Network Booting FreeBSD


Installing an operating system is easy for a computer or two.  What about installing it for many of them?  In some situations, one wants to save the money and time of buying that many boot devices and maintaining the disk images separately.  Network boot comes in handy.  It is relatively easy with FreeBSD, especially since we do not need a RAM disk image just to load drivers.

The idea is, we have one computer holding the disk image, and let other computers obtain the image from there and start their journeys.  We first let these computers obtain their network information.  Together with the network configuration, these computers also get the location from which to download the network boot loader.  With the network boot loader, they will be able to mount a network file system.

I tried to avoid GPL software.  Otherwise I would have tried something more integrated.  Anyway, huge vulnerabilities were discovered in that piece of software recently…

Assumptions

I will assume you have your cloud environment, with a network isolated from elsewhere.  For example, in VirtualBox, create a “host-only” network and plug in your computers (vtnet1, 10.0.250.0/24).  To make dynamic IP address allocation possible, one will want to enable promiscuous mode on the interfaces.  Of course, in addition, one will need an out-going “NAT” network for Internet access (vtnet0).  I leave the other details as an exercise for readers.

Operating System Files

Similar to setting up a full-blown jail or installing without an installer, one needs to deploy a directory to hold the operating system files.  In this exercise, I arbitrarily picked the directory “/compute”.

# mkdir /compute
# tar Jxf base.txz -C /compute
# tar Jxf kernel.txz -C /compute

Dynamic Host Configuration

Typical computers nowadays can be configured in the BIOS to boot from the network.  The first thing such computers do is, of course, obtain their network configuration.  Therefore, the dynamic host configuration server is the first thing we need to set up.  In this practice, I used the OpenBSD DHCP Daemon.  The usage is similar to that described in the handbook.

# pkg install dhcpd

The dhcpd.conf(5) file “/usr/local/etc/dhcpd.conf” is as follows.  In short, it allows IP addresses to be allocated for 7200 seconds per lease.  For the subnet 10.0.250.0/24, the addresses 10.0.250.10 to 10.0.250.250 can be allocated to the computers dynamically.  The default gateway will be 10.0.250.1.  More importantly, when a computer boots, it should obtain the file “/boot/pxeboot” (from the DHCP server, by default), and mount the NFS location “10.0.250.1:/compute” as its root file system.

default-lease-time 7200;
max-lease-time 7200;
subnet 10.0.250.0 netmask 255.255.255.0 {
  range 10.0.250.10 10.0.250.250;
  option routers 10.0.250.1;
  option root-path "10.0.250.1:/compute";
  filename "/boot/pxeboot";
}

And the rc.conf(5) file “/etc/rc.conf” is appended as follows.  As you may have guessed, just one statement enables the DHCP server.

dhcpd_enable="YES"

Trivial File Transfer

By no means do I say that the file transfer protocol is trivial.  The so-called “trivial file transfer” is yet another protocol for transferring files without complicated handshakes.  Here I used the package “tftp-hpa”.

# pkg install tftp-hpa

By default, it uses the directory “/usr/local/tftp”.  But we can be lazy.  The rc.conf(5) gets appended as follows:

tftpd_enable="YES"
tftpd_flags="-s /compute"

If you are concerned about security, you should make a single directory (like the default /usr/local/tftp) and copy only the file “/compute/boot/pxeboot” there.  Right, one file will do; with “-s /compute”, every file under the operating system tree is readable by anyone who can reach the TFTP port.

Network File System

To let the system boot, we prepare a network file system and make /compute accessible.  The exports(5) file “/etc/exports” looks as follows:

/compute -network 10.0.250.0/24 -alldirs -maproot=root

And the rc.conf(5) is appended as follows.  You may want to refer here if you want to run it behind a firewall.

nfs_server_enable="YES"

Starting the Services

As a friendly reminder, you will need to enable and start the services – the DHCP daemon, the TFTP daemon, and the network file system.  You will need proper firewall rules to allow the network traffic.  In particular, you will need UDP ports 67, 68, and 69 for DHCP and TFTP to work; NFS additionally needs rpcbind (port 111), nfsd (port 2049) and mountd.

How it Works

DHCP Requests: At the beginning, the computer tries to obtain its network configuration by broadcasting requests.  If you are stuck here, fix the DHCP daemon.


TFTP for the Boot Loader: After obtaining the network configuration, the computer tries to obtain the boot loader with TFTP.  If you are stuck here, fix the TFTP configuration.


Network File System: With the first-stage boot loader ready, it tries to mount the network file system.  If you are stuck here, check the network file system configuration.


The Loader: When you reach the loader prompt, most of the services (DHCP, TFTP, and NFS) have already been used.  If you are stuck beyond this point, read the error message, and good luck…



Customising FreeBSD


In this article, I share my usual customisation steps for a fresh FreeBSD installation.  FreeBSD is very minimal, but one can go even further.  These steps are similar to Charray’s approach to FreeBSD 8, updated for FreeBSD 11 with the software RAID skipped.

Major edit on 2 Feb 2017: fixing the WordPress auto-correction.

Major edit on 17 Feb 2017: updating the periodic configuration and firewall rules.

Step 1: Disabling Sendmail

FreeBSD has a minimal set of services enabled.  However, there is one more service I want to disable—sendmail.  It is a really traditional mail server.  If you ask me, I would say there is nothing wrong with it.  I just do not want a mail server running on every server.

Simply, add this line in “/etc/rc.conf”:

sendmail_enable="NONE"

Usually, to disable a service, one uses the word “NO”.  But sendmail is an exception: one has to use “NONE” to disable everything.  (You can refer to “/etc/rc.d/sendmail” if you understand the scripting language.)  To stop sendmail, either stop the service gracefully or by brute force.  “pkill” means kill the processes with the given name;  “-9” means the most forceful way:

pkill -9 sendmail

If you want to see what other services can be enabled or disabled, check “/etc/defaults/rc.conf”, just make sure not to change the default file.

Step 2: Disabling Periodic Mails

What are the consequences of disabling the local mail server?  By default, FreeBSD performs some periodic checks and sends the results to the mail server, and also does some mail server housekeeping.  We can disable the mails, redirect the reports to the “/var/log” directory, and then also disable the mail server housekeeping.  Add these lines to a new “/etc/periodic.conf”:

daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
daily_status_security_output="/var/log/daily.log"
weekly_status_security_output="/var/log/weekly.log"
monthly_status_security_output="/var/log/monthly.log"
daily_clean_hoststat_enable="NO"
daily_backup_aliases_enable="NO"
daily_status_mailq_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="NO"
daily_queuerun_enable="NO"

Since the periodic jobs are not long-running services (they are started indirectly by another service), the changes take effect on the next run.

Step 3: Disabling Terminals

FreeBSD comes with seven virtual text terminals that one can switch between while working with it.  To my taste, I do not use these terminals, especially when it is on the cloud.  These configurations are in “/etc/ttys”.  One can change “on” to “off” to switch off the terminals “ttyv2” to “ttyv7”.  Let me be lazy and give you the script for it.

sed -ibak '/ttyv2/s/on /off/; /ttyv3/s/on /off/; /ttyv4/s/on /off/; /ttyv5/s/on /off/; /ttyv6/s/on /off/; /ttyv7/s/on /off/' /etc/ttys

Then, to make it effective, send a hangup signal to the “init” process.  It is the very first process started directly by the kernel, so it always has process ID 1.

kill -HUP 1

Step 4: Enabling Time Services

Computers usually keep time inaccurately even if they are constantly powered.  It is nice to have the time synchronised to somewhere better prepared.  Add this line to “/etc/rc.conf”:

ntpd_enable="YES"

By default, the system will point to places predefined by the FreeBSD distribution, which can be changed in “/etc/ntp.conf”.   For the purpose of a single FreeBSD server, it is already good enough.  Finally, to start the service:

service ntpd start

The “ntpd” service will synchronise the system clock and correct its drift accordingly.

Step 5: Enabling Firewall

Edit the file “/etc/pf.conf”.  This is usually the template I start from.  In short, it does the following: 1) set up a spammer table; 2) allow the local network; 3) drop the spammers; 4) do not allow intranet addresses on the external interface; 5) allow connections to particular ports; 6) treat a user as a spammer if there are more than 100 existing connections; 7) treat a user as a spammer if there are more than 100 connection attempts per second.

extif="vtnet0"
tcpports="{22,80,443}"
martians="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,
  10.0.0.0/8,169.254.0.0/16,192.0.2.0/24,
  0.0.0.0/8,240.0.0.0/4}"
table <spammers> persist
set skip on lo

block all
block drop in quick from <spammers> to any
block drop in quick on $extif from $martians to any
pass out quick inet proto udp from any to 255.255.255.255 port {67,68}
block drop out quick on $extif from any to $martians

pass out quick
pass in quick inet proto icmp from any to any
pass in quick inet proto tcp from any to any port $tcpports keep state \
  (max-src-conn 100, max-src-conn-rate 100/1 \
   overload <spammers> flush global)

Then, we add a line in “/etc/crontab” to clear the spammers after 1 day (86400 seconds).  The check runs once every 5 minutes.  Sometimes legitimate users are blocked due to network resends.  It is therefore important to unblock them before they raise a complaint.

*/5 * * * * root /sbin/pfctl -t spammers -T expire 86400 > /dev/null 2>&1

To enable the firewall, find a physical connection (or the cloud remote management console) and issue the command:

service pf start

Your network connections will be dropped.  It is not disastrous if you can reconnect.  But it definitely is, if something is wrong with your script.  You have been warned.  A syntax check with “pfctl -nf /etc/pf.conf” before starting catches the script errors that would otherwise lock you out.
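To see how the two thresholds and the cron expiry interact, here is an added Python model (example code, not from the post or from pf itself) of per-source state counting, the 100/1 rate window, the overload into <spammers> and the daily expiry; the Firewall and SpammerTable classes and the sample addresses are my own construction.

```python
from collections import defaultdict, deque

# Thresholds from the ruleset above and the crontab expiry, as written in the post.
MAX_SRC_CONN = 100            # concurrent states allowed per source address
MAX_SRC_CONN_RATE = (100, 1)  # at most 100 new connections per 1 second per source
EXPIRE_SECONDS = 86400        # pfctl -t spammers -T expire 86400, run every 5 minutes


class SpammerTable:
    """<spammers> persist: source address -> time it was overloaded into the table."""

    def __init__(self):
        self.entries = {}

    def __contains__(self, src):
        return src in self.entries

    def add(self, src, now):
        self.entries.setdefault(src, now)

    def expire(self, now, older_than=EXPIRE_SECONDS):
        """Drop entries older than `older_than` seconds; returns the sources released."""
        stale = [s for s, t in self.entries.items() if now - t >= older_than]
        for s in stale:
            del self.entries[s]
        return stale


class Firewall:
    """Tracks per-source states and connection rate like the pass-in rule's options."""

    def __init__(self):
        self.spammers = SpammerTable()
        self.states = defaultdict(int)     # open states per source (max-src-conn)
        self.recent = defaultdict(deque)   # new-connection timestamps (max-src-conn-rate)

    def new_connection(self, src, now):
        """Return True if the new TCP connection is passed, False if it is blocked."""
        if src in self.spammers:
            return False                   # block drop in quick from <spammers> to any
        limit, interval = MAX_SRC_CONN_RATE
        window = self.recent[src]
        window.append(now)
        while window and now - window[0] >= interval:
            window.popleft()               # keep only the last `interval` seconds
        self.states[src] += 1
        if len(window) > limit or self.states[src] > MAX_SRC_CONN:
            # overload <spammers> flush global: add the source and kill all its states
            self.spammers.add(src, now)
            self.states[src] = 0
            window.clear()
            return False
        return True

    def close_connection(self, src):
        """A FIN/RST removes the state, freeing one slot against max-src-conn."""
        if self.states[src] > 0:
            self.states[src] -= 1

    def cron_tick(self, now):
        """The */5 crontab job: expire table entries older than one day."""
        return self.spammers.expire(now)


def run_burst(fw, src, count, start, spacing, close=True):
    """Open `count` connections from `src`, one every `spacing` seconds; returns how many passed."""
    passed = 0
    for i in range(count):
        if fw.new_connection(src, start + i * spacing):
            passed += 1
            if close:
                fw.close_connection(src)
    return passed
```

A client that retransmits a burst of SYNs after a network hiccup trips the 100/1 rate window just as a scanner does, which is the “legitimate users are blocked” case the cron job exists to undo.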

Step 6: Personalisation

Personally, I like “tcsh” with autocomplete and the current directory hint in the shell.  Also, I prefer being prompted when I am going to overwrite a file.  Here is what I do to the “.cshrc” file:

alias h history 25
alias j jobs -l
alias la ls -aF
alias lf ls -FA
alias ll ls -lAF
umask 22
set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin $HOME/bin)
setenv EDITOR vi
setenv PAGER more
setenv BLOCKSIZE K
if ($?prompt) then
  alias ls ls -G
  alias cp cp -i
  alias mv mv -i
  alias rm rm -i
  alias ln ln -i
  alias link link -i
  if ($uid == 0) then
    set user = root
  endif
  set prompt="%B%n%b@%B%m%b %B%~%b%# "
  set noclobber
  set rmstar
  set autolist
  set filec
  set history = 1000
  set savehist = (1000 merge)
  set autolist = ambiguous
  set autoexpand
  set autorehash
  set mail = (/var/mail/$USER)
  if ($?tcsh) then
     bindkey "^W" backward-delete-word
     bindkey -k up history-search-backward
     bindkey -k down history-search-forward
  endif
endif

And I want to make sure “tcsh” is my shell:

chpass -s /bin/tcsh

And finally, if I want to share this with upcoming new users, I will put it to the skeleton directory:

cp -a /root/.cshrc /usr/share/skel/dot.cshrc

And another thing I like to customise is “vim”.  I edit the “.vimrc” file as follows.  Interestingly, while some would argue it is not comprehensive enough, I really did my research-related programming in such a simple environment.

set nomodeline
set copyindent
set autoindent
set nowrap
set cc=80
syntax on

Then share it in the skeleton directory:

cp -a /root/.vimrc /usr/share/skel/dot.vimrc

Step 7: Initialisation Scripts

Finally, in Vultr, I have the initialisation script as follows.  This way, I can get the operating system customised to my flavour when it finishes booting.  I will skip my explanation for laziness’ sake.  Until next week.

#!/bin/sh -x

#
# Disable Sendmail
#
logger Disabling Sendmail
sysrc sendmail_enable="NONE"

#
# Disable Periodic Email
#
logger Disabling Periodic Emails
pfile="/etc/periodic.conf"
sysrc -f $pfile daily_output="/var/log/daily.log"
sysrc -f $pfile weekly_output="/var/log/weekly.log"
sysrc -f $pfile monthly_output="/var/log/monthly.log"
sysrc -f $pfile daily_status_security_output="/var/log/daily.log"
sysrc -f $pfile weekly_status_security_output="/var/log/weekly.log"
sysrc -f $pfile monthly_status_security_output="/var/log/monthly.log"
sysrc -f $pfile daily_clean_hoststat_enable="NO"
sysrc -f $pfile daily_backup_aliases_enable="NO"
sysrc -f $pfile daily_status_mailq_enable="NO"
sysrc -f $pfile daily_status_include_submit_mailq="NO"
sysrc -f $pfile daily_status_mail_rejects_enable="NO"
sysrc -f $pfile daily_queuerun_enable="NO"

#
# Disable TTYs
#
logger Disabling Virtual Terminals
sed -ibak '/ttyv2/s/on /off/; /ttyv3/s/on /off/; /ttyv4/s/on /off/; /ttyv5/s/on /off/; /ttyv6/s/on /off/; /ttyv7/s/on /off/' /etc/ttys

#
# NTP service
#
logger Configuring NTP
sysrc ntpd_enable="YES"

#
# PF service
#
logger Configuring PF
cat > /etc/pf.conf << EOF
extif="vtnet0"
tcpports="{22,80,443}"
martians="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,
  10.0.0.0/8,169.254.0.0/16,192.0.2.0/24,
  0.0.0.0/8,240.0.0.0/4}"
table <spammers> persist
set skip on lo

block all
block drop in quick from <spammers> to any
block drop in quick on \$extif from \$martians to any
pass out quick inet proto udp from any to 255.255.255.255 port {67,68}
block drop out quick on \$extif from any to \$martians

pass out quick
pass in quick inet proto icmp from any to any
pass in quick inet proto tcp from any to any port \$tcpports keep state \
  (max-src-conn 100, max-src-conn-rate 100/1 \
   overload <spammers> flush global)
EOF
cat >> /etc/crontab << EOF
*/5 * * * * root /sbin/pfctl -t spammers -T expire 86400 > /dev/null 2>&1
EOF
sysrc pf_enable="YES"

#
# Shell environment
#
logger Configuring TCSH environment
cat > /root/.cshrc << EOF
alias h history 25
alias j jobs -l
alias la ls -aF
alias lf ls -FA
alias ll ls -lAF

umask 22

set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin \$HOME/bin)

setenv EDITOR vi
setenv PAGER more
setenv BLOCKSIZE K

if (\$?prompt) then
  alias ls ls -G
  alias cp cp -i
  alias mv mv -i
  alias rm rm -i
  alias ln ln -i
  alias link link -i

   if (\$uid == 0) then
     set user = root
   endif

   set prompt="%B%n%b@%B%m%b %B%~%b%# "
   set noclobber
   set rmstar
   set autolist
   set filec
   set history = 1000
   set savehist = (1000 merge)
   set autolist = ambiguous
   set autoexpand
   set autorehash
   set mail = (/var/mail/\$USER)
   if (\$?tcsh) then
     bindkey "^W" backward-delete-word
     bindkey -k up history-search-backward
     bindkey -k down history-search-forward
   endif
endif
EOF
cp -a /root/.cshrc /usr/share/skel/dot.cshrc
chpass -s /bin/tcsh root

# VIM environment
logger VIM environments
cat > /root/.vimrc << EOF
set nomodeline
set copyindent
set autoindent
set nowrap
set cc=80
syntax on
EOF
cp -a /root/.vimrc /usr/share/skel/dot.vimrc

#
# Refresh the pkg and install packages
#
logger Configuring Packages
export ASSUME_ALWAYS_YES=yes
/usr/sbin/pkg bootstrap -f
/usr/local/sbin/pkg-static delete \*
/usr/local/sbin/pkg-static update
/usr/local/sbin/pkg-static upgrade
/usr/local/sbin/pkg-static install vim-lite tmux

#
# Restart the TTYs (init re-reads /etc/ttys) and send ALRM to rc(8) so it
# reloads rc.conf.  RC_PID is exported by /etc/rc, so the second kill only
# works when this script runs from an rc.d hook during boot; run by hand it
# prints a usage error and the script simply continues.
#
kill -HUP 1
kill -SIGALRM $RC_PID
sysctl -f /etc/sysctl.conf

Starting with FreeBSD on the Cloud


This article describes how one can quickly get some FreeBSD virtual instances on the Internet.  For cost-saving, Vultr, which charges hourly, is used.  The exercise will finish within an hour or two.

Objectives

  1. Start some FreeBSD instances
  2. Experiment with some configurations
  3. Set up password-less logins

Step 0: Why (and why not) FreeBSD

FreeBSD is an operating system.  If you are reading this article online, I am almost certain you know one particular operating system.  There are various operating systems for daily computing activities—Windows, [M]acOS, iOS, Solaris, etc.  (In case you want to say an L-word, click here.)  Beyond one’s personal taste, the official website gives a perfect explanation.

FreeBSD is an advanced computer operating system used to power modern servers, desktops, and embedded platforms.  A large community has continually developed it for more than thirty years.  Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

What would be valid reasons not to use FreeBSD?  Indeed, there are also a lot, but I will put only one here.  FreeBSD is best operated with commands, not mouse clicks.  If you insist on using only mouse clicks for your tasks, you are likely better off with Microsoft Windows.

(As a side note, some would say FreeBSD is only a server operating system.  You can watch some counter-examples in Charray’s YouTube channel or Riba’s channel.  Once it is set up, the mental workload to use it is minimal.  I had been using it for most of my research career and at least the mascot had not killed me!)

Step 1: Get an Online Account and Deposit

I feel like a scammer telling you to prepay for a service, but please trust me.  There are of course postpaid services, but they are usually more expensive and less controllable.  Think about what happens in the event of a bill shock.  If you feel really uncertain, you can deposit as little as a few dollars.  Best of all, the provider Vultr we use today accepts other payment methods like PayPal and Bitcoin, which helps reduce the chance of having your credit card number stolen.

To register, fill in the “Create Account” form and answer the questions.  You are reminded to use a valid email address since it is critical for creating virtual machines.  The so-called “Password” field here does not refer to the password of your email account, but to a new password for this new service.  Never reuse your existing email password when signing up for other services.


After the first login, you will be guided to deposit some money to the account.  Please check your email box and reply to the email verification as well.


Step 2: Submit a Form for Virtual Machines

Once you have deposited money, you can go to the “Server” page.  The plus sign on the far right is the one for requesting virtual machines.


In the form, you can first select the region closest to you, select “FreeBSD 11 x64”, “20 GB SSD” plan, and the “Enable Private Network” option.  Leave the “Startup Scripts” and “SSH Keys” unselected.  Your new account is not supposed to have any yet.


Once you are comfortable with the choice, click “Deploy Now”.  No, soon you will discover, you are not getting charged 10 dollars immediately.  Be brave.

Step 3: Wait

You can refresh faster by clicking the “Server” pane.  The instance will go through several stages while it is in preparation—installing, resizing, starting, etc.  But there is a catch.  Once it is started, it is not necessarily really started.  In the context of a cloud provider, a machine is considered started even while it is still booting through the firmware and startup scripts!  By the way, you are being charged for one hour of usage—2 cents.


You can reveal a new page by clicking the machine name.  Inside you can have options such as viewing the console, switching off the machine, reinstalling, etc.  The password can also be revealed in an extra click.


Step 4: Login and some Configurations

With the given IP address, the username, and the password, you can log in through the secure shell.  For Unix-like operating systems, there is usually a “Terminal” tool where you can use the command “ssh” directly.  (For Windows, you can consider using PuTTY.  It starts with a point-and-click interface for making the connection.)  The basic command for “ssh” is:

ssh <username>@<host>

And the dialog will be like:

Last login: Fri Jan 20 20:52:50 on ttys001

kinsonchan@almond ~% ssh root@45.76.147.176
The authenticity of host '45.76.147.176 (45.76.147.176)' can't be established.
RSA key fingerprint is 9c:1e:0e:9c:f0:ba:38:56:5a:9a:90:54:68:aa:aa:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '45.76.147.176' (RSA) to the list of known hosts.
Password for root@vultr.guest:
Last login: Fri Jan 20 12:59:05 2017
FreeBSD 11.0-RELEASE-p2 (GENERIC) #0: Mon Oct 24 06:55:27 UTC 2016

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
#

You can then edit the main configuration file.  Unlike most operating systems, the configuration of FreeBSD is quite centralised to several files, mostly “/etc/rc.conf”.  You can use “vi” if you like.  But since you are reading this article, you are likely to use “ee” instead.  As I will show in upcoming articles, I have some preferences in what services to enable and disable.  I will edit the file with command:

ee /etc/rc.conf

And update the screen content as follows.  Use arrow keys to navigate.

^[ (escape) menu ^y search prompt ^k delete line ^p prev li ^g prev page
^o ascii code    ^x search     ^l undelete line  ^n next li ^v next page
^u end of file   ^a begin of line ^w delete word   ^b back 1 char
^t top of text   ^e end of line   ^r restore word  ^f forward 1 char
^c command       ^d delete char   ^j undelete char ^z next word
=====line 6 col 17 lines from top 6 =====================================
hostname="vultr.guest"
sshd_enable="YES"
static_routes="linklocal"
ifconfig_vtnet0="DHCP"
sendmail_enable="NONE"
ntpd_enable="YES"

After that, press the “Esc” button for a menu, then “a” twice to save and exit.  By the way, if you are experienced, the meaning of the file is literally setting the hostname and services.  Unlike some other operating systems, in FreeBSD it is done all in one place.  Neat.

Step 5: Password-less Login

Inside the same prompt, you can issue the command “ssh” to itself.  Strangely, it asks you for a password.

# ssh localhost

The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:+.......
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts
Password for root@vultr.guest:

This is no good if you are asked for the password on every login.  Let us solve it with “ssh-keygen” and make the key the default login.   For demonstration purposes, let us execute this on the same machine.

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Er4yNuYmjvbmTOlJP6sNFCV6QuD++45MeFBv5A6QFmg root@vultr.guest
The key's randomart image is:
+---[RSA 2048]----+
|+o . .           |
|+E+ o            |
|.B + ..          |
|o = =. .         |
| o o +o S        |
|  = =  o         |
| . O*..          |
| oX=O=           |
|o.=&=*o          |
+----[SHA256]-----+

After the dialogue and the messy picture, what else do you get?  Some files in the “.ssh” folder.  You can list them with the “ls” command.

# ls .ssh
id_rsa  id_rsa.pub  known_hosts

The “id_rsa” is your private file.  It should be kept within your own computers only, not those owned by anyone else.  The “id_rsa.pub” is your public key.  You can install it to the machines where you need the password-less login.  The file content can be listed with “cat” command.

# cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD93syOQa78tYAysC52H/gUNIMQRjJpu/zKIbc0qFsGFouv9OtnehFix/EIeIBQmYIVv0gRmfI9qiFx2TQpkk0AHvmDew5VfWFeszfGOQnI3xU8hSeG7kKENMozGT+yh5RbjL6ZGRu/cWX5+K9M96kuNbI7CFU0p/muzqeQgOtYsGx+G1qnrW6K6EDFD8guNPF5JXBb88x8WaL7ooqNUZhTbLVIxHtycMqArka84Wvmvi3lJvVQGygid9qLO9WL8NaQ3KaithAR05sNoLw2y+AoXHfRLWoWRMrXvaVE3PrkntnLIi6Cvn/+HsuBdF71/cDu6TCLfU/SlTxdpYY/omez root@vultr.guest

This piece of string (from “ssh-rsa” to the end) can be put into the SSH key place of the cloud.  Then, when you start a new machine next time (left as your exercise… do you have two more cents to try?), you can login without the password.  What about the machines that are already provisioned, like the one we already have?  Put them in “.ssh/authorized_keys”.


# mkdir -p .ssh
# chmod 0700 .ssh
# touch .ssh/authorized_keys
# chmod 0600 .ssh/authorized_keys
# cat .ssh/id_rsa.pub >> .ssh/authorized_keys

You can see the commands are all executed without a line of output.  This is the philosophy of Unix—return nothing on success.  After this, you will find the file “.ssh/authorized_keys” contains the line from “.ssh/id_rsa.pub”.  (You can verify this with the “ee” command.)  If things are going well, “ssh localhost” should now connect without a password.
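The hand-typed sequence above can be wrapped in a small helper.  The following is an added Python example, not from the post: install_key() validates the public-key line (base64, and that the wire blob’s own type field matches the “ssh-…” prefix), creates .ssh with mode 0700 and authorized_keys with mode 0600 as sshd’s StrictModes requires, and appends the key only once; SAMPLE_KEY is a constructed all-zero ed25519 placeholder, not a real key, and demo_install() runs the whole thing in a throwaway home directory.

```python
import base64
import os
import stat
import struct
import tempfile

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _constructed_sample_key():
    """Build a syntactically valid ed25519 public-key line with an all-zero key body.
    It is a constructed placeholder for the demo, not a usable key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@vultr.guest"


SAMPLE_KEY = _constructed_sample_key()


def parse_pubkey(line):
    """Validate one OpenSSH public-key line; returns (key_type, comment) or raises ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("unsupported or malformed public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as e:
        raise ValueError("key material is not valid base64") from e
    # The wire format starts with the length-prefixed key type; it must match the prefix.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode("ascii"):
        raise ValueError("key type inside blob does not match the prefix")
    return parts[0], (parts[2] if len(parts) == 3 else "")


def install_key(home, pubkey_line):
    """Append the key to <home>/.ssh/authorized_keys with the modes sshd's StrictModes expects.
    Returns True when the key was added and False when it was already present."""
    parse_pubkey(pubkey_line)                          # refuse garbage before touching files
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)    # mkdir -p .ssh
    os.chmod(ssh_dir, 0o700)                           # chmod 0700 .ssh (also fixes an old dir)
    path = os.path.join(ssh_dir, "authorized_keys")
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)  # touch .ssh/authorized_keys
    with os.fdopen(fd, "r+") as f:
        os.chmod(path, 0o600)                          # chmod 0600 .ssh/authorized_keys
        wanted = pubkey_line.split()[:2]               # compare type + blob, ignore the comment
        for existing in f:
            if existing.split()[:2] == wanted:
                return False
        f.seek(0, os.SEEK_END)                         # cat id_rsa.pub >> authorized_keys
        f.write(pubkey_line.strip() + "\n")
    return True


def demo_install():
    """Install the sample key twice in a throwaway home; returns (added, added_again, dir_mode, file_mode)."""
    with tempfile.TemporaryDirectory() as home:
        first = install_key(home, SAMPLE_KEY)
        second = install_key(home, SAMPLE_KEY)
        dir_mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh")).st_mode)
        file_mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode)
        return first, second, dir_mode, file_mode


if __name__ == "__main__":
    print(demo_install())
```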

Step 6: Clean up

When you are finished, go to the cloud provider page, select the machine, activate the pop-up menu and select “Server Destroy”.  Hopefully, we finish this exercise before being charged too much.


In my case here, I have spent only three cents for demonstration on this blog.  Three cents are way cheaper than my own manpower to find a computer and install FreeBSD thereon.  This is why some people are so attracted to public cloud services.

In this article, we have gone through starting FreeBSD instances, some basic configuration exercises, and finally experimented with one of the ways to get a password-less login.  Next week, we will likely continue with my preferred customisations and installing an example server application.

Picking a Cloud Provider


Here are some of my suggestions about picking a cloud provider.  I will mostly cover the billing cycle and the network metering.  As time goes on and more articles are ready, there will be more links and contents in this page.

Billing Cycle

Users have to pay in order to deploy virtual machines on the Internet.  Yet, different providers have different charging models.  Some are paid before use; some are paid after.  Some charge per hour; some charge per week or per month.

Be careful when you are asked to prepay for longer periods.  The services are usually not refundable and need your extra caution.  Firstly, the service qualities are not completely quantifiable; few are able to guarantee the service qualities over a long period.  Secondly, you are unlikely to foresee your requirements for a long period, such as the size and quantities of hardware resources, etc.

Especially when you are experimenting, I recommend starting with services that are charged per hour.  You will be experimenting with different operating systems and deployment scripts.  With hourly charges, you can easily discard your used virtual machines and start over.  When you become an expert in automated deployments, you can experiment with large-scale clusters and discard them before they burn a hole in your wallet.  In situations where hourly charges are not possible, look for services that allow redeployment.

Network Metering

There are different preferences when it comes to network charges.  Usually, network traffic within the same data centre (like between neighbouring virtual machines) is free.  The providers charge mostly for Internet traffic, especially out-going traffic.

Some people prefer metered bandwidth for guaranteed service levels.  It is believed that, with metered bandwidth, the cloud providers can reasonably stop abusive neighbours from causing havoc and collect money for the premium network traffic.  How true this statement is depends on the provider and requires your own experiments.

Meanwhile, some people prefer unmetered bandwidth for easier billing.  With the network bandwidth removed from the formula, those compute services usually come at a flat rate, such as $20 for one month.  This makes newcomers feel more comfortable since they need not worry about bill shocks.  Of course, free network traffic does not mean you can do whatever you like: you are still bound by the acceptable use policy, and you are likely to be throttled when your site becomes too popular.

If the configuration allows, you can set up proxy servers and network gateways so you can cache and control some Internet traffic.  The system update patches and deployment packages from the respective HTTP servers can be cached so that repeated accesses to a manifest are faster and free (as in the Intranet).  The Internet gateway is helpful in consolidating network bandwidth; instead of paying for a 1-Mbps link for each of your 10 virtual machines, you can have a shared 5-Mbps gateway and make sure the bandwidth is better utilised.

For experimental purposes, it is best to pick a service that is unmetered, or one that comes with a large amount of bandwidth free of charge.  When you are getting serious, you can also consider dedicated bandwidth as a means to guarantee your service level and avoid bill shocks.

Points of Presence

Last but not least, pay attention to the points of presence of each provider.  You are going to have different network bandwidth and latencies to each of the points.  The different points are also likely to be under different regulating laws.  Try to use services in countries that support free speech should you worry about Internet censorship.

Affiliated Links

Here you can find some affiliated cloud providers who support FreeBSD.  The information is valid as of early January 2017.

  • Vultr charges per hour at flat rates and supports FreeBSD, OpenBSD, Linux and Windows.  It provides high-speed solid-state drives (SSDs) and the virtual machines come with a large complimentary network traffic allowance.  There are a bit more than a dozen points of presence.
  • RootBSD charges per month or per year.  As the name suggests, it supports FreeBSD, OpenBSD, NetBSD, and Linux.  It runs on high-speed SSDs and comes with a large complimentary network traffic allowance.  There are a bit more than two dozen points of presence.
  • Fengqi Asia accepts payments for periods as short as a week, and free trials are negotiable.  It provides Joyent container and storage (ZFS) technologies.  The network is unmetered, or you can buy dedicated bandwidth.  It supports FreeBSD, SmartOS, Linux and Windows and provides services in Hong Kong.