts. To activate blacklistd in the SSH daemon, add the following line to [.filename]#/etc/ssh/sshd_config#: [.programlisting] .... UseBlacklist yes .... Restart sshd afterwards to make these changes take effect. Blacklisting for man:ftpd[8] is enabled using `-B`, either in [.filename]#/etc/inetd.conf# or as a flag in [.filename]#/etc/rc.conf# like this: [.programlisting] .... ftpd_flags="-B" .... That is all that is needed to make these programs talk to blacklistd. === Blacklistd Management Blacklistd provides the user with a management utility called man:blacklistctl[8]. It displays blocked addresses and networks that are blocklisted by the rules defined in man:blacklistd.conf[5]. To see the list of currently blocked hosts, use `dump` combined with `-b` like this. [source,shell] .... # blacklistctl dump -b address/ma:port id nfail last access 213.0.123.128/25:22 OK 6/3 2019/06/08 14:30:19 .... This example shows that there were 6 out of three permitted attempts on port 22 coming from the address range `213.0.123.128/25`. There are more attempts listed than are allowed because SSH allows a client to try multiple logins on a single TCP connection. A connection that is currently going on is not stopped by blacklistd. The last connection attempt is listed in the `last access` column of the output. To see the remaining time that this host will be on the blocklist, add `-r` to the previous command. [source,shell] .... # blacklistctl dump -br address/ma:port id nfail remaining time 213.0.123.128/25:22 OK 6/3 36s .... In this example, there are 36s seconds left until this host will not be blocked any more. === Removing Hosts from the Block List Sometimes it is necessary to remove a host from the block list before the remaining time expires. Unfortunately, there is no functionality in blacklistd to do that. However, it is possible to remove the address from the PF table using pfctl. For each blocked port, there is a child anchor inside the blacklistd anchor defined in [.filename]#/etc/pf.conf#. For example, if there is a child anchor for blocking port 22 it is called `blacklistd/22`. There is a table inside that child anchor that contains the blocked addresses. This table is called port followed by the port number. In this example, it would be called `port22`. With that information at hand, it is now possible to use man:pfctl[8] to display all addresses listed like this: [source,shell] .... # pfctl -a blacklistd/22 -t port22 -T show ... 213.0.123.128/25 ... .... After identifying the address to be unblocked from the list, the following command removes it from the list: [source,shell] .... # pfctl -a blacklistd/22 -t port22 -T delete 213.0.123.128/25 .... The address is now removed from PF, but will still show up in the blacklistctl list, since it does not know about any changes made in PF. The entry in blacklistd's database will eventually expire and be removed from its output. The entry will be added again if the host is matching one of the block rules in blacklistd again. diff --git a/documentation/content/en/books/handbook/firewalls/_index.po b/documentation/content/en/books/handbook/firewalls/_index.po index 14d6b5b4b0..b7738a80aa 100644 --- a/documentation/content/en/books/handbook/firewalls/_index.po +++ b/documentation/content/en/books/handbook/firewalls/_index.po @@ -1,5621 +1,5621 @@ # SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2024-09-14 14:59-0300\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/books/handbook/firewalls/_index.adoc:1 #, no-wrap msgid "FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them" msgstr "" #. type: YAML Front Matter: part #: documentation/content/en/books/handbook/firewalls/_index.adoc:1 #, no-wrap msgid "IV. Network Communication" msgstr "" #. type: YAML Front Matter: title #: documentation/content/en/books/handbook/firewalls/_index.adoc:1 #, no-wrap msgid "Chapter 33. Firewalls" msgstr "" #. type: Title = #: documentation/content/en/books/handbook/firewalls/_index.adoc:14 #, no-wrap msgid "Firewalls" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:52 #, no-wrap msgid "Synopsis" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:57 msgid "" "Firewalls make it possible to filter the incoming and outgoing traffic that " "flows through a system. A firewall can use one or more sets of \"rules\" to " "inspect network packets as they come in or go out of network connections and " "either allows the traffic through or blocks it. The rules of a firewall can " "inspect one or more characteristics of the packets such as the protocol " "type, source or destination host address, and source or destination port." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:60 msgid "" "Firewalls can enhance the security of a host or a network. They can be used " "to do one or more of the following:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:62 msgid "" "Protect and insulate the applications, services, and machines of an internal " "network from unwanted traffic from the public Internet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:63 msgid "" "Limit or disable access from hosts of the internal network to services of " "the public Internet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:64 msgid "" "Support network address translation (NAT), which allows an internal network " "to use private IP addresses and share a single connection to the public " "Internet using either a single IP address or a shared pool of automatically " "assigned public addresses." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:69 msgid "" "FreeBSD has three firewalls built into the base system: PF, IPFW, and " "IPFILTER, also known as IPF. FreeBSD also provides two traffic shapers for " "controlling bandwidth usage: man:altq[4] and man:dummynet[4]. ALTQ has " "traditionally been closely tied with PF and dummynet with IPFW. Each " "firewall uses rules to control the access of packets to and from a FreeBSD " "system, although they go about it in different ways and each has a different " "rule syntax." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:72 msgid "" "FreeBSD provides multiple firewalls in order to meet the different " "requirements and preferences for a wide variety of users. Each user should " "evaluate which firewall best meets their needs." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:74 msgid "After reading this chapter, you will know:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:76 msgid "How to define packet filtering rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:77 msgid "The differences between the firewalls built into FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:78 msgid "How to use and configure the PF firewall." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:79 msgid "How to use and configure the IPFW firewall." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:80 msgid "How to use and configure the IPFILTER firewall." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:82 msgid "Before reading this chapter, you should:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:84 msgid "Understand basic FreeBSD and Internet concepts." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:89 msgid "" "Since all firewalls are based on inspecting the values of selected packet " "control fields, the creator of the firewall ruleset must have an " "understanding of how TCP/IP works, what the different values in the packet " "control fields are, and how these values are used in a normal session " "conversation. For a good introduction, refer to http://www.ipprimer." "com[Daryl's TCP/IP Primer]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:92 #, no-wrap msgid "Firewall Concepts" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:100 msgid "" "A ruleset contains a group of rules which pass or block packets based on the " "values contained in the packet. The bi-directional exchange of packets " "between hosts comprises a session conversation. The firewall ruleset " "processes both the packets arriving from the public Internet, as well as the " "packets produced by the system as a response to them. Each TCP/IP service " "is predefined by its protocol and listening port. Packets destined for a " "specific service originate from the source address using an unprivileged " "port and target the specific service port on the destination address. All " "the above parameters can be used as selection criteria to create rules which " "will pass or block services." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:103 msgid "" "To lookup unknown port numbers, refer to [.filename]#/etc/services#. " -"Alternatively, visit http://en.wikipedia.org/wiki/" -"List_of_TCP_and_UDP_port_numbers[http://en.wikipedia.org/wiki/" +"Alternatively, visit https://en.wikipedia.org/wiki/" +"List_of_TCP_and_UDP_port_numbers[https://en.wikipedia.org/wiki/" "List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the " "purpose of a particular port number." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:105 msgid "" "Check out this link for http://web.archive.org/web/20150803024617/http://www." "sans.org/security-resources/idfaq/oddports.php[port numbers used by Trojans]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:110 msgid "" "FTP has two modes: active mode and passive mode. The difference is in how " "the data channel is acquired. Passive mode is more secure as the data " "channel is acquired by the ordinal ftp session requester. For a good " "explanation of FTP and the different modes, see http://www.slacksite.com/" "other/ftp.html[http://www.slacksite.com/other/ftp.html]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:114 msgid "" "A firewall ruleset can be either \"exclusive\" or \"inclusive\". An " "exclusive firewall allows all traffic through except for the traffic " "matching the ruleset. An inclusive firewall does the reverse as it only " "allows traffic matching the rules through and blocks everything else." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:119 msgid "" "An inclusive firewall offers better control of the outgoing traffic, making " "it a better choice for systems that offer services to the public Internet. " "It also controls the type of traffic originating from the public Internet " "that can gain access to a private network. All traffic that does not match " "the rules is blocked and logged. Inclusive firewalls are generally safer " "than exclusive firewalls because they significantly reduce the risk of " "allowing unwanted traffic." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:123 msgid "" "Unless noted otherwise, all configuration and example rulesets in this " "chapter create inclusive firewall rulesets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:127 msgid "" "Security can be tightened further using a \"stateful firewall\". This type " "of firewall keeps track of open connections and only allows traffic which " "either matches an existing connection or opens a new, allowed connection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:132 msgid "" "Stateful filtering treats traffic as a bi-directional exchange of packets " "comprising a session. When state is specified on a matching rule the " "firewall dynamically generates internal rules for each anticipated packet " "being exchanged during the session. It has sufficient matching capabilities " "to determine if a packet is valid for a session. Any packets that do not " "properly fit the session template are automatically rejected." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:134 msgid "When the session completes, it is removed from the dynamic state table." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:139 msgid "" "Stateful filtering allows one to focus on blocking/passing new sessions. If " "the new session is passed, all its subsequent packets are allowed " "automatically and any impostor packets are automatically rejected. If a new " "session is blocked, none of its subsequent packets are allowed. Stateful " "filtering provides advanced matching abilities capable of defending against " "the flood of different attack methods employed by attackers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:143 msgid "" "NAT stands for _Network Address Translation_. NAT function enables the " "private LAN behind the firewall to share a single ISP-assigned IP address, " "even if that address is dynamically assigned. NAT allows each computer in " "the LAN to have Internet access, without having to pay the ISP for multiple " "Internet accounts or IP addresses." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:146 msgid "" "NAT will automatically translate the private LAN IP address for each system " "on the LAN to the single public IP address as packets exit the firewall " "bound for the public Internet. It also performs the reverse translation for " "returning packets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:148 msgid "" "According to RFC 1918, the following IP address ranges are reserved for " "private networks which will never be routed directly to the public Internet, " "and therefore are available for use with NAT:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:150 msgid "`10.0.0.0/8`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:151 msgid "`172.16.0.0/12`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:152 msgid "`192.168.0.0/16`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:158 msgid "" "When working with the firewall rules, be _very careful_. Some " "configurations _can lock the administrator out_ of the server. To be on the " "safe side, consider performing the initial firewall configuration from the " "local console rather than doing it remotely over ssh." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:161 #, no-wrap msgid "PF" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:165 msgid "" "Since FreeBSD 5.3, a ported version of OpenBSD's PF firewall has been " "included as an integrated part of the base system. PF is a complete, full-" "featured firewall that has optional support for ALTQ (Alternate Queuing), " "which provides Quality of Service (QoS)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:168 msgid "" "The OpenBSD Project maintains the definitive reference for PF in the http://" "www.openbsd.org/faq/pf/[PF FAQ]. Peter Hansteen maintains a thorough PF " "tutorial at http://home.nuug.no/\\~peter/pf/[http://home.nuug.no/~peter/pf/]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:173 msgid "" "When reading the http://www.openbsd.org/faq/pf/[PF FAQ], keep in mind that " "FreeBSD's version of PF has diverged substantially from the upstream OpenBSD " "version over the years. Not all features work the same way on FreeBSD as " "they do in OpenBSD and vice versa." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:177 msgid "" "The {freebsd-pf} is a good place to ask questions about configuring and " "running the PF firewall. Check the mailing list archives before asking a " "question as it may have already been answered." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:181 msgid "" "This section of the Handbook focuses on PF as it pertains to FreeBSD. It " "demonstrates how to enable PF and ALTQ. It also provides several examples " "for creating rulesets on a FreeBSD system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:182 #, no-wrap msgid "Enabling PF" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:186 msgid "" "To use PF, its kernel module must be first loaded. This section describes " "the entries that can be added to [.filename]#/etc/rc.conf# to enable PF." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:188 msgid "Start by adding `pf_enable=yes` to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:192 #, no-wrap msgid "# sysrc pf_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:196 msgid "" "Additional options, described in man:pfctl[8], can be passed to PF when it " "is started. Add or change this entry in [.filename]#/etc/rc.conf# and " "specify any required flags between the two quotes (`\"\"`):" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:200 #, no-wrap msgid "pf_flags=\"\" # additional flags for pfctl startup\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:206 msgid "" "PF will not start if it cannot find its ruleset configuration file. By " "default, FreeBSD does not ship with a ruleset and there is no [.filename]#/" "etc/pf.conf#. Example rulesets can be found in [.filename]#/usr/share/" "examples/pf/#. If a custom ruleset has been saved somewhere else, add a " "line to [.filename]#/etc/rc.conf# which specifies the full path to the file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:210 #, no-wrap msgid "pf_rules=\"/path/to/pf.conf\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:214 msgid "" "Logging support for PF is provided by man:pflog[4]. To enable logging " "support, add `pflog_enable=yes` to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:218 #, no-wrap msgid "# sysrc pflog_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:221 msgid "" "The following lines can also be added to change the default location of the " "log file or to specify any additional flags to pass to man:pflog[4] when it " "is started:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:226 #, no-wrap msgid "" "pflog_logfile=\"/var/log/pflog\" # where pflogd should store the logfile\n" "pflog_flags=\"\" # additional flags for pflogd startup\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:229 msgid "" "Finally, if there is a LAN behind the firewall and packets need to be " "forwarded for the computers on the LAN, or NAT is required, enable the " "following option:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:233 #, no-wrap msgid "gateway_enable=\"YES\" # Enable as LAN gateway\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:236 msgid "" "After saving the needed edits, PF can be started with logging support by " "typing:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:241 #, no-wrap msgid "" "# service pf start\n" "# service pflog start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:246 msgid "" "By default, PF reads its configuration rules from [.filename]#/etc/pf.conf# " "and modifies, drops, or passes packets according to the rules or definitions " "specified in this file. The FreeBSD installation includes several sample " "files located in [.filename]#/usr/share/examples/pf/#. Refer to the http://" "www.openbsd.org/faq/pf/[PF FAQ] for complete coverage of PF rulesets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:250 msgid "" "To control PF, use `pfctl`. crossref:firewalls[pfctl] summarizes some " "useful options to this command. Refer to man:pfctl[8] for a description of " "all available options:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/firewalls/_index.adoc:251 #, no-wrap msgid "Useful `pfctl` Options" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:255 #, no-wrap msgid "Command" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:257 #, no-wrap msgid "Purpose" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:258 #, no-wrap msgid "`pfctl -e`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:260 #, no-wrap msgid "Enable PF." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:261 #, no-wrap msgid "`pfctl -d`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:263 #, no-wrap msgid "Disable PF." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:264 #, no-wrap msgid "`pfctl -F all -f /etc/pf.conf`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:266 #, no-wrap msgid "Flush all NAT, filter, state, and table rules and reload [.filename]#/etc/pf.conf#." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:266 #, no-wrap msgid "`pfctl -s [ rules \\" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:266 #, no-wrap msgid "nat \\" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:267 #, no-wrap msgid "states ]`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:269 #, no-wrap msgid "Report on the filter rules, NAT rules, or state table." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:270 #, no-wrap msgid "`pfctl -vnf /etc/pf.conf`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:271 #, no-wrap msgid "Check [.filename]#/etc/pf.conf# for errors, but do not load ruleset." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:277 msgid "" "package:security/sudo[] is useful for running commands like `pfctl` that " "require elevated privileges. It can be installed from the Ports Collection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:281 msgid "" "To keep an eye on the traffic that passes through the PF firewall, consider " "installing the package:sysutils/pftop[] package or port. Once installed, " "pftop can be run to view a running snapshot of traffic in a format which is " "similar to man:top[1]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:283 #, no-wrap msgid "PF Rulesets" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:287 msgid "" "This section demonstrates how to create a customized ruleset. It starts " "with the simplest of rulesets and builds upon its concepts using several " "examples to demonstrate real-world usage of PF's many features." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:290 msgid "" "The simplest possible ruleset is for a single machine that does not run any " "services and which needs access to one network, which may be the Internet. " "To create this minimal ruleset, edit [.filename]#/etc/pf.conf# so it looks " "like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:295 #, no-wrap msgid "" "block in all\n" "pass out all keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:301 msgid "" "The first rule denies all incoming traffic by default. The second rule " "allows connections created by this system to pass out, while retaining state " "information on those connections. This state information allows return " "traffic for those connections to pass back and should only be used on " "machines that can be trusted. The ruleset can be loaded with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:305 #, no-wrap msgid "# pfctl -e ; pfctl -f /etc/pf.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:310 msgid "" "In addition to keeping state, PF provides _lists_ and _macros_ which can be " "defined for use when creating rules. Macros can include lists and need to " "be defined before use. As an example, insert these lines at the very top of " "the ruleset:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:315 #, no-wrap msgid "" "tcp_services = \"{ ssh, smtp, domain, www, pop3, auth, pop3s }\"\n" "udp_services = \"{ domain }\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:322 msgid "" "PF understands port names as well as port numbers, as long as the names are " "listed in [.filename]#/etc/services#. This example creates two macros. The " "first is a list of seven TCP port names and the second is one UDP port " "name. Once defined, macros can be used in rules. In this example, all " "traffic is blocked except for the connections initiated by this system for " "the seven specified TCP services and the one specified UDP service:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:330 #, no-wrap msgid "" "tcp_services = \"{ ssh, smtp, domain, www, pop3, auth, pop3s }\"\n" "udp_services = \"{ domain }\"\n" "block all\n" "pass out proto tcp to any port $tcp_services keep state\n" "pass proto udp to any port $udp_services keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:334 msgid "" "Even though UDP is considered to be a stateless protocol, PF is able to " "track some state information. For example, when a UDP request is passed " "which asks a name server about a domain name, PF will watch for the response " "to pass it back." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:336 msgid "" "Whenever an edit is made to a ruleset, the new rules must be loaded so they " "can be used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:340 #: documentation/content/en/books/handbook/firewalls/_index.adoc:558 #, no-wrap msgid "# pfctl -f /etc/pf.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:344 msgid "" "If there are no syntax errors, `pfctl` will not output any messages during " "the rule load. Rules can also be tested before attempting to load them:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:348 #, no-wrap msgid "# pfctl -nf /etc/pf.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:353 msgid "" "Including `-n` causes the rules to be interpreted only, but not loaded. " "This provides an opportunity to correct any errors. At all times, the last " "valid ruleset loaded will be enforced until either PF is disabled or a new " "ruleset is loaded." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:358 msgid "" "Adding `-v` to a `pfctl` ruleset verify or load will display the fully " "parsed rules exactly the way they will be loaded. This is extremely useful " "when debugging rules." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:361 #, no-wrap msgid "A Simple Gateway with NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:366 msgid "" "This section demonstrates how to configure a FreeBSD system running PF to " "act as a gateway for at least one other machine. The gateway needs at least " "two network interfaces, each connected to a separate network. In this " "example, [.filename]#xl0# is connected to the Internet and [.filename]#xl1# " "is connected to the internal network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:369 msgid "" "First, enable the gateway to let the machine forward the network traffic it " "receives on one interface to another interface. This sysctl setting will " "forward IPv4 packets:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:373 #, no-wrap msgid "# sysctl net.inet.ip.forwarding=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:376 msgid "To forward IPv6 traffic, use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:380 #, no-wrap msgid "# sysctl net.inet6.ip6.forwarding=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:383 msgid "" "To enable these settings at system boot, use man:sysrc[8] to add them to [." "filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:388 #, no-wrap msgid "" "# sysrc gateway_enable=yes\n" "# sysrc ipv6_gateway_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:391 msgid "Verify with `ifconfig` that both of the interfaces are up and running." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:394 msgid "" "Next, create the PF rules to allow the gateway to pass traffic. While the " "following rule allows stateful traffic from hosts of the internal network to " "pass to the gateway, the `to` keyword does not guarantee passage all the way " "from source to destination:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:398 #, no-wrap msgid "pass in on xl1 from xl1:network to xl0:network port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:402 msgid "" "That rule only lets the traffic pass in to the gateway on the internal " "interface. To let the packets go further, a matching rule is needed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:406 #, no-wrap msgid "pass out on xl0 from xl1:network to xl0:network port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:412 msgid "" "While these two rules will work, rules this specific are rarely needed. For " "a busy network admin, a readable ruleset is a safer ruleset. The remainder " "of this section demonstrates how to keep the rules as simple as possible for " "readability. For example, those two rules could be replaced with one rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:416 #, no-wrap msgid "pass from xl1:network to any port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:421 msgid "" "The `interface:network` notation can be replaced with a macro to make the " "ruleset even more readable. For example, a `$localnet` macro could be " "defined as the network directly attached to the internal interface (`$xl1:" "network`). Alternatively, the definition of `$localnet` could be changed to " "an _IP address/netmask_ notation to denote a network, such as " "`192.168.100.1/24` for a subnet of private addresses." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:424 msgid "" "If required, `$localnet` could even be defined as a list of networks. " "Whatever the specific needs, a sensible `$localnet` definition could be used " "in a typical pass rule as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:428 #, no-wrap msgid "pass from $localnet to any port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:432 msgid "" "The following sample ruleset allows all traffic initiated by machines on the " "internal network. It first defines two macros to represent the external and " "internal 3COM interfaces of the gateway." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:437 msgid "" "For dialup users, the external interface will use [.filename]#tun0#. For an " "ADSL connection, specifically those using PPP over Ethernet (PPPoE), the " "correct external interface is [.filename]#tun0#, not the physical Ethernet " "interface." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:448 #, no-wrap msgid "" "ext_if = \"xl0\"\t# macro for external interface - use tun0 for PPPoE\n" "int_if = \"xl1\"\t# macro for internal interface\n" "localnet = $int_if:network\n" "# ext_if IP address could be dynamic, hence ($ext_if)\n" "nat on $ext_if from $localnet to any -> ($ext_if)\n" "block all\n" "pass from { lo0, $localnet } to any keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:453 msgid "" "This ruleset introduces the `nat` rule which is used to handle the network " "address translation from the non-routable addresses inside the internal " "network to the IP address assigned to the external interface. The " "parentheses surrounding the last part of the nat rule `($ext_if)` is " "included when the IP address of the external interface is dynamically " "assigned. It ensures that network traffic runs without serious " "interruptions even if the external IP address changes." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:456 msgid "" "Note that this ruleset probably allows more traffic to pass out of the " "network than is needed. One reasonable setup could create this macro:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:461 #, no-wrap msgid "" "client_out = \"{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \\\n" " https, cvspserver, 2628, 5999, 8000, 8080 }\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:464 msgid "to use in the main pass rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:469 #, no-wrap msgid "" "pass inet proto tcp from $localnet to any port $client_out \\\n" " flags S/SA keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:473 msgid "" "A few other pass rules may be needed. This one enables SSH on the external " "interface:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:477 #, no-wrap msgid "pass in inet proto tcp to $ext_if port ssh\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:480 msgid "This macro definition and rule allows DNS and NTP for internal clients:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:485 #, no-wrap msgid "" "udp_services = \"{ domain, ntp }\"\n" "pass quick inet proto { tcp, udp } to any port $udp_services keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:493 msgid "" "Note the `quick` keyword in this rule. Since the ruleset consists of " "several rules, it is important to understand the relationships between the " "rules in a ruleset. Rules are evaluated from top to bottom, in the sequence " "they are written. For each packet or connection evaluated by PF, _the last " "matching rule_ in the ruleset is the one which is applied. However, when a " "packet matches a rule which contains the `quick` keyword, the rule " "processing stops and the packet is treated according to that rule. This is " "very useful when an exception to the general rules is needed." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:495 #, no-wrap msgid "Creating an FTP Proxy" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:500 msgid "" "Configuring working FTP rules can be problematic due to the nature of the " "FTP protocol. FTP pre-dates firewalls by several decades and is insecure in " "its design. The most common points against using FTP include:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:502 msgid "Passwords are transferred in the clear." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:503 msgid "" "The protocol demands the use of at least two TCP connections (control and " "data) on separate ports." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:504 msgid "" "When a session is established, data is communicated using randomly selected " "ports." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:507 msgid "" "All of these points present security challenges, even before considering any " "potential security weaknesses in client or server software. More secure " "alternatives for file transfer exist, such as man:sftp[1] or man:scp[1], " "which both feature authentication and data transfer over encrypted " "connections." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:510 msgid "" "For those situations when FTP is required, PF provides redirection of FTP " "traffic to a small proxy program called man:ftp-proxy[8], which is included " "in the base system of FreeBSD. The role of the proxy is to dynamically " "insert and delete rules in the ruleset, using a set of anchors, to correctly " "handle FTP traffic." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:512 msgid "To enable the FTP proxy, add this line to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:516 #, no-wrap msgid "ftpproxy_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:519 msgid "Then start the proxy by running:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:523 #, no-wrap msgid "# service ftp-proxy start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:527 msgid "" "For a basic configuration, three elements need to be added to [.filename]#/" "etc/pf.conf#. First, the anchors which the proxy will use to insert the " "rules it generates for the FTP sessions:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:532 #, no-wrap msgid "" "nat-anchor \"ftp-proxy/*\"\n" "rdr-anchor \"ftp-proxy/*\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:535 msgid "Second, a pass rule is needed to allow FTP traffic in to the proxy." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:538 msgid "" "Third, redirection and NAT rules need to be defined before the filtering " "rules. Insert this `rdr` rule immediately after the `nat` rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:542 #, no-wrap msgid "rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:545 msgid "Finally, allow the redirected traffic to pass:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:549 #, no-wrap msgid "pass out proto tcp from $proxy to any port ftp\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:552 msgid "where `$proxy` expands to the address the proxy daemon is bound to." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:554 msgid "" "Save [.filename]#/etc/pf.conf#, load the new rules, and verify from a client " "that FTP connections are working:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:564 msgid "" "This example covers a basic setup where the clients in the local network " "need to contact FTP servers elsewhere. This basic configuration should work " "well with most combinations of FTP clients and servers. As shown in man:ftp-" "proxy[8], the proxy's behavior can be changed in various ways by adding " "options to the `ftpproxy_flags=` line. Some clients or servers may have " "specific quirks that must be compensated for in the configuration, or there " "may be a need to integrate the proxy in specific ways such as assigning FTP " "traffic to a specific queue." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:566 msgid "" "For ways to run an FTP server protected by PF and man:ftp-proxy[8], " "configure a separate `ftp-proxy` in reverse mode, using `-R`, on a separate " "port with its own redirecting pass rule." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:568 #, no-wrap msgid "Managing ICMP" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:571 msgid "" "Many of the tools used for debugging or troubleshooting a TCP/IP network " "rely on the Internet Control Message Protocol (ICMP), which was designed " "specifically with debugging in mind." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:574 msgid "" "The ICMP protocol sends and receives _control messages_ between hosts and " "gateways, mainly to provide feedback to a sender about any unusual or " "difficult conditions enroute to the target host. Routers use ICMP to " "negotiate packet sizes and other transmission parameters in a process often " "referred to as _path MTU discovery_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:578 msgid "" "From a firewall perspective, some ICMP control messages are vulnerable to " "known attack vectors. Also, letting all diagnostic traffic pass " "unconditionally makes debugging easier, but it also makes it easier for " "others to extract information about the network. For these reasons, the " "following rule may not be optimal:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:582 #, no-wrap msgid "pass inet proto icmp from any to any\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:585 msgid "" "One solution is to let all ICMP traffic from the local network through while " "stopping all probes from outside the network:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:590 #, no-wrap msgid "" "pass inet proto icmp from $localnet to any keep state\n" "pass inet proto icmp from any to $ext_if keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:595 msgid "" "Additional options are available which demonstrate some of PF's " "flexibility. For example, rather than allowing all ICMP messages, one can " "specify the messages used by man:ping[8] and man:traceroute[8]. Start by " "defining a macro for that type of message:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:599 #, no-wrap msgid "icmp_types = \"echoreq\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:602 msgid "and a rule which uses the macro:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:606 #: documentation/content/en/books/handbook/firewalls/_index.adoc:646 #, no-wrap msgid "pass inet proto icmp all icmp-type $icmp_types keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:611 msgid "" "If other types of ICMP packets are needed, expand `icmp_types` to a list of " "those packet types. Type `more /usr/src/sbin/pfctl/pfctl_parser.c` to see " "the list of ICMP message types supported by PF. Refer to http://www.iana." "org/assignments/icmp-parameters/icmp-parameters.xhtml[http://www.iana.org/" "assignments/icmp-parameters/icmp-parameters.xhtml] for an explanation of " "each message type." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:613 msgid "" "Since Unix `traceroute` uses UDP by default, another rule is needed to allow " "Unix `traceroute`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:618 #, no-wrap msgid "" "# allow out the default range for traceroute(8):\n" "pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:623 msgid "" "Since `TRACERT.EXE` on Microsoft Windows systems uses ICMP echo request " "messages, only the first rule is needed to allow network traces from those " "systems. Unix `traceroute` can be instructed to use other protocols as " "well, and will use ICMP echo request messages if `-I` is used. Check the " "man:traceroute[8] man page for details." msgstr "" #. type: Title ===== #: documentation/content/en/books/handbook/firewalls/_index.adoc:625 #, no-wrap msgid "Path MTU Discovery" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:630 msgid "" "Internet protocols are designed to be device independent, and one " "consequence of device independence is that the optimal packet size for a " "given connection cannot always be predicted reliably. The main constraint " "on packet size is the _Maximum Transmission Unit_ (MTU) which sets the upper " "limit on the packet size for an interface. Type `ifconfig` to view the MTUs " "for a system's network interfaces." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:635 msgid "" "TCP/IP uses a process known as path MTU discovery to determine the right " "packet size for a connection. This process sends packets of varying sizes " "with the \"Do not fragment\" flag set, expecting an ICMP return packet of " "\"type 3, code 4\" when the upper limit has been reached. Type 3 means " "\"destination unreachable\", and code 4 is short for \"fragmentation needed, " "but the do-not-fragment flag is set\". To allow path MTU discovery in order " "to support connections to other MTUs, add the `destination unreachable` type " "to the `icmp_types` macro:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:639 #, no-wrap msgid "icmp_types = \"{ echoreq, unreach }\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:642 msgid "" "Since the pass rule already uses that macro, it does not need to be modified " "to support the new ICMP type:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:650 msgid "" "PF allows filtering on all variations of ICMP types and codes. The list of " "possible types and codes are documented in man:icmp[4] and man:icmp6[4]." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:652 #, no-wrap msgid "Using Tables" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:657 msgid "" "Some types of data are relevant to filtering and redirection at a given " "time, but their definition is too long to be included in the ruleset file. " "PF supports the use of tables, which are defined lists that can be " "manipulated without needing to reload the entire ruleset, and which can " "provide fast lookups. Table names are always enclosed within `< >`, like " "this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:661 #, no-wrap msgid "table { 192.168.2.0/24, !192.168.2.5 }\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:665 msgid "" "In this example, the `192.168.2.0/24` network is part of the table, except " "for the address `192.168.2.5`, which is excluded using the `!` operator. It " "is also possible to load tables from files where each item is on a separate " "line, as seen in this example [.filename]#/etc/clients#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:670 #, no-wrap msgid "" "192.168.2.0/24\n" "!192.168.2.5\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:673 msgid "To refer to the file, define the table like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:677 #, no-wrap msgid "table persist file \"/etc/clients\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:680 msgid "Once the table is defined, it can be referenced by a rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:684 #, no-wrap msgid "pass inet proto tcp from to any port $client_out flags S/SA keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:688 msgid "" "A table's contents can be manipulated live, using `pfctl`. This example " "adds another network to the table:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:692 #, no-wrap msgid "# pfctl -t clients -T add 192.168.1.0/16\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:698 msgid "" "Note that any changes made this way will take affect now, making them ideal " "for testing, but will not survive a power failure or reboot. To make the " "changes permanent, modify the definition of the table in the ruleset or edit " "the file that the table refers to. One can maintain the on-disk copy of the " "table using a man:cron[8] job which dumps the table's contents to disk at " "regular intervals, using a command such as `pfctl -t clients -T show >/etc/" "clients`. Alternatively, [.filename]#/etc/clients# can be updated with the " "in-memory table contents:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:702 #, no-wrap msgid "# pfctl -t clients -T replace -f /etc/clients\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:705 #, no-wrap msgid "Using Overload Tables to Protect SSH" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:708 msgid "" "Those who run SSH on an external interface have probably seen something like " "this in the authentication logs:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:717 #, no-wrap msgid "" "Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2\n" "Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2\n" "Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye\n" "Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31\n" "Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin\n" "Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:720 msgid "" "This is indicative of a brute force attack where somebody or some program is " "trying to discover the user name and password which will let them into the " "system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:725 msgid "" "If external SSH access is needed for legitimate users, changing the default " "port used by SSH can offer some protection. However, PF provides a more " "elegant solution. Pass rules can contain limits on what connecting hosts " "can do and violators can be banished to a table of addresses which are " "denied some or all access. It is even possible to drop all existing " "connections from machines which overreach the limits." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:727 msgid "" "To configure this, create this table in the tables section of the ruleset:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:731 #, no-wrap msgid "table persist\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:734 msgid "" "Then, somewhere early in the ruleset, add rules to block brute access while " "allowing legitimate access:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:742 #, no-wrap msgid "" "block quick from \n" "pass inet proto tcp from any to $localnet port $tcp_services \\\n" " flags S/SA keep state \\\n" " (max-src-conn 100, max-src-conn-rate 15/5, \\\n" " overload flush global)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:746 msgid "" "The part in parentheses defines the limits and the numbers should be changed " "to meet local requirements. It can be read as follows:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:748 msgid "" "`max-src-conn` is the number of simultaneous connections allowed from one " "host." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:750 msgid "" "`max-src-conn-rate` is the rate of new connections allowed from any single " "host (_15_) per number of seconds (_5_)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:753 msgid "" "`overload ` means that any host which exceeds these limits gets " "its address added to the `bruteforce` table. The ruleset blocks all traffic " "from addresses in the `bruteforce` table." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:755 msgid "" "Finally, `flush global` says that when a host reaches the limit, that all " "(`global`) of that host's connections will be terminated (`flush`)." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:759 msgid "" "These rules will _not_ block slow bruteforcers, as described in http://home." "nuug.no/\\~peter/hailmary2013/[http://home.nuug.no/~peter/hailmary2013/]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:763 msgid "" "This example ruleset is intended mainly as an illustration. For example, if " "a generous number of connections in general are wanted, but the desire is to " "be more restrictive when it comes to ssh, supplement the rule above with " "something like the one below, early on in the rule set:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:770 #, no-wrap msgid "" "pass quick proto { tcp, udp } from any to any port ssh \\\n" " flags S/SA keep state \\\n" " (max-src-conn 15, max-src-conn-rate 5/3, \\\n" " overload flush global)\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:775 #, no-wrap msgid "*It May Not be Necessary to Block All Overloaders:* +\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:777 msgid "" "It is worth noting that the overload mechanism is a general technique which " "does not apply exclusively to SSH, and it is not always optimal to entirely " "block all traffic from offenders." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:779 msgid "" "For example, an overload rule could be used to protect a mail service or a " "web service, and the overload table could be used in a rule to assign " "offenders to a queue with a minimal bandwidth allocation or to redirect to a " "specific web page." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:783 msgid "" "Over time, tables will be filled by overload rules and their size will grow " "incrementally, taking up more memory. Sometimes an IP address that is " "blocked is a dynamically assigned one, which has since been assigned to a " "host who has a legitimate reason to communicate with hosts in the local " "network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:786 msgid "" "For situations like these, pfctl provides the ability to expire table " "entries. For example, this command will remove `` table entries " "which have not been referenced for `86400` seconds:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:790 #, no-wrap msgid "# pfctl -t bruteforce -T expire 86400\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:793 msgid "" "Similar functionality is provided by package:security/expiretable[], which " "removes table entries which have not been accessed for a specified period of " "time." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:796 msgid "" "Once installed, expiretable can be run to remove `` table " "entries older than a specified age. This example removes all entries older " "than 24 hours:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:800 #, no-wrap msgid "/usr/local/sbin/expiretable -v -d -t 24h bruteforce\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:803 #, no-wrap msgid "Protecting Against SPAM" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:807 msgid "" "Not to be confused with the spamd daemon which comes bundled with " "spamassassin, package:mail/spamd[] can be configured with PF to provide an " "outer defense against SPAM. This spamd hooks into the PF configuration " "using a set of redirections." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:809 msgid "" "Spammers tend to send a large number of messages, and SPAM is mainly sent " "from a few spammer friendly networks and a large number of hijacked " "machines, both of which are reported to _blocklists_ fairly quickly." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:813 msgid "" "When an SMTP connection from an address in a blocklist is received, spamd " "presents its banner and immediately switches to a mode where it answers SMTP " "traffic one byte at a time. This technique, which is intended to waste as " "much time as possible on the spammer's end, is called _tarpitting_. The " "specific implementation which uses one byte SMTP replies is often referred " "to as _stuttering_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:816 msgid "" "This example demonstrates the basic procedure for setting up spamd with " "automatically updated blocklists. Refer to the man pages which are " "installed with package:mail/spamd[] for more information." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/firewalls/_index.adoc:819 #, no-wrap msgid "Procedure: Configuring spamd" msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:821 msgid "" "Install the package:mail/spamd[] package or port. To use spamd's greylisting " "features, man:fdescfs[5] must be mounted at [.filename]#/dev/fd#. Add the " "following line to [.filename]#/etc/fstab#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:825 #, no-wrap msgid " fdescfs /dev/fd fdescfs rw 0 0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:828 msgid "Then, mount the filesystem:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:832 #, no-wrap msgid "# mount fdescfs\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:835 msgid "Next, edit the PF ruleset to include:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:844 #, no-wrap msgid "" "table persist\n" "table persist\n" "rdr pass on $ext_if inet proto tcp from to \\\n" " { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025\n" "rdr pass on $ext_if inet proto tcp from ! to \\\n" " { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:848 msgid "" "The two tables `` and `` are essential. SMTP traffic " "from an address listed in `` but not in `` is redirected " "to the spamd daemon listening at port 8025." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:849 msgid "" "The next step is to configure spamd in [.filename]#/usr/local/etc/spamd." "conf# and to add some [.filename]#rc.conf# parameters." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:852 msgid "" "The installation of package:mail/spamd[] includes a sample configuration " "file ([.filename]#/usr/local/etc/spamd.conf.sample#) and a man page for [." "filename]#spamd.conf#. Refer to these for additional configuration options " "beyond those shown in this example." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:854 msgid "" "One of the first lines in the configuration file that does not begin with a " "`+#+` comment sign contains the block which defines the `all` list, which " "specifies the lists to use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:859 #, no-wrap msgid "" "all:\\\n" " :traplist:allowlist:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:862 msgid "" "This entry adds the desired blocklists, separated by colons (`:`). To use " "an allowlist to subtract addresses from a blocklist, add the name of the " "allowlist _immediately_ after the name of that blocklist. For example: `:" "blocklist:allowlist:`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:864 msgid "This is followed by the specified blocklist's definition:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:872 #, no-wrap msgid "" "traplist:\\\n" " :black:\\\n" " :msg=\"SPAM. Your address %A has sent spam within the last 24 hours\":\\\n" " :method=http:\\\n" " :file=www.openbsd.org/spamd/traplist.gz\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:878 msgid "" "where the first line is the name of the blocklist and the second line " "specifies the list type. The `msg` field contains the message to display to " "blocklisted senders during the SMTP dialogue. The `method` field specifies " "how spamd-setup fetches the list data; supported methods are `http`, `ftp`, " "from a `file` in a mounted file system, and via `exec` of an external " "program. Finally, the `file` field specifies the name of the file spamd " "expects to receive." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:880 msgid "" "The definition of the specified allowlist is similar, but omits the `msg` " "field since a message is not needed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:887 #, no-wrap msgid "" "allowlist:\\\n" " :white:\\\n" " :method=file:\\\n" " :file=/var/mail/allowlist.txt\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:892 #, no-wrap msgid "*Choose Data Sources with Care:* +\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:895 msgid "" "Using all the blocklists in the sample [.filename]#spamd.conf# will block " "large blocks of the Internet. Administrators need to edit the file to " "create an optimal configuration which uses applicable data sources and, when " "necessary, uses custom lists." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:899 msgid "" "Next, add this entry to [.filename]#/etc/rc.conf#. Additional flags are " "described in the man page specified by the comment:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:903 #, no-wrap msgid "spamd_flags=\"-v\" # use \"\" and see spamd-setup(8) for flags\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:907 msgid "" "When finished, reload the ruleset, start spamd by typing `service obspamd " "start`, and complete the configuration using `spamd-setup`. Finally, create " "a man:cron[8] job which calls `spamd-setup` to update the tables at " "reasonable intervals." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:910 msgid "" "On a typical gateway in front of a mail server, hosts will soon start " "getting trapped within a few seconds to several minutes." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:914 msgid "" "PF also supports _greylisting_, which temporarily rejects messages from " "unknown hosts with _45n_ codes. Messages from greylisted hosts which try " "again within a reasonable time are let through. Traffic from senders which " "are set up to behave within the limits set by RFC 1123 and RFC 2821 are " "immediately let through." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:918 msgid "" "More information about greylisting as a technique can be found at the http://" "www.greylisting.org/[greylisting.org] web site. The most amazing thing " "about greylisting, apart from its simplicity, is that it still works. " "Spammers and malware writers have been very slow to adapt to bypass this " "technique." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:920 msgid "The basic procedure for configuring greylisting is as follows:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/firewalls/_index.adoc:922 #, no-wrap msgid "Procedure: Configuring Greylisting" msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:924 msgid "" "Make sure that man:fdescfs[5] is mounted as described in Step 1 of the " "previous Procedure." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:925 msgid "" "To run spamd in greylisting mode, add this line to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:929 #, no-wrap msgid "spamd_grey=\"YES\" # use spamd greylisting if YES\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:932 msgid "" "Refer to the spamd man page for descriptions of additional related " "parameters." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:933 msgid "To complete the greylisting setup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:938 #, no-wrap msgid "" "# service obspamd restart\n" "# service obspamlogd start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:942 msgid "" "Behind the scenes, the spamdb database tool and the spamlogd whitelist " "updater perform essential functions for the greylisting feature. spamdb is " "the administrator's main interface to managing the block, grey, and allow " "lists via the contents of the [.filename]#/var/db/spamdb# database." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:944 #, no-wrap msgid "Network Hygiene" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:947 msgid "" "This section describes how `block-policy`, `scrub`, and `antispoof` can be " "used to make the ruleset behave sanely." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:951 msgid "" "The `block-policy` is an option which can be set in the `options` part of " "the ruleset, which precedes the redirection and filtering rules. This " "option determines which feedback, if any, PF sends to hosts that are blocked " "by a rule. The option has two possible values: `drop` drops blocked packets " "with no feedback, and `return` returns a status code such as `Connection " "refused`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:954 msgid "" "If not set, the default policy is `drop`. To change the `block-policy`, " "specify the desired value:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:958 #, no-wrap msgid "set block-policy return\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:964 msgid "" "In PF, `scrub` is a keyword which enables network packet normalization. " "This process reassembles fragmented packets and drops TCP packets that have " "invalid flag combinations. Enabling `scrub` provides a measure of " "protection against certain kinds of attacks based on incorrect handling of " "packet fragments. A number of options are available, but the simplest form " "is suitable for most configurations:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:968 #, no-wrap msgid "scrub in all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:972 msgid "" "Some services, such as NFS, require specific fragment handling options. " "Refer to https://home.nuug.no/\\~peter/pf/en/scrub.html[https://home.nuug.no/" "~peter/pf/en/scrub.html] for more information." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:974 msgid "" "This example reassembles fragments, clears the \"do not fragment\" bit, and " "sets the maximum segment size to 1440 bytes:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:978 #, no-wrap msgid "scrub in all fragment reassemble no-df max-mss 1440\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:981 msgid "" "The `antispoof` mechanism protects against activity from spoofed or forged " "IP addresses, mainly by blocking packets appearing on interfaces and in " "directions which are logically not possible." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:983 msgid "" "These rules weed out spoofed traffic coming in from the rest of the world as " "well as any spoofed packets which originate in the local network:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:988 #, no-wrap msgid "" "antispoof for $ext_if\n" "antispoof for $int_if\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:991 #, no-wrap msgid "Handling Non-Routable Addresses" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:996 msgid "" "Even with a properly configured gateway to handle network address " "translation, one may have to compensate for other people's " "misconfigurations. A common misconfiguration is to let traffic with non-" "routable addresses out to the Internet. Since traffic from non-routeable " "addresses can play a part in several DoS attack techniques, consider " "explicitly blocking traffic from non-routeable addresses from entering the " "network through the external interface." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:999 msgid "" "In this example, a macro containing non-routable addresses is defined, then " "used in blocking rules. Traffic to and from these addresses is quietly " "dropped on the gateway's external interface." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1005 #, no-wrap msgid "" "martians = \"{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\\n" "\t 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \\\n" "\t 0.0.0.0/8, 240.0.0.0/4 }\"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1008 #, no-wrap msgid "" "block drop in quick on $ext_if from $martians to any\n" "block drop out quick on $ext_if from any to $martians\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1010 #, no-wrap msgid "Enabling ALTQ" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1014 msgid "" "On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS). " "Once ALTQ is enabled, queues can be defined in the ruleset which determine " "the processing priority of outbound packets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1016 msgid "" "Before enabling ALTQ, refer to man:altq[4] to determine if the drivers for " "the network cards installed on the system support it." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1022 msgid "" "ALTQ is not available as a loadable kernel module. If the system's " "interfaces support ALTQ, create a custom kernel using the instructions in " "crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The " "following kernel options are available. The first is needed to enable " "ALTQ. At least one of the other options is necessary to specify the " "queueing scheduler algorithm:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1031 #, no-wrap msgid "" "options ALTQ\n" "options ALTQ_CBQ # Class Based Queuing (CBQ)\n" "options ALTQ_RED # Random Early Detection (RED)\n" "options ALTQ_RIO # RED In/Out\n" "options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)\n" "options ALTQ_PRIQ # Priority Queuing (PRIQ)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1034 msgid "The following scheduler algorithms are available:" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1035 #, no-wrap msgid "CBQ" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1037 msgid "" "Class Based Queuing (CBQ) is used to divide a connection's bandwidth into " "different classes or queues to prioritize traffic based on filter rules." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1038 #, no-wrap msgid "RED" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1041 msgid "" "Random Early Detection (RED) is used to avoid network congestion by " "measuring the length of the queue and comparing it to the minimum and " "maximum thresholds for the queue. When the queue is over the maximum, all " "new packets are randomly dropped." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1042 #, no-wrap msgid "RIO" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1044 msgid "" "In Random Early Detection In and Out (RIO) mode, RED maintains multiple " "average queue lengths and multiple threshold values, one for each QOS level." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1045 #, no-wrap msgid "HFSC" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1047 msgid "" "Hierarchical Fair Service Curve Packet Scheduler (HFSC) is described in " "http://www-2.cs.cmu.edu/\\~hzhang/HFSC/main.html[http://www-2.cs.cmu.edu/" "~hzhang/HFSC/main.html]." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1048 #, no-wrap msgid "PRIQ" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1050 msgid "" "Priority Queuing (PRIQ) always passes traffic that is in a higher queue " "first." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1052 msgid "" "More information about the scheduling algorithms and example rulesets are " "available at the https://web.archive.org/web/20151109213426/http://www." "openbsd.org/faq/pf/queueing.html[OpenBSD's web archive]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:1054 #, no-wrap msgid "IPFW" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1058 msgid "" "IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and " "IPv6. It is comprised of several components: the kernel firewall filter " "rule processor and its integrated packet accounting facility, the logging " "facility, NAT, the man:dummynet[4] traffic shaper, a forward facility, a " "bridge facility, and an ipstealth facility." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1061 msgid "" "FreeBSD provides a sample ruleset in [.filename]#/etc/rc.firewall# which " "defines several firewall types for common scenarios to assist novice users " "in generating an appropriate ruleset. IPFW provides a powerful syntax which " "advanced users can use to craft customized rulesets that meet the security " "requirements of a given environment." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1063 msgid "" "This section describes how to enable IPFW, provides an overview of its rule " "syntax, and demonstrates several rulesets for common configuration scenarios." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1065 #, no-wrap msgid "Enabling IPFW" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1068 msgid "" "IPFW is included in the basic FreeBSD install as a kernel loadable module, " "meaning that a custom kernel is not needed in order to enable IPFW." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1071 msgid "" "For those users who wish to statically compile IPFW support into a custom " "kernel, see crossref:firewalls[firewalls-ipfw-kernelconfig]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1073 msgid "" "To configure the system to enable IPFW at boot time, add " "`firewall_enable=\"YES\"` to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1077 #, no-wrap msgid "# sysrc firewall_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1080 msgid "" "To use one of the default firewall types provided by FreeBSD, add another " "line which specifies the type:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1084 #, no-wrap msgid "# sysrc firewall_type=\"open\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1087 msgid "The available types are:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1089 msgid "`open`: passes all traffic." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1090 msgid "`client`: protects only this machine." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1091 msgid "`simple`: protects the whole network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1092 msgid "" "`closed`: entirely disables IP traffic except for the loopback interface." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1093 msgid "`workstation`: protects only this machine using stateful rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1094 msgid "`UNKNOWN`: disables the loading of firewall rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1095 msgid "" "[.filename]#filename#: full path of the file containing the firewall ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1097 msgid "" "If `firewall_type` is set to either `client` or `simple`, modify the default " "rules found in [.filename]#/etc/rc.firewall# to fit the configuration of the " "system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1099 msgid "Note that the `filename` type is used to load a custom ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1102 msgid "" "An alternate way to load a custom ruleset is to set the `firewall_script` " "variable to the absolute path of an _executable script_ that includes IPFW " "commands. The examples used in this section assume that the " "`firewall_script` is set to [.filename]#/etc/ipfw.rules#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1106 #, no-wrap msgid "# sysrc firewall_script=\"/etc/ipfw.rules\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1109 msgid "To enable logging through man:syslogd[8], include this line:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1113 #, no-wrap msgid "# sysrc firewall_logging=\"YES\"\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1121 msgid "" "Only firewall rules with the `log` option will be logged. The default rules " "do not include this option and it must be manually added. Therefore it is " "advisable that the default ruleset is edited for logging. In addition, log " "rotation may be desired if the logs are stored in a separate file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1125 msgid "" "There is no [.filename]#/etc/rc.conf# variable to set logging limits. To " "limit the number of times a rule is logged per connection attempt, specify " "the number using this line in [.filename]#/etc/sysctl.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1129 #, no-wrap msgid "# echo \"net.inet.ip.fw.verbose_limit=5\" >> /etc/sysctl.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1132 msgid "" "To enable logging through a dedicated interface named `ipfw0`, add this line " "to [.filename]#/etc/rc.conf# instead:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1136 #, no-wrap msgid "# sysrc firewall_logif=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1139 msgid "Then use tcpdump to see what is being logged:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1143 #, no-wrap msgid "# tcpdump -t -n -i ipfw0\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1149 msgid "There is no overhead due to logging unless tcpdump is attached." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1153 msgid "" "After saving the needed edits, start the firewall. To enable logging limits " "now, also set the `sysctl` value specified above:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1158 #, no-wrap msgid "" "# service ipfw start\n" "# sysctl net.inet.ip.fw.verbose_limit=5\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1161 #, no-wrap msgid "IPFW Rule Syntax" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1169 msgid "" "When a packet enters the IPFW firewall, it is compared against the first " "rule in the ruleset and progresses one rule at a time, moving from top to " "bottom in sequence. When the packet matches the selection parameters of a " "rule, the rule's action is executed and the search of the ruleset terminates " "for that packet. This is referred to as \"first match wins\". If the " "packet does not match any of the rules, it gets caught by the mandatory IPFW " "default rule number 65535, which denies all packets and silently discards " "them. However, if the packet matches a rule that contains the `count`, " "`skipto`, or `tee` keywords, the search continues. Refer to man:ipfw[8] for " "details on how these keywords affect rule processing." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1175 msgid "" "When creating an IPFW rule, keywords must be written in the following " "order. Some keywords are mandatory while other keywords are optional. The " "words shown in uppercase represent a variable and the words shown in " "lowercase must precede the variable that follows it. The `+#+` symbol is " "used to mark the start of a comment and may appear at the end of a rule or " "on its own line. Blank lines are ignored." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1177 msgid "" "`_CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC " "SRC_PORT to DST DST_PORT OPTIONS_`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1181 msgid "" "This section provides an overview of these keywords and their options. It " "is not an exhaustive list of every possible option. Refer to man:ipfw[8] " "for a complete description of the rule syntax that can be used when creating " "IPFW rules." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1182 #, no-wrap msgid "CMD" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1184 msgid "Every rule must start with `ipfw add`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1185 #, no-wrap msgid "RULE_NUMBER" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1189 msgid "" "Each rule is associated with a number from `1` to `65534`. The number is " "used to indicate the order of rule processing. Multiple rules can have the " "same number, in which case they are applied according to the order in which " "they have been added." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1190 #, no-wrap msgid "SET_NUMBER" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1194 msgid "" "Each rule is associated with a set number from `0` to `31`. Sets can be " "individually disabled or enabled, making it possible to quickly add or " "delete a set of rules. If a SET_NUMBER is not specified, the rule will be " "added to set `0`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1195 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1941 #, no-wrap msgid "ACTION" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1198 msgid "" "A rule can be associated with one of the following actions. The specified " "action will be executed when the packet matches the selection criterion of " "the rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1200 msgid "" "`allow | accept | pass | permit`: these keywords are equivalent and allow " "packets that match the rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1205 msgid "" "`check-state`: checks the packet against the dynamic state table. If a " "match is found, execute the action associated with the rule which generated " "this dynamic rule, otherwise move to the next rule. A `check-state` rule " "does not have selection criterion. If no `check-state` rule is present in " "the ruleset, the dynamic rules table is checked at the first `keep-state` or " "`limit` rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1208 msgid "" "`count`: updates counters for all packets that match the rule. The search " "continues with the next rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1210 msgid "" "`deny | drop`: either word silently discards packets that match this rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1213 msgid "Additional actions are available. Refer to man:ipfw[8] for details." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1214 #, no-wrap msgid "LOG_AMOUNT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1220 msgid "" "When a packet matches a rule with the `log` keyword, a message will be " "logged to man:syslogd[8] with a facility name of `SECURITY`. Logging only " "occurs if the number of packets logged for that particular rule does not " "exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is " "taken from the value of `net.inet.ip.fw.verbose_limit`. A value of zero " "removes the logging limit. Once the limit is reached, logging can be re-" "enabled by clearing the logging counter or the packet counter for that rule, " "using `ipfw resetlog`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1225 msgid "" "Logging is done after all other packet matching conditions have been met, " "and before performing the final action on the packet. The administrator " "decides which rules to enable logging on." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1227 #, no-wrap msgid "PROTO" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1229 msgid "" "This optional value can be used to specify any protocol name or number found " "in [.filename]#/etc/protocols#." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1230 #, no-wrap msgid "SRC" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1235 msgid "" "The `from` keyword must be followed by the source address or a keyword that " "represents the source address. An address can be represented by `any`, `me` " "(any address configured on an interface on this system), `me6`, (any IPv6 " "address configured on an interface on this system), or `table` followed by " "the number of a lookup table which contains a list of addresses. When " "specifying an IP address, it can be optionally followed by its CIDR mask or " "subnet mask. For example, `1.2.3.4/25` or `1.2.3.4:255.255.255.128`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1236 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2007 #, no-wrap msgid "SRC_PORT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1238 msgid "" "An optional source port can be specified using the port number or name from " "[.filename]#/etc/services#." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1239 #, no-wrap msgid "DST" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1242 msgid "" "The `to` keyword must be followed by the destination address or a keyword " "that represents the destination address. The same keywords and addresses " "described in the SRC section can be used to describe the destination." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1243 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2020 #, no-wrap msgid "DST_PORT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1245 msgid "" "An optional destination port can be specified using the port number or name " "from [.filename]#/etc/services#." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1246 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1971 #, no-wrap msgid "OPTIONS" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1250 msgid "" "Several keywords can follow the source and destination. As the name " "suggests, OPTIONS are optional. Commonly used options include `in` or " "`out`, which specify the direction of packet flow, `icmptypes` followed by " "the type of ICMP message, and `keep-state`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1252 msgid "" "When a `keep-state` rule is matched, the firewall will create a dynamic rule " "which matches bidirectional traffic between the source and destination " "addresses and ports using the same protocol." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1257 msgid "" "The dynamic rules facility is vulnerable to resource depletion from a SYN-" "flood attack which would open a huge number of dynamic rules. To counter " "this type of attack with IPFW, use `limit`. This option limits the number " "of simultaneous sessions by checking the open dynamic rules, counting the " "number of times this rule and IP address combination occurred. If this " "count is greater than the value specified by `limit`, the packet is " "discarded." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1260 msgid "" "Dozens of OPTIONS are available. Refer to man:ipfw[8] for a description of " "each available option." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1261 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2048 #, no-wrap msgid "Example Ruleset" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1266 msgid "" "This section demonstrates how to create an example stateful firewall ruleset " "script named [.filename]#/etc/ipfw.rules#. In this example, all connection " "rules use `in` or `out` to clarify the direction. They also use `via` " "_interface-name_ to specify the interface the packet is traveling over." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1270 msgid "" "When first creating or testing a firewall ruleset, consider temporarily " "setting this tunable:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1274 #, no-wrap msgid "net.inet.ip.fw.default_to_accept=\"1\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1277 msgid "" "This sets the default policy of man:ipfw[8] to be more permissive than the " "default `deny ip from any to any`, making it slightly more difficult to get " "locked out of the system right after a reboot." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1282 msgid "" "The firewall script begins by indicating that it is a Bourne shell script " "and flushes any existing rules. It then creates the `cmd` variable so that " "`ipfw add` does not have to be typed at the beginning of every rule. It " "also defines the `pif` variable which represents the name of the interface " "that is attached to the Internet." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1288 #, no-wrap msgid "" "#!/bin/sh\n" "# Flush out the list before we begin.\n" "ipfw -q -f flush\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1292 #, no-wrap msgid "" "# Set rules command prefix\n" "cmd=\"ipfw -q add\"\n" "pif=\"dc0\" # interface name of NIC attached to Internet\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1295 msgid "" "The first two rules allow all traffic on the trusted internal interface and " "on the loopback interface:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1300 #, no-wrap msgid "" "# Change xl0 to LAN NIC interface name\n" "$cmd 00005 allow all from any to any via xl0\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1303 #, no-wrap msgid "" "# No restrictions on Loopback Interface\n" "$cmd 00010 allow all from any to any via lo0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1306 msgid "" "The next rule allows the packet through if it matches an existing entry in " "the dynamic rules table:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1310 #, no-wrap msgid "$cmd 00101 check-state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1313 msgid "" "The next set of rules defines which stateful connections internal systems " "can create to hosts on the Internet:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1321 #, no-wrap msgid "" "# Allow access to public DNS\n" "# Replace x.x.x.x with the IP address of a public DNS server\n" "# and repeat for each DNS server in /etc/resolv.conf\n" "$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state\n" "$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1327 #, no-wrap msgid "" "# Allow access to ISP's DHCP server for cable/DSL configurations.\n" "# Use the first rule and check log for IP address.\n" "# Then, uncomment the second rule, input the IP address, and delete the first rule\n" "$cmd 00120 allow log udp from any to any 67 out via $pif keep-state\n" "#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1331 #, no-wrap msgid "" "# Allow outbound HTTP and HTTPS connections\n" "$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state\n" "$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1335 #, no-wrap msgid "" "# Allow outbound email connections\n" "$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state\n" "$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1338 #, no-wrap msgid "" "# Allow outbound ping\n" "$cmd 00250 allow icmp from any to any out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1341 #, no-wrap msgid "" "# Allow outbound NTP\n" "$cmd 00260 allow udp from any to any 123 out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1344 #, no-wrap msgid "" "# Allow outbound SSH\n" "$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1347 #, no-wrap msgid "" "# deny and log all other outbound connections\n" "$cmd 00299 deny log all from any to any out via $pif\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1352 msgid "" "The next set of rules controls connections from Internet hosts to the " "internal network. It starts by denying packets typically associated with " "attacks and then explicitly allows specific types of connections. All the " "authorized services that originate from the Internet use `limit` to prevent " "flooding." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1365 #, no-wrap msgid "" "# Deny all inbound traffic from non-routable reserved address spaces\n" "$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP\n" "$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP\n" "$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP\n" "$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback\n" "$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback\n" "$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config\n" "$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs\n" "$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect\n" "$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1368 #, no-wrap msgid "" "# Deny public pings\n" "$cmd 00310 deny icmp from any to any in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1371 #, no-wrap msgid "" "# Deny ident\n" "$cmd 00315 deny tcp from any to any 113 in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1377 #, no-wrap msgid "" "# Deny all Netbios services.\n" "$cmd 00320 deny tcp from any to any 137 in via $pif\n" "$cmd 00321 deny tcp from any to any 138 in via $pif\n" "$cmd 00322 deny tcp from any to any 139 in via $pif\n" "$cmd 00323 deny tcp from any to any 81 in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1380 #, no-wrap msgid "" "# Deny fragments\n" "$cmd 00330 deny all from any to any frag in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1383 #, no-wrap msgid "" "# Deny ACK packets that did not match the dynamic rule table\n" "$cmd 00332 deny tcp from any to any established in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1387 #, no-wrap msgid "" "# Allow traffic from ISP's DHCP server.\n" "# Replace x.x.x.x with the same IP address used in rule 00120.\n" "#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1390 #, no-wrap msgid "" "# Allow HTTP connections to internal web server\n" "$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1393 #, no-wrap msgid "" "# Allow inbound SSH connections\n" "$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1396 #, no-wrap msgid "" "# Reject and log all other incoming connections\n" "$cmd 00499 deny log all from any to any in via $pif\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1399 msgid "" "The last rule logs all packets that do not match any of the rules in the " "ruleset:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1404 #, no-wrap msgid "" "# Everything else is denied and logged\n" "$cmd 00999 deny log all from any to any\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1407 #, no-wrap msgid "In-kernel NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1412 msgid "" "FreeBSD's IPFW firewall has two implementations of NAT: the userland " "implementation man:natd[8], and the more recent in-kernel NAT " "implementation. Both work in conjunction with IPFW to provide network " "address translation. This can be used to provide an Internet Connection " "Sharing solution so that several internal computers can connect to the " "Internet using a single public IP address." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1416 msgid "" "To do this, the FreeBSD machine connected to the Internet must act as a " "gateway. This system must have two NICs, where one is connected to the " "Internet and the other is connected to the internal LAN. Each machine " "connected to the LAN should be assigned an IP address in the private network " "space, as defined by https://www.ietf.org/rfc/rfc1918.txt[RFC 1918]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1419 msgid "" "Some additional configuration is needed in order to enable the in-kernel NAT " "facility of IPFW. To enable in-kernel NAT support at boot time, the " "following must be set in [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1425 #, no-wrap msgid "" "gateway_enable=\"YES\"\n" "firewall_enable=\"YES\"\n" "firewall_nat_enable=\"YES\"\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1431 msgid "" "When `firewall_nat_enable` is set but `firewall_enable` is not, it will have " "no effect and do nothing. This is because the in-kernel NAT implementation " "is only compatible with IPFW." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1438 msgid "" "When the ruleset contains stateful rules, the positioning of the NAT rule is " "critical and the `skipto` action is used. The `skipto` action requires a " "rule number so that it knows which rule to jump to. The example below " "builds upon the firewall ruleset shown in the previous section. It adds " "some additional entries and modifies some existing rules in order to " "configure the firewall for in-kernel NAT. It starts by adding some " "additional variables which represent the rule number to skip to, the `keep-" "state` option, and a list of TCP ports which will be used to reduce the " "number of rules." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1448 #, no-wrap msgid "" "#!/bin/sh\n" "ipfw -q -f flush\n" "cmd=\"ipfw -q add\"\n" "skip=\"skipto 1000\"\n" "pif=dc0\n" "ks=\"keep-state\"\n" "good_tcpo=\"22,25,37,53,80,443,110\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1453 msgid "" "With in-kernel NAT it is necessary to disable TCP segmentation offloading " "(TSO) due to the architecture of man:libalias[3], a library implemented as a " "kernel module to provide the in-kernel NAT facility of IPFW. TSO can be " "disabled on a per network interface basis using man:ifconfig[8] or on a " "system wide basis using man:sysctl[8]. To disable TSO system wide, the " "following must be set it [.filename]#/etc/sysctl.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1457 #, no-wrap msgid "net.inet.tcp.tso=\"0\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1466 msgid "" "A NAT instance will also be configured. It is possible to have multiple NAT " "instances each with their own configuration. For this example only one NAT " "instance is needed, NAT instance number 1. The configuration can take a few " "options such as: `if` which indicates the public interface, `same_ports` " "which takes care that aliased ports and local port numbers are mapped the " "same, `unreg_only` will result in only unregistered (private) address spaces " "to be processed by the NAT instance, and `reset` which will help to keep a " "functioning NAT instance even when the public IP address of the IPFW machine " "changes. For all possible options that can be passed to a single NAT " "instance configuration consult man:ipfw[8]. When configuring a stateful " "NATing firewall, it is necessary to allow translated packets to be " "reinjected in the firewall for further processing. This can be achieved by " "disabling `one_pass` behavior at the start of the firewall script." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1471 #, no-wrap msgid "" "ipfw disable one_pass\n" "ipfw -q nat 1 config if $pif same_ports unreg_only reset\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1477 msgid "" "The inbound NAT rule is inserted _after_ the two rules which allow all " "traffic on the trusted and loopback interfaces and after the reassemble rule " "but _before_ the `check-state` rule. It is important that the rule number " "selected for this NAT rule, in this example `100`, is higher than the first " "three rules and lower than the `check-state` rule. Furthermore, because of " "the behavior of in-kernel NAT it is advised to place a reassemble rule just " "before the first NAT rule and after the rules that allow traffic on trusted " "interface. Normally, IP fragmentation should not happen, but when dealing " "with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of " "fragments is necessary before handing the complete packet over to the in-" "kernel NAT facility." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1481 msgid "" "The reassemble rule was not needed with userland man:natd[8] because the " "internal workings of the IPFW `divert` action already takes care of " "reassembling packets before delivery to the socket as also stated in man:" "ipfw[8]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1484 msgid "" "The NAT instance and rule number used in this example does not match with " "the default NAT instance and rule number created by [.filename]#rc." "firewall#. [.filename]#rc.firewall# is a script that sets up the default " "firewall rules present in FreeBSD." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1494 #, no-wrap msgid "" "$cmd 005 allow all from any to any via xl0 # exclude LAN traffic\n" "$cmd 010 allow all from any to any via lo0 # exclude loopback traffic\n" "$cmd 099 reass all from any to any in # reassemble inbound packets\n" "$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets\n" "# Allow the packet through if it has an existing entry in the dynamic rules table\n" "$cmd 101 check-state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1498 msgid "" "The outbound rules are modified to replace the `allow` action with the " "`$skip` variable, indicating that rule processing will continue at rule " "`1000`. The seven `tcp` rules have been replaced by rule `125` as the " "`$good_tcpo` variable contains the seven allowed outbound ports." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1502 msgid "" "Remember that IPFW's performance is largely determined by the number of " "rules present in the ruleset." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1511 #, no-wrap msgid "" "# Authorized outbound packets\n" "$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks\n" "$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks\n" "$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks\n" "$cmd 130 $skip icmp from any to any out via $pif $ks\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1517 msgid "" "The inbound rules remain the same, except for the very last rule which " "removes the `via $pif` in order to catch both inbound and outbound rules. " "The NAT rule must follow this last outbound rule, must have a higher number " "than that last rule, and the rule number must be referenced by the `skipto` " "action. In this ruleset, rule number `1000` handles passing all packets to " "our configured instance for NAT processing. The next rule allows any packet " "which has undergone NAT processing to pass." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1523 #, no-wrap msgid "" "$cmd 999 deny log all from any to any\n" "$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules\n" "$cmd 1001 allow ip from any to any\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1526 msgid "" "In this example, rules `100`, `101`, `125`, `1000`, and `1001` control the " "address translation of the outbound and inbound packets so that the entries " "in the dynamic state table always register the private LANIP address." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1538 msgid "" "Consider an internal web browser which initializes a new outbound HTTP " "session over port 80. When the first outbound packet enters the firewall, " "it does not match rule `100` because it is headed out rather than in. It " "passes rule `101` because this is the first packet and it has not been " "posted to the dynamic state table yet. The packet finally matches rule " "`125` as it is outbound on an allowed port and has a source IP address from " "the internal LAN. On matching this rule, two actions take place. First, " "the `keep-state` action adds an entry to the dynamic state table and the " "specified action, `skipto rule 1000`, is executed. Next, the packet " "undergoes NAT and is sent out to the Internet. This packet makes its way to " "the destination web server, where a response packet is generated and sent " "back. This new packet enters the top of the ruleset. It matches rule `100` " "and has its destination IP address mapped back to the original internal " "address. It then is processed by the `check-state` rule, is found in the " "table as an existing session, and is released to the LAN." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1543 msgid "" "On the inbound side, the ruleset has to deny bad packets and allow only " "authorized services. A packet which matches an inbound rule is posted to " "the dynamic state table and the packet is released to the LAN. The packet " "generated as a response is recognized by the `check-state` rule as belonging " "to an existing session. It is then sent to rule `1000` to undergo NAT " "before being released to the outbound interface." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1551 msgid "" "Transitioning from userland man:natd[8] to in-kernel NAT might appear " "seamless at first but there is small catch. When using the GENERIC kernel, " "IPFW will load the [.filename]#libalias.ko# kernel module, when " "`firewall_nat_enable` is enabled in [.filename]#/etc/rc.conf#. The [." "filename]#libalias.ko# kernel module only provides basic NAT functionality, " "whereas the userland implementation man:natd[8] has all NAT functionality " "available in its userland library without any extra configuration. All " "functionality refers to the following kernel modules that can additionally " "be loaded when needed besides the standard [.filename]#libalias.ko# kernel " "module: [.filename]#alias_ftp.ko#, [.filename]#alias_bbt.ko#, [." "filename]#skinny.ko#, [.filename]#irc.ko#, [.filename]#alias_pptp.ko# and [." "filename]#alias_smedia.ko# using the `kld_list` directive in [.filename]#/" "etc/rc.conf#. If a custom kernel is used, the full functionality of the " "userland library can be compiled in, in the kernel, using the `options " "LIBALIAS`." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1553 #, no-wrap msgid "Port Redirection" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1559 msgid "" "The drawback with NAT in general is that the LAN clients are not accessible " "from the Internet. Clients on the LAN can make outgoing connections to the " "world but cannot receive incoming ones. This presents a problem if trying " "to run Internet services on one of the LAN client machines. A simple way " "around this is to redirect selected Internet ports on the NAT providing " "machine to a LAN client." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1562 msgid "" "For example, an IRC server runs on client `A` and a web server runs on " "client `B`. For this to work properly, connections received on ports 6667 " "(IRC) and 80 (HTTP) must be redirected to the respective machines." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1566 msgid "" "With in-kernel NAT all configuration is done in the NAT instance " "configuration. For a full list of options that an in-kernel NAT instance " "can use, consult man:ipfw[8]. The IPFW syntax follows the syntax of natd. " "The syntax for `redirect_port` is as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1572 #, no-wrap msgid "" "redirect_port proto targetIP:targetPORT[-targetPORT]\n" " [aliasIP:]aliasPORT[-aliasPORT]\n" " [remoteIP[:remotePORT[-remotePORT]]]\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1575 msgid "To configure the above example setup, the arguments should be:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1580 #, no-wrap msgid "" "redirect_port tcp 192.168.0.2:6667 6667\n" "redirect_port tcp 192.168.0.3:80 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1583 msgid "" "After adding these arguments to the configuration of NAT instance 1 in the " "above ruleset, the TCP ports will be port forwarded to the LAN client " "machines running the IRC and HTTP services." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1589 #, no-wrap msgid "" "ipfw -q nat 1 config if $pif same_ports unreg_only reset \\\n" " redirect_port tcp 192.168.0.2:6667 6667 \\\n" " redirect_port tcp 192.168.0.3:80 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1593 msgid "" "Port ranges over individual ports can be indicated with `redirect_port`. " "For example, _tcp 192.168.0.2:2000-3000 2000-3000_ would redirect all " "connections received on ports 2000 to 3000 to ports 2000 to 3000 on client " "`A`." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1594 #, no-wrap msgid "Address Redirection" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1600 msgid "" "Address redirection is useful if more than one IP address is available. " "Each LAN client can be assigned its own external IP address by man:ipfw[8], " "which will then rewrite outgoing packets from the LAN clients with the " "proper external IP address and redirects all traffic incoming on that " "particular IP address back to the specific LAN client. This is also known " "as static NAT. For example, if IP addresses `128.1.1.1`, `128.1.1.2`, and " "`128.1.1.3` are available, `128.1.1.1` can be used as the man:ipfw[8] " "machine's external IP address, while `128.1.1.2` and `128.1.1.3` are " "forwarded back to LAN clients `A` and `B`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1602 msgid "" "The `redirect_addr` syntax is as below, where `localIP` is the internal IP " "address of the LAN client, and `publicIP` the external IP address " "corresponding to the LAN client." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1606 #, no-wrap msgid "redirect_addr localIP publicIP\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1609 msgid "In the example, the arguments would read:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1614 #, no-wrap msgid "" "redirect_addr 192.168.0.2 128.1.1.2\n" "redirect_addr 192.168.0.3 128.1.1.3\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1618 msgid "" "Like `redirect_port`, these arguments are placed in a NAT instance " "configuration. With address redirection, there is no need for port " "redirection, as all data received on a particular IP address is redirected." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1621 msgid "" "The external IP addresses on the man:ipfw[8] machine must be active and " "aliased to the external interface. Refer to man:rc.conf[5] for details." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1622 #, no-wrap msgid "Userspace NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1626 msgid "" "Let us start with a statement: the userspace NAT implementation: man:" "natd[8], has more overhead than in-kernel NAT. For man:natd[8] to translate " "packets, the packets have to be copied from the kernel to userspace and back " "which brings in extra overhead that is not present with in-kernel NAT." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1630 msgid "" "To enable the userspace NAT daemon man:natd[8] at boot time, the following " "is a minimum configuration in [.filename]#/etc/rc.conf#. Where " "`natd_interface` is set to the name of the NIC attached to the Internet. " "The man:rc[8] script of man:natd[8] will automatically check if a dynamic IP " "address is used and configure itself to handle that." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1636 #, no-wrap msgid "" "gateway_enable=\"YES\"\n" "natd_enable=\"YES\"\n" "natd_interface=\"rl0\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1641 msgid "" "In general, the above ruleset as explained for in-kernel NAT can also be " "used together with man:natd[8]. The exceptions are the configuration of the " "in-kernel NAT instance `(ipfw -q nat 1 config ...)` which is not needed " "together with reassemble rule 99 because its functionality is included in " "the `divert` action. Rule number 100 and 1000 will have to change sligthly " "as shown below." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1646 #, no-wrap msgid "" "$cmd 100 divert natd ip from any to any in via $pif\n" "$cmd 1000 divert natd ip from any to any out via $pif\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1651 msgid "" "To configure port or address redirection, a similar syntax as with in-kernel " "NAT is used. Although, now, instead of specifying the configuration in our " "ruleset script like with in-kernel NAT, configuration of man:natd[8] is best " "done in a configuration file. To do this, an extra flag must be passed via " "[.filename]#/etc/rc.conf# which specifies the path of the configuration file." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1655 #, no-wrap msgid "natd_flags=\"-f /etc/natd.conf\"\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1662 msgid "" "The specified file must contain a list of configuration options, one per " "line. For more information about the configuration file and possible " "variables, consult man:natd[8]. Below are two example entries, one per line:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1667 #, no-wrap msgid "" "redirect_port tcp 192.168.0.2:6667 6667\n" "redirect_addr 192.168.0.3 128.1.1.3\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1672 #, no-wrap msgid "The IPFW Command" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1677 msgid "" "`ipfw` can be used to make manual, single rule additions or deletions to the " "active firewall while it is running. The problem with using this method is " "that all the changes are lost when the system reboots. It is recommended to " "instead write all the rules in a file and to use that file to load the rules " "at boot time and to replace the currently running firewall rules whenever " "that file changes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1681 msgid "" "`ipfw` is a useful way to display the running firewall rules to the console " "screen. The IPFW accounting facility dynamically creates a counter for each " "rule that counts each packet that matches the rule. During the process of " "testing a rule, listing the rule with its counter is one way to determine if " "the rule is functioning as expected." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1683 msgid "To list all the running rules in sequence:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1687 #, no-wrap msgid "# ipfw list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1690 msgid "" "To list all the running rules with a time stamp of when the last time the " "rule was matched:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1694 #, no-wrap msgid "# ipfw -t list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1698 msgid "" "The next example lists accounting information and the packet count for " "matched rules along with the rules themselves. The first column is the rule " "number, followed by the number of matched packets and bytes, followed by the " "rule itself." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1702 #, no-wrap msgid "# ipfw -a list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1705 msgid "To list dynamic rules in addition to static rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1709 #, no-wrap msgid "# ipfw -d list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1712 msgid "To also show the expired dynamic rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1716 #, no-wrap msgid "# ipfw -d -e list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1719 msgid "To zero the counters:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1723 #, no-wrap msgid "# ipfw zero\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1726 msgid "To zero the counters for just the rule with number _NUM_:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1730 #, no-wrap msgid "# ipfw zero NUM\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1732 #, no-wrap msgid "Logging Firewall Messages" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1739 msgid "" "Even with the logging facility enabled, IPFW will not generate any rule " "logging on its own. The firewall administrator decides which rules in the " "ruleset will be logged, and adds the `log` keyword to those rules. Normally " "only deny rules are logged. It is customary to duplicate the \"ipfw default " "deny everything\" rule with the `log` keyword included as the last rule in " "the ruleset. This way, it is possible to see all the packets that did not " "match any of the rules in the ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1743 msgid "" "Logging is a two edged sword. If one is not careful, an over abundance of " "log data or a DoS attack can fill the disk with log files. Log messages are " "not only written to syslogd, but also are displayed on the root console " "screen and soon become annoying." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1748 msgid "" "The `IPFIREWALL_VERBOSE_LIMIT=5` kernel option limits the number of " "consecutive messages sent to man:syslogd[8], concerning the packet matching " "of a given rule. When this option is enabled in the kernel, the number of " "consecutive messages concerning a particular rule is capped at the number " "specified. There is nothing to be gained from 200 identical log messages. " "With this option set to five, five consecutive messages concerning a " "particular rule would be logged to syslogd and the remainder identical " "consecutive messages would be counted and posted to syslogd with a phrase " "like the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1752 #, no-wrap msgid "last message repeated 45 times\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1755 msgid "" "All logged packets messages are written by default to [.filename]#/var/log/" "security#, which is defined in [.filename]#/etc/syslog.conf#." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1757 #, no-wrap msgid "Building a Rule Script" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1763 msgid "" "Most experienced IPFW users create a file containing the rules and code them " "in a manner compatible with running them as a script. The major benefit of " "doing this is the firewall rules can be refreshed in mass without the need " "of rebooting the system to activate them. This method is convenient in " "testing new rules as the procedure can be executed as many times as needed. " "Being a script, symbolic substitution can be used for frequently used values " "to be substituted into multiple rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1768 msgid "" "This example script is compatible with the syntax used by the man:sh[1], man:" "csh[1], and man:tcsh[1] shells. Symbolic substitution fields are prefixed " "with a dollar sign ($). Symbolic fields do not have the $ prefix. The " "value to populate the symbolic field must be enclosed in double quotes " "(\"\")." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1770 msgid "Start the rules file like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1788 #, no-wrap msgid "" "############### start of example ipfw rules script #############\n" "#\n" "ipfw -q -f flush # Delete all rules\n" "# Set defaults\n" "oif=\"tun0\" # out interface\n" "odns=\"192.0.2.11\" # ISP's DNS server IP address\n" "cmd=\"ipfw -q add \" # build rule prefix\n" "ks=\"keep-state\" # just too lazy to key this each time\n" "$cmd 00500 check-state\n" "$cmd 00502 deny all from any to any frag\n" "$cmd 00501 deny tcp from any to any established\n" "$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks\n" "$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks\n" "$cmd 00611 allow udp from any to $odns 53 out via $oif $ks\n" "################### End of example ipfw rules script ############\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1791 msgid "" "The rules are not important as the focus of this example is how the symbolic " "substitution fields are populated." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1793 msgid "" "If the above example was in [.filename]#/etc/ipfw.rules#, the rules could be " "reloaded by the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1797 #, no-wrap msgid "# sh /etc/ipfw.rules\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1800 msgid "" "[.filename]#/etc/ipfw.rules# can be located anywhere and the file can have " "any name." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1802 msgid "The same thing could be accomplished by running these commands by hand:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1812 #, no-wrap msgid "" "# ipfw -q -f flush\n" "# ipfw -q add check-state\n" "# ipfw -q add deny all from any to any frag\n" "# ipfw -q add deny tcp from any to any established\n" "# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state\n" "# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state\n" "# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1815 #, no-wrap msgid "IPFW Kernel Options" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1819 msgid "" "In order to statically compile IPFW support into a custom kernel, refer to " "the instructions in crossref:kernelconfig[kernelconfig,Configuring the " "FreeBSD Kernel]. The following options are available for the custom kernel " "configuration file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1832 #, no-wrap msgid "" "options IPFIREWALL\t\t\t# enables IPFW\n" "options IPFIREWALL_VERBOSE\t\t# enables logging for rules with log keyword to syslogd(8)\n" "options IPFIREWALL_VERBOSE_LIMIT=5\t# limits number of logged packets per-entry\n" "options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied\n" "options IPFIREWALL_NAT\t\t# enables basic in-kernel NAT support\n" "options LIBALIAS\t\t\t# enables full in-kernel NAT support\n" "options IPFIREWALL_NAT64\t\t# enables in-kernel NAT64 support\n" "options IPFIREWALL_NPTV6\t\t# enables in-kernel IPv6 NPT support\n" "options IPFIREWALL_PMOD\t\t# enables protocols modification module support\n" "options IPDIVERT\t\t\t# enables NAT through natd(8)\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1837 msgid "" "IPFW can be loaded as a kernel module: options above are built by default as " "modules or can be set at runtime using tunables." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:1840 #, no-wrap msgid "IPFILTER (IPF)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1843 msgid "" "IPFILTER, also known as IPF, is a cross-platform, open source firewall which " "has been ported to several operating systems, including FreeBSD, NetBSD, " "OpenBSD, and Solaris(TM)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1846 msgid "" "IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled " "and monitored by userland programs. Firewall rules can be set or deleted " "using ipf, NAT rules can be set or deleted using ipnat, run-time statistics " "for the kernel parts of IPFILTER can be printed using ipfstat, and ipmon can " "be used to log IPFILTER actions to the system log files." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1849 msgid "" "IPF was originally written using a rule processing logic of \"the last " "matching rule wins\" and only used stateless rules. Since then, IPF has " "been enhanced to include the `quick` and `keep state` options." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1852 msgid "" "The IPF FAQ is at http://www.phildev.net/ipf/index.html[http://www.phildev." "net/ipf/index.html]. A searchable archive of the IPFilter mailing list is " "available at http://marc.info/?l=ipfilter[http://marc.info/?l=ipfilter]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1855 msgid "" "This section of the Handbook focuses on IPF as it pertains to FreeBSD. It " "provides examples of rules that contain the `quick` and `keep state` options." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1856 #, no-wrap msgid "Enabling IPF" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1859 msgid "" "IPF is included in the basic FreeBSD install as a kernel loadable module, " "meaning that a custom kernel is not needed in order to enable IPF." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1862 msgid "" "For users who prefer to statically compile IPF support into a custom kernel, " "refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring " "the FreeBSD Kernel]. The following kernel options are available:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1869 #, no-wrap msgid "" "options IPFILTER\n" "options IPFILTER_LOG\n" "options IPFILTER_LOOKUP\n" "options IPFILTER_DEFAULT_BLOCK\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1872 msgid "" "where `options IPFILTER` enables support for IPFILTER, `options " "IPFILTER_LOG` enables IPF logging using the [.filename]#ipl# packet logging " "pseudo-device for every rule that has the `log` keyword, `IPFILTER_LOOKUP` " "enables IP pools in order to speed up IP lookups, and `options " "IPFILTER_DEFAULT_BLOCK` changes the default behavior so that any packet not " "matching a firewall `pass` rule gets blocked." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1876 msgid "" "To configure the system to enable IPF at boot time, add the following " "entries to [.filename]#/etc/rc.conf#. These entries will also enable " "logging and `default pass all`. To change the default policy to `block all` " "without compiling a custom kernel, remember to add a `block all` rule at the " "end of the ruleset." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1887 #, no-wrap msgid "" "ipfilter_enable=\"YES\" # Start ipf firewall\n" "ipfilter_rules=\"/etc/ipf.rules\" # loads rules definition text file\n" "ipv6_ipfilter_rules=\"/etc/ipf6.rules\" # loads rules definition text file for IPv6\n" "ipmon_enable=\"YES\" # Start IP monitor log\n" "ipmon_flags=\"-Ds\" # D = start as daemon\n" " # s = log to syslog\n" " # v = log tcp window, ack, seq\n" " # n = map IP & port to names\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1890 msgid "If NAT functionality is needed, also add these lines:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1896 #, no-wrap msgid "" "gateway_enable=\"YES\" # Enable as LAN gateway\n" "ipnat_enable=\"YES\" # Start ipnat function\n" "ipnat_rules=\"/etc/ipnat.rules\" # rules definition file for ipnat\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1899 msgid "Then, to start IPF now:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1903 #, no-wrap msgid "# service ipfilter start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1907 msgid "" "To load the firewall rules, specify the name of the ruleset file using " "`ipf`. The following command can be used to replace the currently running " "firewall rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1911 #, no-wrap msgid "# ipf -Fa -f /etc/ipf.rules\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1914 msgid "" "where `-Fa` flushes all the internal rules tables and `-f` specifies the " "file containing the rules to load." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1917 msgid "" "This provides the ability to make changes to a custom ruleset and update the " "running firewall with a fresh copy of the rules without having to reboot the " "system. This method is convenient for testing new rules as the procedure " "can be executed as many times as needed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1919 msgid "" "Refer to man:ipf[8] for details on the other flags available with this " "command." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1920 #, no-wrap msgid "IPF Rule Syntax" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1926 msgid "" "This section describes the IPF rule syntax used to create stateful rules. " "When creating rules, keep in mind that unless the `quick` keyword appears in " "a rule, every rule is read in order, with the _last matching rule_ being the " "one that is applied. This means that even if the first rule to match a " "packet is a `pass`, if there is a later matching rule that is a `block`, the " "packet will be dropped. Sample rulesets can be found in [.filename]#/usr/" "share/examples/ipfilter#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1929 msgid "" "When creating rules, a `+#+` character is used to mark the start of a " "comment and may appear at the end of a rule, to explain that rule's " "function, or on its own line. Any blank lines are ignored." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1934 msgid "" "The keywords which are used in rules must be written in a specific order, " "from left to right. Some keywords are mandatory while others are optional. " "Some keywords have sub-options which may be keywords themselves and also " "include more sub-options. The keyword order is as follows, where the words " "shown in uppercase represent a variable and the words shown in lowercase " "must precede the variable that follows it:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1936 msgid "" "`_ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to " "DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE_`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1940 msgid "" "This section describes each of these keywords and their options. It is not " "an exhaustive list of every possible option. Refer to man:ipf[5] for a " "complete description of the rule syntax that can be used when creating IPF " "rules and examples for using each keyword." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1945 msgid "" "The action keyword indicates what to do with the packet if it matches that " "rule. Every rule _must_ have an action. The following actions are " "recognized:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1947 msgid "`block`: drops the packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1949 msgid "`pass`: allows the packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1951 msgid "`log`: generates a log record." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1953 msgid "" "`count`: counts the number of packets and bytes which can provide an " "indication of how often a rule is used." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1955 msgid "`auth`: queues the packet for further processing by another program." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1957 msgid "" "`call`: provides access to functions built into IPF that allow more complex " "actions." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1959 msgid "" "`decapsulate`: removes any headers in order to process the contents of the " "packet." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1960 #, no-wrap msgid "DIRECTION" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1962 msgid "" "Next, each rule must explicitly state the direction of traffic using one of " "these keywords:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1964 msgid "`in`: the rule is applied against an inbound packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1966 msgid "`out`: the rule is applied against an outbound packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1968 msgid "`all`: the rule applies to either direction." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1970 msgid "" "If the system has multiple interfaces, the interface can be specified along " "with the direction. An example would be `in on fxp0`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1974 msgid "" "Options are optional. However, if multiple options are specified, they must " "be used in the order shown here." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1976 msgid "" "`log`: when performing the specified ACTION, the contents of the packet's " "headers will be written to the man:ipl[4] packet log pseudo-device." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1978 msgid "" "`quick`: if a packet matches this rule, the ACTION specified by the rule " "occurs and no further processing of any following rules will occur for this " "packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1981 msgid "" "`on`: must be followed by the interface name as displayed by man:" "ifconfig[8]. The rule will only match if the packet is going through the " "specified interface in the specified direction." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1983 msgid "" "When using the `log` keyword, the following qualifiers may be used in this " "order:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1985 msgid "" "`body`: indicates that the first 128 bytes of the packet contents will be " "logged after the headers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1987 msgid "" "`first`: if the `log` keyword is being used in conjunction with a `keep " "state` option, this option is recommended so that only the triggering packet " "is logged and not every packet which matches the stateful connection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1990 msgid "" "Additional options are available to specify error return messages. Refer to " "man:ipf[5] for more details." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1991 #, no-wrap msgid "PROTO_TYPE" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1997 msgid "" "The protocol type is optional. However, it is mandatory if the rule needs " "to specify a SRC_PORT or a DST_PORT as it defines the type of protocol. " "When specifying the type of protocol, use the `proto` keyword followed by " "either a protocol number or name from [.filename]#/etc/protocols#. Example " "protocol names include `tcp`, `udp`, or `icmp`. If PROTO_TYPE is specified " "but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol " "will match that rule." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1998 #, no-wrap msgid "SRC_ADDR" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2002 msgid "" "The `from` keyword is mandatory and is followed by a keyword which " "represents the source of the packet. The source can be a hostname, an IP " "address followed by the CIDR mask, an address pool, or the keyword `all`. " "Refer to man:ipf[5] for examples." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2006 msgid "" "There is no way to match ranges of IP addresses which do not express " "themselves easily using the dotted numeric form / mask-length notation. The " "package:net-mgmt/ipcalc[] package or port may be used to ease the " "calculation of the CIDR mask. Additional information is available at the " "utility's web page: http://jodies.de/ipcalc[http://jodies.de/ipcalc]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2011 msgid "" "The port number of the source is optional. However, if it is used, it " "requires PROTO_TYPE to be first defined in the rule. The port number must " "also be preceded by the `proto` keyword." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2013 msgid "" "A number of different comparison operators are supported: `=` (equal to), `!" "=` (not equal to), `<` (less than), `>` (greater than), `<=` (less than or " "equal to), and `>=` (greater than or equal to)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2015 msgid "" "To specify port ranges, place the two port numbers between `<>` (less than " "and greater than ), `><` (greater than and less than ), or `:` (greater than " "or equal to and less than or equal to)." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:2016 #, no-wrap msgid "DST_ADDR" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2019 msgid "" "The `to` keyword is mandatory and is followed by a keyword which represents " "the destination of the packet. Similar to SRC_ADDR, it can be a hostname, " "an IP address followed by the CIDR mask, an address pool, or the keyword " "`all`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2024 msgid "" "Similar to SRC_PORT, the port number of the destination is optional. " "However, if it is used, it requires PROTO_TYPE to be first defined in the " "rule. The port number must also be preceded by the `proto` keyword." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:2025 #, no-wrap msgid "TCP_FLAG|ICMP_TYPE" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2028 msgid "" "If `tcp` is specified as the PROTO_TYPE, flags can be specified as letters, " "where each letter represents one of the possible TCP flags used to determine " "the state of a connection. Possible values are: `S` (SYN), `A` (ACK), `P` " "(PSH), `F` (FIN), `U` (URG), `R` (RST), `C` (CWN), and `E` (ECN)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2031 msgid "" "If `icmp` is specified as the PROTO_TYPE, the ICMP type to match can be " "specified. Refer to man:ipf[5] for the allowable types." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:2032 #, no-wrap msgid "STATE" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2036 msgid "" "If a `pass` rule contains `keep state`, IPF will add an entry to its dynamic " "state table and allow subsequent packets that match the connection. IPF can " "track state for TCP, UDP, and ICMP sessions. Any packet that IPF can be " "certain is part of an active session, even if it is a different protocol, " "will be allowed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2043 msgid "" "In IPF, packets destined to go out through the interface connected to the " "public Internet are first checked against the dynamic state table. If the " "packet matches the next expected packet comprising an active session " "conversation, it exits the firewall and the state of the session " "conversation flow is updated in the dynamic state table. Packets that do " "not belong to an already active session are checked against the outbound " "ruleset. Packets coming in from the interface connected to the public " "Internet are first checked against the dynamic state table. If the packet " "matches the next expected packet comprising an active session, it exits the " "firewall and the state of the session conversation flow is updated in the " "dynamic state table. Packets that do not belong to an already active " "session are checked against the inbound ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2047 msgid "" "Several keywords can be added after `keep state`. If used, these keywords " "set various options that control stateful filtering, such as setting " "connection limits or connection age. Refer to man:ipf[5] for the list of " "available options and their descriptions." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2051 msgid "" "This section demonstrates how to create an example ruleset which only allows " "services matching `pass` rules and blocks all others." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2054 msgid "" "FreeBSD uses the loopback interface ([.filename]#lo0#) and the IP address " "`127.0.0.1` for internal communication. The firewall ruleset must contain " "rules to allow free movement of these internally used packets:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2060 #, no-wrap msgid "" "# no restrictions on loopback interface\n" "pass in quick on lo0 all\n" "pass out quick on lo0 all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2065 msgid "" "The public interface connected to the Internet is used to authorize and " "control access of all outbound and inbound connections. If one or more " "interfaces are cabled to private networks, those internal interfaces may " "require rules to allow packets originating from the LAN to flow between the " "internal networks or to the interface attached to the Internet. The ruleset " "should be organized into three major sections: any trusted internal " "interfaces, outbound connections through the public interface, and inbound " "connections through the public interface." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2067 msgid "" "These two rules allow all traffic to pass through a trusted LAN interface " "named [.filename]#xl0#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2073 #, no-wrap msgid "" "# no restrictions on inside LAN interface for private network\n" "pass out quick on xl0 all\n" "pass in quick on xl0 all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2076 msgid "" "The rules for the public interface's outbound and inbound sections should " "have the most frequently matched rules placed before less commonly matched " "rules, with the last rule in the section blocking and logging all packets " "for that interface and direction." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2080 msgid "" "This set of rules defines the outbound section of the public interface named " "[.filename]#dc0#. These rules keep state and identify the specific services " "that internal systems are authorized for public Internet access. All the " "rules use `quick` and specify the appropriate port numbers and, where " "applicable, destination addresses." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2086 #, no-wrap msgid "" "# interface facing Internet (outbound)\n" "# Matches session start requests originating from or behind the\n" "# firewall, destined for the Internet.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2092 #, no-wrap msgid "" "# Allow outbound access to public DNS servers.\n" "# Replace x.x.x.x with address listed in /etc/resolv.conf.\n" "# Repeat for each DNS server.\n" "pass out quick on dc0 proto tcp from any to x.x.x.x port = 53 flags S keep state\n" "pass out quick on dc0 proto udp from any to x.x.x.x port = 53 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2099 #, no-wrap msgid "" "# Allow access to ISP's specified DHCP server for cable or DSL networks.\n" "# Use the first rule, then check log for the IP address of DHCP server.\n" "# Then, uncomment the second rule, replace z.z.z.z with the IP address,\n" "# and comment out the first rule\n" "pass out log quick on dc0 proto udp from any to any port = 67 keep state\n" "#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2103 #, no-wrap msgid "" "# Allow HTTP and HTTPS\n" "pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state\n" "pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2107 #, no-wrap msgid "" "# Allow email\n" "pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state\n" "pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2110 #, no-wrap msgid "" "# Allow NTP\n" "pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2113 #, no-wrap msgid "" "# Allow FTP\n" "pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2116 #, no-wrap msgid "" "# Allow SSH\n" "pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2119 #, no-wrap msgid "" "# Allow ping\n" "pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2122 #, no-wrap msgid "" "# Block and log everything else\n" "block out log first quick on dc0 all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2126 msgid "" "This example of the rules in the inbound section of the public interface " "blocks all undesirable packets first. This reduces the number of packets " "that are logged by the last rule." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2140 #, no-wrap msgid "" "# interface facing Internet (inbound)\n" "# Block all inbound traffic from non-routable or reserved address spaces\n" "block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP\n" "block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP\n" "block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP\n" "block in quick on dc0 from 127.0.0.0/8 to any #loopback\n" "block in quick on dc0 from 0.0.0.0/8 to any #loopback\n" "block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config\n" "block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs\n" "block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect\n" "block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2144 #, no-wrap msgid "" "# Block fragments and too short tcp packets\n" "block in quick on dc0 all with frags\n" "block in quick on dc0 proto tcp all with short\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2148 #, no-wrap msgid "" "# block source routed packets\n" "block in quick on dc0 all with opt lsrr\n" "block in quick on dc0 all with opt ssrr\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2151 #, no-wrap msgid "" "# Block OS fingerprint attempts and log first occurrence\n" "block in log first quick on dc0 proto tcp from any to any flags FUP\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2154 #, no-wrap msgid "" "# Block anything with special options\n" "block in quick on dc0 all with ipopts\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2158 #, no-wrap msgid "" "# Block public pings and ident\n" "block in quick on dc0 proto icmp all icmp-type 8\n" "block in quick on dc0 proto tcp from any to any port = 113\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2164 #, no-wrap msgid "" "# Block incoming Netbios services\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 137\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 138\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 139\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 81\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2168 msgid "" "Any time there are logged messages on a rule with the `log first` option, " "run `ipfstat -hio` to evaluate how many times the rule has been matched. A " "large number of matches may indicate that the system is under attack." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2171 msgid "" "The rest of the rules in the inbound section define which connections are " "allowed to be initiated from the Internet. The last rule denies all " "connections which were not explicitly allowed by previous rules in this " "section." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2177 #, no-wrap msgid "" "# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with\n" "# the same IP address used in the outbound section.\n" "pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2180 #, no-wrap msgid "" "# Allow public connections to specified internal web server\n" "pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2183 #, no-wrap msgid "" "# Block and log only first occurrence of all remaining traffic.\n" "block in log first quick on dc0 all\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2185 #, no-wrap msgid "Configuring NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2188 msgid "" "To enable NAT, add these statements to [.filename]#/etc/rc.conf# and specify " "the name of the file containing the NAT rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2194 #, no-wrap msgid "" "gateway_enable=\"YES\"\n" "ipnat_enable=\"YES\"\n" "ipnat_rules=\"/etc/ipnat.rules\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2199 msgid "" "NAT rules are flexible and can accomplish many different things to fit the " "needs of both commercial and home users. The rule syntax presented here has " "been simplified to demonstrate common usage. For a complete rule syntax " "description, refer to man:ipnat[5]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2201 msgid "" "The basic syntax for a NAT rule is as follows, where `map` starts the rule " "and _IF_ should be replaced with the name of the external interface:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2205 #, no-wrap msgid "map IF LAN_IP_RANGE -> PUBLIC_ADDRESS\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2210 msgid "" "The _LAN_IP_RANGE_ is the range of IP addresses used by internal clients. " "Usually, it is a private address range such as `192.168.1.0/24`. The " "_PUBLIC_ADDRESS_ can either be the static external IP address or the keyword " "`0/32` which represents the IP address assigned to _IF_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2217 msgid "" "In IPF, when a packet arrives at the firewall from the LAN with a public " "destination, it first passes through the outbound rules of the firewall " "ruleset. Then, the packet is passed to the NAT ruleset which is read from " "the top down, where the first matching rule wins. IPF tests each NAT rule " "against the packet's interface name and source IP address. When a packet's " "interface name matches a NAT rule, the packet's source IP address in the " "private LAN is checked to see if it falls within the IP address range " "specified in _LAN_IP_RANGE_. On a match, the packet has its source IP " "address rewritten with the public IP address specified by _PUBLIC_ADDRESS_. " "IPF posts an entry in its internal NAT table so that when the packet returns " "from the Internet, it can be mapped back to its original private IP address " "before being passed to the firewall rules for further processing." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2220 msgid "" "For networks that have large numbers of internal systems or multiple " "subnets, the process of funneling every private IP address into a single " "public IP address becomes a resource problem. Two methods are available to " "relieve this issue." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2223 msgid "" "The first method is to assign a range of ports to use as source ports. By " "adding the `portmap` keyword, NAT can be directed to only use source ports " "in the specified range:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2227 #, no-wrap msgid "map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2230 msgid "" "Alternately, use the `auto` keyword which tells NAT to determine the ports " "that are available for use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2234 #, no-wrap msgid "map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2239 msgid "" "The second method is to use a pool of public addresses. This is useful when " "there are too many LAN addresses to fit into a single public address and a " "block of public IP addresses is available. These public addresses can be " "used as a pool from which NAT selects an IP address as a packet's address is " "mapped on its way out." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2242 msgid "" "The range of public IP addresses can be specified using a netmask or CIDR " "notation. These two rules are equivalent:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2247 #, no-wrap msgid "" "map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0\n" "map dc0 192.168.1.0/24 -> 204.134.75.0/24\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2252 msgid "" "A common practice is to have a publicly accessible web server or mail server " "segregated to an internal network segment. The traffic from these servers " "still has to undergo NAT, but port redirection is needed to direct inbound " "traffic to the correct server. For example, to map a web server using the " "internal address `10.0.10.25` to its public IP address of `20.20.20.5`, use " "this rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2256 #, no-wrap msgid "rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2259 msgid "" "If it is the only web server, this rule would also work as it redirects all " "external HTTP requests to `10.0.10.25`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2263 #, no-wrap msgid "rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2268 msgid "" "IPF has a built in FTP proxy which can be used with NAT. It monitors all " "outbound traffic for active or passive FTP connection requests and " "dynamically creates temporary filter rules containing the port number used " "by the FTP data channel. This eliminates the need to open large ranges of " "high order ports for FTP connections." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2271 msgid "" "In this example, the first rule calls the proxy for outbound FTP traffic " "from the internal LAN. The second rule passes the FTP traffic from the " "firewall to the Internet, and the third rule handles all non-FTP traffic " "from the internal LAN:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2277 #, no-wrap msgid "" "map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp\n" "map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp\n" "map dc0 10.0.10.0/29 -> 0/32\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2281 msgid "" "The FTP `map` rules go before the NAT rule so that when a packet matches an " "FTP rule, the FTP proxy creates temporary filter rules to let the FTP " "session packets pass and undergo NAT. All LAN packets that are not FTP will " "not match the FTP rules but will undergo NAT if they match the third rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2284 msgid "" "Without the FTP proxy, the following firewall rules would instead be " "needed. Note that without the proxy, all ports above `1024` need to be " "allowed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2290 #, no-wrap msgid "" "# Allow out LAN PC client FTP to public Internet\n" "# Active and passive modes\n" "pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2293 #, no-wrap msgid "" "# Allow out passive mode data channel high order port numbers\n" "pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2296 #, no-wrap msgid "" "# Active mode let data channel in from FTP server\n" "pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2300 msgid "" "Whenever the file containing the NAT rules is edited, run `ipnat` with `-CF` " "to delete the current NAT rules and flush the contents of the dynamic " "translation table. Include `-f` and specify the name of the NAT ruleset to " "load:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2304 #, no-wrap msgid "# ipnat -CF -f /etc/ipnat.rules\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2307 msgid "To display the NAT statistics:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2311 #, no-wrap msgid "# ipnat -s\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2314 msgid "To list the NAT table's current mappings:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2318 #, no-wrap msgid "# ipnat -l\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2321 msgid "" "To turn verbose mode on and display information relating to rule processing " "and active rules and table entries:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2325 #, no-wrap msgid "# ipnat -v\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2327 #, no-wrap msgid "Viewing IPF Statistics" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2331 msgid "" "IPF includes man:ipfstat[8] which can be used to retrieve and display " "statistics which are gathered as packets match rules as they go through the " "firewall. Statistics are accumulated since the firewall was last started or " "since the last time they were reset to zero using `ipf -Z`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2333 msgid "The default `ipfstat` output looks like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2353 #, no-wrap msgid "" "input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0\n" " output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0\n" " input packets logged: blocked 99286 passed 0\n" " output packets logged: blocked 0 passed 0\n" " packets logged: input 0 output 0\n" " log failures: input 3898 output 0\n" " fragment state(in): kept 0 lost 0\n" " fragment state(out): kept 0 lost 0\n" " packet state(in): kept 169364 lost 0\n" " packet state(out): kept 431395 lost 0\n" " ICMP replies: 0 TCP RSTs sent: 0\n" " Result cache hits(in): 1215208 (out): 1098963\n" " IN Pullups succeeded: 2 failed: 0\n" " OUT Pullups succeeded: 0 failed: 0\n" " Fastroute successes: 0 failures: 0\n" " TCP cksum fails(in): 0 (out): 0\n" " Packet log flags set: (0)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2359 msgid "" "Several options are available. When supplied with either `-i` for inbound " "or `-o` for outbound, the command will retrieve and display the appropriate " "list of filter rules currently installed and in use by the kernel. To also " "see the rule numbers, include `-n`. For example, `ipfstat -on` displays the " "outbound rules table with rule numbers:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2365 #, no-wrap msgid "" "@1 pass out on xl0 from any to any\n" "@2 block out on dc0 from any to any\n" "@3 pass out quick on dc0 proto tcp/udp from any to any keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2369 msgid "" "Include `-h` to prefix each rule with a count of how many times the rule was " "matched. For example, `ipfstat -oh` displays the outbound internal rules " "table, prefixing each rule with its usage count:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2375 #, no-wrap msgid "" "2451423 pass out on xl0 from any to any\n" "354727 block out on dc0 from any to any\n" "430918 pass out quick on dc0 proto tcp/udp from any to any keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2381 msgid "" "To display the state table in a format similar to man:top[1], use `ipfstat -" "t`. When the firewall is under attack, this option provides the ability to " "identify and see the attacking packets. The optional sub-flags give the " "ability to select the destination or source IP, port, or protocol to be " "monitored in real time. Refer to man:ipfstat[8] for details." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2382 #, no-wrap msgid "IPF Logging" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2386 msgid "" "IPF provides `ipmon`, which can be used to write the firewall's logging " "information in a human readable format. It requires that `options " "IPFILTER_LOG` be first added to a custom kernel using the instructions in " "crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2389 msgid "" "This command is typically run in daemon mode in order to provide a " "continuous system log file so that logging of past events may be reviewed. " "Since FreeBSD has a built in man:syslogd[8] facility to automatically rotate " "system logs, the default [.filename]#rc.conf# `ipmon_flags` statement uses `-" "Ds`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2396 #, no-wrap msgid "" "ipmon_flags=\"-Ds\" # D = start as daemon\n" " # s = log to syslog\n" " # v = log tcp window, ack, seq\n" " # n = map IP & port to names\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2400 msgid "" "Logging provides the ability to review, after the fact, information such as " "which packets were dropped, what addresses they came from, and where they " "were going. This information is useful in tracking down attackers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2405 msgid "" "Once the logging facility is enabled in [.filename]#rc.conf# and started " "with `service ipmon start`, IPF will only log the rules which contain the " "`log` keyword. The firewall administrator decides which rules in the " "ruleset should be logged and normally only deny rules are logged. It is " "customary to include the `log` keyword in the last rule in the ruleset. " "This makes it possible to see all the packets that did not match any of the " "rules in the ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2408 msgid "" "By default, `ipmon -Ds` mode uses `local0` as the logging facility. The " "following logging levels can be used to further segregate the logged data:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2415 #, no-wrap msgid "" "LOG_INFO - packets logged using the \"log\" keyword as the action rather than pass or block.\n" "LOG_NOTICE - packets logged which are also passed\n" "LOG_WARNING - packets logged which are also blocked\n" "LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2418 msgid "" "In order to setup IPF to log all data to [.filename]#/var/log/ipfilter.log#, " "first create the empty file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2422 #, no-wrap msgid "# touch /var/log/ipfilter.log\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2425 msgid "" "Then, to write all logged messages to the specified file, add the following " "statement to [.filename]#/etc/syslog.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2429 #, no-wrap msgid "local0.* /var/log/ipfilter.log\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2432 msgid "" "To activate the changes and instruct man:syslogd[8] to read the modified [." "filename]#/etc/syslog.conf#, run `service syslogd reload`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2434 msgid "" "Do not forget to edit [.filename]#/etc/newsyslog.conf# to rotate the new log " "file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2437 msgid "" "Messages generated by `ipmon` consist of data fields separated by white " "space. Fields common to all messages are:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2439 msgid "The date of packet receipt." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2440 msgid "" "The time of packet receipt. This is in the form HH:MM:SS.F, for hours, " "minutes, seconds, and fractions of a second." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2441 msgid "The name of the interface that processed the packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2442 msgid "The group and rule number of the rule in the format `@0:17`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2443 msgid "" "The action: `p` for passed, `b` for blocked, `S` for a short packet, `n` did " "not match any rules, and `L` for a log rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2444 msgid "" "The addresses written as three fields: the source address and port separated " "by a comma, the -> symbol, and the destination address and port. For " "example: `209.53.17.22,80 -> 198.73.220.17,1722`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2445 msgid "`PR` followed by the protocol name or number: for example, `PR tcp`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2446 msgid "" "`len` followed by the header length and total length of the packet: for " "example, `len 20 40`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2449 msgid "" "If the packet is a TCP packet, there will be an additional field starting " "with a hyphen followed by letters corresponding to any flags that were set. " "Refer to man:ipf[5] for a list of letters and their flags." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2452 msgid "" "If the packet is an ICMP packet, there will be two fields at the end: the " "first always being \"icmp\" and the next being the ICMP message and sub-" "message type, separated by a slash. For example: `icmp 3/3` for a port " "unreachable message." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:2454 #, no-wrap msgid "Blacklistd" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2461 msgid "" "Blacklistd is a daemon listening to sockets awaiting to receive " "notifications from other daemons about connection attempts that failed or " "were successful. It is most widely used in blocking too many connection " "attempts on open ports. A prime example is SSH running on the internet " "getting a lot of requests from bots or scripts trying to guess passwords and " "gain access. Using blacklistd, the daemon can notify the firewall to create " "a filter rule to block excessive connection attempts from a single source " "after a number of tries. Blacklistd was first developed on NetBSD and " "appeared there in version 7. FreeBSD 11 imported blacklistd from NetBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2466 msgid "" "This chapter describes how to set up blacklistd, configure it, and provides " "examples on how to use it. Readers should be familiar with basic firewall " "concepts like rules. For details, refer to the firewall chapter. PF is " "used in the examples, but other firewalls available on FreeBSD should be " "able to work with blacklistd, too." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2467 #, no-wrap msgid "Enabling Blacklistd" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2473 msgid "" "The main configuration for blacklistd is stored in man:blacklistd.conf[5]. " "Various command line options are also available to change blacklistd's run-" "time behavior. Persistent configuration across reboots should be stored in " "[.filename]#/etc/blacklistd.conf#. To enable the daemon during system boot, " "add a `blacklistd_enable` line to [.filename]#/etc/rc.conf# like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2477 #, no-wrap msgid "# sysrc blacklistd_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2480 msgid "To start the service manually, run this command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2484 #, no-wrap msgid "# service blacklistd start\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2486 #, no-wrap msgid "Creating a Blacklistd Ruleset" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2491 msgid "" "Rules for blacklistd are configured in man:blacklistd.conf[5] with one entry " "per line. Each rule contains a tuple separated by spaces or tabs. Rules " "either belong to a `local` or a `remote`, which applies to the machine where " "blacklistd is running or an outside source, respectively." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:2492 #, no-wrap msgid "Local Rules" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2495 msgid "An example blacklistd.conf entry for a local rule looks like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2500 #, no-wrap msgid "" "[local]\n" "ssh stream * * * 3 24h\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2504 msgid "" "All rules that follow the `[local]` section are treated as local rules " "(which is the default), applying to the local machine. When a `[remote]` " "section is encountered, all rules that follow it are handled as remote " "machine rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2512 msgid "" "Seven fields separated by either tabs or spaces define a rule. The first " "four fields identify the traffic that should be blocklisted. The three " "fields that follow define backlistd's behavior. Wildcards are denoted as " "asterisks (`*`), matching anything in this field. The first field defines " "the location. In local rules, these are the network ports. The syntax for " "the location field is as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2516 #, no-wrap msgid "[address|interface][/mask][:port]\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2520 msgid "" "Addresses can be specified as IPv4 in numeric format or IPv6 in square " "brackets. An interface name like `_em0_` can also be used." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2524 msgid "" "The socket type is defined by the second field. TCP sockets are of type " "`stream`, whereas UDP is denoted as `dgram`. The example above uses TCP, " "since SSH is using that protocol." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2528 msgid "" "A protocol can be used in the third field of a blacklistd rule. The " "following protocols can be used: `tcp`, `udp`, `tcp6`, `udp6`, or numeric. " "A wildcard, like in the example, is typically used to match all protocols " "unless there is a reason to distinguish traffic by a certain protocol." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2531 msgid "" "In the fourth field, the effective user or owner of the daemon process that " "is reporting the event is defined. The username or UID can be used here, as " "well as a wildcard (see example rule above)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2534 msgid "" "The packet filter rule name is declared by the fifth field, which starts the " "behavior part of the rule. By default, blacklistd puts all blocks under a " "pf anchor called `blacklistd` in [.filename]#pf.conf# like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2540 #, no-wrap msgid "" "anchor \"blacklistd/*\" in on $ext_if\n" "block in\n" "pass out\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2546 msgid "" "For separate blocklists, an anchor name can be used in this field. In other " "cases, the wildcard will suffice. When a name starts with a hyphen (`-`) it " "means that an anchor with the default rule name prepended should be used. A " "modified example from the above using the hyphen would look like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2550 #, no-wrap msgid "ssh stream * * -ssh 3 24h\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2553 msgid "" "With such a rule, any new blocklist rules are added to an anchor called " "`blacklistd-ssh`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2557 msgid "" "To block whole subnets for a single rule violation, a `/` in the rule name " "can be used. This causes the remaining portion of the name to be " "interpreted as the mask to be applied to the address specified in the rule. " "For example, this rule would block every address adjoining `/24`." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2561 #, no-wrap msgid "22 stream tcp * */24 3 24h\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2567 msgid "" "It is important to specify the proper protocol here. IPv4 and IPv6 " "treat /24 differently, that is the reason why `*` cannot be used in the " "third field for this rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2570 msgid "" "This rule defines that if any one host in that network is misbehaving, " "everything else on that network will be blocked, too." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2574 msgid "" "The sixth field, called `nfail`, sets the number of login failures required " "to blocklist the remote IP in question. When a wildcard is used at this " "position, it means that blocks will never happen. In the example rule " "above, a limit of three is defined meaning that after three attempts to log " "into SSH on one connection, the IP is blocked." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2577 msgid "" "The last field in a blacklistd rule definition specifies how long a host is " "blocklisted. The default unit is seconds, but suffixes like `m`, `h`, and " "`d` can also be specified for minutes, hours, and days, respectively." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2581 msgid "" "The example rule in its entirety means that after three times authenticating " "to SSH will result in a new PF block rule for that host. Rule matches are " "performed by first checking local rules one after another, from most " "specific to least specific. When a match occurs, the `remote` rules are " "applied and the name, `nfail`, and disable fields are changed by the " "`remote` rule that matched." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:2582 #, no-wrap msgid "Remote Rules" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2588 msgid "" "Remote rules are used to specify how blacklistd changes its behavior " "depending on the remote host currently being evaluated. Each field in a " "remote rule is the same as in a local rule. The only difference is in the " "way blacklistd is using them. To explain it, this example rule is used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2593 #, no-wrap msgid "" "[remote]\n" "203.0.113.128/25 * * * =/25 = 48h\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2598 msgid "" "The address field can be an IP address (either v4 or v6), a port or both. " "This allows setting special rules for a specific remote address range like " "in this example. The fields for socket type, protocol and owner are " "identically interpreted as in the local rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2604 msgid "" "The name fields is different though: the equal sign (`=`) in a remote rule " "tells blacklistd to use the value from the matching local rule. It means " "that the firewall rule entry is taken and the `/25` prefix (a netmask of " "`255.255.255.128`) is added. When a connection from that address range is " "blocklisted, the entire subnet is affected. A PF anchor name can also be " "used here, in which case blacklistd will add rules for this address block to " "the anchor of that name. The default table is used when a wildcard is " "specified." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2608 msgid "" "A custom number of failures in the `nfail` column can be defined for an " "address. This is useful for exceptions to a specific rule, to maybe allow " "someone a less strict application of rules or a bit more leniency in login " "tries. Blocking is disabled when an asterisk is used in this sixth field." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2610 msgid "" "Remote rules allow a stricter enforcement of limits on attempts to log in " "compared to attempts coming from a local network like an office." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2611 #, no-wrap msgid "Blacklistd Client Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2616 msgid "" "There are a few software packages in FreeBSD that can utilize blacklistd's " "functionality. The two most prominent ones are man:ftpd[8] and man:sshd[8] " "to block excessive connection attempts. To activate blacklistd in the SSH " "daemon, add the following line to [.filename]#/etc/ssh/sshd_config#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2620 #, no-wrap msgid "UseBlacklist yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2623 msgid "Restart sshd afterwards to make these changes take effect." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2625 msgid "" "Blacklisting for man:ftpd[8] is enabled using `-B`, either in [.filename]#/" "etc/inetd.conf# or as a flag in [.filename]#/etc/rc.conf# like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2629 #, no-wrap msgid "ftpd_flags=\"-B\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2632 msgid "That is all that is needed to make these programs talk to blacklistd." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2633 #, no-wrap msgid "Blacklistd Management" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2638 msgid "" "Blacklistd provides the user with a management utility called man:" "blacklistctl[8]. It displays blocked addresses and networks that are " "blocklisted by the rules defined in man:blacklistd.conf[5]. To see the list " "of currently blocked hosts, use `dump` combined with `-b` like this." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2644 #, no-wrap msgid "" "# blacklistctl dump -b\n" " address/ma:port id nfail last access\n" "213.0.123.128/25:22 OK 6/3 2019/06/08 14:30:19\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2650 msgid "" "This example shows that there were 6 out of three permitted attempts on port " "22 coming from the address range `213.0.123.128/25`. There are more " "attempts listed than are allowed because SSH allows a client to try multiple " "logins on a single TCP connection. A connection that is currently going on " "is not stopped by blacklistd. The last connection attempt is listed in the " "`last access` column of the output." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2652 msgid "" "To see the remaining time that this host will be on the blocklist, add `-r` " "to the previous command." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2658 #, no-wrap msgid "" "# blacklistctl dump -br\n" " address/ma:port id nfail remaining time\n" "213.0.123.128/25:22 OK 6/3 36s\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2661 msgid "" "In this example, there are 36s seconds left until this host will not be " "blocked any more." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2662 #, no-wrap msgid "Removing Hosts from the Block List" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2673 msgid "" "Sometimes it is necessary to remove a host from the block list before the " "remaining time expires. Unfortunately, there is no functionality in " "blacklistd to do that. However, it is possible to remove the address from " "the PF table using pfctl. For each blocked port, there is a child anchor " "inside the blacklistd anchor defined in [.filename]#/etc/pf.conf#. For " "example, if there is a child anchor for blocking port 22 it is called " "`blacklistd/22`. There is a table inside that child anchor that contains " "the blocked addresses. This table is called port followed by the port " "number. In this example, it would be called `port22`. With that " "information at hand, it is now possible to use man:pfctl[8] to display all " "addresses listed like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2680 #, no-wrap msgid "" "# pfctl -a blacklistd/22 -t port22 -T show\n" "...\n" "213.0.123.128/25\n" "...\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2683 msgid "" "After identifying the address to be unblocked from the list, the following " "command removes it from the list:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2687 #, no-wrap msgid "# pfctl -a blacklistd/22 -t port22 -T delete 213.0.123.128/25\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2691 msgid "" "The address is now removed from PF, but will still show up in the " "blacklistctl list, since it does not know about any changes made in PF. The " "entry in blacklistd's database will eventually expire and be removed from " "its output. The entry will be added again if the host is matching one of " "the block rules in blacklistd again." msgstr "" diff --git a/documentation/content/en/books/handbook/virtualization/_index.adoc b/documentation/content/en/books/handbook/virtualization/_index.adoc index 8082578062..cd1c614ee4 100644 --- a/documentation/content/en/books/handbook/virtualization/_index.adoc +++ b/documentation/content/en/books/handbook/virtualization/_index.adoc @@ -1,1748 +1,1748 @@ --- title: Chapter 24. Virtualization part: Part III. System Administration prev: books/handbook/filesystems next: books/handbook/l10n description: Virtualization software allows multiple operating systems to run simultaneously on the same computer tags: ["virtualization", "Parallels", "VMware", "VirtualBox", "bhyve", "XEN"] showBookMenu: true weight: 28 path: "/books/handbook/virtualization/" --- [[virtualization]] = Virtualization :doctype: book :toc: macro :toclevels: 1 :icons: font :sectnums: :sectnumlevels: 6 :sectnumoffset: 24 :partnums: :source-highlighter: rouge :experimental: :images-path: books/handbook/virtualization/ ifdef::env-beastie[] ifdef::backend-html5[] :imagesdir: ../../../../images/{images-path} endif::[] ifndef::book[] include::shared/authors.adoc[] include::shared/mirrors.adoc[] include::shared/releases.adoc[] include::shared/attributes/attributes-{{% lang %}}.adoc[] include::shared/{{% lang %}}/teams.adoc[] include::shared/{{% lang %}}/mailing-lists.adoc[] include::shared/{{% lang %}}/urls.adoc[] toc::[] endif::[] ifdef::backend-pdf,backend-epub3[] include::../../../../../shared/asciidoctor.adoc[] endif::[] endif::[] ifndef::env-beastie[] toc::[] include::../../../../../shared/asciidoctor.adoc[] endif::[] [[virtualization-synopsis]] == Synopsis Virtualization software allows multiple operating systems to run simultaneously on the same computer. Such software systems for PCs often involve a host operating system which runs the virtualization software and supports any number of guest operating systems. After reading this chapter, you will know: * The difference between a host operating system and a guest operating system. * How to install FreeBSD on the following virtualization platforms: ** Parallels Desktop(Apple(R) macOS(R)) ** VMware Fusion(Apple(R) macOS(R)) ** VirtualBox(TM)(Microsoft(R) Windows(R), Intel(R)-based Apple(R) macOS(R), Linux) ** bhyve(FreeBSD) * How to tune a FreeBSD system for best performance under virtualization. Before reading this chapter, you should: * Understand the crossref:basics[basics,basics of UNIX(R) and FreeBSD]. * Know how to crossref:bsdinstall[bsdinstall,install FreeBSD]. * Know how to crossref:advanced-networking[advanced-networking,set up a network connection]. * Know how to crossref:ports[ports,install additional third-party software]. [[virtualization-guest-parallelsdesktop]] == FreeBSD as a Guest on Parallels Desktop for macOS(R) Parallels Desktop for Mac(R) is a commercial software product available for Apple(R) Mac(R) computers running macOS(R) 10.14.6 or higher. FreeBSD is a fully supported guest operating system. Once Parallels has been installed on macOS(R), the user must configure a virtual machine and then install the desired guest operating system. [[virtualization-guest-parallelsdesktop-install]] === Installing FreeBSD on Parallels Desktop on Mac(R) The first step in installing FreeBSD on Parallels is to create a new virtual machine for installing FreeBSD. Choose menu:Install Windows or another OS from a DVD or image file[] and proceed. image::parallels-freebsd1.png[Parallels setup wizard showing Install Windows or another OS from a DVD or image file chosen] Select the FreeBSD image file. image::parallels-freebsd2.png[Parallels setup wizard showing FreeBSD image file selected] Choose menu:Other as operating system[]. [WARNING] ==== Choosing FreeBSD will cause boot error on startup. ==== image::parallels-freebsd3.png[Parallels setup wizard showing Other selected as operating system] Name the virtual machine and check menu:Customize settings before installation[] image::parallels-freebsd4.png[Parallels setup wizard showing the checkbox checked for customizing settings before installation] When the configuration window pops up, go to menu:Hardware[] tab, choose menu:Boot order[], and click menu:Advanced[]. Then, choose *EFI 64-bit* as menu:BIOS[]. image::parallels-freebsd5.png[Parallels setup wizard showing EFI 64-bit chosen as BIOS] Click menu:OK[], close the configuration window, and click menu:Continue[]. image::parallels-freebsd6.png[Parallels setup wizard showing the summary of the new virtual machine] The virtual machine will automatically boot. Install FreeBSD following the general steps. image::parallels-freebsd7.png[FreeBSD booted on Parallels] [[virtualization-guest-parallels-configure]] === Configuring FreeBSD on Parallels After FreeBSD has been successfully installed on macOS(R) X with Parallels, there are a number of configuration steps that can be taken to optimize the system for virtualized operation. [.procedure] . Set Boot Loader Variables + The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the Parallels environment. This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: + [.programlisting] .... kern.hz=100 .... + Without this setting, an idle FreeBSD Parallels guest will use roughly 15% of the CPU of a single processor iMac(R). After this change the usage will be closer to 5%. + If installing FreeBSD 14.0 or later, and CPU utilization is still high, add the following additional line to [.filename]#/boot/loader.conf#: + [.programlisting] .... debug.acpi.disabled="ged" .... . Create a New Kernel Configuration File + All SCSI, FireWire, and USB device drivers can be removed from a custom kernel configuration file. Parallels provides a virtual network adapter used by the man:ed[4] driver, so all network devices except for man:ed[4] and man:miibus[4] can be removed from the kernel. . Configure Networking + The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the host Mac(R). This can be accomplished by adding `ifconfig_ed0="DHCP"` to [.filename]#/etc/rc.conf#. More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. [[virtualization-guest-vmware]] == FreeBSD as a Guest on VMware Fusion for macOS(R) VMware Fusion for Mac(R) is a commercial software product available for Apple(R) Mac(R) computers running macOS(R) 12 or higher. FreeBSD is a fully supported guest operating system. Once VMware Fusion has been installed on macOS(R), the user can configure a virtual machine and then install the desired guest operating system. [[virtualization-guest-vmware-install]] === Installing FreeBSD on VMware Fusion The first step is to start VMware Fusion which will load the Virtual Machine Library. Click [.guimenuitem]#+->New# to create the virtual machine: image::vmware-freebsd01.png[] This will load the New Virtual Machine Assistant. Choose [.guimenuitem]#Create a custom virtual machine# and click [.guimenuitem]#Continue# to proceed: image::vmware-freebsd02.png[] Select [.guimenuitem]#Other# as the [.guimenuitem]#Operating System# and either [.guimenuitem]#FreeBSD X# or [.guimenuitem]#FreeBSD X 64-bit#, as the menu:Version[] when prompted: image::vmware-freebsd03.png[] Choose the firmware(UEFI is recommended): image::vmware-freebsd04.png[] Choose [.guimenuitem]#Create a new virtual disk# and click [.guimenuitem]#Continue#: image::vmware-freebsd05.png[] Check the configuration and click [.guimenuitem]#Finish#: image::vmware-freebsd06.png[] Choose the name of the virtual machine and the directory where it should be saved: image::vmware-freebsd07.png[] Press command+E to open virtual machine settings and click [.guimenuitem]#CD/DVD#: image::vmware-freebsd08.png[] Choose FreeBSD ISO image or from a CD/DVD: image::vmware-freebsd09.png[] Start the virtual machine: image::vmware-freebsd10.png[] Install FreeBSD as usual: image::vmware-freebsd11.png[] Once the install is complete, the settings of the virtual machine can be modified, such as memory usage and the number of CPUs the virtual machine will have access to: [NOTE] ==== The System Hardware settings of the virtual machine cannot be modified while the virtual machine is running. ==== image::vmware-freebsd12.png[] The status of the CD-ROM device. Normally the CD/DVD/ISO is disconnected from the virtual machine when it is no longer needed. image::vmware-freebsd09.png[] The last thing to change is how the virtual machine will connect to the network. To allow connections to the virtual machine from other machines besides the host, choose [.guimenuitem]#Connect directly to the physical network (Bridged)#. Otherwise, [.guimenuitem]#Share the host's internet connection (NAT)# is preferred so that the virtual machine can have access to the Internet, but the network cannot access the virtual machine. image::vmware-freebsd13.png[] After modifying the settings, boot the newly installed FreeBSD virtual machine. [[virtualization-guest-vmware-configure]] === Configuring FreeBSD on VMware Fusion After FreeBSD has been successfully installed on macOS(R) X with VMware Fusion, there are a number of configuration steps that can be taken to optimize the system for virtualized operation. [.procedure] . Set Boot Loader Variables + The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the VMware Fusion environment. This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: + [.programlisting] .... kern.hz=100 .... + Without this setting, an idle FreeBSD VMware Fusion guest will use roughly 15% of the CPU of a single processor iMac(R). After this change, the usage will be closer to 5%. . Create a New Kernel Configuration File + All FireWire, and USB device drivers can be removed from a custom kernel configuration file. VMware Fusion provides a virtual network adapter used by the man:em[4] driver, so all network devices except for man:em[4] can be removed from the kernel. . Configure Networking + The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the host Mac(R). This can be accomplished by adding `ifconfig_em0="DHCP"` to [.filename]#/etc/rc.conf#. More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. + . Install drivers and open-vm-tools + To run FreeBSD smoothly on VMWare, drivers should be installed: + [source,shell] .... # pkg install xf86-video-vmware xf86-input-vmmouse open-vm-tools .... [[virtualization-guest-virtualbox]] == FreeBSD as a Guest on VirtualBox(TM) FreeBSD works well as a guest in VirtualBox(TM). The virtualization software is available for most common operating systems, including FreeBSD itself. The VirtualBox(TM) guest additions provide support for: * Clipboard sharing. * Mouse pointer integration. * Host time synchronization. * Window scaling. * Seamless mode. [NOTE] ==== These commands are run in the FreeBSD guest. ==== First, install the package:emulators/virtualbox-ose-additions[] package or port in the FreeBSD guest. This will install the port: [source,shell] .... # cd /usr/ports/emulators/virtualbox-ose-additions && make install clean .... Add these lines to [.filename]#/etc/rc.conf#: [.programlisting] .... vboxguest_enable="YES" vboxservice_enable="YES" .... If man:ntpd[8] or man:ntpdate[8] is used, disable host time synchronization: [.programlisting] .... vboxservice_flags="--disable-timesync" .... Xorg will automatically recognize the `vboxvideo` driver. It can also be manually entered in [.filename]#/etc/X11/xorg.conf#: [.programlisting] .... Section "Device" Identifier "Card0" Driver "vboxvideo" VendorName "InnoTek Systemberatung GmbH" BoardName "VirtualBox Graphics Adapter" EndSection .... To use the `vboxmouse` driver, adjust the mouse section in [.filename]#/etc/X11/xorg.conf#: [.programlisting] .... Section "InputDevice" Identifier "Mouse0" Driver "vboxmouse" EndSection .... Shared folders for file transfers between host and VM are accessible by mounting them using `mount_vboxvfs`. A shared folder can be created on the host using the VirtualBox GUI or via `vboxmanage`. For example, to create a shared folder called _myshare_ under [.filename]#/mnt/bsdboxshare# for the VM named _BSDBox_, run: [source,shell] .... # vboxmanage sharedfolder add 'BSDBox' --name myshare --hostpath /mnt/bsdboxshare .... Note that the shared folder name must not contain spaces. Mount the shared folder from within the guest system like this: [source,shell] .... # mount_vboxvfs -w myshare /mnt .... [[virtualization-host-virtualbox]] == FreeBSD as a Host with VirtualBox(TM) VirtualBox(TM) is an actively developed, complete virtualization package, that is available for most operating systems including Windows(R), macOS(R), Linux(R) and FreeBSD. It is equally capable of running Windows(R) or UNIX(R)-like guests. It is released as open source software, but with closed-source components available in a separate extension pack. These components include support for USB 2.0 devices. More information may be found on the http://www.virtualbox.org/wiki/Downloads[Downloads page of the VirtualBox(TM) wiki]. Currently, these extensions are not available for FreeBSD. [[virtualization-virtualbox-install]] === Installing VirtualBox(TM) VirtualBox(TM) is available as a FreeBSD package or port in package:emulators/virtualbox-ose[]. The port can be installed using these commands: [source,shell] .... # cd /usr/ports/emulators/virtualbox-ose # make install clean .... One useful option in the port's configuration menu is the `GuestAdditions` suite of programs. These provide a number of useful features in guest operating systems, like mouse pointer integration (allowing the mouse to be shared between host and guest without the need to press a special keyboard shortcut to switch) and faster video rendering, especially in Windows(R) guests. The guest additions are available in the menu:Devices[] menu, after the installation of the guest is finished. A few configuration changes are needed before VirtualBox(TM) is started for the first time. The port installs a kernel module in [.filename]#/boot/modules# which must be loaded into the running kernel: [source,shell] .... # kldload vboxdrv .... To ensure the module is always loaded after a reboot, add this line to [.filename]#/boot/loader.conf#: [.programlisting] .... vboxdrv_load="YES" .... To use the kernel modules that allow bridged or host-only networking, add this line to [.filename]#/etc/rc.conf# and reboot the computer: [.programlisting] .... vboxnet_enable="YES" .... The `vboxusers` group is created during installation of VirtualBox(TM). All users that need access to VirtualBox(TM) will have to be added as members of this group. `pw` can be used to add new members: [source,shell] .... # pw groupmod vboxusers -m yourusername .... The default permissions for [.filename]#/dev/vboxnetctl# are restrictive and need to be changed for bridged networking: [source,shell] .... # chown root:vboxusers /dev/vboxnetctl # chmod 0660 /dev/vboxnetctl .... To make this permissions change permanent, add these lines to [.filename]#/etc/devfs.conf#: [.programlisting] .... own vboxnetctl root:vboxusers perm vboxnetctl 0660 .... To launch VirtualBox(TM), type from an Xorg session: [source,shell] .... % VirtualBox .... For more information on configuring and using VirtualBox(TM), refer to the http://www.virtualbox.org[official website]. For FreeBSD-specific information and troubleshooting instructions, refer to the http://wiki.FreeBSD.org/VirtualBox[relevant page in the FreeBSD wiki]. [[virtualization-virtualbox-usb-support]] === VirtualBox(TM) USB Support VirtualBox(TM) can be configured to pass USB devices through to the guest operating system. The host controller of the OSE version is limited to emulating USB 1.1 devices until the extension pack supporting USB 2.0 and 3.0 devices becomes available on FreeBSD. For VirtualBox(TM) to be aware of USB devices attached to the machine, the user needs to be a member of the `operator` group. [source,shell] .... # pw groupmod operator -m yourusername .... Then, add the following to [.filename]#/etc/devfs.rules#, or create this file if it does not exist yet: [.programlisting] .... [system=10] add path 'usb/*' mode 0660 group operator .... To load these new rules, add the following to [.filename]#/etc/rc.conf#: [.programlisting] .... devfs_system_ruleset="system" .... Then, restart devfs: [source,shell] .... # service devfs restart .... Restart the login session and VirtualBox(TM) for these changes to take effect, and create USB filters as necessary. [[virtualization-virtualbox-host-dvd-cd-access]] === VirtualBox(TM) Host DVD/CD Access Access to the host DVD/CD drives from guests is achieved through the sharing of the physical drives. Within VirtualBox(TM), this is set up from the Storage window in the Settings of the virtual machine. If needed, create an empty IDECD/DVD device first. Then choose the Host Drive from the popup menu for the virtual CD/DVD drive selection. A checkbox labeled `Passthrough` will appear. This allows the virtual machine to use the hardware directly. For example, audio CDs or the burner will only function if this option is selected. In order for users to be able to use VirtualBox(TM)DVD/CD functions, they need access to [.filename]#/dev/xpt0#, [.filename]#/dev/cdN#, and [.filename]#/dev/passN#. This is usually achieved by making the user a member of `operator`. Permissions to these devices have to be corrected by adding these lines to [.filename]#/etc/devfs.conf#: [.programlisting] .... perm cd* 0660 perm xpt0 0660 perm pass* 0660 .... [source,shell] .... # service devfs restart .... [[virtualization-host-bhyve]] == FreeBSD as a Host with bhyve The bhyve BSD-licensed hypervisor became part of the base system with FreeBSD 10.0-RELEASE. This hypervisor supports several guests, including FreeBSD, OpenBSD, many Linux(R) distributions, and Microsoft Windows(R). By default, bhyve provides access to a serial console and does not emulate a graphical console. Virtualization offload features of newer CPUs are used to avoid the legacy methods of translating instructions and manually managing memory mappings. The bhyve design requires * an Intel(R) processor that supports Intel Extended Page Tables (EPT), * or an AMD(R) processor that supports AMD Rapid Virtualization Indexing (RVI), or Nested Page Tables (NPT), * or an ARM(R) aarch64 CPU. Only pure ARMv8.0 virtualization is supported on ARM, the Virtualization Host Extensions are not currently used. Hosting Linux(R) guests or FreeBSD guests with more than one vCPU requires VMX unrestricted mode support (UG). The easiest way to tell if an Intel or AMD processor supports bhyve is to run `dmesg` or look in [.filename]#/var/run/dmesg.boot# for the `POPCNT` processor feature flag on the `Features2` line for AMD(R) processors or `EPT` and `UG` on the `VT-x` line for Intel(R) processors. [[virtualization-bhyve-prep]] === Preparing the Host The first step to creating a virtual machine in bhyve is configuring the host system. First, load the bhyve kernel module: [source,shell] .... # kldload vmm .... There are several ways to connect a virtual machine guest to a host's network; one straightforward way to accomplish this is to create a [.filename]#tap# interface for the network device in the virtual machine to attach to. For the network device to participate in the network, also create a bridge interface containing the [.filename]#tap# interface and the physical interface as members. In this example, the physical interface is _igb0_: [source,shell] .... # ifconfig tap0 create # sysctl net.link.tap.up_on_open=1 net.link.tap.up_on_open: 0 -> 1 # ifconfig bridge0 create # ifconfig bridge0 addm igb0 addm tap0 # ifconfig bridge0 up .... [[virtualization-bhyve-freebsd]] === Creating a FreeBSD Guest Create a file to use as the virtual disk for the guest machine. Specify the size and name of the virtual disk: [source,shell] .... # truncate -s 16G guest.img .... Download an installation image of FreeBSD to install: [source,shell] .... # fetch https://download.freebsd.org/releases/ISO-IMAGES/14.0/FreeBSD-14.0-RELEASE-amd64-bootonly.iso FreeBSD-14.0-RELEASE-amd64-bootonly.iso 426 MB 16 MBps 22s .... FreeBSD comes with an example script `vmrun.sh` for running a virtual machine in bhyve. It will start the virtual machine and run it in a loop, so it will automatically restart if it crashes. `vmrun.sh` takes several options to control the configuration of the machine, including: * `-c` controls the number of virtual CPUs, * `-m` limits the amount of memory available to the guest, * `-t` defines which [.filename]#tap# device to use, * `-d` indicates which disk image to use, * `-i` tells bhyve to boot from the CD image instead of the disk, and * `-I` defines which CD image to use. The last parameter is the name of the virtual machine and is used to track the running machines. The following command lists all available program argument options: [source,shell] .... # sh /usr/share/examples/bhyve/vmrun.sh -h .... This example starts the virtual machine in installation mode: [source,shell] .... # sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M -t tap0 -d guest.img \ -i -I FreeBSD-14.0-RELEASE-amd64-bootonly.iso guestname .... The virtual machine will boot and start the installer. After installing a system in the virtual machine, when the system asks about dropping into a shell at the end of the installation, choose btn:[Yes]. Reboot the virtual machine. While rebooting the virtual machine causes bhyve to exit, the [.filename]#vmrun.sh# script runs `bhyve` in a loop and will automatically restart it. When this happens, choose the reboot option from the boot loader menu to escape the loop. Now the guest can be started from the virtual disk: [source,shell] .... # sh /usr/share/examples/bhyve/vmrun.sh -c 4 -m 1024M -t tap0 -d guest.img guestname .... [[virtualization-bhyve-linux]] === Creating a Linux(R) Guest Linux guests can be booted either like any other regular crossref:virtualization[virtualization-bhyve-uefi,"UEFI-based guest"] virtual machine, or alternatively, you can make use of the package:sysutils/grub2-bhyve[] port. To do this, first ensure that the port is installed, then create a file to use as the virtual disk for the guest machine: [source,shell] .... # truncate -s 16G linux.img .... Starting a Linux virtual machine with `grub2-bhyve` is a two-step process. . First a kernel must be loaded, then the guest can be started. . The Linux(R) kernel is loaded with package:sysutils/grub2-bhyve[]. Create a [.filename]#device.map# that grub will use to map the virtual devices to the files on the host system: [.programlisting] .... (hd0) ./linux.img (cd0) ./somelinux.iso .... Use package:sysutils/grub2-bhyve[] to load the Linux(R) kernel from the ISO image: [source,shell] .... # grub-bhyve -m device.map -r cd0 -M 1024M linuxguest .... This will start grub. If the installation CD contains a [.filename]#grub.cfg#, a menu will be displayed. If not, the `vmlinuz` and `initrd` files must be located and loaded manually: [source,shell] .... grub> ls (hd0) (cd0) (cd0,msdos1) (host) grub> ls (cd0)/isolinux boot.cat boot.msg grub.conf initrd.img isolinux.bin isolinux.cfg memtest splash.jpg TRANS.TBL vesamenu.c32 vmlinuz grub> linux (cd0)/isolinux/vmlinuz grub> initrd (cd0)/isolinux/initrd.img grub> boot .... Now that the Linux(R) kernel is loaded, the guest can be started: [source,shell] .... # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \ -s 3:0,virtio-blk,./linux.img -s 4:0,ahci-cd,./somelinux.iso \ -l com1,stdio -c 4 -m 1024M linuxguest .... The system will boot and start the installer. After installing a system in the virtual machine, reboot the virtual machine. This will cause bhyve to exit. The instance of the virtual machine needs to be destroyed before it can be started again: [source,shell] .... # bhyvectl --destroy --vm=linuxguest .... Now the guest can be started directly from the virtual disk. Load the kernel: [source,shell] .... # grub-bhyve -m device.map -r hd0,msdos1 -M 1024M linuxguest grub> ls (hd0) (hd0,msdos2) (hd0,msdos1) (cd0) (cd0,msdos1) (host) (lvm/VolGroup-lv_swap) (lvm/VolGroup-lv_root) grub> ls (hd0,msdos1)/ lost+found/ grub/ efi/ System.map-2.6.32-431.el6.x86_64 config-2.6.32-431.el6.x 86_64 symvers-2.6.32-431.el6.x86_64.gz vmlinuz-2.6.32-431.el6.x86_64 initramfs-2.6.32-431.el6.x86_64.img grub> linux (hd0,msdos1)/vmlinuz-2.6.32-431.el6.x86_64 root=/dev/mapper/VolGroup-lv_root grub> initrd (hd0,msdos1)/initramfs-2.6.32-431.el6.x86_64.img grub> boot .... Boot the virtual machine: [source,shell] .... # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \ -s 3:0,virtio-blk,./linux.img -l com1,stdio -c 4 -m 1024M linuxguest .... Linux(R) will now boot in the virtual machine and eventually present you with the login prompt. Login and use the virtual machine. When you are finished, reboot the virtual machine to exit bhyve. Destroy the virtual machine instance: [source,shell] .... # bhyvectl --destroy --vm=linuxguest .... [[virtualization-bhyve-uefi]] === Booting bhyve Virtual Machines with UEFI Firmware In addition to `bhyveload` and `grub-bhyve`, the bhyve hypervisor can also boot virtual machines using the UEFI firmware. This option may support guest operating systems that are not supported by the other loaders. To make use of the UEFI support in bhyve, first obtain the UEFI firmware images. This can be done by installing package:sysutils/bhyve-firmware[] port or package. With the firmware in place, add the flags `-l bootrom,_/path/to/firmware_` to your bhyve command line. The actual bhyve command may look like this: [source,shell] .... # bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \ -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \ -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \ -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ guest .... To allow a guest to store UEFI variables, you can use a variables file appended to the `-l` flag. Note that bhyve will write guest modifications to the given variables file. Therefore, be sure to first create a per-guest-copy of the variables template file: [source,shell] .... # cp /usr/local/share/uefi-firmware/BHYVE_UEFI_VARS.fd /path/to/vm-image/BHYVE_UEFI_VARS.fd .... Then, add that variables file into your bhyve arguments: [source,shell] .... # bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \ -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \ -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \ -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,/path/to/vm-image/BHYVE_UEFI_VARS.fd \ guest .... [NOTE] ==== Some Linux distributions require the use of UEFI variables to store the path for their UEFI boot file (using `linux64.efi` or `grubx64.efi` instead of `bootx64.efi`, for example). It is therefore recommended to use a variables file for Linux virtual machines to avoid having to manually alter the boot partition files. ==== To view or modify the variables file contents, use man:efivar[8] from the host. package:sysutils/bhyve-firmware[] also contains a CSM-enabled firmware, to boot guests with no UEFI support in legacy BIOS mode: [source,shell] .... # bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \ -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \ -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \ -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CSM.fd \ guest .... [[virtualization-bhyve-framebuffer]] === Graphical UEFI Framebuffer for bhyve Guests The UEFI firmware support is particularly useful with predominantly graphical guest operating systems such as Microsoft Windows(R). Support for the UEFI-GOP framebuffer may also be enabled with the `-s 29,fbuf,tcp=_0.0.0.0:5900_` flags. The framebuffer resolution may be configured with `w=_800_` and `h=_600_`, and bhyve can be instructed to wait for a VNC connection before booting the guest by adding `wait`. The framebuffer may be accessed from the host or over the network via the VNC protocol. Additionally, `-s 30,xhci,tablet` can be added to achieve precise mouse cursor synchronization with the host. The resulting bhyve command would look like this: [source,shell] .... # bhyve -AHP -s 0:0,hostbridge -s 31:0,lpc \ -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \ -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \ -s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,wait \ -s 30,xhci,tablet \ -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ guest .... Note, in BIOS emulation mode, the framebuffer will cease receiving updates once control is passed from firmware to guest operating system. [[virtualization-bhyve-windows]] === Creating a Microsoft Windows(R) Guest === Setting up a guest for Windows versions 10 or earlier can be done directly from the original installation media and is a relatively straightforward process. Aside from minimum resource requirements, running Windows as guest requires * wiring virtual machine memory (flag `-w`) and * booting with an UEFI bootrom. An example for booting a virtual machine guest with a Windows installation ISO: [source,shell] .... bhyve \ -c 2 \ -s 0,hostbridge \ -s 3,nvme,windows2016.img \ -s 4,ahci-cd,install.iso \ -s 10,virtio-net,tap0 \ -s 31,lpc \ -s 30,xhci,tablet \ -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ -m 8G -H -w \ windows2016 .... Only one or two VCPUs should be used during installation but this number can be increased once Windows is installed. link:https://github.com/virtio-win/virtio-win-pkg-scripts/blob/master/README.md[VirtIO drivers] must be installed to use the defined `virtio-net` network interface. An alternative is to switch to E1000 (Intel E82545) emulation by changing `virtio-net` to `e1000` in the above command line. However, performance will be impacted. [[virtualization-bhyve-windows-win11]] ==== Creating a Windows 11 Guest ==== Beginning with Windows 11, Microsoft introduced a hardware requirement for a TPM 2 module. bhyve supports passing a hardware TPM through to a guest. The installation media can be modified to disable the relevant hardware checks. A detailed description for this process can be found on the link:https://wiki.freebsd.org/bhyve/Windows#iso-remaster[FreeBSD Wiki]. [WARNING] ==== Modifying Windows installation media and running Windows guests without a TPM module are unsupported by the manufacturer. Consider your application and use case before implementing such approaches. ==== [[virtualization-bhyve-zfs]] === Using ZFS with bhyve Guests If ZFS is available on the host machine, using ZFS volumes instead of disk image files can provide significant performance benefits for the guest VMs. A ZFS volume can be created by: [source,shell] .... # zfs create -V16G -o volmode=dev zroot/linuxdisk0 .... When starting the VM, specify the ZFS volume as the disk drive: [source,shell] .... # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \ -s3:0,virtio-blk,/dev/zvol/zroot/linuxdisk0 \ -l com1,stdio -c 4 -m 1024M linuxguest .... If you are using ZFS for the host as well as inside a guest, keep in mind the competing memory pressure of both systems caching the virtual machine's contents. To alleviate this, consider setting the host's ZFS filesystems to use metadata-only cache. To do this, apply the following settings to ZFS filesystems on the host, replacing `` with the name of the specific zvol dataset name of the virtual machine. [source,shell] .... # zfs set primarycache=metadata .... [[virtualiziation-bhyve-snapshot]] === Creating a Virtual Machine Snapshot === Modern hypervisors allow their users to create "snapshots" of their state; such a snapshot includes a guest's disk, CPU, and memory contents. A snapshot can usually be taken independent of whether the guest is running or shut down. One can then reset and return the virtual machine to the precise state when the snapshot was taken. [[virtualization-bhyve-snapshot-zfs]] ==== ZFS Snapshots ==== Using ZFS volumes as the backing storage for a virtual machine enables the snapshotting of the guest's disk. For example: [source,shell] .... zfs snapshot zroot/path/to/zvol@snapshot_name .... Though it is possible to snapshot a ZFS volume this way while the guest is running, keep in mind that the contents of the virtual disk may be in an inconsistent state while the guest is active. It is therefore recommended to first shutdown or pause the guest before executing this command. Pausing a guest is not supported by default and needs to be enabled first (see crossref:virtualization[virtualization-bhyve-snapshot-builtin,Memory and CPU Snapshots]) [WARNING] ==== Rolling back a ZFS zvol to a snapshot while a virtual machine is using it may corrupt the file system contents and crash the guest. All unsaved data in the guest will be lost and modifications since the last snapshot may get destroyed. A second rollback may be required once the virtual machine is shut down to restore the file system to a useable state. This in turn will ultimately destroy any changes made after the snapshot. ==== [[virtualization-bhyve-snapshot-builtin]] ==== Memory and CPU Snapshots (Experimental Feature) ==== As of FreeBSD 13, bhyve has an experimental "snapshot" feature for dumping a guest's memory and CPU state to a file and then halting the virtual machine. The guest can be resumed from the snapshot file contents later. However, this feature is not enabled by default and requires the system to be rebuilt from source. See crossref:cutting-edge[updating-src-building, Building from Source] for an in-depth description on the process of compiling the kernel with custom options. [WARNING] ==== The functionality is not ready for production use and limited to work for specific virtual machine configurations. There are multiple limitations: * `nvme` and `virtio-blk` storage backends do not work yet * snapshots are only supported when the guest uses a single kind of each device, i.e. if there is more than one `ahci-hd` disk attached, snapshot creation will fail * additionally, the feature may be reasonably stable on Intel, but it probably won't work on AMD CPUs. ==== [NOTE] ==== Make sure the [.filename]#/usr/src# directory is up-to date before taking the following steps. See crossref:cutting-edge[updating-src-obtaining-src, Updating the Source] for the detailed procedure how to do this. ==== First, add the following to [.filename]#/etc/src.conf#: [.programlisting] .... WITH_BHYVE_SNAPHOT=yes BHYVE_SNAPSHOT=1 MK_BHYVE_SNAPSHOT=yes .... [NOTE] ==== If the system was partially or wholly rebuilt, it is recommended to run [source,shell] .... # cd /usr/src # make cleanworld .... before proceeding. ==== Then follow the steps outlined in the crossref:cutting-edge[updating-src-quick-start,"Quick Start section of the Updating FreeBSD from Source"] chapter to build and install world and kernel. To verify successful activation of the snapshot feature, enter [source,shell] .... # bhyvectl --usage .... and check if the output lists a `--suspend` flag. If the flag is missing, the feature did not activate correctly. Then, you can snapshot and suspend a running virtual machine of your choice: [source,shell] .... # bhyvectl --vm=vmname --suspend=/path/to/snapshot/filename .... [NOTE] ==== Provide an absolute path and filename to `--suspend`. Otherwise, bhyve will write snapshot data to whichever directory bhyve was started from. Make sure to write the snapshot data to a secure directory. The generated output contains a full memory dump of the guest and may thus contain sensitive data (i.e. passwords)! ==== This creates three files: * memory snapshot - named like the input to `--suspend` * kernel file - name like the input to `--suspend` with the suffix [.filename]#.kern# * metadata - contains meta data about the system state, named with the suffix [.filename]#.meta# To restore a guest from a snapshot, use the `-r` flag with `bhyve`: [source,shell] .... # bhyve -r /path/to/snapshot/filename .... Restoring a guest snapshot on a different CPU architecture will not work. Generally, attempting to restore on a system not identical to the snapshot creator will likely fail. [[virtualization-bhyve-jailed]] === Jailing bhyve === For improved security and separation of virtual machines from the host operating system, it is possible to run bhyve in a jail. See crossref:jails[,Jails] for an in-depth description of jails and their security benefits. [[virtualization-bhyve-jailed-creation]] ==== Creating a Jail for bhyve ==== First, create a jail environment. If using a UFS file system, simply run: [source,shell] .... # mkdir -p /jails/bhyve .... If using a crossref:zfs[,ZFS filesystem], use the following commands: [source,shell] .... # zfs create zroot/jails # zfs create zroot/jails/bhyve .... Then create a ZFS zvol for the virtual machine `bhyvevm0`: [source,shell] .... # zfs create zroot/vms # zfs create -V 20G zroot/vms/bhyvevm0 .... If not using ZFS, use the following commands to create a disk image file directly in the jail directory structure: [source,shell] .... # mkdir /jails/bhyve/vms # truncate -s 20G /jails/bhyve/vms/bhyvevm0 .... Download a FreeBSD image, preferably a version equal to or older than the host and extract it into the jail directory: [source,shell] .... # cd /jails # fetch -o base.txz http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/13.2-RELEASE/base.txz # tar -C /jails/bhyve -xvf base.txz .... [NOTE] ==== Running a higher FreeBSD version in a jail than the host is unsupported (i.e. running 14.0-RELEASE in a jail, embedded in a 13.2-RELEASE host). ==== Next, add a devfs ruleset to [.filename]#/etc/devfs.rules#: [.programlisting] .... [devfsrules_jail_bhyve=100] add include $devfsrules_hide_all add include $devfsrules_unhide_login add path 'urandom' unhide add path 'random' unhide add path 'crypto' unhide add path 'shm' unhide add path 'zero' unhide add path 'null' unhide add path 'mem' unhide add path 'vmm' unhide add path 'vmm/*' unhide add path 'vmm.io' unhide add path 'vmm.io/*' unhide add path 'nmdmbhyve*' unhide add path 'zvol' unhide add path 'zvol/zroot' unhide add path 'zvol/zroot/vms' unhide add path 'zvol/zroot/vms/bhyvevm0' unhide add path 'zvol/zroot/vms/bhyvevm1' unhide add path 'tap10*' unhide .... [NOTE] ==== If there's another devfs rule with the numeric ID 100 in your [.filename]#/etc/devfs.rules# file, replace the one in the listing with another yet unused ID number. ==== [NOTE] ==== If not using a ZFS filesystem, skip the related zvol rules in [.filename]#/etc/devfs.rules#: [.programlisting] .... add path 'zvol' unhide add path 'zvol/zroot' unhide add path 'zvol/zroot/vms' unhide add path 'zvol/zroot/vms/bhyvevm0' unhide add path 'zvol/zroot/vms/bhyvevm1' unhide .... ==== These rules will cause bhyve to * create a virtual machine with disk volumes called `bhyvevm0` and `bhyvevm1`, * use [.filename]#tap# network interfaces with the name prefix `tap10`. That means, valid interface names will be `tap10`, `tap100`, `tap101`, ... `tap109`, `tap1000` and so on. + Limiting the access to a subset of possible [.filename]#tap# interface names will prevent the jail (and thus bhyve) from seeing [.filename]#tap# interfaces of the host and other jails. * use [.filename]#nmdm# devices prefixed with "bhyve", i.e. [.filename]#/dev/nmdmbhyve0#. Those rules can be expanded and varied with different guest and interface names as desired. [NOTE] ==== If you intend to use bhyve on the host as well as in a one or more jails, remember that [.filename]#tap# and [.filename]#nmdm# interface names will operate in a shared environment. For example, you can use [.filename]#/dev/nmdmbhyve0# only either for bhyve on the host or in a jail. ==== Restart devfs for the changes to be loaded: [source,shell] .... # service devfs restart .... Then add a definition for your new jail into [.filename]#/etc/jail.conf# or [.filename]#/etc/jail.conf.d#. Replace the interface number [.filename]#$if# and IP address with your personal variations. .Using NAT or routed traffic with a firewall [example] ==== [.programlisting] .... bhyve { $if = 0; exec.prestart = "/sbin/ifconfig epair${if} create up"; exec.prestart += "/sbin/ifconfig epair${if}a up"; exec.prestart += "/sbin/ifconfig epair${if}a name ${name}0"; exec.prestart += "/sbin/ifconfig epair${if}b name jail${if}"; exec.prestart += "/sbin/ifconfig ${name}0 inet 192.168.168.1/27"; exec.prestart += "/sbin/sysctl net.inet.ip.forwarding=1"; exec.clean; host.hostname = "your-hostname-here"; vnet; vnet.interface = "em${if}"; path = "/jails/${name}"; persist; securelevel = 3; devfs_ruleset = 100; mount.devfs; allow.vmm; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; exec.poststop += "/sbin/ifconfig ${name}0 destroy"; } .... This example assumes use of a firewall like `pf` or `ipfw` to NAT your jail traffic. See the crossref:firewalls[,Firewalls] chapter for more details on the available options to implement this. ==== .Using a bridged network connection [example] ==== [.programlisting] .... bhyve { $if = 0; exec.prestart = "/sbin/ifconfig epair${if} create up"; exec.prestart += "/sbin/ifconfig epair${if}a up"; exec.prestart += "/sbin/ifconfig epair${if}a name ${name}0"; exec.prestart += "/sbin/ifconfig epair${if}b name jail${if}"; exec.prestart += "/sbin/ifconfig bridge0 addm ${name}0"; exec.prestart += "/sbin/sysctl net.inet.ip.forwarding=1"; exec.clean; host.hostname = "your-hostname-here"; vnet; vnet.interface = "em${if}"; path = "/jails/${name}"; persist; securelevel = 3; devfs_ruleset = 100; mount.devfs; allow.vmm; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; exec.poststop += "/sbin/ifconfig ${name}0 destroy"; } .... ==== [NOTE] ==== If you previously replaced the devfs ruleset ID 100 in [.filename]#/etc/devfs.rules# with your own unique number, remember to replace the numeric ID also in your [.filename]#jails.conf# too. ==== [[virtualization-bhyve-jailed-config]] ==== Configuring the Jail ==== To start the jail for the first time and do some additional configuration work, enter: [source,shell] .... # cp /etc/resolv.conf /jails/bhyve/etc # service jail onestart bhyve # jexec bhyve # sysrc ifconfig_jail0="inet 192.168.168.2/27" # sysrc defaultrouter="192.168.168.1" # sysrc sendmail_enable=NONE # sysrc cloned_interfaces="tap100" # exit .... Restart and enable the jail: [source,shell] .... # sysrc jail_enable=YES # service jail restart bhyve .... Afterwards, you can create a virtual machine within the jail. For a FreeBSD guest, download an installation ISO first: [source,shell] .... # jexec bhyve # cd /vms # fetch -o freebsd.iso https://download.freebsd.org/releases/ISO-IMAGES/14.0/FreeBSD-14.0-RELEASE-amd64-bootonly.iso .... [[virtualization-bhyve-jailed-createvm]] ==== Creating a Virtual Machine Inside the Jail ==== To create a virtual machine, use `bhyvectl` to initialize it first: [source,shell] .... # jexec bhyve # bhyvectl --create --vm=bhyvevm0 .... [NOTE] ==== Creating the guest with `bhyvectl` may be required when initiating the virtual machine from a jail. Skipping this step may cause the following error message when starting `bhyve`: `vm_open: vm-name could not be opened. No such file or directory` ==== Finally, use your preferred way of starting the guest. .Starting with `vmrun.sh` and ZFS [example] ==== Using `vmrun.sh` on a ZFS filesystems: [source,shell] .... # jexec bhyve # sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M \ -t tap100 -d /dev/zvols/zroot/vms/bhyvevm0 -i -I /vms/FreeBSD-14.0-RELEASE-amd64-bootonly.iso bhyvevm0 .... ==== .Starting with `vmrun.sh` and UFS [example] ==== Using `vmrun.sh` on a UFS filesystem: [source,shell] .... # jexec bhyve # sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M \ -t tap100 -d /vms/bhyvevm0 -i -I /vms/FreeBSD-14.0-RELEASE-amd64-bootonly.iso bhyvevm0 .... ==== .Starting bhyve for an UEFI guest with ZFS [example] ==== If instead you want to use an UEFI guest, remember to first install the required firmware package package:sysutils/bhyve-firmware[] in the jail: [source,shell] .... # pkg -j bhyve install bhyve-firmware .... Then use `bhyve` directly: [source,shell] .... # bhyve -A -c 4 -D -H -m 2G \ -s 0,hostbridge \ -s 1,lpc \ -s 2,virtio-net,tap100 \ -s 3,virtio-blk,/dev/zvol/zroot/vms/bhyvevm0 \ -s 4,ahci-cd,/vms/FreeBSD-14.0-RELEASE-amd64-bootonly.iso \ -s 31,fbuf,tcp=127.0.0.1:5900,w=1024,h=800,tablet \ -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ -l com1,/dev/nmdbbhyve0A \ bhyvevm0 .... This will allow you to connect to your virtual machine `bhyvevm0` through VNC as well as a serial console at [.filename]#/dev/nmdbbhyve0B#. ==== [[virtualization-bhyve-nmdm]] === Virtual Machine Consoles It is advantageous to wrap the bhyve console in a session management tool such as package:sysutils/tmux[] or package:sysutils/screen[] in order to detach and reattach to the console. It is also possible to have the console of bhyve be a null modem device that can be accessed with `cu`. To do this, load the [.filename]#nmdm# kernel module and replace `-l com1,stdio` with `-l com1,/dev/nmdm0A`. The [.filename]#/dev/nmdm# devices are created automatically as needed, where each is a pair, corresponding to the two ends of the null modem cable ([.filename]#/dev/nmdm0A# and [.filename]#/dev/nmdm0B#). See man:nmdm[4] for more information. [source,shell] .... # kldload nmdm # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,./linux.img \ -l com1,/dev/nmdm0A -c 4 -m 1024M linuxguest # cu -l /dev/nmdm0B Connected Ubuntu 13.10 handbook ttyS0 handbook login: .... To disconnect from a console, enter a newline (i.e. press `RETURN`) followed by tilde (`~`), and finally dot (`.`). Keep in mind that only the connection is dropped while the login session remains active. Another user connecting to the same console could therefore make use of any active sessions without having to first authenticate. For security reasons, it's therefore recommended to logout before disconnecting. The number in the [.filename]#nmdm# device path must be unique for each virtual machine and must not be used by any other processes before bhyve starts. The number can be chosen arbitrarily and does not need to be taken from a consecutive sequence of numbers. The device node pair (i.e. [.filename]#/dev/nmdm0a# and [.filename]#/dev/nmdm0b#) are created dynamically when bhyve connects its console and destroyed when it shuts down. Keep this in mind when creating scripts to start your virtual machines: you need to make sure that all virtual machines are assigned unique [.filename]#nmdm# devices. [[virtualization-bhyve-managing]] === Managing Virtual Machines A device node is created in [.filename]#/dev/vmm# for each virtual machine. This allows the administrator to easily see a list of the running virtual machines: [source,shell] .... # ls -al /dev/vmm total 1 dr-xr-xr-x 2 root wheel 512 Mar 17 12:19 ./ dr-xr-xr-x 14 root wheel 512 Mar 17 06:38 ../ crw------- 1 root wheel 0x1a2 Mar 17 12:20 guestname crw------- 1 root wheel 0x19f Mar 17 12:19 linuxguest crw------- 1 root wheel 0x1a1 Mar 17 12:19 otherguest .... A specified virtual machine can be destroyed using `bhyvectl`: [source,shell] .... # bhyvectl --destroy --vm=guestname .... Destroying a virtual machine this way means killing it immediately. Any unsaved data will be lost, open files and filesystems may get corrupted. To gracefully shut down a virtual machine, send a `TERM` signal to its bhyve process instead. This triggers an ACPI shutdown event for the guest: [source,shell] .... # ps ax | grep bhyve 17424 - SC 56:48.27 bhyve: guestvm (bhyve) # kill 17424 .... [[virtualization-tools-utilities]] === Tools and Utilities There are numerous utilities and applications available in ports to help simplify setting up and managing bhyve virtual machines: .bhyve Managers [options="header", cols="1,1,1,1"] |=== | Name | License | Package | Documentation | vm-bhyve | BSD-2 | package:sysutils/vm-bhyve[] | link:https://github.com/churchers/vm-bhyve[Documentation] | CBSD | BSD-2 | package:sysutils/cbsd[] | link:https://www.bsdstore.ru[Documentation] | Virt-Manager | LGPL-3 | package:deskutils/virt-manager[] | link:https://virt-manager.org/[Documentation] | Bhyve RC Script | Unknown | package:sysutils/bhyve-rc[] | link:https://www.freshports.org/sysutils/bhyve-rc/[Documentation] | bmd | Unknown | package:sysutils/bmd[] | link:https://github.com/yuichiro-naito/bmd[Documentation] | vmstated | BSD-2 | package:sysutils/vmstated[] | link:https://github.com/christian-moerz/vmstated[Documentation] |=== [[virtualization-bhyve-onboot]] === Persistent Configuration In order to configure the system to start bhyve guests at boot time, some configuration file changes are required. [.procedure] . [.filename]#/etc/sysctl.conf# + When using [.filename]#tap# interfaces as network backend, you either need to manually set each used [.filename]#tap# interface to UP or simply set the following sysctl: + [.programlisting] .... net.link.tap.up_on_open=1 .... . [.filename]#/etc/rc.conf# + To connect your virtual machine's [.filename]#tap# device to the network via a [.filename]#bridge#, you need to persist the device settings in [.filename]#/etc/rc.conf#. Additionally, you can load the necessary kernel modules `vmm` for bhyve and `nmdm` for [.filename]#nmdm# devices through the `kld_list` configuration variable. When configuring `ifconfig_bridge0`, make sure to replace `/` with the actual IP address of your physical interface ([.filename]#igb0# in this example) and remove IP settings from your physical device. + [source,shell] .... # sysrc cloned_interfaces+="bridge0 tap0" # sysrc ifconfig_bridge0="inet / addm igb0 addm tap0" # sysrc kld_list+="nmdm vmm" # sysrc ifconfig_igb0="up" .... [[virtualization-bhyve-onboot-bridgenet]] .Setting the IP for a bridge device [example] ==== For a host with an _igb0_ interface connected to the network with IP `10.10.10.1` and netmask `255.255.255.0`, you would use the following commands: [source,shell] .... # sysrc ifconfig_igb0="up" # sysrc ifconfig_bridge0="inet 10.10.10.1/24 addm igb0 addm tap0" # sysrc kld_list+="nmdm vmm" # sysrc cloned_interfaces+="bridge0 tap0" .... ==== [WARNING] ==== Modifying the IP address configuration of a system may lock you out if you are executing these commands while you are connected remotely (i.e. via SSH)! Take precautions to maintain system access or make those modifications while logged in on a local terminal session. ==== [[virtualization-host-xen]] == FreeBSD as a Xen(TM)-Host Xen is a GPLv2-licensed https://en.wikipedia.org/wiki/Hypervisor#Classification[type 1 hypervisor] for Intel(R) and ARM(R) architectures. FreeBSD has included i386(TM) and AMD(R) 64-Bit https://wiki.xenproject.org/wiki/DomU[DomU] and https://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud[Amazon EC2] unprivileged domain (virtual machine) support since FreeBSD 8.0 and includes Dom0 control domain (host) support in FreeBSD 11.0. Support for para-virtualized (PV) domains has been removed from FreeBSD 11 in favor of hardware virtualized (HVM) domains, which provides better performance. Xen(TM) is a bare-metal hypervisor, which means that it is the first program loaded after the BIOS. A special privileged guest called the Domain-0 (`Dom0` for short) is then started. The Dom0 uses its special privileges to directly access the underlying physical hardware, making it a high-performance solution. It is able to access the disk controllers and network adapters directly. The Xen(TM) management tools to manage and control the Xen(TM) hypervisor are also used by the Dom0 to create, list, and destroy VMs. Dom0 provides virtual disks and networking for unprivileged domains, often called `DomU`. Xen(TM) Dom0 can be compared to the service console of other hypervisor solutions, while the DomU is where individual guest VMs are run. Xen(TM) can migrate VMs between different Xen(TM) servers. When the two xen hosts share the same underlying storage, the migration can be done without having to shut the VM down first. Instead, the migration is performed live while the DomU is running and there is no need to restart it or plan a downtime. This is useful in maintenance scenarios or upgrade windows to ensure that the services provided by the DomU are still provided. Many more features of Xen(TM) are listed on the https://wiki.xenproject.org/wiki/Category:Overview[Xen Wiki Overview page]. Note that not all features are supported on FreeBSD yet. [[virtualization-host-xen-requirements]] === Hardware Requirements for Xen(TM) Dom0 To run the Xen(TM) hypervisor on a host, certain hardware functionality is required. -Hardware virtualized domains require Extended Page Table (http://en.wikipedia.org/wiki/Extended_Page_Table[EPT]) and Input/Output Memory Management Unit (http://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware[IOMMU]) support in the host processor. +Hardware virtualized domains require Extended Page Table (https://en.wikipedia.org/wiki/Extended_Page_Table[EPT]) and Input/Output Memory Management Unit (https://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware[IOMMU]) support in the host processor. [NOTE] ==== In order to run a FreeBSD Xen(TM) Dom0 the box must be booted using legacy boot (BIOS). ==== [[virtualization-host-xen-dom0-setup]] === Xen(TM) Dom0 Control Domain Setup Users should install the package:emulators/xen-kernel[] and package:sysutils/xen-tools[] packages, based on Xen(TM) 4.18. Configuration files must be edited to prepare the host for the Dom0 integration after the Xen packages are installed. An entry to [.filename]#/etc/sysctl.conf# disables the limit on how many pages of memory are allowed to be wired. Otherwise, DomU VMs with higher memory requirements will not run. [source,shell] .... # echo 'vm.max_wired=-1' >> /etc/sysctl.conf .... Another memory-related setting involves changing [.filename]#/etc/login.conf#, setting the `memorylocked` option to `unlimited`. Otherwise, creating DomU domains may fail with `Cannot allocate memory` errors. After making the change to [.filename]#/etc/login.conf#, run `cap_mkdb` to update the capability database. See crossref:security[security-resourcelimits,"Resource Limits"] for details. [source,shell] .... # sed -i '' -e 's/memorylocked=64K/memorylocked=unlimited/' /etc/login.conf # cap_mkdb /etc/login.conf .... Add an entry for the Xen(TM) console to [.filename]#/etc/ttys#: [source,shell] .... # echo 'xc0 "/usr/libexec/getty Pc" xterm onifconsole secure' >> /etc/ttys .... Selecting a Xen(TM) kernel in [.filename]#/boot/loader.conf# activates the Dom0. Xen(TM) also requires resources like CPU and memory from the host machine for itself and other DomU domains. How much CPU and memory depends on the individual requirements and hardware capabilities. In this example, 8 GB of memory and 4 virtual CPUs are made available for the Dom0. The serial console is also activated, and logging options are defined. The following command is used for Xen 4.7 packages: [source,shell] .... # echo 'hw.pci.mcfg=0' >> /boot/loader.conf # echo 'if_tap_load="YES"' >> /boot/loader.conf # echo 'xen_kernel="/boot/xen"' >> /boot/loader.conf # echo 'xen_cmdline="dom0_mem=8192M dom0_max_vcpus=4 dom0pvh=1 console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all"' >> /boot/loader.conf .... For Xen versions 4.11 and higher, the following command should be used instead: [source,shell] .... # echo 'if_tap_load="YES"' >> /boot/loader.conf # echo 'xen_kernel="/boot/xen"' >> /boot/loader.conf # echo 'xen_cmdline="dom0_mem=8192M dom0_max_vcpus=4 dom0=pvh console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all"' >> /boot/loader.conf .... [TIP] ==== Log files that Xen(TM) creates for the DomU VMs are stored in [.filename]#/var/log/xen#. Please be sure to check the contents of that directory if experiencing issues. ==== Activate the xencommons service during system startup: [source,shell] .... # sysrc xencommons_enable=yes .... These settings are enough to start a Dom0-enabled system. However, it lacks network functionality for the DomU machines. To fix that, define a bridged interface with the main NIC of the system which the DomU VMs can use to connect to the network. Replace _em0_ with the host network interface name. [source,shell] .... # sysrc cloned_interfaces="bridge0" # sysrc ifconfig_bridge0="addm em0 SYNCDHCP" # sysrc ifconfig_em0="up" .... Restart the host to load the Xen(TM) kernel and start the Dom0. [source,shell] .... # reboot .... After successfully booting the Xen(TM) kernel and logging into the system again, the Xen(TM) management tool `xl` is used to show information about the domains. [source,shell] .... # xl list Name ID Mem VCPUs State Time(s) Domain-0 0 8192 4 r----- 962.0 .... The output confirms that the Dom0 (called `Domain-0`) has the ID `0` and is running. It also has the memory and virtual CPUs that were defined in [.filename]#/boot/loader.conf# earlier. More information can be found in the https://www.xenproject.org/help/documentation.html[Xen(TM) Documentation]. DomU guest VMs can now be created. [[virtualization-host-xen-domu-setup]] === Xen(TM) DomU Guest VM Configuration Unprivileged domains consist of a configuration file and virtual or physical hard disks. Virtual disk storage for the DomU can be files created by man:truncate[1] or ZFS volumes as described in crossref:zfs[zfs-zfs-volume,“Creating and Destroying Volumes”]. In this example, a 20 GB volume is used. A VM is created with the ZFS volume, a FreeBSD ISO image, 1 GB of RAM and two virtual CPUs. The ISO installation file is retrieved with man:fetch[1] and saved locally in a file called [.filename]#freebsd.iso#. [source,shell] .... # fetch https://download.freebsd.org/releases/ISO-IMAGES/14.0/FreeBSD-14.0-RELEASE-amd64-bootonly.iso -o freebsd.iso .... A ZFS volume of 20 GB called [.filename]#xendisk0# is created to serve as the disk space for the VM. [source,shell] .... # zfs create -V20G -o volmode=dev zroot/xendisk0 .... The new DomU guest VM is defined in a file. Some specific definitions like name, keymap, and VNC connection details are also defined. The following [.filename]#freebsd.cfg# contains a minimum DomU configuration for this example: [source,shell] .... # cat freebsd.cfg builder = "hvm" <.> name = "freebsd" <.> memory = 1024 <.> vcpus = 2 <.> vif = [ 'mac=00:16:3E:74:34:32,bridge=bridge0' ] <.> disk = [ '/dev/zvol/tank/xendisk0,raw,hda,rw', <.> '/root/freebsd.iso,raw,hdc:cdrom,r' <.> ] vnc = 1 <.> vnclisten = "0.0.0.0" serial = "pty" usbdevice = "tablet" .... These lines are explained in more detail: <.> This defines what kind of virtualization to use. `hvm` refers to hardware-assisted virtualization or hardware virtual machine. Guest operating systems can run unmodified on CPUs with virtualization extensions, providing nearly the same performance as running on physical hardware. `generic` is the default value and creates a PV domain. <.> Name of this virtual machine to distinguish it from others running on the same Dom0. Required. <.> Quantity of RAM in megabytes to make available to the VM. This amount is subtracted from the hypervisor's total available memory, not the memory of the Dom0. <.> Number of virtual CPUs available to the guest VM. For best performance, do not create guests with more virtual CPUs than the number of physical CPUs on the host. <.> Virtual network adapter. This is the bridge connected to the network interface of the host. The `mac` parameter is the MAC address set on the virtual network interface. This parameter is optional, if no MAC is provided Xen(TM) will generate a random one. <.> Full path to the disk, file, or ZFS volume of the disk storage for this VM. Options and multiple disk definitions are separated by commas. <.> Defines the Boot medium from which the initial operating system is installed. In this example, it is the ISO image downloaded earlier. Consult the Xen(TM) documentation for other kinds of devices and options to set. <.> Options controlling VNC connectivity to the serial console of the DomU. In order, these are: active VNC support, define IP address on which to listen, device node for the serial console, and the input method for precise positioning of the mouse and other input methods. `keymap` defines which keymap to use, and is `english` by default. After the file has been created with all the necessary options, the DomU is created by passing it to `xl create` as a parameter. [source,shell] .... # xl create freebsd.cfg .... [NOTE] ==== Each time the Dom0 is restarted, the configuration file must be passed to `xl create` again to re-create the DomU. By default, only the Dom0 is created after a reboot, not the individual VMs. The VMs can continue where they left off as they stored the operating system on the virtual disk. The virtual machine configuration can change over time (for example, when adding more memory). The virtual machine configuration files must be properly backed up and kept available to be able to re-create the guest VM when needed. ==== The output of `xl list` confirms that the DomU has been created. [source,shell] .... # xl list Name ID Mem VCPUs State Time(s) Domain-0 0 8192 4 r----- 1653.4 freebsd 1 1024 1 -b---- 663.9 .... To begin the installation of the base operating system, start the VNC client, directing it to the main network address of the host or to the IP address defined on the `vnclisten` line of [.filename]#freebsd.cfg#. After the operating system has been installed, shut down the DomU and disconnect the VNC viewer. Edit [.filename]#freebsd.cfg#, removing the line with the `cdrom` definition or commenting it out by inserting a `+#+` character at the beginning of the line. To load this new configuration, it is necessary to remove the old DomU with `xl destroy`, passing either the name or the id as the parameter. Afterwards, recreate it using the modified [.filename]*freebsd.cfg*. [source,shell] .... # xl destroy freebsd # xl create freebsd.cfg .... The machine can then be accessed again using the VNC viewer. This time, it will boot from the virtual disk where the operating system has been installed and can be used as a virtual machine. [[virtualization-host-xen-troubleshooting]] === Troubleshooting This section contains basic information in order to help troubleshoot issues found when using FreeBSD as a Xen(TM) host or guest. [[virtualization-host-xen-troubleshooting-host]] ==== Host Boot Troubleshooting Please note that the following troubleshooting tips are intended for Xen(TM) 4.11 or newer. If you are still using Xen(TM) 4.7 and having issues, consider migrating to a newer version of Xen(TM). In order to troubleshoot host boot issues, you will likely need a serial cable, or a debug USB cable. Verbose Xen(TM) boot output can be obtained by adding options to the `xen_cmdline` option found in [.filename]#loader.conf#. A couple of relevant debug options are: * `iommu=debug`: can be used to print additional diagnostic information about the iommu. * `dom0=verbose`: can be used to print additional diagnostic information about the dom0 build process. * `sync_console`: flag to force synchronous console output. Useful for debugging to avoid losing messages due to rate limiting. Never use this option in production environments since it can allow malicious guests to perform DoS attacks against Xen(TM) using the console. FreeBSD should also be booted in verbose mode in order to identify any issues. To activate verbose booting, run this command: [source,shell] .... # echo 'boot_verbose="YES"' >> /boot/loader.conf .... If none of these options help solving the problem, please send the serial boot log to mailto:freebsd-xen@FreeBSD.org[freebsd-xen@FreeBSD.org] and mailto:xen-devel@lists.xenproject.org[xen-devel@lists.xenproject.org] for further analysis. [[virtualization-host-xen-troubleshooting-guest]] ==== Guest Creation Troubleshooting Issues can also arise when creating guests, the following attempts to provide some help for those trying to diagnose guest creation issues. The most common cause of guest creation failures is the `xl` command spitting some error and exiting with a return code different than 0. If the error provided is not enough to help identify the issue, more verbose output can also be obtained from `xl` by using the `v` option repeatedly. [source,shell] .... # xl -vvv create freebsd.cfg Parsing config from freebsd.cfg libxl: debug: libxl_create.c:1693:do_domain_create: Domain 0:ao 0x800d750a0: create: how=0x0 callback=0x0 poller=0x800d6f0f0 libxl: debug: libxl_device.c:397:libxl__device_disk_set_backend: Disk vdev=xvda spec.backend=unknown libxl: debug: libxl_device.c:432:libxl__device_disk_set_backend: Disk vdev=xvda, using backend phy libxl: debug: libxl_create.c:1018:initiate_domain_create: Domain 1:running bootloader libxl: debug: libxl_bootloader.c:328:libxl__bootloader_run: Domain 1:not a PV/PVH domain, skipping bootloader libxl: debug: libxl_event.c:689:libxl__ev_xswatch_deregister: watch w=0x800d96b98: deregister unregistered domainbuilder: detail: xc_dom_allocate: cmdline="", features="" domainbuilder: detail: xc_dom_kernel_file: filename="/usr/local/lib/xen/boot/hvmloader" domainbuilder: detail: xc_dom_malloc_filemap : 326 kB libxl: debug: libxl_dom.c:988:libxl__load_hvm_firmware_module: Loading BIOS: /usr/local/share/seabios/bios.bin ... .... If the verbose output does not help diagnose the issue, there are also QEMU and Xen(TM) toolstack logs in [.filename]#/var/log/xen#. Note that the name of the domain is appended to the log name, so if the domain is named `freebsd` you should find a [.filename]#/var/log/xen/xl-freebsd.log# and likely a [.filename]#/var/log/xen/qemu-dm-freebsd.log#. Both log files can contain useful information for debugging. If none of this helps solve the issue, please send the description of the issue you are facing and as much information as possible to mailto:freebsd-xen@FreeBSD.org[freebsd-xen@FreeBSD.org] and mailto:xen-devel@lists.xenproject.org[xen-devel@lists.xenproject.org] in order to get help. diff --git a/documentation/content/en/books/handbook/virtualization/_index.po b/documentation/content/en/books/handbook/virtualization/_index.po index 342585c9fc..43c4dcc26f 100644 --- a/documentation/content/en/books/handbook/virtualization/_index.po +++ b/documentation/content/en/books/handbook/virtualization/_index.po @@ -1,3499 +1,3499 @@ # SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2024-09-14 14:59-0300\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/books/handbook/virtualization/_index.adoc:1 #, no-wrap msgid "Virtualization software allows multiple operating systems to run simultaneously on the same computer" msgstr "" #. type: YAML Front Matter: part #: documentation/content/en/books/handbook/virtualization/_index.adoc:1 #, no-wrap msgid "Part III. System Administration" msgstr "" #. type: YAML Front Matter: title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1 #, no-wrap msgid "Chapter 24. Virtualization" msgstr "" #. type: Title = #: documentation/content/en/books/handbook/virtualization/_index.adoc:14 #, no-wrap msgid "Virtualization" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:52 #, no-wrap msgid "Synopsis" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:56 msgid "" "Virtualization software allows multiple operating systems to run " "simultaneously on the same computer. Such software systems for PCs often " "involve a host operating system which runs the virtualization software and " "supports any number of guest operating systems." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:58 msgid "After reading this chapter, you will know:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:60 msgid "" "The difference between a host operating system and a guest operating system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:61 msgid "How to install FreeBSD on the following virtualization platforms:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:62 msgid "Parallels Desktop(Apple(R) macOS(R))" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:63 msgid "VMware Fusion(Apple(R) macOS(R))" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:64 msgid "" "VirtualBox(TM)(Microsoft(R) Windows(R), Intel(R)-based Apple(R) macOS(R), " "Linux)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:65 msgid "bhyve(FreeBSD)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:66 msgid "How to tune a FreeBSD system for best performance under virtualization." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:68 msgid "Before reading this chapter, you should:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:70 msgid "Understand the crossref:basics[basics,basics of UNIX(R) and FreeBSD]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:71 msgid "Know how to crossref:bsdinstall[bsdinstall,install FreeBSD]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:72 msgid "" "Know how to crossref:advanced-networking[advanced-networking,set up a " "network connection]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:73 msgid "" "Know how to crossref:ports[ports,install additional third-party software]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:75 #, no-wrap msgid "FreeBSD as a Guest on Parallels Desktop for macOS(R)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:80 msgid "" "Parallels Desktop for Mac(R) is a commercial software product available for " "Apple(R) Mac(R) computers running macOS(R) 10.14.6 or higher. FreeBSD is a " "fully supported guest operating system. Once Parallels has been installed " "on macOS(R), the user must configure a virtual machine and then install the " "desired guest operating system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:82 #, no-wrap msgid "Installing FreeBSD on Parallels Desktop on Mac(R)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:85 msgid "" "The first step in installing FreeBSD on Parallels is to create a new virtual " "machine for installing FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:87 msgid "" "Choose menu:Install Windows or another OS from a DVD or image file[] and " "proceed." msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:88 #, no-wrap msgid "Parallels setup wizard showing Install Windows or another OS from a DVD or image file chosen" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:88 #, no-wrap msgid "parallels-freebsd1.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:91 msgid "Select the FreeBSD image file." msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:92 #, no-wrap msgid "Parallels setup wizard showing FreeBSD image file selected" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:92 #, no-wrap msgid "parallels-freebsd2.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:95 msgid "Choose menu:Other as operating system[]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:99 msgid "Choosing FreeBSD will cause boot error on startup." msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:101 #, no-wrap msgid "Parallels setup wizard showing Other selected as operating system" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:101 #, no-wrap msgid "parallels-freebsd3.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:104 msgid "" "Name the virtual machine and check menu:Customize settings before " "installation[]" msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:105 #, no-wrap msgid "Parallels setup wizard showing the checkbox checked for customizing settings before installation" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:105 #, no-wrap msgid "parallels-freebsd4.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:109 msgid "" "When the configuration window pops up, go to menu:Hardware[] tab, choose " "menu:Boot order[], and click menu:Advanced[]. Then, choose *EFI 64-bit* as " "menu:BIOS[]." msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:110 #, no-wrap msgid "Parallels setup wizard showing EFI 64-bit chosen as BIOS" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:110 #, no-wrap msgid "parallels-freebsd5.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:113 msgid "" "Click menu:OK[], close the configuration window, and click menu:Continue[]." msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:114 #, no-wrap msgid "Parallels setup wizard showing the summary of the new virtual machine" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:114 #, no-wrap msgid "parallels-freebsd6.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:118 msgid "" "The virtual machine will automatically boot. Install FreeBSD following the " "general steps." msgstr "" #. type: Positional ($1) AttributeList argument for macro 'image' #: documentation/content/en/books/handbook/virtualization/_index.adoc:119 #, no-wrap msgid "FreeBSD booted on Parallels" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:119 #, no-wrap msgid "parallels-freebsd7.png" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:122 #, no-wrap msgid "Configuring FreeBSD on Parallels" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:125 msgid "" "After FreeBSD has been successfully installed on macOS(R) X with Parallels, " "there are a number of configuration steps that can be taken to optimize the " "system for virtualized operation." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:128 #: documentation/content/en/books/handbook/virtualization/_index.adoc:241 msgid "Set Boot Loader Variables" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:131 msgid "" "The most important step is to reduce the `kern.hz` tunable to reduce the CPU " "utilization of FreeBSD under the Parallels environment. This is " "accomplished by adding the following line to [.filename]#/boot/loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:135 #: documentation/content/en/books/handbook/virtualization/_index.adoc:248 #, no-wrap msgid "kern.hz=100\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:139 msgid "" "Without this setting, an idle FreeBSD Parallels guest will use roughly 15% " "of the CPU of a single processor iMac(R). After this change the usage will " "be closer to 5%." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:141 msgid "" "If installing FreeBSD 14.0 or later, and CPU utilization is still high, add " "the following additional line to [.filename]#/boot/loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:145 #, no-wrap msgid "debug.acpi.disabled=\"ged\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:147 #: documentation/content/en/books/handbook/virtualization/_index.adoc:253 msgid "Create a New Kernel Configuration File" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:150 msgid "" "All SCSI, FireWire, and USB device drivers can be removed from a custom " "kernel configuration file. Parallels provides a virtual network adapter " "used by the man:ed[4] driver, so all network devices except for man:ed[4] " "and man:miibus[4] can be removed from the kernel." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:151 #: documentation/content/en/books/handbook/virtualization/_index.adoc:257 msgid "Configure Networking" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:155 msgid "" "The most basic networking setup uses DHCP to connect the virtual machine to " "the same local area network as the host Mac(R). This can be accomplished by " "adding `ifconfig_ed0=\"DHCP\"` to [.filename]#/etc/rc.conf#. More advanced " "networking setups are described in crossref:advanced-networking[advanced-" "networking,Advanced Networking]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:157 #, no-wrap msgid "FreeBSD as a Guest on VMware Fusion for macOS(R)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:162 msgid "" "VMware Fusion for Mac(R) is a commercial software product available for " "Apple(R) Mac(R) computers running macOS(R) 12 or higher. FreeBSD is a fully " "supported guest operating system. Once VMware Fusion has been installed on " "macOS(R), the user can configure a virtual machine and then install the " "desired guest operating system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:164 #, no-wrap msgid "Installing FreeBSD on VMware Fusion" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:168 msgid "" "The first step is to start VMware Fusion which will load the Virtual Machine " "Library. Click [.guimenuitem]#+->New# to create the virtual machine:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:169 #, no-wrap msgid "vmware-freebsd01.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:173 msgid "" "This will load the New Virtual Machine Assistant. Choose [." "guimenuitem]#Create a custom virtual machine# and click [." "guimenuitem]#Continue# to proceed:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:174 #, no-wrap msgid "vmware-freebsd02.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:177 msgid "" "Select [.guimenuitem]#Other# as the [.guimenuitem]#Operating System# and " "either [.guimenuitem]#FreeBSD X# or [.guimenuitem]#FreeBSD X 64-bit#, as the " "menu:Version[] when prompted:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:178 #, no-wrap msgid "vmware-freebsd03.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:181 msgid "Choose the firmware(UEFI is recommended):" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:182 #, no-wrap msgid "vmware-freebsd04.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:185 msgid "" "Choose [.guimenuitem]#Create a new virtual disk# and click [." "guimenuitem]#Continue#:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:186 #, no-wrap msgid "vmware-freebsd05.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:189 msgid "Check the configuration and click [.guimenuitem]#Finish#:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:190 #, no-wrap msgid "vmware-freebsd06.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:193 msgid "" "Choose the name of the virtual machine and the directory where it should be " "saved:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:194 #, no-wrap msgid "vmware-freebsd07.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:197 msgid "" "Press command+E to open virtual machine settings and click [.guimenuitem]#CD/" "DVD#:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:198 #, no-wrap msgid "vmware-freebsd08.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:201 msgid "Choose FreeBSD ISO image or from a CD/DVD:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:202 #: documentation/content/en/books/handbook/virtualization/_index.adoc:224 #, no-wrap msgid "vmware-freebsd09.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:205 msgid "Start the virtual machine:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:206 #, no-wrap msgid "vmware-freebsd10.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:209 msgid "Install FreeBSD as usual:" msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:210 #, no-wrap msgid "vmware-freebsd11.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:213 msgid "" "Once the install is complete, the settings of the virtual machine can be " "modified, such as memory usage and the number of CPUs the virtual machine " "will have access to:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:217 msgid "" "The System Hardware settings of the virtual machine cannot be modified while " "the virtual machine is running." msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:219 #, no-wrap msgid "vmware-freebsd12.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:223 msgid "" "The status of the CD-ROM device. Normally the CD/DVD/ISO is disconnected " "from the virtual machine when it is no longer needed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:229 msgid "" "The last thing to change is how the virtual machine will connect to the " "network. To allow connections to the virtual machine from other machines " "besides the host, choose [.guimenuitem]#Connect directly to the physical " "network (Bridged)#. Otherwise, [.guimenuitem]#Share the host's internet " "connection (NAT)# is preferred so that the virtual machine can have access " "to the Internet, but the network cannot access the virtual machine." msgstr "" #. type: Target for macro image #: documentation/content/en/books/handbook/virtualization/_index.adoc:230 #, no-wrap msgid "vmware-freebsd13.png" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:233 msgid "" "After modifying the settings, boot the newly installed FreeBSD virtual " "machine." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:235 #, no-wrap msgid "Configuring FreeBSD on VMware Fusion" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:238 msgid "" "After FreeBSD has been successfully installed on macOS(R) X with VMware " "Fusion, there are a number of configuration steps that can be taken to " "optimize the system for virtualized operation." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:244 msgid "" "The most important step is to reduce the `kern.hz` tunable to reduce the CPU " "utilization of FreeBSD under the VMware Fusion environment. This is " "accomplished by adding the following line to [.filename]#/boot/loader.conf#:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:252 msgid "" "Without this setting, an idle FreeBSD VMware Fusion guest will use roughly " "15% of the CPU of a single processor iMac(R). After this change, the usage " "will be closer to 5%." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:256 msgid "" "All FireWire, and USB device drivers can be removed from a custom kernel " "configuration file. VMware Fusion provides a virtual network adapter used " "by the man:em[4] driver, so all network devices except for man:em[4] can be " "removed from the kernel." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:261 msgid "" "The most basic networking setup uses DHCP to connect the virtual machine to " "the same local area network as the host Mac(R). This can be accomplished by " "adding `ifconfig_em0=\"DHCP\"` to [.filename]#/etc/rc.conf#. More advanced " "networking setups are described in crossref:advanced-networking[advanced-" "networking,Advanced Networking]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:263 msgid "Install drivers and open-vm-tools" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:265 msgid "To run FreeBSD smoothly on VMWare, drivers should be installed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:269 #, no-wrap msgid "# pkg install xf86-video-vmware xf86-input-vmmouse open-vm-tools\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:272 #, no-wrap msgid "FreeBSD as a Guest on VirtualBox(TM)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:276 msgid "" "FreeBSD works well as a guest in VirtualBox(TM). The virtualization " "software is available for most common operating systems, including FreeBSD " "itself." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:278 msgid "The VirtualBox(TM) guest additions provide support for:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:280 msgid "Clipboard sharing." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:281 msgid "Mouse pointer integration." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:282 msgid "Host time synchronization." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:283 msgid "Window scaling." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:284 msgid "Seamless mode." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:288 msgid "These commands are run in the FreeBSD guest." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:292 msgid "" "First, install the package:emulators/virtualbox-ose-additions[] package or " "port in the FreeBSD guest. This will install the port:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:296 #, no-wrap msgid "# cd /usr/ports/emulators/virtualbox-ose-additions && make install clean\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:299 msgid "Add these lines to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:304 #, no-wrap msgid "" "vboxguest_enable=\"YES\"\n" "vboxservice_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:307 msgid "" "If man:ntpd[8] or man:ntpdate[8] is used, disable host time synchronization:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:311 #, no-wrap msgid "vboxservice_flags=\"--disable-timesync\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:315 msgid "" "Xorg will automatically recognize the `vboxvideo` driver. It can also be " "manually entered in [.filename]#/etc/X11/xorg.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:324 #, no-wrap msgid "" "Section \"Device\"\n" "\tIdentifier \"Card0\"\n" "\tDriver \"vboxvideo\"\n" "\tVendorName \"InnoTek Systemberatung GmbH\"\n" "\tBoardName \"VirtualBox Graphics Adapter\"\n" "EndSection\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:327 msgid "" "To use the `vboxmouse` driver, adjust the mouse section in [.filename]#/etc/" "X11/xorg.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:334 #, no-wrap msgid "" "Section \"InputDevice\"\n" "\tIdentifier \"Mouse0\"\n" "\tDriver \"vboxmouse\"\n" "EndSection\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:339 msgid "" "Shared folders for file transfers between host and VM are accessible by " "mounting them using `mount_vboxvfs`. A shared folder can be created on the " "host using the VirtualBox GUI or via `vboxmanage`. For example, to create a " "shared folder called _myshare_ under [.filename]#/mnt/bsdboxshare# for the " "VM named _BSDBox_, run:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:343 #, no-wrap msgid "# vboxmanage sharedfolder add 'BSDBox' --name myshare --hostpath /mnt/bsdboxshare\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:347 msgid "" "Note that the shared folder name must not contain spaces. Mount the shared " "folder from within the guest system like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:351 #, no-wrap msgid "# mount_vboxvfs -w myshare /mnt\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:354 #, no-wrap msgid "FreeBSD as a Host with VirtualBox(TM)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:362 msgid "" "VirtualBox(TM) is an actively developed, complete virtualization package, " "that is available for most operating systems including Windows(R), macOS(R), " "Linux(R) and FreeBSD. It is equally capable of running Windows(R) or " "UNIX(R)-like guests. It is released as open source software, but with " "closed-source components available in a separate extension pack. These " "components include support for USB 2.0 devices. More information may be " "found on the http://www.virtualbox.org/wiki/Downloads[Downloads page of the " "VirtualBox(TM) wiki]. Currently, these extensions are not available for " "FreeBSD." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:364 #, no-wrap msgid "Installing VirtualBox(TM)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:368 msgid "" "VirtualBox(TM) is available as a FreeBSD package or port in package:" "emulators/virtualbox-ose[]. The port can be installed using these commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:373 #, no-wrap msgid "" "# cd /usr/ports/emulators/virtualbox-ose\n" "# make install clean\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:378 msgid "" "One useful option in the port's configuration menu is the `GuestAdditions` " "suite of programs. These provide a number of useful features in guest " "operating systems, like mouse pointer integration (allowing the mouse to be " "shared between host and guest without the need to press a special keyboard " "shortcut to switch) and faster video rendering, especially in Windows(R) " "guests. The guest additions are available in the menu:Devices[] menu, after " "the installation of the guest is finished." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:381 msgid "" "A few configuration changes are needed before VirtualBox(TM) is started for " "the first time. The port installs a kernel module in [.filename]#/boot/" "modules# which must be loaded into the running kernel:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:385 #, no-wrap msgid "# kldload vboxdrv\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:388 msgid "" "To ensure the module is always loaded after a reboot, add this line to [." "filename]#/boot/loader.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:392 #, no-wrap msgid "vboxdrv_load=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:395 msgid "" "To use the kernel modules that allow bridged or host-only networking, add " "this line to [.filename]#/etc/rc.conf# and reboot the computer:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:399 #, no-wrap msgid "vboxnet_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:404 msgid "" "The `vboxusers` group is created during installation of VirtualBox(TM). All " "users that need access to VirtualBox(TM) will have to be added as members of " "this group. `pw` can be used to add new members:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:408 #, no-wrap msgid "# pw groupmod vboxusers -m yourusername\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:411 msgid "" "The default permissions for [.filename]#/dev/vboxnetctl# are restrictive and " "need to be changed for bridged networking:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:416 #, no-wrap msgid "" "# chown root:vboxusers /dev/vboxnetctl\n" "# chmod 0660 /dev/vboxnetctl\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:419 msgid "" "To make this permissions change permanent, add these lines to [.filename]#/" "etc/devfs.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:424 #, no-wrap msgid "" "own vboxnetctl root:vboxusers\n" "perm vboxnetctl 0660\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:427 msgid "To launch VirtualBox(TM), type from an Xorg session:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:431 #, no-wrap msgid "% VirtualBox\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:435 msgid "" "For more information on configuring and using VirtualBox(TM), refer to the " "http://www.virtualbox.org[official website]. For FreeBSD-specific " "information and troubleshooting instructions, refer to the http://wiki." "FreeBSD.org/VirtualBox[relevant page in the FreeBSD wiki]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:437 #, no-wrap msgid "VirtualBox(TM) USB Support" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:441 msgid "" "VirtualBox(TM) can be configured to pass USB devices through to the guest " "operating system. The host controller of the OSE version is limited to " "emulating USB 1.1 devices until the extension pack supporting USB 2.0 and " "3.0 devices becomes available on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:443 msgid "" "For VirtualBox(TM) to be aware of USB devices attached to the machine, the " "user needs to be a member of the `operator` group." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:447 #, no-wrap msgid "# pw groupmod operator -m yourusername\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:450 msgid "" "Then, add the following to [.filename]#/etc/devfs.rules#, or create this " "file if it does not exist yet:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:455 #, no-wrap msgid "" "[system=10]\n" "add path 'usb/*' mode 0660 group operator\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:458 msgid "" "To load these new rules, add the following to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:462 #, no-wrap msgid "devfs_system_ruleset=\"system\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:465 msgid "Then, restart devfs:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:469 #: documentation/content/en/books/handbook/virtualization/_index.adoc:497 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1108 #, no-wrap msgid "# service devfs restart\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:472 msgid "" "Restart the login session and VirtualBox(TM) for these changes to take " "effect, and create USB filters as necessary." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:474 #, no-wrap msgid "VirtualBox(TM) Host DVD/CD Access" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:482 msgid "" "Access to the host DVD/CD drives from guests is achieved through the sharing " "of the physical drives. Within VirtualBox(TM), this is set up from the " "Storage window in the Settings of the virtual machine. If needed, create an " "empty IDECD/DVD device first. Then choose the Host Drive from the popup " "menu for the virtual CD/DVD drive selection. A checkbox labeled " "`Passthrough` will appear. This allows the virtual machine to use the " "hardware directly. For example, audio CDs or the burner will only function " "if this option is selected." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:486 msgid "" "In order for users to be able to use VirtualBox(TM)DVD/CD functions, they " "need access to [.filename]#/dev/xpt0#, [.filename]#/dev/cdN#, and [." "filename]#/dev/passN#. This is usually achieved by making the user a member " "of `operator`. Permissions to these devices have to be corrected by adding " "these lines to [.filename]#/etc/devfs.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:492 #, no-wrap msgid "" "perm cd* 0660\n" "perm xpt0 0660\n" "perm pass* 0660\n" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:500 #, no-wrap msgid "FreeBSD as a Host with bhyve" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:506 msgid "" "The bhyve BSD-licensed hypervisor became part of the base system with " "FreeBSD 10.0-RELEASE. This hypervisor supports several guests, including " "FreeBSD, OpenBSD, many Linux(R) distributions, and Microsoft Windows(R). By " "default, bhyve provides access to a serial console and does not emulate a " "graphical console. Virtualization offload features of newer CPUs are used " "to avoid the legacy methods of translating instructions and manually " "managing memory mappings." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:508 msgid "The bhyve design requires" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:510 msgid "an Intel(R) processor that supports Intel Extended Page Tables (EPT)," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:511 msgid "" "or an AMD(R) processor that supports AMD Rapid Virtualization Indexing " "(RVI), or Nested Page Tables (NPT)," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:512 msgid "or an ARM(R) aarch64 CPU." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:515 msgid "" "Only pure ARMv8.0 virtualization is supported on ARM, the Virtualization " "Host Extensions are not currently used. Hosting Linux(R) guests or FreeBSD " "guests with more than one vCPU requires VMX unrestricted mode support (UG)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:517 msgid "" "The easiest way to tell if an Intel or AMD processor supports bhyve is to " "run `dmesg` or look in [.filename]#/var/run/dmesg.boot# for the `POPCNT` " "processor feature flag on the `Features2` line for AMD(R) processors or " "`EPT` and `UG` on the `VT-x` line for Intel(R) processors." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:519 #, no-wrap msgid "Preparing the Host" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:523 msgid "" "The first step to creating a virtual machine in bhyve is configuring the " "host system. First, load the bhyve kernel module:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:527 #, no-wrap msgid "# kldload vmm\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:532 msgid "" "There are several ways to connect a virtual machine guest to a host's " "network; one straightforward way to accomplish this is to create a [." "filename]#tap# interface for the network device in the virtual machine to " "attach to. For the network device to participate in the network, also " "create a bridge interface containing the [.filename]#tap# interface and the " "physical interface as members. In this example, the physical interface is " "_igb0_:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:541 #, no-wrap msgid "" "# ifconfig tap0 create\n" "# sysctl net.link.tap.up_on_open=1\n" "net.link.tap.up_on_open: 0 -> 1\n" "# ifconfig bridge0 create\n" "# ifconfig bridge0 addm igb0 addm tap0\n" "# ifconfig bridge0 up\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:544 #, no-wrap msgid "Creating a FreeBSD Guest" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:548 msgid "" "Create a file to use as the virtual disk for the guest machine. Specify the " "size and name of the virtual disk:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:552 #, no-wrap msgid "# truncate -s 16G guest.img\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:555 msgid "Download an installation image of FreeBSD to install:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:560 #, no-wrap msgid "" "# fetch https://download.freebsd.org/releases/ISO-IMAGES/14.0/FreeBSD-14.0-RELEASE-amd64-bootonly.iso\n" "FreeBSD-14.0-RELEASE-amd64-bootonly.iso 426 MB 16 MBps 22s\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:565 msgid "" "FreeBSD comes with an example script `vmrun.sh` for running a virtual " "machine in bhyve. It will start the virtual machine and run it in a loop, " "so it will automatically restart if it crashes. `vmrun.sh` takes several " "options to control the configuration of the machine, including:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:567 msgid "`-c` controls the number of virtual CPUs," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:568 msgid "`-m` limits the amount of memory available to the guest," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:569 msgid "`-t` defines which [.filename]#tap# device to use," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:570 msgid "`-d` indicates which disk image to use," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:571 msgid "`-i` tells bhyve to boot from the CD image instead of the disk, and" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:572 msgid "`-I` defines which CD image to use." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:575 msgid "" "The last parameter is the name of the virtual machine and is used to track " "the running machines. The following command lists all available program " "argument options:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:579 #, no-wrap msgid "# sh /usr/share/examples/bhyve/vmrun.sh -h\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:582 msgid "This example starts the virtual machine in installation mode:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:587 #, no-wrap msgid "" "# sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M -t tap0 -d guest.img \\\n" " -i -I FreeBSD-14.0-RELEASE-amd64-bootonly.iso guestname\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:591 msgid "" "The virtual machine will boot and start the installer. After installing a " "system in the virtual machine, when the system asks about dropping into a " "shell at the end of the installation, choose btn:[Yes]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:596 msgid "" "Reboot the virtual machine. While rebooting the virtual machine causes " "bhyve to exit, the [.filename]#vmrun.sh# script runs `bhyve` in a loop and " "will automatically restart it. When this happens, choose the reboot option " "from the boot loader menu to escape the loop. Now the guest can be started " "from the virtual disk:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:600 #, no-wrap msgid "# sh /usr/share/examples/bhyve/vmrun.sh -c 4 -m 1024M -t tap0 -d guest.img guestname\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:603 #, no-wrap msgid "Creating a Linux(R) Guest" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:606 msgid "" "Linux guests can be booted either like any other regular crossref:" "virtualization[virtualization-bhyve-uefi,\"UEFI-based guest\"] virtual " "machine, or alternatively, you can make use of the package:sysutils/grub2-" "bhyve[] port." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:608 msgid "" "To do this, first ensure that the port is installed, then create a file to " "use as the virtual disk for the guest machine:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:612 #, no-wrap msgid "# truncate -s 16G linux.img\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:615 msgid "" "Starting a Linux virtual machine with `grub2-bhyve` is a two-step process." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:617 msgid "First a kernel must be loaded, then the guest can be started." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:618 msgid "The Linux(R) kernel is loaded with package:sysutils/grub2-bhyve[]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:620 msgid "" "Create a [.filename]#device.map# that grub will use to map the virtual " "devices to the files on the host system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:625 #, no-wrap msgid "" "(hd0) ./linux.img\n" "(cd0) ./somelinux.iso\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:628 msgid "" "Use package:sysutils/grub2-bhyve[] to load the Linux(R) kernel from the ISO " "image:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:632 #, no-wrap msgid "# grub-bhyve -m device.map -r cd0 -M 1024M linuxguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:637 msgid "" "This will start grub. If the installation CD contains a [.filename]#grub." "cfg#, a menu will be displayed. If not, the `vmlinuz` and `initrd` files " "must be located and loaded manually:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:648 #, no-wrap msgid "" "grub> ls\n" "(hd0) (cd0) (cd0,msdos1) (host)\n" "grub> ls (cd0)/isolinux\n" "boot.cat boot.msg grub.conf initrd.img isolinux.bin isolinux.cfg memtest\n" "splash.jpg TRANS.TBL vesamenu.c32 vmlinuz\n" "grub> linux (cd0)/isolinux/vmlinuz\n" "grub> initrd (cd0)/isolinux/initrd.img\n" "grub> boot\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:651 msgid "Now that the Linux(R) kernel is loaded, the guest can be started:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:657 #, no-wrap msgid "" "# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \\\n" " -s 3:0,virtio-blk,./linux.img -s 4:0,ahci-cd,./somelinux.iso \\\n" " -l com1,stdio -c 4 -m 1024M linuxguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:663 msgid "" "The system will boot and start the installer. After installing a system in " "the virtual machine, reboot the virtual machine. This will cause bhyve to " "exit. The instance of the virtual machine needs to be destroyed before it " "can be started again:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:667 #: documentation/content/en/books/handbook/virtualization/_index.adoc:703 #, no-wrap msgid "# bhyvectl --destroy --vm=linuxguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:671 msgid "" "Now the guest can be started directly from the virtual disk. Load the " "kernel:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:685 #, no-wrap msgid "" "# grub-bhyve -m device.map -r hd0,msdos1 -M 1024M linuxguest\n" "grub> ls\n" "(hd0) (hd0,msdos2) (hd0,msdos1) (cd0) (cd0,msdos1) (host)\n" "(lvm/VolGroup-lv_swap) (lvm/VolGroup-lv_root)\n" "grub> ls (hd0,msdos1)/\n" "lost+found/ grub/ efi/ System.map-2.6.32-431.el6.x86_64 config-2.6.32-431.el6.x\n" "86_64 symvers-2.6.32-431.el6.x86_64.gz vmlinuz-2.6.32-431.el6.x86_64\n" "initramfs-2.6.32-431.el6.x86_64.img\n" "grub> linux (hd0,msdos1)/vmlinuz-2.6.32-431.el6.x86_64 root=/dev/mapper/VolGroup-lv_root\n" "grub> initrd (hd0,msdos1)/initramfs-2.6.32-431.el6.x86_64.img\n" "grub> boot\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:688 msgid "Boot the virtual machine:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:693 #, no-wrap msgid "" "# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \\\n" " -s 3:0,virtio-blk,./linux.img -l com1,stdio -c 4 -m 1024M linuxguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:699 msgid "" "Linux(R) will now boot in the virtual machine and eventually present you " "with the login prompt. Login and use the virtual machine. When you are " "finished, reboot the virtual machine to exit bhyve. Destroy the virtual " "machine instance:" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:706 #, no-wrap msgid "Booting bhyve Virtual Machines with UEFI Firmware" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:710 msgid "" "In addition to `bhyveload` and `grub-bhyve`, the bhyve hypervisor can also " "boot virtual machines using the UEFI firmware. This option may support " "guest operating systems that are not supported by the other loaders." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:713 msgid "" "To make use of the UEFI support in bhyve, first obtain the UEFI firmware " "images. This can be done by installing package:sysutils/bhyve-firmware[] " "port or package." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:716 msgid "" "With the firmware in place, add the flags `-l bootrom,_/path/to/firmware_` " "to your bhyve command line. The actual bhyve command may look like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:724 #, no-wrap msgid "" "# bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \\\n" " \t-s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \\\n" "\t-s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \\\n" "\t-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \\\n" "\tguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:729 msgid "" "To allow a guest to store UEFI variables, you can use a variables file " "appended to the `-l` flag. Note that bhyve will write guest modifications " "to the given variables file. Therefore, be sure to first create a per-guest-" "copy of the variables template file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:733 #, no-wrap msgid "# cp /usr/local/share/uefi-firmware/BHYVE_UEFI_VARS.fd /path/to/vm-image/BHYVE_UEFI_VARS.fd\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:736 msgid "Then, add that variables file into your bhyve arguments:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:744 #, no-wrap msgid "" "# bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \\\n" " \t-s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \\\n" "\t-s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \\\n" "\t-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,/path/to/vm-image/BHYVE_UEFI_VARS.fd \\\n" "\tguest\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:750 msgid "" "Some Linux distributions require the use of UEFI variables to store the path " "for their UEFI boot file (using `linux64.efi` or `grubx64.efi` instead of " "`bootx64.efi`, for example). It is therefore recommended to use a variables " "file for Linux virtual machines to avoid having to manually alter the boot " "partition files." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:753 msgid "" "To view or modify the variables file contents, use man:efivar[8] from the " "host." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:755 msgid "" "package:sysutils/bhyve-firmware[] also contains a CSM-enabled firmware, to " "boot guests with no UEFI support in legacy BIOS mode:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:763 #, no-wrap msgid "" "# bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \\\n" " \t-s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \\\n" "\t-s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \\\n" "\t-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CSM.fd \\\n" "\tguest\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:766 #, no-wrap msgid "Graphical UEFI Framebuffer for bhyve Guests" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:769 msgid "" "The UEFI firmware support is particularly useful with predominantly " "graphical guest operating systems such as Microsoft Windows(R)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:774 msgid "" "Support for the UEFI-GOP framebuffer may also be enabled with the `-s 29," "fbuf,tcp=_0.0.0.0:5900_` flags. The framebuffer resolution may be " "configured with `w=_800_` and `h=_600_`, and bhyve can be instructed to wait " "for a VNC connection before booting the guest by adding `wait`. The " "framebuffer may be accessed from the host or over the network via the VNC " "protocol. Additionally, `-s 30,xhci,tablet` can be added to achieve precise " "mouse cursor synchronization with the host." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:776 msgid "The resulting bhyve command would look like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:786 #, no-wrap msgid "" "# bhyve -AHP -s 0:0,hostbridge -s 31:0,lpc \\\n" " \t-s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \\\n" "\t-s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \\\n" "\t-s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,wait \\\n" "\t-s 30,xhci,tablet \\\n" "\t-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \\\n" "\tguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:789 msgid "" "Note, in BIOS emulation mode, the framebuffer will cease receiving updates " "once control is passed from firmware to guest operating system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:791 #, no-wrap msgid "Creating a Microsoft Windows(R) Guest" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:795 msgid "" "Setting up a guest for Windows versions 10 or earlier can be done directly " "from the original installation media and is a relatively straightforward " "process. Aside from minimum resource requirements, running Windows as guest " "requires" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:797 msgid "wiring virtual machine memory (flag `-w`) and" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:798 msgid "booting with an UEFI bootrom." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:800 msgid "" "An example for booting a virtual machine guest with a Windows installation " "ISO:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:814 #, no-wrap msgid "" "bhyve \\\n" " -c 2 \\\n" " -s 0,hostbridge \\\n" " -s 3,nvme,windows2016.img \\\n" " -s 4,ahci-cd,install.iso \\\n" " -s 10,virtio-net,tap0 \\\n" " -s 31,lpc \\\n" " -s 30,xhci,tablet \\\n" " -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \\\n" " -m 8G -H -w \\\n" " windows2016\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:817 msgid "" "Only one or two VCPUs should be used during installation but this number can " "be increased once Windows is installed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:821 msgid "" "link:https://github.com/virtio-win/virtio-win-pkg-scripts/blob/master/README." "md[VirtIO drivers] must be installed to use the defined `virtio-net` network " "interface. An alternative is to switch to E1000 (Intel E82545) emulation by " "changing `virtio-net` to `e1000` in the above command line. However, " "performance will be impacted." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:823 #, no-wrap msgid "Creating a Windows 11 Guest" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:829 msgid "" "Beginning with Windows 11, Microsoft introduced a hardware requirement for a " "TPM 2 module. bhyve supports passing a hardware TPM through to a guest. " "The installation media can be modified to disable the relevant hardware " "checks. A detailed description for this process can be found on the link:" "https://wiki.freebsd.org/bhyve/Windows#iso-remaster[FreeBSD Wiki]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:834 msgid "" "Modifying Windows installation media and running Windows guests without a " "TPM module are unsupported by the manufacturer. Consider your application " "and use case before implementing such approaches." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:837 #, no-wrap msgid "Using ZFS with bhyve Guests" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:841 msgid "" "If ZFS is available on the host machine, using ZFS volumes instead of disk " "image files can provide significant performance benefits for the guest VMs. " "A ZFS volume can be created by:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:845 #, no-wrap msgid "# zfs create -V16G -o volmode=dev zroot/linuxdisk0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:848 msgid "When starting the VM, specify the ZFS volume as the disk drive:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:854 #, no-wrap msgid "" "# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \\\n" " \t-s3:0,virtio-blk,/dev/zvol/zroot/linuxdisk0 \\\n" "\t-l com1,stdio -c 4 -m 1024M linuxguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:859 msgid "" "If you are using ZFS for the host as well as inside a guest, keep in mind " "the competing memory pressure of both systems caching the virtual machine's " "contents. To alleviate this, consider setting the host's ZFS filesystems to " "use metadata-only cache. To do this, apply the following settings to ZFS " "filesystems on the host, replacing `` with the name of the specific " "zvol dataset name of the virtual machine." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:863 #, no-wrap msgid "# zfs set primarycache=metadata \n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:866 #, no-wrap msgid "Creating a Virtual Machine Snapshot" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:872 msgid "" "Modern hypervisors allow their users to create \"snapshots\" of their state; " "such a snapshot includes a guest's disk, CPU, and memory contents. A " "snapshot can usually be taken independent of whether the guest is running or " "shut down. One can then reset and return the virtual machine to the precise " "state when the snapshot was taken." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:874 #, no-wrap msgid "ZFS Snapshots" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:877 msgid "" "Using ZFS volumes as the backing storage for a virtual machine enables the " "snapshotting of the guest's disk. For example:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:881 #, no-wrap msgid "zfs snapshot zroot/path/to/zvol@snapshot_name\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:886 msgid "" "Though it is possible to snapshot a ZFS volume this way while the guest is " "running, keep in mind that the contents of the virtual disk may be in an " "inconsistent state while the guest is active. It is therefore recommended " "to first shutdown or pause the guest before executing this command. Pausing " "a guest is not supported by default and needs to be enabled first (see " "crossref:virtualization[virtualization-bhyve-snapshot-builtin,Memory and CPU " "Snapshots])" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:891 msgid "" "Rolling back a ZFS zvol to a snapshot while a virtual machine is using it " "may corrupt the file system contents and crash the guest. All unsaved data " "in the guest will be lost and modifications since the last snapshot may get " "destroyed." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:894 msgid "" "A second rollback may be required once the virtual machine is shut down to " "restore the file system to a useable state. This in turn will ultimately " "destroy any changes made after the snapshot." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:897 #, no-wrap msgid "Memory and CPU Snapshots (Experimental Feature)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:901 msgid "" "As of FreeBSD 13, bhyve has an experimental \"snapshot\" feature for dumping " "a guest's memory and CPU state to a file and then halting the virtual " "machine. The guest can be resumed from the snapshot file contents later." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:904 msgid "" "However, this feature is not enabled by default and requires the system to " "be rebuilt from source. See crossref:cutting-edge[updating-src-building, " "Building from Source] for an in-depth description on the process of " "compiling the kernel with custom options." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:909 msgid "" "The functionality is not ready for production use and limited to work for " "specific virtual machine configurations. There are multiple limitations:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:911 msgid "`nvme` and `virtio-blk` storage backends do not work yet" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:912 msgid "" "snapshots are only supported when the guest uses a single kind of each " "device, i.e. if there is more than one `ahci-hd` disk attached, snapshot " "creation will fail" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:913 msgid "" "additionally, the feature may be reasonably stable on Intel, but it probably " "won't work on AMD CPUs." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:918 msgid "" "Make sure the [.filename]#/usr/src# directory is up-to date before taking " "the following steps. See crossref:cutting-edge[updating-src-obtaining-src, " "Updating the Source] for the detailed procedure how to do this." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:921 msgid "First, add the following to [.filename]#/etc/src.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:927 #, no-wrap msgid "" "WITH_BHYVE_SNAPHOT=yes\n" "BHYVE_SNAPSHOT=1\n" "MK_BHYVE_SNAPSHOT=yes\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:932 msgid "If the system was partially or wholly rebuilt, it is recommended to run" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:937 #, no-wrap msgid "" "# cd /usr/src\n" "# make cleanworld\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:940 msgid "before proceeding." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:943 msgid "" "Then follow the steps outlined in the crossref:cutting-edge[updating-src-" "quick-start,\"Quick Start section of the Updating FreeBSD from Source\"] " "chapter to build and install world and kernel." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:945 msgid "To verify successful activation of the snapshot feature, enter" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:949 #, no-wrap msgid "# bhyvectl --usage\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:953 msgid "" "and check if the output lists a `--suspend` flag. If the flag is missing, " "the feature did not activate correctly." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:955 msgid "" "Then, you can snapshot and suspend a running virtual machine of your choice:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:959 #, no-wrap msgid "# bhyvectl --vm=vmname --suspend=/path/to/snapshot/filename\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:965 msgid "" "Provide an absolute path and filename to `--suspend`. Otherwise, bhyve will " "write snapshot data to whichever directory bhyve was started from." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:968 msgid "" "Make sure to write the snapshot data to a secure directory. The generated " "output contains a full memory dump of the guest and may thus contain " "sensitive data (i.e. passwords)!" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:971 msgid "This creates three files:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:973 msgid "memory snapshot - named like the input to `--suspend`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:974 msgid "" "kernel file - name like the input to `--suspend` with the suffix [." "filename]#.kern#" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:975 msgid "" "metadata - contains meta data about the system state, named with the suffix " "[.filename]#.meta#" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:977 msgid "To restore a guest from a snapshot, use the `-r` flag with `bhyve`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:981 #, no-wrap msgid "# bhyve -r /path/to/snapshot/filename\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:985 msgid "" "Restoring a guest snapshot on a different CPU architecture will not work. " "Generally, attempting to restore on a system not identical to the snapshot " "creator will likely fail." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:987 #, no-wrap msgid "Jailing bhyve" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:991 msgid "" "For improved security and separation of virtual machines from the host " "operating system, it is possible to run bhyve in a jail. See crossref:" "jails[,Jails] for an in-depth description of jails and their security " "benefits." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:993 #, no-wrap msgid "Creating a Jail for bhyve" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:996 msgid "" "First, create a jail environment. If using a UFS file system, simply run:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1000 #, no-wrap msgid "# mkdir -p /jails/bhyve\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1003 msgid "If using a crossref:zfs[,ZFS filesystem], use the following commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1008 #, no-wrap msgid "" "# zfs create zroot/jails\n" "# zfs create zroot/jails/bhyve\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1011 msgid "Then create a ZFS zvol for the virtual machine `bhyvevm0`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1016 #, no-wrap msgid "" "# zfs create zroot/vms\n" "# zfs create -V 20G zroot/vms/bhyvevm0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1019 msgid "" "If not using ZFS, use the following commands to create a disk image file " "directly in the jail directory structure:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1024 #, no-wrap msgid "" "# mkdir /jails/bhyve/vms\n" "# truncate -s 20G /jails/bhyve/vms/bhyvevm0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1027 msgid "" "Download a FreeBSD image, preferably a version equal to or older than the " "host and extract it into the jail directory:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1033 #, no-wrap msgid "" "# cd /jails\n" "# fetch -o base.txz http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/13.2-RELEASE/base.txz\n" "# tar -C /jails/bhyve -xvf base.txz\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1038 msgid "" "Running a higher FreeBSD version in a jail than the host is unsupported (i." "e. running 14.0-RELEASE in a jail, embedded in a 13.2-RELEASE host)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1041 msgid "Next, add a devfs ruleset to [.filename]#/etc/devfs.rules#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1065 #, no-wrap msgid "" "[devfsrules_jail_bhyve=100]\n" "add include $devfsrules_hide_all\n" "add include $devfsrules_unhide_login\n" "add path 'urandom' unhide\n" "add path 'random' unhide\n" "add path 'crypto' unhide\n" "add path 'shm' unhide\n" "add path 'zero' unhide\n" "add path 'null' unhide\n" "add path 'mem' unhide\n" "add path 'vmm' unhide\n" "add path 'vmm/*' unhide\n" "add path 'vmm.io' unhide\n" "add path 'vmm.io/*' unhide\n" "add path 'nmdmbhyve*' unhide\n" "add path 'zvol' unhide\n" "add path 'zvol/zroot' unhide\n" "add path 'zvol/zroot/vms' unhide\n" "add path 'zvol/zroot/vms/bhyvevm0' unhide\n" "add path 'zvol/zroot/vms/bhyvevm1' unhide\n" "add path 'tap10*' unhide\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1070 msgid "" "If there's another devfs rule with the numeric ID 100 in your [.filename]#/" "etc/devfs.rules# file, replace the one in the listing with another yet " "unused ID number." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1075 msgid "" "If not using a ZFS filesystem, skip the related zvol rules in [.filename]#/" "etc/devfs.rules#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1083 #, no-wrap msgid "" "add path 'zvol' unhide\n" "add path 'zvol/zroot' unhide\n" "add path 'zvol/zroot/vms' unhide\n" "add path 'zvol/zroot/vms/bhyvevm0' unhide\n" "add path 'zvol/zroot/vms/bhyvevm1' unhide\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1087 msgid "These rules will cause bhyve to" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1089 msgid "" "create a virtual machine with disk volumes called `bhyvevm0` and `bhyvevm1`," msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1091 msgid "" "use [.filename]#tap# network interfaces with the name prefix `tap10`. That " "means, valid interface names will be `tap10`, `tap100`, `tap101`, ... " "`tap109`, `tap1000` and so on." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1093 msgid "" "Limiting the access to a subset of possible [.filename]#tap# interface names " "will prevent the jail (and thus bhyve) from seeing [.filename]#tap# " "interfaces of the host and other jails." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1094 msgid "" "use [.filename]#nmdm# devices prefixed with \"bhyve\", i.e. [.filename]#/dev/" "nmdmbhyve0#." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1096 msgid "" "Those rules can be expanded and varied with different guest and interface " "names as desired." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1101 msgid "" "If you intend to use bhyve on the host as well as in a one or more jails, " "remember that [.filename]#tap# and [.filename]#nmdm# interface names will " "operate in a shared environment. For example, you can use [.filename]#/dev/" "nmdmbhyve0# only either for bhyve on the host or in a jail." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1104 msgid "Restart devfs for the changes to be loaded:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1112 msgid "" "Then add a definition for your new jail into [.filename]#/etc/jail.conf# or " "[.filename]#/etc/jail.conf.d#. Replace the interface number [." "filename]#$if# and IP address with your personal variations." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1113 #, no-wrap msgid "Using NAT or routed traffic with a firewall" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1126 #, no-wrap msgid "" "bhyve {\n" " $if = 0;\n" " exec.prestart = \"/sbin/ifconfig epair${if} create up\";\n" " exec.prestart += \"/sbin/ifconfig epair${if}a up\";\n" " exec.prestart += \"/sbin/ifconfig epair${if}a name ${name}0\";\n" " exec.prestart += \"/sbin/ifconfig epair${if}b name jail${if}\";\n" " exec.prestart += \"/sbin/ifconfig ${name}0 inet 192.168.168.1/27\";\n" " exec.prestart += \"/sbin/sysctl net.inet.ip.forwarding=1\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1128 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1165 #, no-wrap msgid " exec.clean;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1137 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1174 #, no-wrap msgid "" " host.hostname = \"your-hostname-here\";\n" " vnet;\n" " vnet.interface = \"em${if}\";\n" " path = \"/jails/${name}\";\n" " persist;\n" " securelevel = 3;\n" " devfs_ruleset = 100;\n" " mount.devfs;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1139 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1176 #, no-wrap msgid " allow.vmm;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1142 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1179 #, no-wrap msgid "" " exec.start += \"/bin/sh /etc/rc\";\n" " exec.stop = \"/bin/sh /etc/rc.shutdown\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1145 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1182 #, no-wrap msgid "" " exec.poststop += \"/sbin/ifconfig ${name}0 destroy\";\n" "}\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1149 msgid "" "This example assumes use of a firewall like `pf` or `ipfw` to NAT your jail " "traffic. See the crossref:firewalls[,Firewalls] chapter for more details on " "the available options to implement this." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1150 #, no-wrap msgid "Using a bridged network connection" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1163 #, no-wrap msgid "" "bhyve {\n" " $if = 0;\n" " exec.prestart = \"/sbin/ifconfig epair${if} create up\";\n" " exec.prestart += \"/sbin/ifconfig epair${if}a up\";\n" " exec.prestart += \"/sbin/ifconfig epair${if}a name ${name}0\";\n" " exec.prestart += \"/sbin/ifconfig epair${if}b name jail${if}\";\n" " exec.prestart += \"/sbin/ifconfig bridge0 addm ${name}0\";\n" " exec.prestart += \"/sbin/sysctl net.inet.ip.forwarding=1\";\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1188 msgid "" "If you previously replaced the devfs ruleset ID 100 in [.filename]#/etc/" "devfs.rules# with your own unique number, remember to replace the numeric ID " "also in your [.filename]#jails.conf# too." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:1191 #, no-wrap msgid "Configuring the Jail" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1194 msgid "" "To start the jail for the first time and do some additional configuration " "work, enter:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1205 #, no-wrap msgid "" "# cp /etc/resolv.conf /jails/bhyve/etc\n" "# service jail onestart bhyve\n" "# jexec bhyve\n" "# sysrc ifconfig_jail0=\"inet 192.168.168.2/27\"\n" "# sysrc defaultrouter=\"192.168.168.1\"\n" "# sysrc sendmail_enable=NONE\n" "# sysrc cloned_interfaces=\"tap100\"\n" "# exit\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1208 msgid "Restart and enable the jail:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1213 #, no-wrap msgid "" "# sysrc jail_enable=YES\n" "# service jail restart bhyve\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1217 msgid "" "Afterwards, you can create a virtual machine within the jail. For a FreeBSD " "guest, download an installation ISO first:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1223 #, no-wrap msgid "" "# jexec bhyve\n" "# cd /vms\n" "# fetch -o freebsd.iso https://download.freebsd.org/releases/ISO-IMAGES/14.0/FreeBSD-14.0-RELEASE-amd64-bootonly.iso\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:1226 #, no-wrap msgid "Creating a Virtual Machine Inside the Jail" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1229 msgid "To create a virtual machine, use `bhyvectl` to initialize it first:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1234 #, no-wrap msgid "" "# jexec bhyve\n" "# bhyvectl --create --vm=bhyvevm0\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1240 msgid "" "Creating the guest with `bhyvectl` may be required when initiating the " "virtual machine from a jail. Skipping this step may cause the following " "error message when starting `bhyve`:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1242 msgid "`vm_open: vm-name could not be opened. No such file or directory`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1245 msgid "Finally, use your preferred way of starting the guest." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1246 #, no-wrap msgid "Starting with `vmrun.sh` and ZFS" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1250 msgid "Using `vmrun.sh` on a ZFS filesystems:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1256 #, no-wrap msgid "" "# jexec bhyve\n" "# sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M \\\n" " -t tap100 -d /dev/zvols/zroot/vms/bhyvevm0 -i -I /vms/FreeBSD-14.0-RELEASE-amd64-bootonly.iso bhyvevm0\n" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1259 #, no-wrap msgid "Starting with `vmrun.sh` and UFS" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1263 msgid "Using `vmrun.sh` on a UFS filesystem:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1269 #, no-wrap msgid "" "# jexec bhyve\n" "# sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M \\\n" " -t tap100 -d /vms/bhyvevm0 -i -I /vms/FreeBSD-14.0-RELEASE-amd64-bootonly.iso bhyvevm0\n" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1272 #, no-wrap msgid "Starting bhyve for an UEFI guest with ZFS" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1276 msgid "" "If instead you want to use an UEFI guest, remember to first install the " "required firmware package package:sysutils/bhyve-firmware[] in the jail:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1280 #, no-wrap msgid "# pkg -j bhyve install bhyve-firmware\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1283 msgid "Then use `bhyve` directly:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1296 #, no-wrap msgid "" "# bhyve -A -c 4 -D -H -m 2G \\\n" " -s 0,hostbridge \\\n" " -s 1,lpc \\\n" " -s 2,virtio-net,tap100 \\\n" " -s 3,virtio-blk,/dev/zvol/zroot/vms/bhyvevm0 \\\n" "\t-s 4,ahci-cd,/vms/FreeBSD-14.0-RELEASE-amd64-bootonly.iso \\\n" " -s 31,fbuf,tcp=127.0.0.1:5900,w=1024,h=800,tablet \\\n" " -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \\\n" " -l com1,/dev/nmdbbhyve0A \\\n" " bhyvevm0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1299 msgid "" "This will allow you to connect to your virtual machine `bhyvevm0` through " "VNC as well as a serial console at [.filename]#/dev/nmdbbhyve0B#." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1302 #, no-wrap msgid "Virtual Machine Consoles" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1309 msgid "" "It is advantageous to wrap the bhyve console in a session management tool " "such as package:sysutils/tmux[] or package:sysutils/screen[] in order to " "detach and reattach to the console. It is also possible to have the console " "of bhyve be a null modem device that can be accessed with `cu`. To do this, " "load the [.filename]#nmdm# kernel module and replace `-l com1,stdio` with `-" "l com1,/dev/nmdm0A`. The [.filename]#/dev/nmdm# devices are created " "automatically as needed, where each is a pair, corresponding to the two ends " "of the null modem cable ([.filename]#/dev/nmdm0A# and [.filename]#/dev/" "nmdm0B#). See man:nmdm[4] for more information." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1317 #, no-wrap msgid "" "# kldload nmdm\n" "# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,./linux.img \\\n" " -l com1,/dev/nmdm0A -c 4 -m 1024M linuxguest\n" "# cu -l /dev/nmdm0B\n" "Connected\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1319 #, no-wrap msgid "Ubuntu 13.10 handbook ttyS0\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1321 #, no-wrap msgid "handbook login:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1327 msgid "" "To disconnect from a console, enter a newline (i.e. press `RETURN`) followed " "by tilde (`~`), and finally dot (`.`). Keep in mind that only the " "connection is dropped while the login session remains active. Another user " "connecting to the same console could therefore make use of any active " "sessions without having to first authenticate. For security reasons, it's " "therefore recommended to logout before disconnecting." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1332 msgid "" "The number in the [.filename]#nmdm# device path must be unique for each " "virtual machine and must not be used by any other processes before bhyve " "starts. The number can be chosen arbitrarily and does not need to be taken " "from a consecutive sequence of numbers. The device node pair (i.e. [." "filename]#/dev/nmdm0a# and [.filename]#/dev/nmdm0b#) are created dynamically " "when bhyve connects its console and destroyed when it shuts down. Keep this " "in mind when creating scripts to start your virtual machines: you need to " "make sure that all virtual machines are assigned unique [.filename]#nmdm# " "devices." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1334 #, no-wrap msgid "Managing Virtual Machines" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1338 msgid "" "A device node is created in [.filename]#/dev/vmm# for each virtual machine. " "This allows the administrator to easily see a list of the running virtual " "machines:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1348 #, no-wrap msgid "" "# ls -al /dev/vmm\n" "total 1\n" "dr-xr-xr-x 2 root wheel 512 Mar 17 12:19 ./\n" "dr-xr-xr-x 14 root wheel 512 Mar 17 06:38 ../\n" "crw------- 1 root wheel 0x1a2 Mar 17 12:20 guestname\n" "crw------- 1 root wheel 0x19f Mar 17 12:19 linuxguest\n" "crw------- 1 root wheel 0x1a1 Mar 17 12:19 otherguest\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1351 msgid "A specified virtual machine can be destroyed using `bhyvectl`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1355 #, no-wrap msgid "# bhyvectl --destroy --vm=guestname\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1359 msgid "" "Destroying a virtual machine this way means killing it immediately. Any " "unsaved data will be lost, open files and filesystems may get corrupted. To " "gracefully shut down a virtual machine, send a `TERM` signal to its bhyve " "process instead. This triggers an ACPI shutdown event for the guest:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1365 #, no-wrap msgid "" "# ps ax | grep bhyve\n" "17424 - SC 56:48.27 bhyve: guestvm (bhyve)\n" "# kill 17424\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1368 #, no-wrap msgid "Tools and Utilities" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1371 msgid "" "There are numerous utilities and applications available in ports to help " "simplify setting up and managing bhyve virtual machines:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1372 #, no-wrap msgid "bhyve Managers" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1375 #, no-wrap msgid "Name" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1375 #, no-wrap msgid "License" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1375 #, no-wrap msgid "Package" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1377 #, no-wrap msgid "Documentation" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1378 #, no-wrap msgid "vm-bhyve" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1379 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1384 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1404 #, no-wrap msgid "BSD-2" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1380 #, no-wrap msgid "package:sysutils/vm-bhyve[]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1382 #, no-wrap msgid "link:https://github.com/churchers/vm-bhyve[Documentation]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1383 #, no-wrap msgid "CBSD" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1385 #, no-wrap msgid "package:sysutils/cbsd[]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1387 #, no-wrap msgid "link:https://www.bsdstore.ru[Documentation]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1388 #, no-wrap msgid "Virt-Manager" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1389 #, no-wrap msgid "LGPL-3" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1390 #, no-wrap msgid "package:deskutils/virt-manager[]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1392 #, no-wrap msgid "link:https://virt-manager.org/[Documentation]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1393 #, no-wrap msgid "Bhyve RC Script" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1394 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1399 #, no-wrap msgid "Unknown" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1395 #, no-wrap msgid "package:sysutils/bhyve-rc[]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1397 #, no-wrap msgid "link:https://www.freshports.org/sysutils/bhyve-rc/[Documentation]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1398 #, no-wrap msgid "bmd" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1400 #, no-wrap msgid "package:sysutils/bmd[]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1402 #, no-wrap msgid "link:https://github.com/yuichiro-naito/bmd[Documentation]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1403 #, no-wrap msgid "vmstated" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1405 #, no-wrap msgid "package:sysutils/vmstated[]" msgstr "" #. type: Table #: documentation/content/en/books/handbook/virtualization/_index.adoc:1407 #, no-wrap msgid "link:https://github.com/christian-moerz/vmstated[Documentation]" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1410 #, no-wrap msgid "Persistent Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1413 msgid "" "In order to configure the system to start bhyve guests at boot time, some " "configuration file changes are required." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1416 msgid "[.filename]#/etc/sysctl.conf#" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1418 msgid "" "When using [.filename]#tap# interfaces as network backend, you either need " "to manually set each used [.filename]#tap# interface to UP or simply set the " "following sysctl:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1422 #, no-wrap msgid "net.link.tap.up_on_open=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1425 msgid "[.filename]#/etc/rc.conf#" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1429 msgid "" "To connect your virtual machine's [.filename]#tap# device to the network via " "a [.filename]#bridge#, you need to persist the device settings in [." "filename]#/etc/rc.conf#. Additionally, you can load the necessary kernel " "modules `vmm` for bhyve and `nmdm` for [.filename]#nmdm# devices through the " "`kld_list` configuration variable. When configuring `ifconfig_bridge0`, " "make sure to replace `/` with the actual IP address of your " "physical interface ([.filename]#igb0# in this example) and remove IP " "settings from your physical device." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1436 #, no-wrap msgid "" "# sysrc cloned_interfaces+=\"bridge0 tap0\"\n" "# sysrc ifconfig_bridge0=\"inet / addm igb0 addm tap0\"\n" "# sysrc kld_list+=\"nmdm vmm\"\n" "# sysrc ifconfig_igb0=\"up\"\n" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/virtualization/_index.adoc:1439 #, no-wrap msgid "Setting the IP for a bridge device" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1443 msgid "" "For a host with an _igb0_ interface connected to the network with IP " "`10.10.10.1` and netmask `255.255.255.0`, you would use the following " "commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1450 #, no-wrap msgid "" "# sysrc ifconfig_igb0=\"up\"\n" "# sysrc ifconfig_bridge0=\"inet 10.10.10.1/24 addm igb0 addm tap0\"\n" "# sysrc kld_list+=\"nmdm vmm\"\n" "# sysrc cloned_interfaces+=\"bridge0 tap0\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1457 msgid "" "Modifying the IP address configuration of a system may lock you out if you " "are executing these commands while you are connected remotely (i.e. via " "SSH)! Take precautions to maintain system access or make those modifications " "while logged in on a local terminal session." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/virtualization/_index.adoc:1460 #, no-wrap msgid "FreeBSD as a Xen(TM)-Host" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1465 msgid "" "Xen is a GPLv2-licensed https://en.wikipedia.org/wiki/" "Hypervisor#Classification[type 1 hypervisor] for Intel(R) and ARM(R) " "architectures. FreeBSD has included i386(TM) and AMD(R) 64-Bit https://wiki." "xenproject.org/wiki/DomU[DomU] and https://en.wikipedia.org/wiki/" "Amazon_Elastic_Compute_Cloud[Amazon EC2] unprivileged domain (virtual " "machine) support since FreeBSD 8.0 and includes Dom0 control domain (host) " "support in FreeBSD 11.0. Support for para-virtualized (PV) domains has been " "removed from FreeBSD 11 in favor of hardware virtualized (HVM) domains, " "which provides better performance." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1473 msgid "" "Xen(TM) is a bare-metal hypervisor, which means that it is the first program " "loaded after the BIOS. A special privileged guest called the Domain-0 " "(`Dom0` for short) is then started. The Dom0 uses its special privileges to " "directly access the underlying physical hardware, making it a high-" "performance solution. It is able to access the disk controllers and network " "adapters directly. The Xen(TM) management tools to manage and control the " "Xen(TM) hypervisor are also used by the Dom0 to create, list, and destroy " "VMs. Dom0 provides virtual disks and networking for unprivileged domains, " "often called `DomU`. Xen(TM) Dom0 can be compared to the service console of " "other hypervisor solutions, while the DomU is where individual guest VMs are " "run." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1480 msgid "" "Xen(TM) can migrate VMs between different Xen(TM) servers. When the two xen " "hosts share the same underlying storage, the migration can be done without " "having to shut the VM down first. Instead, the migration is performed live " "while the DomU is running and there is no need to restart it or plan a " "downtime. This is useful in maintenance scenarios or upgrade windows to " "ensure that the services provided by the DomU are still provided. Many more " "features of Xen(TM) are listed on the https://wiki.xenproject.org/wiki/" "Category:Overview[Xen Wiki Overview page]. Note that not all features are " "supported on FreeBSD yet." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1482 #, no-wrap msgid "Hardware Requirements for Xen(TM) Dom0" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1486 msgid "" "To run the Xen(TM) hypervisor on a host, certain hardware functionality is " "required. Hardware virtualized domains require Extended Page Table (http://" "en.wikipedia.org/wiki/Extended_Page_Table[EPT]) and Input/Output Memory " -"Management Unit (http://en.wikipedia.org/wiki/List_of_IOMMU-" +"Management Unit (https://en.wikipedia.org/wiki/List_of_IOMMU-" "supporting_hardware[IOMMU]) support in the host processor." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1490 msgid "" "In order to run a FreeBSD Xen(TM) Dom0 the box must be booted using legacy " "boot (BIOS)." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1493 #, no-wrap msgid "Xen(TM) Dom0 Control Domain Setup" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1496 msgid "" "Users should install the package:emulators/xen-kernel[] and package:sysutils/" "xen-tools[] packages, based on Xen(TM) 4.18." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1500 msgid "" "Configuration files must be edited to prepare the host for the Dom0 " "integration after the Xen packages are installed. An entry to [.filename]#/" "etc/sysctl.conf# disables the limit on how many pages of memory are allowed " "to be wired. Otherwise, DomU VMs with higher memory requirements will not " "run." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1504 #, no-wrap msgid "# echo 'vm.max_wired=-1' >> /etc/sysctl.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1510 msgid "" "Another memory-related setting involves changing [.filename]#/etc/login." "conf#, setting the `memorylocked` option to `unlimited`. Otherwise, " "creating DomU domains may fail with `Cannot allocate memory` errors. After " "making the change to [.filename]#/etc/login.conf#, run `cap_mkdb` to update " "the capability database. See crossref:security[security-resourcelimits," "\"Resource Limits\"] for details." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1515 #, no-wrap msgid "" "# sed -i '' -e 's/memorylocked=64K/memorylocked=unlimited/' /etc/login.conf\n" "# cap_mkdb /etc/login.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1518 msgid "Add an entry for the Xen(TM) console to [.filename]#/etc/ttys#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1522 #, no-wrap msgid "# echo 'xc0 \"/usr/libexec/getty Pc\" xterm onifconsole secure' >> /etc/ttys\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1529 msgid "" "Selecting a Xen(TM) kernel in [.filename]#/boot/loader.conf# activates the " "Dom0. Xen(TM) also requires resources like CPU and memory from the host " "machine for itself and other DomU domains. How much CPU and memory depends " "on the individual requirements and hardware capabilities. In this example, " "8 GB of memory and 4 virtual CPUs are made available for the Dom0. The " "serial console is also activated, and logging options are defined." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1531 msgid "The following command is used for Xen 4.7 packages:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1538 #, no-wrap msgid "" "# echo 'hw.pci.mcfg=0' >> /boot/loader.conf\n" "# echo 'if_tap_load=\"YES\"' >> /boot/loader.conf\n" "# echo 'xen_kernel=\"/boot/xen\"' >> /boot/loader.conf\n" "# echo 'xen_cmdline=\"dom0_mem=8192M dom0_max_vcpus=4 dom0pvh=1 console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all\"' >> /boot/loader.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1541 msgid "" "For Xen versions 4.11 and higher, the following command should be used " "instead:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1547 #, no-wrap msgid "" "# echo 'if_tap_load=\"YES\"' >> /boot/loader.conf\n" "# echo 'xen_kernel=\"/boot/xen\"' >> /boot/loader.conf\n" "# echo 'xen_cmdline=\"dom0_mem=8192M dom0_max_vcpus=4 dom0=pvh console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all\"' >> /boot/loader.conf\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1554 msgid "" "Log files that Xen(TM) creates for the DomU VMs are stored in [.filename]#/" "var/log/xen#. Please be sure to check the contents of that directory if " "experiencing issues." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1557 msgid "Activate the xencommons service during system startup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1561 #, no-wrap msgid "# sysrc xencommons_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1567 msgid "" "These settings are enough to start a Dom0-enabled system. However, it lacks " "network functionality for the DomU machines. To fix that, define a bridged " "interface with the main NIC of the system which the DomU VMs can use to " "connect to the network. Replace _em0_ with the host network interface name." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1573 #, no-wrap msgid "" "# sysrc cloned_interfaces=\"bridge0\"\n" "# sysrc ifconfig_bridge0=\"addm em0 SYNCDHCP\"\n" "# sysrc ifconfig_em0=\"up\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1576 msgid "Restart the host to load the Xen(TM) kernel and start the Dom0." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1580 #, no-wrap msgid "# reboot\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1583 msgid "" "After successfully booting the Xen(TM) kernel and logging into the system " "again, the Xen(TM) management tool `xl` is used to show information about " "the domains." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1589 #, no-wrap msgid "" "# xl list\n" "Name ID Mem VCPUs State Time(s)\n" "Domain-0 0 8192 4 r----- 962.0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1595 msgid "" "The output confirms that the Dom0 (called `Domain-0`) has the ID `0` and is " "running. It also has the memory and virtual CPUs that were defined in [." "filename]#/boot/loader.conf# earlier. More information can be found in the " "https://www.xenproject.org/help/documentation.html[Xen(TM) Documentation]. " "DomU guest VMs can now be created." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1597 #, no-wrap msgid "Xen(TM) DomU Guest VM Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1604 msgid "" "Unprivileged domains consist of a configuration file and virtual or physical " "hard disks. Virtual disk storage for the DomU can be files created by man:" "truncate[1] or ZFS volumes as described in crossref:zfs[zfs-zfs-" "volume,“Creating and Destroying Volumes”]. In this example, a 20 GB volume " "is used. A VM is created with the ZFS volume, a FreeBSD ISO image, 1 GB of " "RAM and two virtual CPUs. The ISO installation file is retrieved with man:" "fetch[1] and saved locally in a file called [.filename]#freebsd.iso#." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1608 #, no-wrap msgid "# fetch https://download.freebsd.org/releases/ISO-IMAGES/14.0/FreeBSD-14.0-RELEASE-amd64-bootonly.iso -o freebsd.iso\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1611 msgid "" "A ZFS volume of 20 GB called [.filename]#xendisk0# is created to serve as " "the disk space for the VM." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1615 #, no-wrap msgid "# zfs create -V20G -o volmode=dev zroot/xendisk0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1620 msgid "" "The new DomU guest VM is defined in a file. Some specific definitions like " "name, keymap, and VNC connection details are also defined. The following [." "filename]#freebsd.cfg# contains a minimum DomU configuration for this " "example:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1637 #, no-wrap msgid "" "# cat freebsd.cfg\n" "builder = \"hvm\" <.>\n" "name = \"freebsd\" <.>\n" "memory = 1024 <.>\n" "vcpus = 2 <.>\n" "vif = [ 'mac=00:16:3E:74:34:32,bridge=bridge0' ] <.>\n" "disk = [\n" "'/dev/zvol/tank/xendisk0,raw,hda,rw', <.>\n" "'/root/freebsd.iso,raw,hdc:cdrom,r' <.>\n" " ]\n" "vnc = 1 <.>\n" "vnclisten = \"0.0.0.0\"\n" "serial = \"pty\"\n" "usbdevice = \"tablet\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1640 msgid "These lines are explained in more detail:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1642 msgid "" "This defines what kind of virtualization to use. `hvm` refers to hardware-" "assisted virtualization or hardware virtual machine. Guest operating systems " "can run unmodified on CPUs with virtualization extensions, providing nearly " "the same performance as running on physical hardware. `generic` is the " "default value and creates a PV domain." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1643 msgid "" "Name of this virtual machine to distinguish it from others running on the " "same Dom0. Required." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1644 msgid "" "Quantity of RAM in megabytes to make available to the VM. This amount is " "subtracted from the hypervisor's total available memory, not the memory of " "the Dom0." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1645 msgid "" "Number of virtual CPUs available to the guest VM. For best performance, do " "not create guests with more virtual CPUs than the number of physical CPUs on " "the host." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1646 msgid "" "Virtual network adapter. This is the bridge connected to the network " "interface of the host. The `mac` parameter is the MAC address set on the " "virtual network interface. This parameter is optional, if no MAC is provided " "Xen(TM) will generate a random one." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1647 msgid "" "Full path to the disk, file, or ZFS volume of the disk storage for this VM. " "Options and multiple disk definitions are separated by commas." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1648 msgid "" "Defines the Boot medium from which the initial operating system is " "installed. In this example, it is the ISO image downloaded earlier. Consult " "the Xen(TM) documentation for other kinds of devices and options to set." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1649 msgid "" "Options controlling VNC connectivity to the serial console of the DomU. In " "order, these are: active VNC support, define IP address on which to listen, " "device node for the serial console, and the input method for precise " "positioning of the mouse and other input methods. `keymap` defines which " "keymap to use, and is `english` by default." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1651 msgid "" "After the file has been created with all the necessary options, the DomU is " "created by passing it to `xl create` as a parameter." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1655 #, no-wrap msgid "# xl create freebsd.cfg\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1664 msgid "" "Each time the Dom0 is restarted, the configuration file must be passed to " "`xl create` again to re-create the DomU. By default, only the Dom0 is " "created after a reboot, not the individual VMs. The VMs can continue where " "they left off as they stored the operating system on the virtual disk. The " "virtual machine configuration can change over time (for example, when adding " "more memory). The virtual machine configuration files must be properly " "backed up and kept available to be able to re-create the guest VM when " "needed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1667 msgid "The output of `xl list` confirms that the DomU has been created." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1674 #, no-wrap msgid "" "# xl list\n" "Name ID Mem VCPUs State Time(s)\n" "Domain-0 0 8192 4 r----- 1653.4\n" "freebsd 1 1024 1 -b---- 663.9\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1681 msgid "" "To begin the installation of the base operating system, start the VNC " "client, directing it to the main network address of the host or to the IP " "address defined on the `vnclisten` line of [.filename]#freebsd.cfg#. After " "the operating system has been installed, shut down the DomU and disconnect " "the VNC viewer. Edit [.filename]#freebsd.cfg#, removing the line with the " "`cdrom` definition or commenting it out by inserting a `+#+` character at " "the beginning of the line. To load this new configuration, it is necessary " "to remove the old DomU with `xl destroy`, passing either the name or the id " "as the parameter. Afterwards, recreate it using the modified [." "filename]*freebsd.cfg*." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1686 #, no-wrap msgid "" "# xl destroy freebsd\n" "# xl create freebsd.cfg\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1690 msgid "" "The machine can then be accessed again using the VNC viewer. This time, it " "will boot from the virtual disk where the operating system has been " "installed and can be used as a virtual machine." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/virtualization/_index.adoc:1692 #, no-wrap msgid "Troubleshooting" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1695 msgid "" "This section contains basic information in order to help troubleshoot issues " "found when using FreeBSD as a Xen(TM) host or guest." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:1697 #, no-wrap msgid "Host Boot Troubleshooting" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1701 msgid "" "Please note that the following troubleshooting tips are intended for Xen(TM) " "4.11 or newer. If you are still using Xen(TM) 4.7 and having issues, " "consider migrating to a newer version of Xen(TM)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1705 msgid "" "In order to troubleshoot host boot issues, you will likely need a serial " "cable, or a debug USB cable. Verbose Xen(TM) boot output can be obtained by " "adding options to the `xen_cmdline` option found in [.filename]#loader." "conf#. A couple of relevant debug options are:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1707 msgid "" "`iommu=debug`: can be used to print additional diagnostic information about " "the iommu." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1708 msgid "" "`dom0=verbose`: can be used to print additional diagnostic information about " "the dom0 build process." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1709 msgid "" "`sync_console`: flag to force synchronous console output. Useful for " "debugging to avoid losing messages due to rate limiting. Never use this " "option in production environments since it can allow malicious guests to " "perform DoS attacks against Xen(TM) using the console." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1712 msgid "" "FreeBSD should also be booted in verbose mode in order to identify any " "issues. To activate verbose booting, run this command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1716 #, no-wrap msgid "# echo 'boot_verbose=\"YES\"' >> /boot/loader.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1719 msgid "" "If none of these options help solving the problem, please send the serial " "boot log to mailto:freebsd-xen@FreeBSD.org[freebsd-xen@FreeBSD.org] and " "mailto:xen-devel@lists.xenproject.org[xen-devel@lists.xenproject.org] for " "further analysis." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/virtualization/_index.adoc:1721 #, no-wrap msgid "Guest Creation Troubleshooting" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1724 msgid "" "Issues can also arise when creating guests, the following attempts to " "provide some help for those trying to diagnose guest creation issues." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1727 msgid "" "The most common cause of guest creation failures is the `xl` command " "spitting some error and exiting with a return code different than 0. If the " "error provided is not enough to help identify the issue, more verbose output " "can also be obtained from `xl` by using the `v` option repeatedly." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/virtualization/_index.adoc:1743 #, no-wrap msgid "" "# xl -vvv create freebsd.cfg\n" "Parsing config from freebsd.cfg\n" "libxl: debug: libxl_create.c:1693:do_domain_create: Domain 0:ao 0x800d750a0: create: how=0x0 callback=0x0 poller=0x800d6f0f0\n" "libxl: debug: libxl_device.c:397:libxl__device_disk_set_backend: Disk vdev=xvda spec.backend=unknown\n" "libxl: debug: libxl_device.c:432:libxl__device_disk_set_backend: Disk vdev=xvda, using backend phy\n" "libxl: debug: libxl_create.c:1018:initiate_domain_create: Domain 1:running bootloader\n" "libxl: debug: libxl_bootloader.c:328:libxl__bootloader_run: Domain 1:not a PV/PVH domain, skipping bootloader\n" "libxl: debug: libxl_event.c:689:libxl__ev_xswatch_deregister: watch w=0x800d96b98: deregister unregistered\n" "domainbuilder: detail: xc_dom_allocate: cmdline=\"\", features=\"\"\n" "domainbuilder: detail: xc_dom_kernel_file: filename=\"/usr/local/lib/xen/boot/hvmloader\"\n" "domainbuilder: detail: xc_dom_malloc_filemap : 326 kB\n" "libxl: debug: libxl_dom.c:988:libxl__load_hvm_firmware_module: Loading BIOS: /usr/local/share/seabios/bios.bin\n" "...\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/virtualization/_index.adoc:1748 msgid "" "If the verbose output does not help diagnose the issue, there are also QEMU " "and Xen(TM) toolstack logs in [.filename]#/var/log/xen#. Note that the name " "of the domain is appended to the log name, so if the domain is named " "`freebsd` you should find a [.filename]#/var/log/xen/xl-freebsd.log# and " "likely a [.filename]#/var/log/xen/qemu-dm-freebsd.log#. Both log files can " "contain useful information for debugging. If none of this helps solve the " "issue, please send the description of the issue you are facing and as much " "information as possible to mailto:freebsd-xen@FreeBSD.org[freebsd-" "xen@FreeBSD.org] and mailto:xen-devel@lists.xenproject.org[xen-devel@lists." "xenproject.org] in order to get help." msgstr ""