System Notes - talisker.SGK - File Server

These notes cover building a FreeBSD file server that serves ZFS mirrors, built on GELI-encrypted disks, over Samba.

General Info

Hostname: talisker.SGK
Version: FreeBSD 12.1

Motherboard: X8DT3-LN4F (manual saved in hw_support)
Processors: 2x L5630 Xeons (4 cores @ 2.13 GHz, low power)
Memory: 48 GB (12x 4GB R2 Registered ECC)
        Note: Configured in lockstep mode, leaving 32 GB usable
Hard Drives:
    3x 120 GB Intel DC S3500 (3-way boot mirror)
    2x 8.0 TB WD Red (2-way mirror for media)
    3x 3.0 TB WD Red (3-way mirror for personal files)
    2x 2.0 TB used SAS (2-way mirror for scratch space)
    Note: The onboard SAS controller is limited to 2.0 TB max drive size.
          Consequently, one boot drive and the five drives >2.0 TB are on the
          SATA channels and all remaining drives are on SAS, even though this
          splits the boot mirror across controllers.

Installed Ports

sysutils/screen
net/samba410
    -LDAP
    -ADS
    -AD_DC
    (due to dependency errors, build devel/llvm80 and devel/meson first)
sysutils/zfs-stats
sysutils/zfstools
sysutils/bacula9-server
    +MTX
dns/bind-tools
devel/git
irc/irssi
security/nmap
sysutils/smartmontools
archivers/zip
archivers/gtar
mail/ssmtp

Encrypted ZFS Mirrors

The following example creates a 2-way mirror using ada1 and ada2. First, create the encrypted providers. geli init prompts for the passphrase and, with -l 256, uses a 256-bit key for the default AES-XTS cipher. The encrypted master key lives in the GELI metadata in the provider's last sector, and the passphrase alone cannot recover the data if that sector is lost, so back each one up with geli backup /dev/ada1 /root/ada1.eli (and likewise for ada2) and keep the copies off the machine.

geli init -l 256 /dev/ada1
geli init -l 256 /dev/ada2
geli attach /dev/ada1
geli attach /dev/ada2
geli status

In order to be prompted on the console for each passphrase at boot, so that the .eli providers exist before the pool is imported, add the following line to /etc/rc.conf.

geli_devices="ada1 ada2"

Next, create the ZFS mirror on the .eli providers rather than the raw disks, and enable compression by default. LZ4 is the usual choice because it abandons a block early when the first part of it does not compress, so incompressible media costs almost nothing.

zpool create zfs_mirror_1 mirror /dev/ada1.eli /dev/ada2.eli
zfs set compress=lz4 zfs_mirror_1
zpool status

Automated ZFS Snapshots

Set the com.sun:auto-snapshot property on the root dataset of each relevant zpool; child datasets inherit it, which can be confirmed with zfs get com.sun:auto-snapshot.

zfs set com.sun:auto-snapshot=true zfs_mirror_1

Create /etc/cron.d/zfs-snapshots with something like the following. The number after each interval is how many snapshots of that interval zfs-auto-snapshot keeps before pruning the oldest.

PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
15,30,45 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent  4
0        * * * * root /usr/local/sbin/zfs-auto-snapshot hourly   24
7        0 * * * root /usr/local/sbin/zfs-auto-snapshot daily     7
14       0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly    4
28       0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly  12

Note that individual intervals can be excluded per dataset with properties of the form com.sun:auto-snapshot:<interval>=false, e.g. for frequent:

zfs set com.sun:auto-snapshot:frequent=false zfs_mirror_1
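
The crontab above only creates snapshots; nothing confirms that zfs-auto-snapshot is actually pruning down to the configured counts, and a dataset quietly filling with stale snapshots is only noticed when the pool runs out of space. The POSIX sh function below is an added check that is not part of the original notes: it reads the output of zfs list -H -t snapshot -o name on stdin, counts snapshots per dataset and interval, compares them with the keep values from the crontab, and exits non-zero if any interval is over its limit. The snapshot list is constructed sample data. It assumes zfstools' zfs-auto-snap_<interval>-<timestamp> naming; the timestamp format shown is illustrative only, since the parser relies only on the prefix.

```shell
#!/bin/sh
# Added example: audit zfs-auto-snapshot retention against the crontab policy.
# Usage: zfs list -H -t snapshot -o name | audit_snapshots
# Exit status 1 when any dataset holds more snapshots of an interval than the
# policy allows (pruning is not happening), 0 otherwise.

# Retention policy as "interval keep" pairs, mirroring /etc/cron.d/zfs-snapshots.
POLICY='frequent 4 hourly 24 daily 7 weekly 4 monthly 12'

# Constructed sample output of: zfs list -H -t snapshot -o name
# (the timestamp format is illustrative; only the zfs-auto-snap_<interval>- prefix matters)
SAMPLE_SNAPSHOTS='zfs_mirror_1@zfs-auto-snap_frequent-2020-03-17-12h00
zfs_mirror_1@zfs-auto-snap_frequent-2020-03-17-12h15
zfs_mirror_1@zfs-auto-snap_frequent-2020-03-17-12h30
zfs_mirror_1@zfs-auto-snap_frequent-2020-03-17-12h45
zfs_mirror_1@zfs-auto-snap_frequent-2020-03-17-13h00
zfs_mirror_1@zfs-auto-snap_daily-2020-03-16-00h07
zfs_mirror_1@zfs-auto-snap_daily-2020-03-17-00h07
zfs_mirror_2@zfs-auto-snap_daily-2020-03-17-00h07
zfs_mirror_2@before-upgrade'

# Reads snapshot names on stdin; prints "<dataset> <interval> <count> <keep> <status>"
# per dataset/interval pair, status being OK, OVER or UNKNOWN (interval not in POLICY).
audit_snapshots() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, f, " ")
        for (i = 1; i < n; i += 2) keep[f[i]] = f[i + 1]
        bad = 0
    }
    # Only zfs-auto-snapshot names are in scope; manual snapshots are ignored.
    /@zfs-auto-snap_/ {
        split($0, parts, "@")
        interval = parts[2]
        sub(/^zfs-auto-snap_/, "", interval)   # strip the tool prefix
        sub(/-.*$/, "", interval)              # strip the timestamp
        count[parts[1], interval]++
    }
    END {
        for (key in count) {
            split(key, p, SUBSEP)
            if (p[2] in keep) {
                k = keep[p[2]]
                status = (count[key] > k) ? "OVER" : "OK"
                if (status == "OVER") bad = 1
            } else {
                k = "-"; status = "UNKNOWN"
            }
            printf "%s %s %d %s %s\n", p[1], p[2], count[key], k, status
        }
        exit bad
    }'
}

# Run against the constructed sample; a real cron job would pipe zfs list into it.
if ! printf '%s\n' "$SAMPLE_SNAPSHOTS" | audit_snapshots; then
    echo "snapshot retention exceeded: check that zfs-auto-snapshot pruning runs" >&2
fi
```

In the sample, zfs_mirror_1 holds five frequent snapshots against a keep of 4, so the report flags it OVER and the script exits 1; the manual before-upgrade snapshot is ignored. Output order across datasets is whatever awk's array iteration produces, so sort it if the report is going to be diffed week to week.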

Automated ZFS Scrubs

Create /etc/cron.d/zfs-scrubs with the following contents. Note that the day-of-month field is 1-31, so an entry of the form "0 0 0 * *" is rejected when cron loads the file and the scrubs never run. The lines below scrub every pool weekly at midnight on Saturday, so that the Sunday status emails report the result.

PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
0 0 * * 6 root /sbin/zpool scrub zroot
0 0 * * 6 root /sbin/zpool scrub zfs_mirror_1
0 0 * * 6 root /sbin/zpool scrub zfs_mirror_2
0 0 * * 6 root /sbin/zpool scrub zfs_mirror_3

Samba Notes

Create /usr/local/etc/smb4.conf with the following contents, adding a share section like [zfs_mirror_1] for each zpool. Two things to note: ntlm auth = yes re-enables NTLMv1 logons, which Samba 4.10 refuses by default (ntlmv2-only), so drop that line unless a client genuinely needs NTLMv1; and valid users together with guest ok = no is what actually restricts the share, since create mask = 0666 leaves the files world-readable on the local filesystem. Check the file with testparm before starting the service.

[global]
workgroup = WORKGROUP
server string = Samba Server
netbios name = Talisker
wins support = Yes
security = user
passdb backend = tdbsam
ntlm auth = yes

[zfs_mirror_1]
path = /zfs_mirror_1
valid users = ataylor
writable  = yes
browsable = yes
read only = no
guest ok = no
public = no
create mask = 0666
directory mask = 0755

Create a Samba user for the existing system account, using a different password than the system account. Samba keeps its own password hashes in the tdbsam backend, so the two are independent.

pdbedit -a ataylor

Manually start Samba.

service samba_server start

Configure Samba to autostart on boot by adding the following to /etc/rc.conf.

samba_server_enable="YES"

Status Emails

After building, run make replace inside the mail/ssmtp port. This repoints the sendmail entries in /etc/mail/mailer.conf at ssmtp, so that mail(1) and cron deliver through it instead of the base system sendmail.

Create /usr/local/etc/ssmtp/ssmtp.conf with the following contents. It holds the plaintext password of the sending mailbox, so check with ls -l that ordinary users cannot read it.

# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=ataylor@subgeniuskitty.com

# The place where the mail goes. The actual machine name is required
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and your mailhub is so named.
mailhub=mail.subgeniuskitty.com:465

# Where will the mail seem to come from?
rewriteDomain=subgeniuskitty.com

# The full hostname
hostname=talisker.subgeniuskitty.com

# Set this to never rewrite the "From:" line (unless not given) and to
# use that address in the "from line" of the envelope.
FromLineOverride=YES

# Use SSL/TLS to send secure messages to server.
UseTLS=YES

# Credentials accepted by remote SMTP server
AuthUser=ataylor@subgeniuskitty.com
AuthPass=password_goes_here

The From: name on these emails is root's full-name (GECOS) field, which FreeBSD ships as "Charlie &". Change it to something suitable with chpass root (or vipw), which edits /etc/master.passwd and rebuilds the password database. If master.passwd is edited by hand instead, run /usr/sbin/pwd_mkdb -p /etc/master.passwd afterwards; this also regenerates /etc/passwd, so do not edit /etc/passwd directly.

Create /etc/cron.d/status-emails with suitable contents. For example:

PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
0 0 * * 0 root /sbin/zpool list | /usr/bin/mail -s "talisker.SGK - zpool list" ataylor@subgeniuskitty.com
0 0 * * 0 root /sbin/zpool status | /usr/bin/mail -s "talisker.SGK - zpool status" ataylor@subgeniuskitty.com
0 0 * * 0 root /sbin/zfs list -t snapshot | /usr/bin/mail -s "talisker.SGK - zfs snapshots" ataylor@subgeniuskitty.com
0 0 * * 0 root /sbin/zfs list | /usr/bin/mail -s "talisker.SGK - zfs list" ataylor@subgeniuskitty.com
0 0 * * 0 root /usr/local/bin/zfs-stats -IMAE | /usr/bin/mail -s "talisker.SGK - zfs stats" ataylor@subgeniuskitty.com
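
The weekly emails above mail raw zpool status output, so a DEGRADED mirror or a climbing checksum counter is only noticed if someone reads the dump carefully. The POSIX sh function below is an added example, not part of the original notes: it reads zpool status on stdin, reports every pool whose state is not ONLINE, every vdev that is not ONLINE or has a non-zero READ/WRITE/CKSUM counter, and any errors: line other than "No known data errors", and exits non-zero if it found anything. The status text is constructed sample data modelled on the zpool status layout; the pool and device names and the counters are made up.

```shell
#!/bin/sh
# Added example: turn "zpool status" output into a pass/fail check.
# Usage: zpool status | zpool_health
# Exit status 1 if any pool or vdev needs attention, 0 if everything is ONLINE
# with zero error counters and no known data errors.

# Constructed sample: one degraded mirror (ada2.eli faulted with checksum
# errors) and one healthy 3-way boot mirror. Names and counters are made up.
SAMPLE_STATUS='  pool: zfs_mirror_1
 state: DEGRADED
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
  scan: scrub repaired 0 in 0 days 05:12:11 with 0 errors on Sun Mar  1 05:12:11 2020
config:

        NAME          STATE     READ WRITE CKSUM
        zfs_mirror_1  DEGRADED     0     0     0
          mirror-0    DEGRADED     0     0     0
            ada1.eli  ONLINE       0     0     0
            ada2.eli  FAULTED      0     0    12  too many errors

errors: No known data errors

  pool: zroot
 state: ONLINE
  scan: scrub repaired 0 in 0 days 00:02:11 with 0 errors on Sun Mar  1 00:02:11 2020
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            ada0p3  ONLINE       0     0     0
            da0p3   ONLINE       0     0     0
            da1p3   ONLINE       0     0     0

errors: No known data errors'

# Reads zpool status on stdin; prints one line per finding as "<pool>: <detail>".
zpool_health() {
    awk '
    BEGIN { bad = 0; inconfig = 0 }
    /^ *pool: /  { pool = $2; inconfig = 0; next }
    /^ *state: / {
        if ($2 != "ONLINE") { printf "%s: pool state %s\n", pool, $2; bad = 1 }
        next
    }
    /^config:/   { inconfig = 1; next }
    /^errors: /  {
        inconfig = 0
        if ($0 !~ /No known data errors/) { printf "%s: %s\n", pool, $0; bad = 1 }
        next
    }
    # Inside the config table every row is: NAME STATE READ WRITE CKSUM [note...]
    # The pool'"'"'s own row repeats the state: line, so it is skipped.
    inconfig && NF >= 5 && $1 != "NAME" && $1 != pool {
        if ($2 != "ONLINE" || $3 + $4 + $5 > 0) {
            printf "%s: %s %s (read=%s write=%s cksum=%s)\n", pool, $1, $2, $3, $4, $5
            bad = 1
        }
    }
    END { exit bad }'
}

# Run against the constructed sample; in cron, pipe the real command into it.
if ! printf '%s\n' "$SAMPLE_STATUS" | zpool_health; then
    echo "one or more pools need attention" >&2
fi
```

Saved as a script, this turns the weekly dump into an alert: run zpool status through it from cron and only pipe the full zpool status into mail when it exits non-zero, so mail arrives when something is wrong rather than every Sunday. Counting non-zero READ/WRITE/CKSUM columns matters because a vdev can accumulate errors while the pool state still reads ONLINE. For a quick interactive check, zpool status -x prints a one-line all-clear when nothing is wrong.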