summaryrefslogtreecommitdiff
path: root/stories/projects
diff options
context:
space:
mode:
authorerdgeist <erdgeist@bauklotz.local>2015-08-16 16:38:25 +0200
committererdgeist <erdgeist@bauklotz.local>2015-08-16 16:38:25 +0200
commit23f0e1561767dd8a396188e317bae5920d171ea8 (patch)
treea67f44e39ad8a45e42d60634488a65c37f3ad432 /stories/projects
Initial import of my nikola website
Diffstat (limited to 'stories/projects')
-rw-r--r--stories/projects/Telefonbuch.rst7
-rw-r--r--stories/projects/anonbox.rst7
-rw-r--r--stories/projects/briefkasten.rst6
-rw-r--r--stories/projects/el.rst72
-rw-r--r--stories/projects/elektropost.rst197
-rw-r--r--stories/projects/etherpad.rst237
-rwxr-xr-xstories/projects/ezjail.conf.5229
-rw-r--r--stories/projects/ezjail.rst412
-rw-r--r--stories/projects/ezjail_philosophy.rst50
-rw-r--r--stories/projects/jaildaemon.rst77
-rw-r--r--stories/projects/minimunin.rst75
-rw-r--r--stories/projects/opentracker.rst136
-rw-r--r--stories/projects/timestretch.rst63
-rw-r--r--stories/projects/vchat-client.rst267
14 files changed, 1835 insertions, 0 deletions
diff --git a/stories/projects/Telefonbuch.rst b/stories/projects/Telefonbuch.rst
new file mode 100644
index 0000000..4c4260c
--- /dev/null
+++ b/stories/projects/Telefonbuch.rst
@@ -0,0 +1,7 @@
1.. link:
2.. description: is a project to quickly dump a certain kind of digital phone books.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: Telefonbuch
6.. slug: ../arts/software/Telefonbuch/index
7.. prio: 98
diff --git a/stories/projects/anonbox.rst b/stories/projects/anonbox.rst
new file mode 100644
index 0000000..404ddbb
--- /dev/null
+++ b/stories/projects/anonbox.rst
@@ -0,0 +1,7 @@
1.. link:
2.. description: is a web service to generate and maintain throw away email addresses, instanced on anonbox.net, including a javascript implementation of a unicode capable mbox-to-html renderer.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: anonbox
6.. slug: ../arts/software/anonbox/index
7.. prio: 99
diff --git a/stories/projects/briefkasten.rst b/stories/projects/briefkasten.rst
new file mode 100644
index 0000000..de4c8cd
--- /dev/null
+++ b/stories/projects/briefkasten.rst
@@ -0,0 +1,6 @@
1.. link:
2.. description: is a web service to anonymously submit messages via the web generating PGP mails and is instanced on the zeit-online briefkasten.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: briefkasten
6.. slug: ../arts/software/briefkasten/index
diff --git a/stories/projects/el.rst b/stories/projects/el.rst
new file mode 100644
index 0000000..8633181
--- /dev/null
+++ b/stories/projects/el.rst
@@ -0,0 +1,72 @@
1.. link:
2.. description: is a unix tool aiding the Telefonbuch project for export and search queries.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: el
6.. subtitle: extract lines from text files
7.. slug: ../arts/software/el/index
8.. prio: 100
9
10.. contents::
11 :depth: 1
12 :class: ezjail-toc
13
14----
15
16Overview
17========
18
19*el* (from extract lines) is a unix tool to efficiently extract lines from a text file using a dynamic line end index. Its command line syntax is tuned to work with other posix tools – especially grep – to easily operate on poor man's databases where each of the database's columns is in a separate newline separated file.
20
21Since *el* mmaps the whole file, it does not work on streams.
22
23----
24
25Build instructions
26==================
27
28Get the source from my git repository ``git clone git://erdgeist.org/el`` and type ``make`` in the directory ``el``. *el* has no further dependencies and can just be copied to ``/usr/local/bin`` or wherever your binaries reside.
29
30----
31
32Invocation
33==========
34
35In its simplest form just run::
36
37 echo 1 2 3 4 5 6 7 8 9 10 | el file.txt
38
39to extract lines 1 to 10 from the file ``file.txt`` and print them to stdout. *el* also accepts white space separated line numbers with the ``-i`` parameter and can default to hexadecimal numbers with the ``-x`` switch::
40
41 el -i "10 11 12 13" -x file1.txt file2.txt
42
43extracts line 16 to 19 from the files ``file.txt`` and ``file2.txt``, each line separated by the tab character. If your line numbers start at ``0``, *el* will add 1, if it is run with the ``-0`` switch.
44
45The reason reading line numbers from stdin and not from command line by default becomes apparent, when you use the combining features of *el*, as it can parse and generate output as the ``grep`` posix tool does.
46
47If you use the ``-n`` switch, each extracted line is prefixed by it's line number and a colon, just as ``grep`` does. If you use the ``-g`` switch, *el* will also **expect** the line numbers on stdin to be terminated by a colon followed by garbage until next newline. So you can feed results from ``grep -n`` directly to it. With the ``-G`` option, not only will *el* parse the line numbers from ``grep``'s output, but also append the extracted lines from each file to the input line. In order to chain several ``grep`` and *el* commands, best combine the ``-Gn`` switches as in this example::
48
49 grep -n Manager positions.txt | el -Gn firstname.txt lastname.txt | grep Jon | el -Gn salary.txt
50
51This will produce, an output like this::
52
53 17:Manager\tJon\tMiller\t$1200
54 23:Manager\tJon\tDoe\t$1600
55
56given that all the text files contain corresponding rows of information about the staff.
57
58----
59
60Author
61======
62
63*el* was written by `Dirk Engling <mailto:erdgeist@erdgeist.org>`_, who likes to hear from happy customers.
64
65----
66
67License
68=======
69
70*el* is considered `beer ware </beerware.html>`_.
71
72
diff --git a/stories/projects/elektropost.rst b/stories/projects/elektropost.rst
new file mode 100644
index 0000000..b8ad9d1
--- /dev/null
+++ b/stories/projects/elektropost.rst
@@ -0,0 +1,197 @@
1.. link:
2.. description: is an ongoing mail server and webmail frontend project, documented to be set up on a FreeBSD jail and instanced on elektropost.org.
3.. tags: project
4.. date: 2014/02/01 19:10:08
5.. title: elektropost
6.. subtitle: a FreeBSD jail based mail server project.
7.. slug: ../arts/software/elektropost/index
8.. prio: 750
9
10.. contents::
11 :depth: 1
12 :class: ezjail-toc
13
14----
15
16Overview
17========
18
19`Here is a raw sketch </epost.pdf>`_ of how the elektropost setup works.
20
21Send feedback to `erdgeist <mailto:erdgeist@erdgeist.org>`_.
22
23----
24
25Install qmail
26=============
27
28* ``make patch`` in /usr/ports/mail/qmail-tls, choose SMTP_AUTH_PATCH, BIG_TODO_PATCH, BIG_CONCURRENCY_PATCH, DISCBOUNCES_PATCH and SPF_PATCH, keep RCDLINK
29* apply patch http://erdgeist.org/arts/software/Code/elektropost/validrcptto.cdb.patch.new to qmail-tls/work/qmail-1.03
30* apply patch http://erdgeist.org/arts/software/Code/elektropost/qmail-smtpd.c.privacy.patch to qmail-tls/work/qmail-1.03
31* ``make install`` in /usr/ports/mail/qmail-tls
32* add "QMAIL_SLAVEPORT=tls" in /etc/make.conf
33
34----
35
36Configure qmail
37===============
38
39* In /var/qmail/control check/edit all files
40* create a servercert.pem. On elektropost this one is used for lighty and dovecot as well, YMMV
41* install http://erdgeist.org/arts/software/Code/elektropost/tcp.smtp to /etc/tcp.smtp and alter it accordingly to your needs, ie fix/insert to "cat /etc/tcp.smtp | tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp"
42
43 * for this you will need to ``make install`` in /usr/ports/sysutils/ucspi-tcp
44 * select SSL, leave MAN checked
45* ``ln -s /var/qmail/boot/qmail-smtpd.rcNG /usr/local/etc/rc.d/qmail-smtpd``
46* ``ln -s /var/qmail/boot/maildir /usr/local/etc/rc.d/qmail``
47* ``echo 'qmailsmtpd_enable="YES"' >> /etc/rc.conf``
48* ``echo 'qmailsmtpd_checkpassword="/usr/local/vpopmail/bin/vchkpw"' >> /etc/rc.conf``
49
50----
51
52Install vpopmail
53================
54
55* ``make install`` in /usr/ports/mail/vpopmail
56* Use default options for ucspi-tcp
57* ``chown vpopmail:vchkpw /usr/local/vpopmail``
58* ``chmod u+s ~vpopmail/bin/vchkpw``
59* ``pw user mod vpopmail -s /bin/sh``
60
61----
62
63Configure vpopmail
64==================
65
66* ``echo elektropost.org > /usr/local/vpopmail/etc/defaultdomain``
67
68----
69
70Install dovecot
71===============
72
73* ``make install`` in /usr/ports/mail/dovecot
74* choose option VPOPMAIL, keep the rest (maybe disable IPV6)
75* ``echo 'dovecot_enable="YES"' >> /etc/rc.conf``
76
77----
78
79Configure dovecot
80=================
81
82* ``cp /usr/local/etc/dovecot-example.conf /usr/local/etc/dovecot.conf``
83* Change: protocols = imap imaps pop3s
84* Change: listen = and ssl_listen = to match your ip addresses
85* Change: ssl_cert_file = /var/qmail/control/servercert.pem
86* Change: ssl_key_file = /var/qmail/control/servercert.pem
87* Change: mail_location = maildir:%h/Maildir
88* Change: first_valid_uid = 1
89* Change: first_valid_gid = 1
90* Change: max_mail_processes = 1024
91* Change: auth_username_format = %Ln@%Ld
92* Change: #passdb pam { and #} if you do not have local user mail
93* Change: #userdb passwd { and #} if you do not have local user mail
94* Change: userdb vpopmail { and } to use vpopmail's vchkpw
95
96----
97
98Install lighty
99==============
100
101* ``make install`` in /usr/ports/www/lighttpd
102* ``echo 'lighttpd_enable="YES"' >> /etc/rc.conf``
103
104----
105
106Configure lighty
107================
108
109* ``cp /usr/local/etc/lighttpd.conf.sample /usr/local/etc/lighttpd.conf``
110* Change: "mod_fastcgi",
111* Change: server.document-root = "/usr/local/www/squirrelmail/"
112* Change: server.port = 443
113* Change::
114
115 cgi.assign = ( ".pl" => "/usr/bin/perl",
116 ".cgi" => "/usr/bin/perl",
117 "/cgi-bin/qmailadmin" => "",
118 "/ezmlm-cgi" => "" )
119
120* Change: ssl.engine = "enable"
121* Change: ssl.pemfile = "/var/qmail/control/servercert.pem"
122* To inform users to use https, put a document to /usr/local/www/data/index.html and add::
123
124 #compatibility
125 $SERVER["socket"] == "<insert your ip address>:80" {
126 ssl.engine = "disable"
127 server.name = "<your fqdn>"
128 server.document-root = "/usr/local/www/data"
129 }
130
131----
132
133Install squirrelmail
134====================
135* ``make install`` in /usr/ports/mail/squirrelmail
136* Use default options for php5
137* Follow the instructions squirrelmail port prints out
138
139----
140
141Install qmailadmin / ezmlm-idx
142==============================
143
144* ``make install WITH_SPAM_DETECTION=TRUE SPAM_COMMAND="| /usr/local/bin/spamc -f | /usr/local/bin/maildrop" CGIBINDIR=www/squirrelmail/cgi-bin CGIBINSUBDIR= WEBDATADIR=www/squirrelmail WEBDATASUBDIR=qmailadmin in /usr/ports/mail/qmailadmin``
145* Use default options for ezmlm-idx
146
147----
148
149Install qmailadmin plugin for squirrelmail
150==========================================
151
152* ``make install`` in /usr/ports/mail/squirrelmail-qmailadmin_login-plugin
153
154----
155
156Install maildrop
157================
158
159* ``make install`` in /usr/ports/mail/maildrop
160
161----
162
163Install the maildrop spam sort magic
164====================================
165
166* install http://erdgeist.org/arts/software/Code/elektropost/maildroprc to /usr/local/etc/maildroprc
167
168----
169
170Install spamassassin
171====================
172
173* ``make install`` in /usr/ports/mail/p5-Mail-SpamAssassin, keep SPAMC, SSL, uncheck all others
174* ``echo '-d 192.168.0.2' > /usr/local/etc/mail/spamassassin/spamc.conf``
175
176----
177
178Install the Valid RCPTTO checking stuff
179=======================================
180
181* install http://erdgeist.org/arts/software/Code/elektropost/mkvalidrcptto to /usr/local/vpopmail/bin/mkvalidrcptto
182* ``chmod +x /usr/local/vpopmail/bin/mkvalidrcptto``
183* ``cpan install CDB_File`` to help perl understand cdb files
184* ``make install`` in /usr/ports/databases/cdb/
185* Add a script to your crontab (e.g. /usr/local/vpopmail/etc/tidymail.sh) that contains::
186
187 /usr/local/vpopmail/bin/mkvalidrcptto | /usr/local/bin/cdbmake-12 /var/qmail/control/validrcptto.cdb /tmp/validrcptto.tmp
188
189----
190
191Install the auto trash-pruning script
192=====================================
193
194* Add a script to your crontab (e.g. /usr/local/bin/prune-trash.sh) that contains::
195
196 find -E /usr/local/vpopmail/domains/ -type f -iregex "^.*/maildir/.*\.(junk|trash|spam)(\.[^/]+)?/(new|cur|tmp)/.*$" -mmin +86400 -delete
197
diff --git a/stories/projects/etherpad.rst b/stories/projects/etherpad.rst
new file mode 100644
index 0000000..cc75def
--- /dev/null
+++ b/stories/projects/etherpad.rst
@@ -0,0 +1,237 @@
1.. link:
2.. description: is a documentation project on how to setup the classic etherpad software in a FreeBSD jail.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: etherpad
6.. slug: ../arts/software/etherpad/index
7
8.. contents::
9 :depth: 1
10 :class: ezjail-toc
11
12----
13
14Overview
15========
16
17This is how to install the etherpad from http://etherpad.org/ in a FreeBSD-8.2 jail. (N.B: Things are reported not to work with newer versions.)
18
19This guide assumes, you have sudo, bash and an editor of your choice installed. Reserve around 2GB space for the jail. If you're using a different shell, use ``setenv`` to configure the environment variables set by ``export`` in this guide. Send feedback to `erdgeist <mailto:erdgeist-etherpad@erdgeist.org>`_. Many regards to `this guide <http://pauleira.com/13/installing-etherpad/>`_, it helped me a lot.
20
21----
22
23Install Scala + Java
24====================
25
26Since etherpad does not build under the version of scala that is shipped with FreeBSD-8.2 (i.e. scala-2.8.0), we have to manually install scala-2.7.7. However, scala brings nice dependencies that help with the manual installation of the jdk. So we install scala-2.8.0 to get the dependencies, then deinstall it and install java and scala.
27
28* Fetch jdk here: `<jdk-1.6.0.3p4_15.tbz>`_
29* Fetch scala-2.7.7 here: `<scala-2.7.7.tbz>`_
30
31Then type::
32
33 pkg_add -r scala
34 pkg_delete -f scala\*
35 pkg_add jdk-1.6.0.3p4_15.tbz scala-2.7.7.tbz
36
37----
38
39Install mysql, fastjar and java connector
40=========================================
41
42Type::
43
44 pkg_add -r mysql55-server mysql-connector-java fastjar
45 echo mysql_enable=YES >> /etc/rc.conf
46 /usr/local/etc/rc.d/mysql-server start
47
48----
49
50Prepare mysql
51=============
52
53Connection in a jail comes from the jail IP, not from 127.0.0.1, so enter IPADDRESS accordingly
54
55``mysql -u root``
56
57and in the mysql shell::
58
59 create database etherpad;
60 grant all privileges on etherpad.* to 'etherpad'@'IPADDRESS' identified by 'MYSQLPASS_CHANGEME';
61
62----
63
64Checkout etherpad
65=================
66
67Type::
68
69 pkg_add -r git
70 cd /usr/local
71 git clone git://github.com/ether/pad.git
72
73known good commit 94d5b2dfd65abbee5a06d80d94cdb00a7947d9b1, otoh: you might want to check `my issue about this commit <https://github.com/ether/pad/issues/293>`_, overlay windows are broken atm.
74
75----
76
77Configure etherpad
78==================
79
80Type::
81
82 cd /usr/local/pad/etherpad
83 cp etc/etherpad.localdev-default.properties etc/etherpad.local.properties
84
85and in your ``etc/etherpad.local.properties`` do:
86
87* Change: devMode = false
88* Change: etherpad.isProduction = true
89* Change: etherpad.proAccounts = true
90* Change: etherpad.adminPass = ADMINPASS_CHANGEME
91* Change: etherpad.isProduction = true
92* Change: etherpad.SQL_PASSWORD = MYSQLPASS_CHANGEME
93* Change: listen = 0.0.0.0:9000
94* Change: topdomains = pads.domain.tld,localhost
95* Change: customEmailAddress = admin@pads.domain.tld
96* Change: transportUseWildcardSubdomains = false
97* Change: useHttpsUrls = true
98
99Remember the passwords well, take special care about trailing spaces! Now setup your domain in the following files:
100
101* src/main.js
102* src/static/crossdomain.xml
103* src/etherpad/pro/pro_utils.js
104* src/etherpad/control/pad/pad_control.js
105* src/etherpad/control/global_pro_account_control.js
106
107To disable a per-pad quota, comment out the call to _checkPadQuota in src/etherpad/control/pad/pad_control.js
108
109----
110
111Rebuild the JAR
112===============
113
114Type::
115
116 export JAVA_HOME="/usr/local/jdk1.6.0/"
117 export JAVA="/usr/local/jdk1.6.0/bin/java"
118 export SCALA="/usr/local/share/scala-2.7.7/bin/scala"
119 export SCALA_HOME="/usr/local/share/scala-2.7.7/"
120 export SCALA_LIBRARY_JAR="/usr/local/share/scala-2.7.7/lib/scala-library.jar"
121 export PATH=/usr/local/share/scala-2.7.7/bin/:$PATH
122 export MYSQL_CONNECTOR_JAR="/usr/local/share/java/classes/mysql-connector-java.jar"
123 export mysql=mysql
124
125Rebuild the ace dependency
126--------------------------
127
128This is especially important if you see this (google hint): ``net.appjet.bodylock.JSRuntimeException: Error: Neither module exists: etherpad.collab.ace.easysync2, etherpad.collab.ace.easysync2.``::
129
130 cd /usr/local/pad/infrastructure/ace
131 bin/make normal etherpad
132
133Rebuild the JAR with correct settings
134-------------------------------------
135
136Type::
137
138 cd /usr/local/pad/etherpad
139 bin/rebuildjar.sh
140
141----
142
143Install nginx
144=============
145
146Type::
147
148 cd /usr/ports/www/nginx
149 make install clean
150
151and be sure to select HTTPS.
152
153----
154
155Create Self Signed Certificates
156===============================
157
158For whatever your domain is, substitute it in the following commands::
159
160 openssl genrsa -out pads.domain.tld.key 1024
161 openssl req -new -key pads.domain.tld.key -out pads.domain.tld.csr
162 echo "subjectAltName=DNS:pads.domain.tld,DNS:*.pads.domain.tld" >pads.domain.tld.conf
163 openssl x509 -req -days 365 -in pads.domain.tld.csr -signkey pads.domain.tld.key -text -extfile pads.domain.tld.conf -out pads.domain.tld.crt
164 cat pads.domain.tld.crt pads.domain.tld.key >/usr/local/etc/nginx/pads.domain.tld.pem
165
166----
167
168Configure nginx
169===============
170
171Nginx configs were provided by cryx. Thank you. Fetch ``nginx.conf`` here: `<nginx.conf>`_ and put it to ``/usr/local/etc/nginx/``. Then in your local ``nginx.conf`` do:
172
173* Change: server_name pads.domain.tld \*.pads.domain.tld; take special care to include the wildcard subdomains
174* Change: ssl_certificate pads.domain.tld.pem; as created above
175
176Fetch ``nginx-etherpad.conf`` here: `<nginx-etherpad.conf>`_ and put it to ``/usr/local/etc/nginx/``. Then in your local ``nginx-etherpad.conf`` do:
177
178* Change: server_name pads.domain.tld \*.pads.domain.tld; take special care to include the wildcard subdomains
179* Change: proxy_pass http://pads.domain.tld:9000/;
180
181Type::
182
183 mkdir /var/log/www/; chown www:www /var/log/www
184 echo nginx_enable=YES >> /etc/rc.conf
185
186----
187
188Install start script
189====================
190
191Fetch rc script here: `<etherpad>`_ and put it to ``/usr/local/etc/rc.d/``.
192
193Type::
194
195 chmod +x /usr/local/etc/rc.d/etherpad
196 echo etherpad_enable=YES >> /etc/rc.conf
197 mkdir /var/run/etherpad; chown etherpad /var/run/etherpad
198 chown -R etherpad:etherpad /usr/local/pad
199
200----
201
202Install openoffice
203==================
204
205If you want to export word and pdf documents, you need to install openoffice and run it as a headless service.
206
207Fetch the libreoffice package here: http://wiki.bsdforen.de/anwendungen/libreoffice_aus_inoffiziellen_paketen#freebsd_amd64i386_87-stable_kamikaze or, a know working mirror for `<libreoffice-3.3.3.tbz>`_, MD5 (libreoffice-3.3.3.tbz) = 028d259735b361e46af8a9e253f168a8.
208
209Install dependencies, ignore warnings about already installed older versions::
210
211 pkg_add -r xineramaproto xf86vidmodeproto xextproto videoproto renderproto randrproto printproto kbproto inputproto fixesproto dri2proto damageproto compositeproto font-util encodings libtextcat expat gnome_subr ca_root_nss hicolor-icon-theme gnomehier lp_solve python27 xcb-proto perl hu-hunspell poppler-data png lcms jpeg jbigkit tiff openjpeg jasper curl pkg-config xproto pixman libtasn1 libfontenc libXdmcp libXau libICE libSM freetype2 mkfontscale mkfontdir fontconfig font-misc-meltho font-misc-ethiopic font-bh-ttf bitstream-vera xorg-fonts-truetype pcre orc m4 libpthread-stubs libxcb xcb-util libdrm libX11 libXt libXrender libXft libXfixes libXext libXxf86vm libXv libXrandr libXpm libXp libXmu libXinerama libXi libXdamage libXcursor libXcomposite libXaw libGL libGLU libltdl libffi libcheck icu db41 libiconv libxml2 raptor rasqal redland gettext libgpg-error libgcrypt glib gamin gio-fam-backend shared-mime-info libIDL gdk-pixbuf desktop-file-utils dbus libgee dbus-glib eggdbus cairo poppler bison gobject-introspection gstreamer gstreamer-plugins polkit pango ORBit2 lzo2 gnutls cups-client atk gtk dconf gconf2 libgsf libwpd libwps libwpg libxslt
212
213Install the local package::
214
215 pkg_add -f libreoffice-3.3.3.tbz
216
217Fetch rc script here: `<soffice>`_ and put it to ``/usr/local/etc/rc.d/``. Then type::
218
219 chmod +x /usr/local/etc/rc.d/soffice
220 echo soffice_enable=YES >> /etc/rc.conf
221
222----
223
224Configure name server
225=====================
226
227Add records for the pads and wildcard subdomains, for tinydns this is::
228
229 +pads.domain.tld:192.168.0.23:43200
230 +*.pads.domain.tld:192.168.0.23:43200
231
232----
233
234Filter local services
235=====================
236
237Add rules to filter ports 9000 and 3306 to pf.
diff --git a/stories/projects/ezjail.conf.5 b/stories/projects/ezjail.conf.5
new file mode 100755
index 0000000..f35d412
--- /dev/null
+++ b/stories/projects/ezjail.conf.5
@@ -0,0 +1,229 @@
1.Dd December 5, 2013
2.Dt EZJAIL.CONF 5 USD
3.Os FreeBSD
4.Sh NAME
5.Pa ezjail.conf
6.Nd configuration file for ezjail script
7.Sh DESCRIPTION
8The file
9.Pa ezjail.conf
10contains settings that control the operation of the ezjail
11.Xr rc 8
12script. It is also read by the
13.Cm ezjail-admin
14utility to figure out where it should perform its actions. Its path is
15set at installation time to
16.Pa EZJAIL_PREFIX/etc/ezjail.conf ,
17with an example file installed at
18.Pa EZJAIL_PREFIX/etc/ezjail.conf.sample .
19.Pp
20This file is really a shell script that is sourced by the
21.Cm ezjail-admin
22command at run-time.
23.Dq (str)
24denotes a string; it should be enclosed in quotes if it contains space.
25.Dq (bool)
26notes a boolean, whose possible values are
27.Dq YES
28and
29.Dq NO .
30.Sh PATH OPTIONS
31.Bl -tag -width option
32.It ezjail_jaildir (str)
33Location of jail root directories.
34.br
35Default:
36.Em /usr/jails .
37.It ezjail_jailtemplate (str)
38Location of template jail used to create a new jail
39.br
40Default:
41.Em ${ezjail_jaildir}/newjail .
42.It ezjail_jailbase (str)
43Location of base jail, the one that is mounted to all jails
44.br
45Default:
46.Em ${ezjail_jaildir}/basejail .
47.It ezjail_sourcetree (str)
48Location of your copy of FreeBSD's source tree (refer to the
49.Xr ezjail-admin 8
50utility for more information).
51.br
52Default:
53.Em /usr/src .
54.It ezjail_flavours_dir (str)
55Location of the flavours, where each directory is a different flavour.
56.br
57Default:
58.Em ${ezjail_jaildir}/flavours .
59.It ezjail_ftphost (str)
60This is where the install subcommand defaults to fetch its packages from.
61.br
62Default:
63.Em ftp.freebsd.org .
64.It ezjail_archivedir (str)
65This is the default archive location for the
66.Cm ezjail-admin archive
67command.
68.br
69Default:
70.Em ${ezjail_jaildir}/ezjail_archives .
71.El
72.Sh JAIL ADMIN OPTIONS
73.Bl -tag -width option
74.It ezjail_default_execute (str)
75This is the default command executed in a jail by
76.Cm ezjail-admin console .
77.br
78Default:
79.Em /usr/bin/login -f root .
80.It ezjail_exec_start (str)
81The command to execute in a jail when starting it.
82.br
83Default:
84.Em /bin/sh /etc/rc .
85.El
86.Sh JAIL CREATION OPTIONS
87Default options for newly created jails. Used by the
88.Xr ezjail-admin 1
89utility. Be careful about disabling
90.Em ezjail_mount_enable .
91.Bl -tag -width option
92.It ezjail_mount_enable (bool)
93Controls whether
94.Pa /etc/fstab. Ar hostname
95should be executed at jail startup time.
96.br
97Default:
98.Em YES .
99.It ezjail_devfs_enable (bool)
100Controls whether newly created jails are given a working
101.Pa /dev
102directory. (Refer to
103.Xr devfs 5
104and
105.Xr jail 8
106for more information).
107.br
108Default:
109.Em YES .
110.It ezjail_devfs_ruleset (str)
111Specifies which devfs ruleset should apply for newly created jails.
112(Refer to
113.Xr devfs 5
114and
115.Xr jail 8
116for more information).
117.br
118Default:
119.Em devfsrules_jail .
120.It ezjail_procfs_enable (bool)
121Controls whether newly created jails are given a working
122.Pa /proc
123directory. (Refer to
124.Xr procfs 5
125and
126.Xr jail (8)
127for more information).
128.br
129Default:
130.Em YES .
131.It ezjail_fdescfs_enable (bool)
132Controls whether newly created jails are given a working
133.Pa /dev/fd/
134directory. (Refer to
135.Xr fdescfs (5)
136and
137.Xr jail (8)
138for more information).
139.br
140Default:
141.Em YES .
142.It ezjail_uglyperlhack (bool)
143Set to YES, if ezjail should provide a soft link from
144.Pa /usr/bin/perl
145to
146.Pa /usr/local/bin/perl
147in base jail.
148.br
149Default:
150.Em YES .
151.It ezjail_default_flavour (str)
152Controls which flavours should be used for newly created jails if none
153are given on the command line.
154.br
155Default:
156.Em none .
157.It ezjail_imagetype (one of simple, bde, eli, zfs)
158Type of jail to create when creating a jail with the
159.Fl i
160flag without specifying the type explicitly.
161.br
162Default:
163.Em simple
164.El
165.Sh ZFS OPTIONS
166.Bl -tag -width option
167.It ezjail_use_zfs (bool)
168Set to YES, if ezjail should manage basejail and newjail in a separate
169ZFS-datasets.
170.br
171Default:
172.Em NO .
173.It ezjail_use_zfs_for_jails (bool)
174Set to YES, if ezjail should manage all new jails in their own
175ZFS-datasets. To override that on the command line, use
176.Cm ezjail-admin create -c simple
177for image based jails or
178.Cm ezjail-admin create -c ''
179for non-image jails.
180.br
181Default:
182.Em NO .
183.It ezjail_jailzfs (str)
184The name of the parent ZFS-dataset which ezjail will use to create
185jails on. It will be mounted in
186.Em ezjail_jaildir .
187Setting this will automatically enable ezjail managing jails in separate
188ZFS-datasets.
189.br
190Default:
191.Em none .
192.It ezjail_zfs_properties (str)
193Default properties ZFS will use for creating datasets. See
194.Xr zfs 1m
195for details. ADVANCED, be very careful!
196.br
197Default:
198.Em none .
199.It ezjail_default_retention_policy (str)
200Policy for the
201.Cm ezjail-admin snapshot
202subcommand to keep older snapshots. See
203.Xr ezjail-admin 1
204for details.
205.br
206Default:
207.Em none .
208.El
209.Sh FILES
210EZJAIL_PREFIX/etc/ezjail.conf
211.br
212EZJAIL_PREFIX/etc/rc.d/ezjail.sh
213.Sh SEE ALSO
214.Xr ezjail-admin 1 ,
215.Xr ezjail 5 ,
216.Xr jail 8 ,
217.Xr devfs 5 ,
218.Xr fdescfs 5 ,
219.Xr procfs 5 .
220.Sh AUTHOR
221Dirk Engling
222.Aq erdgeist@erdgeist.org .
223.Pp
224The man page is based on a draft by
225.An JoeB
226.Aq joeb1@a1poweruser.com
227and was rewritten by
228.An Frederic Perrin
229.Aq frederic.perrin@resel.fr .
diff --git a/stories/projects/ezjail.rst b/stories/projects/ezjail.rst
new file mode 100644
index 0000000..4eb4b65
--- /dev/null
+++ b/stories/projects/ezjail.rst
@@ -0,0 +1,412 @@
1.. link:
2.. description: is a jail management framework for the FreeBSD operating system, aiming to aid in setting up und updating virtual FreeBSD instances.
3.. tags: project
4.. date: 2000/02/01 19:10:08
5.. title: ezjail
6.. subtitle: Jail administration framework
7.. slug: ../arts/software/ezjail/index
8.. prio: 900
9
10.. contents::
11 :depth: 1
12 :class: ezjail-toc
13
14----
15
16News
17====
18
19.. image:: http://www.freebsd.org/gifs/daemon_hammer-tn25.jpg
20 :align: right
21
22.. post-list::
23 :tags: ezjail
24 :template: list_projectnews.tmpl
25 :stop: 5
26
27----
28
29Overview
30========
31
32A `Jail <http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/jail.html>`_ in FreeBSD-speak is one or more tasks with the same kernel Jail-ID, bound on zero or more IP addresses, having the same chroot-environment. One usecase of the FreeBSD Jail Subsystem is to provide virtual FreeBSD-systems within a Host-system. ezjail `is about making this as easy as possible <philosophy.html>`_, aiming for minimum system resource usage. All further references to the term Jail are to a virtual FreeBSD-system consisting of a host name, an IP-address and a Jail root.
33
34The jail(8) man page outlines the way to create Jails, however, when you need several Jails, complete Jail Directory Trees quickly use much of your valuable hard disc space. ezjail avoids this by using FreeBSDs nullfs feature. Most of the base system (/bin, /boot, /sbin, /lib, /libexec, /rescue, /usr/{bin, include, lib, libexec, ports, sbin, share, src}) only exists in one copy in the Host-system and is being mounted read only into all Jails via nullfs. Those Jails are quite slim (around 2mb each) and only consist of some soft links into the basejail mount point and non-shared directories like /etc, /usr/local, etc.
35
36The ezjail approach offers lots of advantages:
37
38* You save disc space, inodes and even memory since the system only needs to hold one copy of base system binaries for all Jails
39* You can update all Jails on a single base directory, since it is so eazy, you might actually end up doing it
40* Intruders compromising Jails are unable to install standard rootkits (as the base system is mounted read only)
41* Since ezjail is written entirely in sh, there is no need to install other script languages into the hostsystem
42* As the base system is provided via soft links, the enjailed users can choose not to use the mounted world
43* ezjail offers full zfs integration and can help you automatize your file system configuration
44* An often underestimated fact: less complexity means more security.
45
46----
47
48Quick start
49===========
50
51To set up your first very simple ezjail, just install ezjail from ``sysutils/ezjail`` port or via ``pkg_add -r ezjail`` and enable it by setting ``ezjail_enable=YES`` in your in your ``/etc/rc.conf``. Assuming your network interface is em0, just type (as root)::
52
53 ezjail-admin install
54 ezjail-admin create example.com 'em0|10.0.0.2'
55 ezjail-admin start example.com
56
57and you're done. Get a shell in your new jail with the::
58
59 ezjail-admin console example.com
60
61command. As with any vanilla FreeBSD installation, you might probably need to touch /etc/ and maybe copy your host's /etc/resolv.conf.
62
63----
64
65Slow start
66==========
67
68ezjail comes with some sane defaults, but can be configured globally and per jail using the config file /usr/local/etc/ezjail.conf (copy the sample from /usr/local/etc/ezjail.conf.sample) and the per-jail config files under /usr/local/etc/ezjail/ (those are created automatically with the jails and managed by the ezjail-admin config command).
69
70ZFS
71---
72
73ezjail integrates nicely with zfs, ready to manage all jails in its own file system. So if your system has a zpool configured, tell ezjail to use zfs and which zpool to use for its house keeping:
74
75* uncomment the ``ezjail_use_zfs=YES``
76* point the ``ezjail_jailzfs`` variable to a file system that will be created by ezjail-admin install, (e.g. ``tank/ezjail``)
77
78while you're at it, you can tell ezjail to create all future jails in their own file system (which defaults to be a child of ``ezjail_jailzfs``)
79
80* uncomment ``ezjail_use_zfs_for_jails=YES``
81
82now the commands in the quick start example should set up a zfs hierarchy ready to use all the nifty features of zfs.
83
84Flavours
85--------
86
87ezjail can help you with the otherwise tedious task of decorating the interior of new jails–those come as naked FreeBSD installations by default. A set of files to copy, packages to install and scripts to execute is called "flavour". ezjail comes with an example flavour called "example" that comes pre-tuned for the use in jails, with an appropriate ``rc.conf``, ``make.conf``, ``periodic.conf`` and ``/usr/local/etc/sudoers``.
88
89You are encouraged to copy the flavour and modify the contained script to suit your needs–flavours reside in the directory configured with the ``ezjail_flavours_dir`` variable, which defaults to ``/usr/jails/flavours``. But just calling::
90
91 ezjail-admin create -f example example.com 'em0|10.0.0.2'
92
93
94should do. Note, that the flavour script is being run the first time the jail starts, so calling::
95
96 ezjail-admin console -f example.com
97
98
99is a nice idea. You can use the shell to further configure the new jail.
100
101The basejail
102------------
103
104All jails share a read only mounted copy of the FreeBSD base system, in ezjail this is called basejail. The quick start section gave a glimpse on the most simple way to install just the basics, but no ports tree, no man pages (pre FreeBSD-9) and no sources. You can run the ``ezjail-admin install`` command with the options -P, -M and -S again to install these distribution packages without installing the base system again, or just call ``ezjail-admin install -spm`` from start. ezjail uses the portsnap command to provide (and later update) the ports tree. If you do not want to install the OS version running in the host system, call::
105
106 ezjail-admin install -r 2.2.8-RELEASE
107
108
109If you want to install your base system from source, use the ``ezjail-admin setup`` command (also called ``ezjail-admin update``); assuming you have already built your world for the host system, you would just call::
110
111 ezjail-admin setup -i
112
113
114to run a make installworld from your source directory, which defaults to ``/usr/src``. To run a make buildworld before the installworld, call::
115
116 ezjail-admin setup -b
117
118For binary installations, ezjail uses the freebsd-update tool to keep the basejail up to date,::
119
120 ezjail-admin update -u
121
122should do the trick.
123
124Image and crypto jails
125----------------------
126
127Before the dawn of zfs, simple means to set limits on jails, like quotas, were hard to achieve. ezjail's answer were image jails, file backed "memory" disc images containing an ufs with the jail's content. When geom appeared with the very useful gbde and geli crypto layers for geom, encrypting image jails became possible. ezjail would handle creating and later attaching and detaching those images for you.
128
129Now simple image jails are not as hot anymore and personally I would recommend using geli to encrypt the provider for your zpool to apply proper crypto to all your jails. Still, there may be valid use cases for image jail. Call::
130
131 ezjail-admin create -i -s 2G example.com 10.0.0.2
132
133to create a two gigabyte md-image with an ufs file system and install the jail inside. To configure the jail without starting it, use the attach and detach subcommands of ``ezjail-admin config``, like this::
134
135 ezjail-admin config -i attach example.com
136 cd /usr/jails/example.com
137 # … do your thing …
138 ezjail-admin config -i detach example.com
139
140Should the file system need some love, e.g. after a spontanous reboot or system crash, call::
141
142 ezjail-admin config -i fsck example.com
143
144to tidy up the mess–it ain't zfs, after all. By default ufs soft updates are enabled, so background fsck should occur for minor wrinkles, when an image jail starts.
145
146To create encrypted image jails, use the -c switch and either pass bde or eli and follow the instructions on screen::
147
148 ezjail-admin create -c eli -i 16G example.com 10.0.0.3
149
150Note, that ezjail creates image jails by filling them from ``/dev/zero`` or ``/dev/random``, for performance reasons (reduce seeks with this file system inside a file system hack) and for security reasons (do not leak information about which blocks have been written for crypto jails), so creating huge image jails may take a while. Also note, that crypto jails would block the boot process (unless the passphrase is provided via a file or some fetch magic via stdin). So they are being marked as attachblocking and not started during boot time. You need to start them using ``ezjail-admin startcrypto``.
151
152Further reading
153---------------
154
155To get further details about all the options for ezjail-admin and all knobs and bolts, I recommend the excellent man pages: ezjail-admin, an overview over ezjail and the ezjail config file.
156
157----
158
159Version History
160===============
161
162Since ezjail is useful under FreeBSD only, you might want to install it from ports ``sysutils/ezjail``. An `ezjail cvsweb (deprecated) </cvsweb/ezjail/>`_ and `ezjail gitweb </gitweb/ezjail/>`_ are available, plus there is a `fresh checkout <ezjail/>`_. The most current version is available via cvs. Use ``git clone git://erdgeist.org/ezjail`` or the legacy view ``cvs -d :pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co ezjail`` with an empty passwort to check it out. Just type ``sudo make install`` to install it. Older versions may be found here (checksums in tooltips):
163
164* CURRENT - not packaged yet
165* V3.4.1 ezjail-3.4.1.tar.bz2 (2014-06-10)
166
167 * Fixed a fatal bug in unfinished parts of the new troubleshoot subcommand
168
169* V3.4 ezjail-3.4.tar.bz2 (2014-06-10)
170
171 * Began a troubleshoot subcommand that will in future check for unintuitive reasons for the jails to fail.
172 * Fixed a bug where Jails configured .norun were reported failing to start with the ezjail-admin start subcommand. Thanks to John Grasty.
173 * Create /var/ports/packages and /var/ports/distfiles in new jails to reflect custom /etc/make.conf.
174 * The Makefile now supports staging.
175 * Implement a test parameter for the ezjail-admin config -r subcommand that reports the runnable state. This can also be used to test for an ezjail's existence.
176 * Fixed a bug where ezjail-admin would not find jails with jid > 99999. Thanks to Mathieu Arnold.
177 * Fixed a bug where ezjail-admin delete and ezjail-admin config would not find the zpool the jail was created in.
178 * Implemented a jail snapshot mechanism for zfs jails with configurable retention policy.
179 * Fixed a bug where ezjail-admin restore with a path to an archive would not use the correct jail name and thus fail. Thanks to Ollivier Robert.
180* V3.3 ezjail-3.3.tar.bz2 (2013-04-20)
181
182 * Due to recent circumstances, I added a license file.
183 * Properly handle ip addresses with prefixed interface names, so they appear readable in the jail list and they will not be checked for on ezjail-admin create. Since FreeBSD 9.0 you can configure ip addresses with interface prefix (e.g. em1|10.0.0.1). This feature of jail(8) is now also documented in the ezjail's man pages.
184 * Using CVS to update ports was deprecated for a while. FreeBSD does not offer the anoncvs server, anymore. So ezjail_portscvsroot is gone.
185 * Added a -z option to ezjail-admin create to allow creating zfs jails in a different zpool or under a different zfs parent file system than the one ezjail uses for house keeping. Thanks to Cryx.
186 * Add the a man page authors section to the man pages.
187 * Also read and dump jail_JAIL_parameters when changing jail options. Thanks to Виталий Владимирович.
188 * ezjail-admin update and ezjail-admin upgrade now call freebsd-update install until no more update steps are necessary. Previously upgrades were not installed completely, as freebsd-update uses several passes.
189 * Now properly support the new distributions layout.
190 * Do not run chflags -R noschg when deleting image jails. The whole file system is being thrown away, anyway. Thanks to tomster.
191* V3.2.3 ezjail-3.2.3.tar.bz2 (2012-09-23)
192
193 * Fixed a bug that made ezjail-admin update not find the source tree. Thanks to Paul Macdonald.
194 * Fixed ezjail-admin console to not start all jails when the -f option is requested.
195* V3.2.2 ezjail-3.2.2.tar.bz2 (2012-09-10)
196
197 * Jails can now default to being created in zfs, set ezjail_use_zfs_for_jails="YES" in your ezjail.conf to do that.
198 * Cleaned up the zfs code to ensure the ezjail zfs in a central place.
199* V3.2.1 ezjail-3.2.1.tar.bz2 (2012-02-02)
200
201 * Fixed ezjail-admin list to work properly without jails.
202 * A helper script ezjail-clone.sh has been added to the repository that aids in importing whole server setups into an ezjail-system.
203 * ezjail-admin update now ensures that all files with schg set are also updated. Thanks to Geoffroy Desvernay.
204 * Fixed the way ezjail-admin create tests for local IP addresses. The old test using ping with a given TTL did not work reliable. Now we use ping and try to use the IP address as source address.
205 * Fixed a bug where pids not belonging to a Jail were reported as jailed. Thanks to Thomas Steen Rasmussen.
206 * Fixed a bug in ezjail-admin delete -f where all Jails were stopped, not only the one to be deleted. Tanks to Thomas Steen Rasmussen.
207 * Fixed a bug in ezjail-admin create that overwrote all flavours scripts with the successor by not counting the flavours correctly. Thanks to Geoffroy Desvernay.
208* V3.2 ezjail-3.2.tar.bz2 (2012-01-07)
209
210 * The man pages have been completely rewritten and are much easier to understand now.
211 * Default archive location now is ezjail_archives under ezjail_jaildir. Before it defaulted to the current directory.
212 * ezjail-admin install now understands FreeBSD's new naming scheme on the release ftp servers.
213 * /usr/games/ has gone.
214 * ezjail-admin delete now takes an -f parameter that forces stopping the Jail before deleting it
215 * The rc.d/ezjail.sh script has been renamed to rc.d/ezjail in accordance to FreeBSD guide lines.
216 * When using ezjail-admin to start Jails, checks now are properly extended to all versions of the (one|force|...) prefixes.
217 * When installing the basejail from a server, we now also look in the ftp server's Archive directory.
218 * The check for already listening services has been augmented to support multiple IPs and v6 addresses.
219 * Before removing Jails the system immutable flag is now cleared.
220 * ezjail-admin now collects its Jail list more to the standard.
221 * Unknow Jail image types now default to directory based.
222 * Experimental freebsd-upgrade support.
223 * Fix one misspelling that wrongly reported success for attaching a console to a Jail not running.
224 * The ezjail rc script now correctly also re-attaches images on restart.
225 * There now is a Jail name auto completion script for zsh.
226* V3.1 ezjail-3.1.tar.bz2 (2010-02-26)
227
228 * Introduced support for creating ezjails and the basejail in ZFS file systems.
229 * Attaching ZFS-datasets to ezjails is now supported.
230 * Support for cpusets and altered network view for ezjails.
231 * The ezjail-admin archive command now uses the cpio format for its archives.
232 * Since FreeBSD 8 does not support rc.d-scripts ending in .sh, the flavourizing script has been renamed accordingly.
233 * The ezjail-admin list command now supports multiple IP addresses for a jail.
234 * The ezjail-admin command now returns 0 if no error occurs.
235 * You can now specify a default flavour in your ezjail.conf that is applied to any new Jail.
236 * Renamed the default flavour to example to avoid confusion. default flavour was never applied by default.
237 * ezjail-admin create and ezjail-admin config no longer fail if they can't create a soft link in ezjail_jaildir. They now use mktemp to get a unique one.
238 * ezjail-admin create now allow multiple flavours to be applied to new jails. They are executed in the order provided with the -f option.
239* V3.0 ezjail-3.0.tar.bz2 (2008-09-26)
240
241 * Introduced an ezjail-admin restore command that can be used to easily deploy a backed up version of an ezjail's archive.
242 * Introduced an ezjail-admin archive command that – accompanied by the newly introduced create -a option – can be used to take (automated) backups of your jails and reinstall them.
243 * Introduced the ezjail-admin console sub command. This will jexec into a Jail identified by its Jail name. It can also bring up non-running jails if run with the -f switch.
244 * ezjail-admin update does not (re)build the whole world by default, anymore. You have to provide -b (buildworld, installworld), -i (installworld only) or (as a new option) -u to use freebsd-update to update your base jail.
245 * ezjail-admin now silently proxies everthing that looks like it was meant for ezjail.sh over to ezjail.sh.
246 * ezjail-admin now reports its version number along with synopsis information.
247 * ezjail.sh now stops ezjails in reverse startup order.
248 * ezjail.sh now reports ezjails configured norun as "skipping [jailname]" and blocking as "skipping blocking [jailname]".
249 * ezjail-admin now find .s its stuff. Using '*' never found dot-files and could have led to a "too many parameters" situation.
250 * Fixed a bug where image jails would not be run with ezjail.sh restart when not running or would not have their images attached when already running. Thanks to hukl for bug report.
251 * Fixed the missing lib32 packag on amd64 platforms when doing ezjail-admin install.
252 * sudo now checks permissions on its sudoers file and stops, if it is not 0440. Fixed ezjails Makefile to install sudoers to default flavour. (However, if you already installed ezjail, you might want to manually chmod 0440 ${ezjail_flavours}/default/usr/local/etc/sudoers and all corresponding sudoers files in all jails.)
253 * Fixed a bug, where an image Jail was incorrectly reported not attached.
254
255.. class:: closed
256
257* V2.1. ezjail-2.1.tar.bz2 (2007-07-31)
258
259 * Introduced a ezjail-admin config -n newname sub command to enable renaming jails.
260 * Introduced a ezjail-admin config -i fsck sub command to fsck images.
261 * Use the sendmail_submit_enable, sendmail_outbound_enable and sendmail_msp_queue_enable in the default-flavour rc.conf to allow easier fine-grained control for sendmail.
262 * ezjail-admin create now ignores .dot-files in directories meant to be Jail roots. That way directories coming fresh from newfs won't be mistaken as used.
263 * Fixed a bug where portsnap would be called with fetch rather than cron from my ezjail-admin update -P.
264 * Enable soft updates for image jails.
265 * Now taking copies of soft linked packages inside jails. They would not be visible.
266 * Fail, when trying to install or update ezjails world, if in a secure level > 0. Too many bad things happen in secure levels.
267 * ezjail.sh now also checks for root directory to prevent strange effects in /etc/rc.d/jail.
268 * Default flavours /etc/periodic.conf now makes all periodic scripts log to files instead of sending mails. Most often this is what you want in your jails.
269 * Started learning groff and went over man pages. Not many visible changes here.
270* V2.0.1 ezjail-2.0.1.tar.bz2 (2006-07-24)
271
272 * DESTDIR was ignored for sub targets in an ezjail-admin update -p under certain circumstances. See this report for more details. Thanks go to Simon L. Nielsen.
273 * Fixed some qoutation/expansion issues with tr parameters in the form [:alnum:] which were expanded to the files : a l n u and m, if existing. Also an apparent bug in tr was circumvented which incorrectly replaced A-Z to a-z in certain LANG settings. Thanks agains to Simon L. Nielsen.
274 * ezjail_ftphost was ignored when specified in PREFIX/etc/ezjail.conf. Thanks to Edwin Groothuis.
275* V2.0 ezjail-2.0.tar.bz2 (2006-05-31)
276
277 * The default way to create the basejail will become the newly introduced ezjail-admin install subcommand. In its default configuration the base system is fetched from an ftp-Server. Fetching ports, source, man pages is possible with -p, -s and -m switch. Implementing this feature finally brings the promised ease of use and allows: cd /usr/ports/sysutils/ezjail; make install; ezjail-admin install; ezjail-admin create test.com 10.1.1.1 on a vanilla FreeBSD server, i.e. without installing /usr/src.
278 * A new concept of how to manage your Jails has been introduced: Image Jails. They come in plain, gbde and geli encrypted. ezjail-admin create, ezjail-admin delete and ezjail.sh have been updated to provide the functionality needed.
279 * ezjail.sh now provides more information to rcorder which took control over the execution of new style localpkg scripts. These changes in FreeBSD rc scripts led to ezjail.sh not being started under certain circumstances. It will REQUIRE: sshd, making administration on a server running many jails a lot more peaceful. Thanks to Oli.
280 * When called without specific Jail names (e.g. at system start), ezjail.sh now runs rcorder on its config file list located in PREFIX/etc/ezjail/ before processing them. That way you can manually construct a dependency tree and for example start your name server Jail first and your data base-Jail before your web server Jail. However, some basic knowledge in bourne shell and the rcorder command is required. Beware of circles.
281 * ezjail-admin create now installs flavours with an unconditional flag. Previously files were not copied, if an "older" version existed. Thanks to Matthias Lederhofer.
282 * ezjail-admin list has been heavily extended. It now lists Jails in the same order they are being run on system startup. This is to help debugging the dependency tree. It further now also lists jails status (Directory based, Image, BDE crypto image or ELI crypto image) and running state (Running, Attached, Stopped or Norun). Thanks to Bas Dakkenhorst for useful diffs.
283 * ezjail-admin create now prepends all Jail configs with empty rcorder control statements to make altering the config easier.
284 * ezjail.sh now excludes Jail configs whose file name contain '.' (dots). This way it is possible to configure a Jail config test_org.norun to temporary exclude it from auto run process.
285 * ezjail introduces an option ezjail_uglyperlhack (defaults to YES) which creates a soft link from /usr/bin/perl to /usr/local/bin/perl in the base jail. This is useful since perl was expelled from base system in FreeBSD 5 but still many scripts rely on #!/usr/bin/perl.
286 * /usr/games and /usr/libdata have now become part of the basejail. Someone please kick me for missing that until now. Saves another 100k in newjail. Hopefully I got them all by now ;) Thanks to Vivek Khera.
287* V1.3.1 ezjail-1.3.1.tar.bz2 (2006-03-13)
288
289 * ezjail.sh did not ignore the jail_list from rc.conf as it should due to a legacy name space clash. This led to no ezjail being started at system startup when some non-ezjail-Jails exist in the system. Thanks to Cryx.
290 * ezjail-admin now prevents a Jail called fulljail to be created and refines the error message in case the user wants to create basejail, newjail or flavours.
291 * ezjail-admin now again allows recreating Jails with the -x option. This was broken when introducing the Jail root check in V 1.3. Thanks to Mike Harding.
292 * An experimental script ezjail-release.sh has been added to CVS which allows creating the basejail from FreeBSD ftp-Server. However, this script has known issues, like updating existing basejail's ports does not remove obsolete files, also there is no documentation.
293* V1.3 ezjail-1.3.tar.bz2 (2006-02-16)
294
295 * Removed an ugly shell variable quoting bug that led to ezjail.sh fail for multiple jails. Thanks to Alex Moura. PLEASE UPDATE FROM 1.2 as fast as possible.
296 * ezjail-admin create now checks, whether a given Jail root already exists and refuses to install. Thanks to Mark Bucciarelli for finding this one.
297 * /boot and /rescue have now become part of the basejail. Someone please kick me for missing that until now. New jails now are < 2 MB in size.
298* V1.2 ezjail-1.2.tar.bz2 (2006-02-10)
299
300 * A subsystem providing auto configuration on Jail has been created. You may specify flavours at Jail creation. See section Flavours.
301 * ezjail-admin update now allows cvs co or cvs up of ports in the basejail by providing the -p or -P option.
302 * /lib and /libexec have now become part of the basejail. Someone please kick me for missing that until now.
303 * ezjail-admin now allows setup as an alias command to update to reduce confusion.
304 * ezjail-admin delete now ensures, that the Jail is not running. Deleting running Jails led to panics in several occasions.
305 * ezjail-admin update now performs several checks to make sure the source tree is really there and complete.
306 * ezjail-admin create now tests for services listening on the new Jails IP or on all IPs and warns if it finds any.
307 * ezjail-admin create now replaces any character in Jail name not suitable for shell variables by underscore. This leads to the situation that two jails must not have identical names after them being piped through tr -c [:alnum:] _, thanks go to Gunjin.
308 * A default installation PREFIX is provided now. Installing to / seems not too useful and should not be default.
309 * Documentation has been rewritten and simplified a lot.
310* V1.1 ezjail-1.1.tar.bz2 (2005-10-26)
311
312 * minor typo in ezjail.sh, changed #/bin/sh to #!/bin/sh, thanks go to Alex Samorukov.
313 * Makefile ensures that all directories are there when installing. Helps with odd $PREFIXes
314 * ezjail-admin now creates $basejail/usr itself, since cpio creates missing intermediate directories in 0700 which is bad
315 * ezjail-admin now verifies the existence of its basejail before creating Jails
316* V1.0 ezjail-1.0.tar.bz2 (2005-10-14)
317
318 * first release
319 * made FreeBSD port for ezjail
320 * actually implemented ezjail-admin delete feature
321 * documentation completed
322 * lots of bug fixes I can't remember anymore, however V0.1 has never been used by anyone but me
323* V0.1 ezjail-0.1.tar.bz2 (2005-09-26)
324
325 * highly experimental version
326 * first real world testing on a server system with >20 jails
327* V0.0 - Not packaged (2005-09-04)
328
329 * first alpha version
330
331FAQ
332===
333
334Q: I have created a Jail but it won't come up when I run /usr/local/etc/rc.d/ezjail start JAILNAME
335 A: Please check, that the Jail is really "not comming up" by examining the output of the command jls. Unlike the command jail which leaves you with an interactive shell in your Jail, rc.d/ezjail is an rc-script. It is most commonly meant to run at system startup and shutdown where entering an interactive shell would interrupt the boot process. If you want an interactive shell in your Jail after starting it, use the command ezjail-admin console JAILNAME.
336
337 A: Please check, that you have enabled ezjail by adding the line ezjail_enable="YES" to rc.conf.
338
339 A: Please check, that you have enabled ezjail BEFORE you ran the rc.d/ezjail script the first time. See the rc.d introduction for further details.
340
341 A: If this is the case, check the console output in /var/log/jail_JAILNAME_console.log. Most commonly you'll find reasons for your jails startup failure there.
342
343Q: Why does ezjail want an extra copy of ports tree for its base jail? Isn't that just waste of disc space? Can't we just use the base systems ports tree?
344 A: Counter question: why do we need an extra copy of the base system? Isn't that just waste of disc space? Can't we just mount / as basejail to all jails?
345
346 ezjail philosophy very much is influenced by its history: it was created to simplify administration of a shell server with many actual users. Even if you would trust all your users, you may not trust all software they do install and hence not anything done in any Jail. So I decided to strictly seperate what you can access within Jails from everything the host system needs to operate. This boundary is ezjail_root.
347
348 For the ports case I would not like everyone to know which port is installed in host system, as might be guessed by work/-directories, this might reveal attack vectors to the host system. A problem like ignoring ro flags when mounting from fstab may give you an idea why I consider that boundary essential to system security.
349
350 If you know what you're doing and are sure, your host system has an WRKDIRPREFIX none of the Jails can access, you might follow these instructions to mount ports via nullfs. Another way of doing this is to mv /usr/ports/ /usr/jails/basejail/usr/ports/; ln -s /usr/jails/basejail/usr/ports /usr/ports; in host system. ezjail will not offer this as an option.
351
352Q: What exactly is the difference between the template Jail and a Flavour?
353 A: In simple words: THE template is all directories that FreeBSD thinks your system needs besides the sharable files in your basejail, like /etc/ and /var/. It is being recreated everytime you ezjail-admin update. So it is not meant to be modified by the user to distribute settings to all Jails to be created. A Flavour on the other hand is set up by the user, contains all non-sharable files not in the base system that you think belongs to a newly created Jail (usually stuff in /usr/local/ and your settings in /etc/). You may have several Flavours each customized for a certain job: an httpd-Flavour, a shell-server only Flavour, a full featured bamp-server and so on. Flavours are never modified by ezjail, the template should not be modified by the user.
354
355Q: I am running version x of ezjail and want to upgrade to version y. Is there a safe upgrade path without losing all of my Jails?
356 A: ezjail is basically just two scripts. The config files have been designed to be future compatible. So installing any version from ports, cvs or tar ball by ezjails Makefile will do the job of upgrading. Your Jails are safe.
357
358Q: I have created some jails prior to using ezjail. How can I import them as ezjails?
359 A: There now is an import helper script in the ezjail tar bundle that assist you with moving complete systems into ezjails by turning them into ezjail-admin restore-able ezjail archives.
360
361 A: Assume your Jail is under /legacyjail Basically you only need to create an empty directory /legacyjail/basejail/ and call ezjail-admin create -x -r /legacyjail JAILNAME JAILIP and your Jail enjoys all of ezjails starting/stopping capabilities..
362
363 To make the Jail a complete ezjail, e.g. use the basejail/, use the following code snippet after stopping the Jail. (Replace /legacyjail with the path to your Jail).
364
365 .. code-block:: sh
366
367 cd /legacyjail
368 mkdir OLDBASE
369 for dir in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/libexec usr/ports usr/sbin usr/src usr/share; do
370 mv ${dir} OLDBASE/; ln -s /basejail/${dir} ${dir}
371 done
372
373 There is a chance that your binaries require some of the libraries in its old base system. If they don't, you can remove OLDBASE, if they do, use the following snippet to create the old libs.
374
375Q: The clock inside my Jails always shows the wrong time. Why is that?
376 A: Create a soft link from /etc/localtime to the appropriate time zone file, in my case: /usr/share/zoneinfo/Europe/Berlin.
377
378Q: I messed up the whole show and ezjails files are around EVERYWHERE. Some of them wont even go away, if I rm -rf them as root. How do I get a clean start?
379 A: On a standard FreeBSD installation several files are being installed with the "system immutable" flag set. Type man chflags for more details. However, to reset everything to a state with no jails and no files lurking around use the following lines, on kern secure level 0, as root, on a standard ``ezjail.conf``
380
381 .. code-block:: sh
382
383 chflags -R noschg /usr/jails/
384 rm -rf /usr/jails/
385 rm -rf /usr/local/etc/ezjail/
386 rm /etc/fstab.*
387
388 If you configured ezjail to use zfs, you can just throw away ezjail's parent zfs, as configured in ezjail_jailzfs.
389
390Q: Your HTML sucks.
391 A: This is not a question. But yeah, I know.
392
393----
394
395Author/Contact
396==============
397
398ezjail was written by Dirk Engling with lot of support from the ezjail community. We like to hear from happy customers. My personal address is erdgeist@erdgeist.org. Requests should go to the project mailing list ezjail@erdgeist.org. You can subscribe to that list at ezjail-subscribe@erdgeist.org. There is an IRC channel #ezjail on ircnet. Please send bug reports, comments and feature requests. Donations are welcome… in form of beer. See…
399
400----
401
402License
403=======
404
405ezjail is considered `beer ware </beerware.html>`_.
406
407----
408
409Thanks
410======
411
412Here I need to re-add a modernized list of thanks.
diff --git a/stories/projects/ezjail_philosophy.rst b/stories/projects/ezjail_philosophy.rst
new file mode 100644
index 0000000..52e2f7f
--- /dev/null
+++ b/stories/projects/ezjail_philosophy.rst
@@ -0,0 +1,50 @@
1.. link:
2.. description: the philosophy behind the ezjail framework
3.. tags:
4.. date: 2015/02/01 19:10:08
5.. title: ezjail - philosophy
6.. slug: ../arts/software/ezjail/philosophy
7
8.. contents::
9 :depth: 1
10 :class: ezjail-toc
11
12----
13
14Overview
15========
16
17Computer programs tend to contain programming errors. Chances to avoid them in every program that provides services to the internet are low. What is needed is a way of limiting the impact of programming errors to the system hosting the service.
18
19Computers become faster and their resources in terms of memory, mass storage and internet connectivity can suite several users at once. This led to the development of time sharing computing, most popular in Unix. The next level of abstraction is virtual servers enabling every owner of such an entity to create users and use the power of multitasking as well, without even noticing that the machine is not completely under his control.
20
21Some server software expects its configuration to be always in the same location in file system and makes changing this location difficult to impossible. Some server software requires certain privileges you would not want to grant it, even if you would assume it being error-free. Some users want certain privileges you would not want to grant them, even if you would assume they know what they are doing. What is needed is a way of limiting the impact of permissions you have to grant.
22
23Historical approaches
24=====================
25
26Several approaches to achieve most of the above have been made. It has shown that the most secure way to do so is to physically separate services to different machines. Of course, this has its costs, is a lot more complex since you have to reproduce and administrate the setup over and over. And, of course, it contradicts the idea of using the grown performance as shown in the second paragraph. Luckily most of the problems were solvable, solutions being condensed in the ezjail script set.
27
28FreeBSD has introduced the concept of jails to eliminate shortcomings seen in so called chroot-environments. chroot changes the file system root for certain programs, leaving them without any means of even expressing the need for access to resources outside their constricted world. Jails take this approach a little further, they represent virtual computers (virtual server), each bound to a single internet address having its file system root somewhere under the real computers (hosting server) file system root. Certain rulesets forbid jailed programs access to specific devices, for example hard drives or kernel memory.
29
30In theory this concept enables you to lock in each (server-)program you run on your computer to its own virtual world limiting the impact it may (deliberately or by mistake) have on other services. In practice each program depends on a set of libraries, tools, configuration directories, system users, other installed software and so on. In short: most servers need at least a small subset of the host servers operating system (OS). Complete virtual servers, of course, need a whole copy of the host servers OS.
31
32Problems in historical approaches
33=================================
34
35Locking in a single program that way may work out fine, as it "only" doubles the size your operating system needs on hard disc, and hard disc space is becoming cheaper as I write, the FreeBSD OS only needs around 100MB. However, copying all the data does not scale well when you need hundreds of programs being jailed or want to provide dozens of virtual computers. Further, distributing OS software updates to all this instances, which possibly even were created from different versions of the OS source code, becomes an administration nightmare.
36
37Although hard disc space is becoming less of an issue, OSs tend to assume the space rather being occupied by few large files then many small files. So they reserve a limited number of control structures for storing files and directories, called "inodes". Now, copying the whole OS many times consumes many of those valuable inodes on disc, eventually preventing the creation of new virtual servers. Worse: since each library, each executable and each configuration file of the OS exists as several copies, the OS has no way of telling that they're the same and thus has to load each copy to memory, if any of the virtual servers or jailed programs need them.
38
39To complete the picture of the situation I was confronted with when starting the ezjail project: the way to install a copy of the OS to create a virtual server involved (and still involves) installing a copy of the OS source code and invoking several commands to compile, install and configure it. This still left the administrator with the need to start the virtual server by hand and entering a lot of complicated configuration statements to the OSs startup scripts in order to have them run automatically when the server starts up. Jailing programs or virtual servers was rather complicated, achieving any of the goals set at the beginning of this text far away.
40
41Developing a solution
42=====================
43
44It was very helpful that Unix' file system hierarchy reflects historic optimizations. The `Filesystem Hierarchy Standard <http://www.pathname.com/fhs/>`_ defines a set of "sharable files", mostly OS binaries, libraries, header files and resources. Those directories are meant to be shared by several computers (via Net-boot, eventually read only from CD-ROM). "unsharable files" on the other hand, contain configuration data, dynamic data like user mails, installed applications etc. While the former directories only need to exist once for all jails and can be provided in a read only fashion, the latter must be provided for each jail and, of course, be writable.
45
46And here a path to the solution shows: most modern OSs know a way of "local mount"/"loopback mount"/"null mount" directories back into the directory hierarchy. That way it is possible to provide all sharable files in a read only fashion to the chroot environment of jailed programs. All unique data a virtual server need is in the "unshared files" which must be copied for each of them. Fortunately, these files are just 2MB in size on the FreeBSD OS. How the sharable files are being provided is subject to implementation. The ezjail project mounts one directory containing all those shareable files and provides soft links from all directories not in the unshared files part of the OS.
47
48Besides having a central point for OS updating all instances at once, this approach can prevent standard root kits to install, since most of the binaries they usually replace are in the unshared files, yet, when someone really wants to install their own version of the OS binaries, one can do so by just removing the soft links and provide self compiled system binaries. System administrators know exactly, which OS version problems in virtual servers are related to, since all virtual servers have the same base system.
49
50Everything left to do is to provide a neat interface, do some sanity checks, wrap it properly around the existing scripts of your OS and find a nice name. In my case: `ezjail <ezjail.html>`_.
diff --git a/stories/projects/jaildaemon.rst b/stories/projects/jaildaemon.rst
new file mode 100644
index 0000000..cc818e3
--- /dev/null
+++ b/stories/projects/jaildaemon.rst
@@ -0,0 +1,77 @@
1.. description: is a tool for the FreeBSD operating system to allow flexible and secure communication from jail environments to the host system.
2.. tags: project
3.. date: 2015/02/18 19:10:08
4.. title: jaildaemon
5.. subtitle: A fixed command-line interface for FreeBSD jails to their host system
6.. slug: ../arts/software/jaildaemon/index
7.. prio: 850
8
9.. contents::
10 :depth: 1
11 :class: ezjail-toc
12
13----
14
15Overview
16========
17
18.. image:: http://www.freebsd.org/gifs/daemon_hammer-tn25.jpg
19 :align: right
20
21Virtual FreeBSD jail based server environments can not easily trigger actions in the host system, most prominently restarting themselves (if they ``kill -1`` everything, they usually stay shut down) and trigger actions like routing table updates, triggering zfs snapshots or rollbacks and configuring ``tun/tap``-Devices (as an openvpnd would).
22
23There are several less-than-optimal solutions for that problem: granting forced-command ssh access to jails, polling some Jail-state from within the host system or dig some proprietary socket holes through the Jail's barrier, exposing a root-shell attack vector to the outside world.
24
25*jaildaemon* aims to solve the problem in a simple and straight forward way while trying to minimize the attack surface for adversaries from the Jail and the network. It is a tiny daemon running in the host system that forks a probe process with a single associated command on demand, attaches it to a single jail and (optionally) assigns it a verbose proctitle. When the Jail's root user sends a SIGHUP to this probe process, it dies with a magic exit code, signalling the daemon to execute the associated command (in host context). You can chose to have the daemon restart the probe process after the command is executed (e.g. when it triggers updating routing tables) or just wait for it to be restarted by the Jail management tool (e.g. when using ``/usr/local/etc/rc.d/ezjail restart shell.foo.com`` as a reboot helper).
26
27----
28
29Code
30====
31
32You can always get the latest version of *jaildaemon*, use ``git clone git://erdgeist.org/jaildaemon`` or the legacy view ``cvs -d :pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co jaildaemon`` with an empty password to check it out. There is a *jaildaemon* tarball, but no versioning yet. You can scroll through the source at `jaildaemon gitweb </gitweb/jaildaemon>`_ or `jaildaemon cvsweb (deprecated) </cvsweb/jaildaemon>`_. Typing ``make install`` installs the binary in your ``${PREFIX}/bin`` (or ``/usr/local``, if none is set) and the rc-script to ``${PREFIX}/etc/rc.d/``.
33
34A tight integration with `ezjail </arts/software/ezjail/>`_ is, of course, following soon.
35
36----
37
38Examples
39========
40
41Start the daemon as root with ``jaildaemon -D``, with optional parameters ``p`` and ``f`` to request the pidfile being written or to specify a different controlling command unix domain socket location (that is used by *jaildaemon* when run in client mode to communicate with the server, and defaults to ``/var/run/jaildaemon.pipe``), respectively.
42
43If you installed the package, you can just enable *jaildaemon* in your ``/etc/rc.conf``, by adding ``jaildaemon_enable=YES``. It should then start at reboot, or when you run ``/usr/local/etc/rc.d/jaildaemon start``.
44
45Start a new probe process in a Jail (in this example jid 23) to trigger the execution of the script::
46
47 /usr/local/bin/parse_route_config -s /usr/jails/shell.foo.com/
48
49while identifying as 'route config update' in the jail and respawn::
50
51 jaildaemon -j 23 -c '/usr/local/bin/parse_route_config -s /usr/jails/shell.foo.com/' -t 'route config update' -r
52
53From within the jail (``ezjail-admin console shell.foo.com``) trigger the command by ``pkill -HUP -f 'route config update'``.
54
55Start a (non-spawning) Jail reboot trigger::
56
57 jaildaemon -j 23 -c '/usr/local/etc/rc.d/ezjail restart shell.foo.com' -t REBOOT
58
59Now, from within that Jail, reboot via ``pkill -HUP -f REBOOT``.
60
61----
62
63Version history
64===============
65
66* Version 0.2:
67
68 * Fixed a bug where *jaildaemon* when run from /etc/rc would ignore SIGHUP by default.
69 * You can now make the probe drop into another uid, so that non-root-processes can trigger actions, as well.
70 * Allow *jaildaemon* to accept the jailname for the -j parameter, as well.
71
72----
73
74License
75=======
76
77*jaildaemon* was written by `Dirk Engling <mailto:erdgeist@erdgeist.org>`_ with lots of help from sg and is considered `beer ware </beerware.html>`_.
diff --git a/stories/projects/minimunin.rst b/stories/projects/minimunin.rst
new file mode 100644
index 0000000..170c30a
--- /dev/null
+++ b/stories/projects/minimunin.rst
@@ -0,0 +1,75 @@
1.. link:
2.. description: is a tiny munin-node implementation for FreeBSD written in pure bourne shell providing basic plugin support.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: minimunin
6.. subtitle: A tiny munin-node implementation for FreeBSD written in pure bourne shell providing basic plugin support
7.. slug: ../arts/software/minimunin/index
8.. prio: 800
9
10.. contents::
11 :depth: 1
12 :class: ezjail-toc
13
14----
15
16Overview
17========
18
19.. image:: http://www.freebsd.org/gifs/daemon_hammer-tn25.jpg
20 :align: right
21
22`munin <http://munin-monitoring.org/>`_ is an open source multi platform service monitoring framework, written in perl. Munin nodes report server statistics to their respective masters. Unfortunally, the munin-node script is written in perl, too – even though the language features never actually are used. On a FreeBSD system this introduces unnecessary dependencies. *minimunin* tries to address this: It was implemented as a simple shell script triggered from inetd.conf and comes with some handy built in monitoring commands. Most of the munin plugins should also work.
23
24----
25
26Code
27====
28
29You can always get the latest version of *minimunin*, use ``git clone git://erdgeist.org/minimunin` or the legacy view ``cvs -d :pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co minimunin`` with an empty password to check it out. There is a `minimunin tarball <minimunin-0.2.tar.bz2>`_. You can scroll through the source at `minimunin gitweb </gitweb/minimunin>` or `minimunin cvsweb (deprecated) </cvsweb/minimunin>`_. Typing ``make install`` installs the binary in your ``${PREFIX}/bin`` (or ``/usr/local``, if none is set).
30
31----
32
33Installation
34============
35
36After getting *minimunin* either from source or by installing the FreeBSD port/package, you need to activate *minimunin*. Just add the line::
37
38 munin stream tcp nowait nobody /usr/libexec/tcpd /usr/local/bin/minimunin
39
40to your ``/etc/inetd.conf``. Alternatively, if you plan to run plugins that require root permissions (e.g. for changing to a different user via the plugin config), add::
41
42 munin stream tcp nowait root /usr/libexec/tcpd /usr/local/bin/minimunin`` to your ``/etc/inetd.conf
43
44In both cases you need to enable inetd by setting ``inetd_enable="YES"`` in your ``/etc/rc.conf`` and restart inetd with the ``service inetd start`` command. You may also want to restrict access to your munin node via the ``/etc/hosts.allow`` and ``/etc/hosts.deny`` configuration files.
45
46----
47
48Plugins
49=======
50
51Munin has been designed to allow administrators to `write their own plugins <http://munin-monitoring.org/wiki/HowToWritePlugins>`_ to provide statistics not covered by the base installation. You can find `many munin plugins here <http://munin-monitoring.org/browser/munin-contrib/plugins>`_. *minimunin* can execute those plugins, as well. It expects plugin files in the folder /usr/local/etc/minimunin-plugins and will ignore `wild card plugins <http://munin-monitoring.org/wiki/WildcardPlugins>`_. In order to use them (after reading the documentation on the project website ;) create the appropriate soft link, e.g. ``ln -s if_ /usr/local/etc/minimunin-plugins/if_bge0``. Please note that the plugins must be executable and you may need to install further dependencies for plugins, such as perl, python or monitoring helpers.
52
53munin plugins `can be configured with ini-file style config files <http://munin-monitoring.org/wiki/plugin-conf.d>`_. *minimunin* expects config to reside under ``/usr/local/etc/minimunin-configs``, either as a single config file or a directory containing respective configs. Currently *minimunin* only supports the config parameters ``env.``-variables, ``user`` and ``command``. The ``group`` and ``timeout`` config parameters are not supported. The ``user`` parameter only works if *minimunin* finds itself being root and otherwise silently ignores the ``user`` parameter.
54
55----
56
57Version history
58===============
59
60* V0.2 `minimunin-0.2.tar.bz2 <minimunin-0.2.tar.bz2>`_ (2014-13-02)
61
62 * Fixed a bug where uptime was not reported correctly. Thanks to Lothar Schmidt.
63 * Fixed a bug where only the last environment setting of a plugin config was obeyed. Thanks to Philipp Wünsche.
64* V0.1 `minimunin-0.1.tar.bz2 <minimunin-0.1.tar.bz2>`_ (2013-09-29)
65
66 * First version, no diffs to previous ones ;)
67
68----
69
70License
71=======
72
73*minimunin* was written by `Dirk Engling <mailto:erdgeist@erdgeist.org>`_ and is considered `beer ware </beerware.html>`_.
74
75Please do not even think about hesitating to contact me via email or `@erdgeist <http://twitter.com/erdgeist>`_ on twitter.
diff --git a/stories/projects/opentracker.rst b/stories/projects/opentracker.rst
new file mode 100644
index 0000000..294d2c9
--- /dev/null
+++ b/stories/projects/opentracker.rst
@@ -0,0 +1,136 @@
1.. link:
2.. description: is a highly scalable tracker software for the bittorrent protocol, currently in use on the largest bulk trackers around.
3.. tags: project
4.. date: 2015/02/19 19:10:08
5.. title: opentracker
6.. subtitle: An open and free bittorrent tracker
7.. slug: ../arts/software/opentracker/index
8.. prio: 1000
9
10.. contents::
11 :depth: 1
12 :class: ezjail-toc
13
14----
15
16.. image:: opentracker_beta3.png
17 :align: left
18 :width: 200px
19
20Overview
21========
22
23*opentracker* is a open and free `bittorrent tracker <http://wiki.theory.org/BitTorrentSpecification>`_ project. It aims for minimal resource usage and is intended to run at your wlan router. Currently it is deployed as an open and free tracker instance. Read our `free and open tracker blog <http://opentracker.blog.h3q.com/>`_ and announce your torrents there (but do not hesitate to setup your own free trackers!).
24
25----
26
27Version History
28===============
29
30*opentracker* is currently only available from CVS. A tar ball will be rolled soon. Use ``git clone git://erdgeist.org/opentracker`` or the legacy view ``cvs -d :pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co opentracker`` with an empty passwort to check it out. An `*opentracker* gitweb </gitweb/opentracker/>`_ and an `*opentracker* cvsweb (deprecated) </cvsweb/opentracker/>`_ are available.
31
32----
33
34Build instructions
35==================
36
37Until *opentracker* is declared official release ready, the way to install it is::
38
39 cvs -d :pserver:cvs@cvs.fefe.de:/cvs -z9 co libowfat
40 cd libowfat
41 make
42 cd ..
43 # LEGACY: cvs -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co opentracker
44 git clone git://erdgeist.org/opentracker
45 cd opentracker
46 make
47
48That should leave you with an exectuable called ``opentracker`` and one debug version ``opentracker.debug``.
49
50Some variables in *opentracker*'s Makefile control features and behaviour of *opentracker*. Here they are:
51
52* ``-DWANT_V6`` makes *opentracker* an IPv6-only tracker. More in the v6-section below.
53* *opentracker* can deliver gzip compressed full scrapes. Enable this with ``-DWANT_COMPRESSION_GZIP`` option.
54* Normally *opentracker* tracks any torrent announced to it. You can change that behaviour by enabling ONE of ``-DWANT_ACCESSLIST_BLACK`` or ``-DWANT_ACCESSLIST_WHITE``. Note, that you have to provide a whitelist file in order to make *opentracker* do anything in the latter case. More in the closed mode section below.
55* *opentracker* can run in a cluster. Enable this behaviour by enabling ``-DWANT_SYNC_LIVE``. Note, that you have to configure your cluster before you can use *opentracker* when this option is on.
56* Some statistics *opentracker* can provide are sensitive. You can restrict access to these statistics by enabling ``-DWANT_RESTRICT_STATS``. See section statistics for more details.
57* Fullscrapes is bittorrent's way to query a tracker for all tracked torrents. Since it's in the standard, it is enabled by default. Disable it by commenting out ``-DWANT_FULLSCRAPE``.
58* By default *opentracker* will only allow the connecting endpoint's IP address to be announced. Bittorrent standard allows clients to provide an IP address in its query string. You can make *opentracker* use this IP address by enabling ``-DWANT_IP_FROM_QUERY_STRING``.
59* Some experimental or older, deprecated features can be enabled by the ``-DWANT_LOG_NETWORKS``, ``-DWANT_SYNC_SCRAPE`` or ``-DWANT_IP_FROM_PROXY`` switch.
60* Currently there is some packages for some linux distributions and OpenBSD around, but some of them patch Makefile and default config to make *opentracker* closed by default. I explicitly don't endorse those packages and will not give support for problems stemming from these missconfigurations.
61
62----
63
64Invocation
65==========
66
67*opentracker* can be run by just typing ``./opentracker``. This will make *opentracker* bind to ``0.0.0.0:6969`` and happily serve all torrents presented to it. If ran as root, *opentracker* will immediately chroot to . (or any directory given with the -d option) and drop all priviliges after binding to whatever tcp or udp ports it is requested.
68
69When options were few, *opentracker* used to accept all of them from command line. While this still is possible for most options, using them is quite unhandy: an example invocation would look like ``./opentracker -i 23.23.23.7 -p 80 -P 80 -p 6969 -i 23.23.23.8 -p 80 -r http://www.mytorrentsite.com/ -d /usr/local/etc/opentracker -w mytorrents.list -A 127.0.0.1``.
70
71*opentracker* now uses a config file that you can provide with the ``-f`` switch.
72
73----
74
75Config file
76===========
77
78*opentracker*'s config file is very straight forward and a very well documented example config can be found in the file `opentracker.conf.sample </gitweb/opentracker/tree/opentracker.conf.sample>`_.
79
80----
81
82Closed mode
83===========
84
85While personally I like my tracker to be open, I can see that there's people that want to control what torrents to track – or not to track. If you've compiled *opentracker* with one of the accesslist-options (see Build instructions above), you can control which torrents are tracked by providing a file that contains a list of human readable info_hashes. An example whitelist file would look like ::
86
87 0123456789abcdef0123456789abcdef01234567
88 890123456789abcdef0123456789abcdef012345
89
90To make *opentracker* reload it's white/blacklist, send a ``SIGHUP`` unix signal.
91
92----
93
94Statistics
95==========
96
97Given its very network centric approach, talking to *opentracker* via http comes very naturally. Besides the ``/announce`` and ``/scrape`` paths, there is a third path you can access the tracker by: ``/stats``. This request takes parameters, for a quick overview just inquire `/stats?mode=everything``.
98
99Statistics have grown over time and are currently not very tidied up. Most modes were written to dump legacy-SNMP-style blocks that can easily be monitored by `MRTG <http://oss.oetiker.ch/mrtg/>`_. These modes are: ``peer``, ``conn``, ``scrp``, ``udp4``, ``tcp4``, ``busy``, ``torr``, ``fscr``, ``completed``, ``syncs``. I'm not going to explain these here.
100
101The ``statedump`` mode dumps non-recreatable states of the tracker so you can later reconstruct an *opentracker* session with the -l option. This is beta and wildly undocumented.
102
103You can inquire *opentracker*'s version (i.e. CVS versions of all its objects) using the ``version`` mode.
104
105----
106
107Philosophy
108==========
109
110A torrent tracker basically is an http-Server that collects all clients ip addresses into pools sorted by one of the request strings parameters and answers all other clients that specified this exact same parameter a list of all other recent clients. All technologies to implement this are around for more than twenty years. Still most implementations suck performancewise.
111
112Utilizing the highly scalable server framework from `libowfat <http://www.fefe.de/libowfat/>`_, *opentracker* can easily serve multiple thousands of requests on a standard plastic WLAN-router, limited only by your kernels capabilities ;)
113
114One important design decision of *opentracker* was to not store any data persistently. This reduces wear&tear on hard disks and eliminates problems with corrupt databases.
115
116----
117
118Author
119======
120
121*opentracker* was written by `Dirk Engling <mailto:erdgeist@erdgeist.org>`_, who likes to hear from happy customers.
122
123----
124
125Thanks
126======
127
128A project like this one is impossible without lots of help from friends. It is powered by beer, much energy and love, batches of bug reports and support on the operating system integration side by denis, taklamakan, cryx, supergrobi and – his libowfat always on the bleeding edge – Fefe. Thanks are also due to Hannes for helping me out with designing internal data representation.
129
130----
131
132License
133=======
134
135*opentracker* is considered `beer ware </beerware.html>`_.
136
diff --git a/stories/projects/timestretch.rst b/stories/projects/timestretch.rst
new file mode 100644
index 0000000..15ce5ca
--- /dev/null
+++ b/stories/projects/timestretch.rst
@@ -0,0 +1,63 @@
1.. link:
2.. description: is a fast implementation for SOLA, a sample time stretching algorithm.
3.. tags: project
4.. date: 2015/02/01 19:10:08
5.. title: timestretch
6.. subtitle: a fast sample time stretching implementation
7.. slug: ../arts/software/timestretch/index
8
9.. contents::
10 :depth: 1
11 :class: ezjail-toc
12
13Overview
14========
15
16When reducing or increasing the playback speed of an audio recording, it's pitch usually changes, leading to an audible "mickey mouse" effect. The `SOLA algorithm <http://en.wikipedia.org/wiki/Audio_time-scale/pitch_modification#SOLA>`_ provides a way to change the speed without altering the pitch.
17
18----
19
20Details
21=======
22
23The basic idea behind the method lies in the inherent redundancy in the periodic waves of spoken words or music. A vowel consists of overlayed and repeating waves where a human ear would not mind a single one of those repetitions being there or not:
24
25.. image:: timestretch_1.png
26
27
28If we want to play a sample faster, we can try to find the period length corresponding to the base frequency of the recording in that place and overlap some periods, cross fading the first snippet one into the other. Or put it more visually intuitive:
29
30.. image:: timestretch_2.png
31
32
33Obviously the recording is shorter than before, meaning it can be played in less time. In order to reduce the play time by a fixed ratio, we can alter the length of the overlapping windows (bright blue).
34
35To find the perfect offset to overlay our samples at, we simply brute force the sum of all differences of all samples for each offset, using the `mean squared error <http://en.wikipedia.org/wiki/Mean_squared_error>`_ and selecting the offset where the error is minimal – a process commonly called auto correlation. In our implementation this error is further biased towards the center of our window, so that the algorithm is not forced into selecting some sub optimal (and audibly bad) positions after a while, if the inherent period length the overlapping length differs only slightly.
36
37----
38
39Build instructions
40==================
41
42*timestretch* is available from my git repository. Use ``git clone git://erdgeist.org/timestretch`` to check it out. An `timestretch gitweb </gitweb/timestretch/>`_ is available.
43
44Currently there's only one source file containing the setup routine ``calc_convert_values``, which takes sample rate (used to calculate a proper window length in ms, based on heuristic values) and a tempo, which is a floating point value giving the rate in which to slow down or speed up the recording. It fills global variables you might want to put in a context struct for your project. At exit, the value ``g_input_length`` is the minimum number of samples expected for later processing, ``g_output_length`` is the exact amount of samples produced by each run.
45
46The actual work is done in the ``process_frame`` function which takes a pointer to the input and output buffer, the pointer to some scratch space (set up in ``calc_convert_values`` in this implementation) and a ``frame_flag`` indicating if this is the first frame (where nothing is there to cross fade with), a normal frame and the last frame, where no samples are kept for later cross fading and the caller can continue to resume to non-timestretched playback again.
47
48----
49
50Author
51======
52
53*timestretch* was written by `Dirk Engling <mailto:erdgeist@erdgeist.org>`_, who likes to hear from happy customers.
54
55----
56
57License
58=======
59
60*timestretch* is considered `beer ware </beerware.html>`_.
61
62
63
diff --git a/stories/projects/vchat-client.rst b/stories/projects/vchat-client.rst
new file mode 100644
index 0000000..f540f04
--- /dev/null
+++ b/stories/projects/vchat-client.rst
@@ -0,0 +1,267 @@
1.. link:
2.. description: is a curses based chat client for the arcane vchat protocol.
3.. tags: project
4.. date: 2014/02/01 19:10:08
5.. title: vchat-client
6.. slug: ../arts/software/vchat-client/index
7
8Newbies Guide to vchat via 'Buntclient'
9=======================================
10
111. Get the Source, Luke
12-----------------------
13
14Make sure, you got a shell and the tool called cvs.
15cd to a directory the source shall reside in.
16
17Type::
18
19 $ cvs -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot login
20 $ cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client
21
22(press return at password prompt)
23
24
252. Do the verpile
26-----------------
27
28Enter the vchat-client/ directory.
29Type::
30
31 $ make
32
33If that fails due to some readline fuckups, try again with::
34
35 $ make OLDREADLINE=-DOLDREADLINE
36
37If you are administrator of your computer and want to install
38vchat-client permanently, type::
39
40 $ make install
41
42You may also run the binary from its compile location.
43
44
453. Get protected
46----------------
47
48Run the script vchat-keygen, located in the vchat-client/ directory.
49Follow its instructions.
50
51
524. Home sweet Home
53------------------
54
55Create a .vchat/ directory in your homedir. ::
56
57 $ cd
58 $ mkdir .vchat/
59
60Copy your key to the .vchat/ directory::
61
62 $ cp ~/.vchat.key ~/.vchat/key
63
64Whenever your signed cert arrives from vchat at vchat.berlin.ccc dot de,
65copy it to the .vchat/ directory as well::
66
67 $ cp ~/.vchat.cert ~/.vchat/cert
68
69In order to modify the look of your client, you may copy one of
70the sample-xxx.fmt files to the .vchat/ directory::
71
72 $ cd vchat-client/
73 $ cp sample-erdgeist.fmt ~/.vchat/formats
74
75If you want to set the chat server to vchat.berlin.ccc.de now,
76type::
77
78 $ echo host=vchat.berlin.ccc.de >> ~/.vchat/config
79
80If you want to ignore SSL-warnings due to missing CA-files, type::
81
82 $ echo ignssl=1 >> ~/.vchat/config
83
84If you don't want to ignore SSL-warnings, get the root-certificates from:
85
86 http://www.cacert.org/certs/class3.txt
87 and
88 http://www.cacert.org/certs/root.txt
89
90and copy them into your openssl-certs directory. For example::
91
92 # cp root.txt /etc/ssl/certs/
93 # cp class3.txt /etc/ssl/certs/
94 # cd /etc/ssl/certs
95 # ln -s root.txt `openssl x509 -in root.txt -hash | head -n 1`.0
96 # ln -s class3.txt `openssl x509 -in class3.txt -hash | head -n 1`.0
97
98Now you can type::
99
100 $ echo ignssl=0 >> ~/.vchat/config
101
102
103If you want a seperate private message window, type::
104
105 $ echo messages=10 >> ~/.vchat/config
106
107If you want to have no topic line, like in the oldschool client,
108do not choose a private message window an type::
109
110 $ echo usetopicbar=0 >> ~/.vchat/config
111
1125. First bunt
113-------------
114
115Check, whether you REALLY got a signed cert.
116
117[....
118If you did not get a reply from vchat at vchat.berlin.ccc dot de within
1193 days, this might either be due to you not being known to the
120certificate masters, or simply because of the verpeil. You may,
121after 3 days, contact me at erdgeist at erdgeist dot org. If I don't
122reply, too, reconsider your lifestyle.
123....]
124
125Start the client::
126
127 $ vchat-client
128
129or ::
130
131 $ vchat-client/vchat-client
132
133Enter the passphrase to your private key, if you added one.
134
135Look around. If the Umlautz are broken, try to trouble shoot here:
136https://freepad.erdgeist.org/p/fT9OoDoLMx
137
138Try to feel comfortable with the new look of your vchat-
139environment. Close your mouth. Try playing around with the
140following commands:
141
142If you did not enable the seperate private message window,
143ignore this part:
144
145[ STARTIGNORE
146
147Press Ctrl-G and Ctrl-T several times.
148Press Ctrl-X, then send yourself a private message, watch, what
149happens
150Press Ctrl-C ONCE!!!
151Press Ctrl-R and watch the asteriks at the very right of your
152screen, this one indicates, which window to scroll back
153
154ENDIGNORE]
155
156Press Ctrl-B Ctrl-F, if you collected some text in your
157message window. This should scroll back and forth.
158A red console bar should indicate, that you scrolled up.
159
160Press Ctrl-L to redraw and reset scroll indices.
161
162Play around with the completion:
163
164Hitting <TAB> at start of line will complete to ::
165
166 .m <lastpersonyouexchangedprivatemessageswith>
167
168if you hit <TAB> more often, you will cycle through this list,
169sorted by the last time you exchanges PMs with.
170
171Hitting <TAB> when you already typed some letters but no space
172yet will expand to all nicks in your current channel. You may
173cycle through this list, too.
174
175Hitting tab anywhere else expands to all nicks in all channels.
176
177Most other readline hotkeys (Ctrl-U, Ctrl-K, Ctrl-W, Ctrl-A...)
178will work as expected.
179
180
1816. Commandoe
182------------
183
184In addition to the server commands (.h, .m, .a, .s ...) the
185client brings its own set of commands, which will be triggered
186IRC-style by /COMMAND. These may be abbrevated to the lowest
187unambigous substring.
188
189Try /HELP for a first glimpse.
190The status window may be forced off by hitting Ctrl-X.
191
192/HELP KEYS should give you a short summary of available hot
193key commands.
194
195Some client commands are wrappers around server commands::
196
197 /ME == .a
198 /MSG == .m
199 /M == .m
200 /QUIT == .x
201
202The other commands are used to enable client side filtering
203and highlighting.
204
205Try::
206
207 /HELP FILTERS
208 /HELP FLT
209 /HELP FILTERS
210
211Highlight yourself::
212
213 /FLT 6 <nickname>
214
215if you don't see anything getting highlighted, you probably
216have a mac. If you got this far despite of that problem, you
217will surely find a way to enable colors in your terminal.
218
219Remove the filter rule::
220
221 /rmflt 1
222
223Zoom in all channel leaves::
224
225 /flt + left channel
226
227List your filter rules::
228
229 /lsflt
230
231Remove all filters::
232
233 /clflt
234
235Ignore all server leave and join messages::
236
237 /flt - ((left|joined|entered) (the )?(channel|chat))
238
239Reenable those lines::
240
241 /rmflt ((left|joined|entered) (the )?(channel|chat))
242
243Note: zoom overrides ignore.
244
245Be careful about setting your filters, as these are treated
246as regular expressions, which easily may lead to time
247consuming evaluations. Avoid brackets.
248
249
2507. Fiiiiiiiiieschas
251-------------------
252
253As I am still young *cough cough* I am _STILL_ willing to
254implement features of all stupidity grades. Contact me
255with /m erdgeist <feature request> at any time.
256
257
2588. You help
259-----------
260
261Since you will probably start fiddeling around with your
262.vchat/formats file, I'd appreciate getting YOUR format,
263too, as this may be helpful for others to make their own.
264Just send them to erdgeist at erdgeist dot org. Bug reports,
265feature request that are to long for the chat and diffs
266implementing some features are welcome at this address,
267too.