Tag Archives: freebsd

Keep FreeBSD Desktop Updated

While its relatively easy (or brain dead easy with GhostBSD or NomadBSD distributions) to install and configure a FreeBSD Desktop – one have to keep in mind that its also important to keep that system updated and secure.

There are many aspects about FreeBSD to keep it updates and secured.

The Table of Contents for this article is shown below:

  • FreeBSD Base System
  • Packages
  • FreeBSD Linux Browser Installer
  • WINE
  • Cargo Packages
  • FreeBSD Ports Tree
  • Summary

Lets now discuss each section one by one.

FreeBSD Base System

First is the FreeBSD Base System which is updated by the frebsd-update(8) utility. It is not often you need to do this – from my experience its once a month need usually.

The list of needed commands are shown below.

# freebsd-version
# frebsd-update fetch
# frebsd-update install

While the freebsd-version(1) will tell you what version you are currently running the freebsd-update(8) will help you to update your FreeBSD system to have latest patches installed.

… but when to update the FreeBSD Base System anyway? Well – its quite simple – check the FreeBSD Security Advisories page – and if something posted there affects you – then you should move your ass and update it πŸ™‚

Packages

After you have taken care of the FreeBSD Base System the next one to make sure you are not too much far behind are the FreeBSD packages.

You can of course check if any of your installed packages have any reported security holes as shown below.

# pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

The above message shows that your installed packages are safe – but its not the message you see the most of the time πŸ™‚

Below are the commands that you would use to update your FreeBSD desktop system.

# pkg upgrade
# pkg autoremove
# pkg clean -y --all

… and yes it does include some extra steps to remove cached packages – and probably now not needed as the are already installed anyway.

I do not think that anything more should be added here – maybe a short mention about the packages branch you are using. The default one is the quarterly branch that has packages build every quarter.

Maybe its sometimes reasonable for the server like environments – but I prefer to have the latest versions of what FreeBSD maintainers do offer in their hard and often underestimated work.

This is why I always use – both on desktop and servers – the latest packages branch.

This means that packages are (re)built once a week or faster and you get what is latest and fresh.

I will not convince you what is better – you will have to decide for yourself.

FreeBSD Linux Browser Installer

The Linux Browser Installer helps a lot on FreeBSD systems. It provides browsers (via the Linux Compatibility Layer) that are not natively available on FreeBSD – but with DRM sh!t needed to access for example Netflix content.

The Linux Browser Installer is easy to install – but its also easy to update.

Below you will find commands that will keep your Linux Browser Installer updated and secure.

# git clone https://github.com/mrclksr/linux-browser-installer.git
# cd linux-browser-installer
# ./linux-browser-installer chroot upgrade

WINE

One may think that WINE is just another package and that it was already updated during the # pkg upgrade cycle – it depends – the default WINE package is for 64bit excusables … but its also possible to run (and often needed) the older 32bit executables.

The problem is that the 32bit environment has its own separate root with its own packages set.

To be honest its not a big deal – you just need to remember to update it along with other things you update periodically πŸ™‚

Below is the command that updates the 32bit WINE binaries/packages.

% /usr/local/share/wine/pkg32.sh upgrade

One of the things you need to keep in mind that it is done by you (user) and not the root user of the machine.

Cargo Packages

While 95% of this topic is covered above – no one prevents you from using the additional Cargo packages – and I do it myself also.

Its just that some software is not yet available by the official FreeBSD packages – but its already official by using the Cargo packages.

I personally use about 10 different Cargo packages that are still not available on the FreeBSD packages.

update

Here are the instructions to keep these Cargo packages updated.

First and most important – you need to install the cargo-update package to be able to update installed Cargo packages.

Then you may just use the other command to have Cargo packages updated.

# cargo install cargo-update
# cargo install-update -a

FreeBSD Ports Tree

Last but not least – the FreeBSD Ports Tree – which even if you only use binary packages – can often come handy in some exceptions.

We all know the ‘default’ rule that mixing Packages and Ports is a bad idea in the FreeBSD world – and I generally agree – its a bad idea if you do not know what you are doing.

If you do know what you are doing – you may mix anything with everything – just do not spam the FreeBSD Forums for help later πŸ™‚

The tool to update the local FreeBSD Ports Tree on your machine is still portsnap(8) and the auto argument is usually more then enough.

# portsnap auto

From the other things – you may want to setup the WRKDIRPREFIX variable to have everything built in the /usr/ports/obj directory – to have everything in one place.

# grep WRKDIRPREFIX /etc/make.conf
WRKDIRPREFIX=${PORTSDIR}/obj
# rm -rf \
    /usr/ports/obj \
    /usr/ports/distfiles

I often also clean the /usr/ports/obj and /usr/ports/distfiles directories.

Summary

Besides the things that I have wrote above I also sometimes save some binaries to the ~/scripts/bin path. There is not upgrade path for them besides manually checking the provider page.

Some examples of such software on my system are doso or cpuc ones.

As I do not have anything more to add here – please feel free to comment what is missing in keeping your workstation updated and secure.

EOF

Advertisement

Native Urban Terror on FreeBSD

Welcome to 2023 and let me start a first article of this new year with a … guest post by @NeoMoevius from Twitter. That is right. I did not invented it. I did not created it. I only partially wrote it – treat me as a ghost writer here. ll the thanks and welcomes goes directly to @NeoMoevius – I am just a messenger here πŸ™‚

This post will be about playing (and first building – of course) the Urban Terror game on FreeBSD system. It is about how to build and install Urban Terror 4.3 on FreeBSD without Linux emulation or using WINE. Natively. This will be on the latest and supported FreeBSD 13.1-RELEASE system.

There are not many steps to make it happen. First – just download the official Urban Terror ZIP file.

% mkdir _UT
% cd _UT
% fetch http://cdn.urbanterror.info/urt/43/releases/zips/UrbanTerror434_full.zip
UrbanTerror434_full.zip                         3% of 1403 MB 1836 kBps 11m38s
% unzip UrbanTerror434_full.zip
% cd UrbanTerror43
% pwd
/home/vermaden/_UT/UrbanTerror43

Lets leave that alone for now πŸ™‚

We will also need to install some dependencies.

# pkg install -y \
    devel/sdl20 \
    devel/pkgconf \
    devel/gmake \
    ftp/curl \
    graphics/sdl2_image \
    graphics/sdl2_ttf \
    audio/sdl2_mixer \
    audio/openal-soft

We will now need to download and compile source code of ioquake 3 for Urban Terror.

% mkdir _IOQ3
% cd _IOQ3
% git clone https://github.com/mickael9/ioq3.git
Cloning into 'ioq3'...
remote: Enumerating objects: 28169, done.
Receiving objects:  19% (5353/28169), 6.77 MiB | 2.24 MiB/s
% cd ioq3
% gmake
% echo ${?}
0
% cd build/release-freebsd-x86_64
% ls -l
total 2773K
drwxr-xr-x 2 vermaden vermaden       2 2023-01-20 20:11 autoupdater/
drwxr-xr-x 4 vermaden vermaden     228 2023-01-20 20:12 client/
drwxr-xr-x 2 vermaden vermaden     154 2023-01-20 20:11 ded/
drwxr-xr-x 2 vermaden vermaden     166 2023-01-20 20:12 renderergl1/
drwxr-xr-x 3 vermaden vermaden      77 2023-01-20 20:12 renderergl2/
-rwxr-xr-x 1 vermaden vermaden  862712 2023-01-20 20:12 renderer_opengl1_x86_64.so
-rwxr-xr-x 1 vermaden vermaden 1143552 2023-01-20 20:12 renderer_opengl2_x86_64.so
-rwxr-xr-x 1 vermaden vermaden 2133400 2023-01-20 20:12 urbanterror-m9.x86_64
-rwxr-xr-x 1 vermaden vermaden  970368 2023-01-20 20:11 urbanterror-server-m9.x86_64

The files that are interesting for us are listed below:

  • renderer_opengl1_x86_64.so
  • renderer_opengl2_x86_64.so
  • urbanterror-m9.x86_64
  • urbanterror-server-m9.x86_64

… and now you will need to copy these four files into the Urban Terror folder when you have uncompressed the game.

% cp \
    renderer_opengl1_x86_64.so   \
    renderer_opengl2_x86_64.so   \
    urbanterror-m9.x86_64        \
    urbanterror-server-m9.x86_64 \
    /home/vermaden/_UT/UrbanTerror43

% cd /home/vermaden/_UT/UrbanTerror43

% pwd
/home/vermaden/_UT/UrbanTerror43

% ls -l
total 8495K
drwxr-xr-x 2 vermaden vermaden      30 2023-01-20 20:19 q3ut4/
drwxr-xr-x 3 vermaden vermaden       3 2023-01-20 20:19 Quake3-UrT.app/
-rw-r--r-- 1 vermaden vermaden 1082800 2018-06-21 22:08 Quake3-UrT-Ded.exe
-rwxr-xr-x 1 vermaden vermaden  816002 2018-06-21 22:08 Quake3-UrT-Ded.i386
-rwxr-xr-x 1 vermaden vermaden  961958 2018-06-21 22:08 Quake3-UrT-Ded.x86_64
-rw-r--r-- 1 vermaden vermaden 2634689 2018-06-21 22:08 Quake3-UrT.exe
-rwxr-xr-x 1 vermaden vermaden 1702624 2018-06-21 22:08 Quake3-UrT.i386
-rwxr-xr-x 1 vermaden vermaden 1940280 2018-06-21 22:08 Quake3-UrT.x86_64
-rwxr-xr-x 1 vermaden vermaden  862712 2023-01-20 20:20 renderer_opengl1_x86_64.so
-rwxr-xr-x 1 vermaden vermaden 1143552 2023-01-20 20:20 renderer_opengl2_x86_64.so
-rwxr-xr-x 1 vermaden vermaden 2133400 2023-01-20 20:20 urbanterror-m9.x86_64
-rwxr-xr-x 1 vermaden vermaden  970368 2023-01-20 20:20 urbanterror-server-m9.x86_64

We will now try to start that Urban Terror game.

% pwd
/home/vermaden/_UT/UrbanTerror43

% ./urbanterror-m9.x86_64
ioq3-UrT m9-builds/31 freebsd-x86_64 Jan 20 2023
SSE instruction set enabled
----- FS_Startup -----
We are looking in the current search path:
/home/vermaden/.q3a/q3ut4
./q3ut4
./q3ut4/zUrT43_qvm.pk3 (4 files)
./q3ut4/zUrT43_021.pk3 (85 files)
./q3ut4/zUrT43_020.pk3 (295 files)
./q3ut4/zUrT43_019.pk3 (342 files)
./q3ut4/zUrT43_018.pk3 (801 files)
(...)

Seems to start and work properly.

Here are several shots of what I tried to play it for some single online event.

urban-terror-01

urban-terror-02

urban-terror-03

urban-terror-04

All the screens above are in the windowed more but you can switch between window and full screen with [ALT]+[ENTER] shortcut at anytime. It was just easier for me to catch several shots for this article πŸ™‚

Seems I am definitely not the best at this game :p

urban-terror-05

The Urban Terror game run smooth on my Intel HD Graphics 3000 card.

Fortunately I did not need to switch BIOS settings to start my decade old Nvidia Quadro 2000M monster :p

Not sure what I can add here – definitely a kind thank You for @NeoMoevius for his offer of making this content available for You πŸ™‚

Regards.

Connect FreeBSD to FreeIPA/Red Hat Identity Management

Corporate needs are simple – one ring to rule them all place to get users from. On the open source path there are several ways to achieve that. Alongside ‘plain’ OpenLDAP there is also FreeIPA – which is open source and free version of the Red Hat Identity Management (IDM).

FreeIPA-logo

This guide will show you how to make basic FreeIPA install and connect a FreeBSD 13.1-RELEASE system to it.

logo-freebsd

The Table of Contents for this article looks as follows.

  • Connect FreeBSD to FreeIPA/Red Hat Identity Management
  • FreeIPA
    • FreeIPA Requirements
    • FreeIPA Setup
  • FreeBSD Client
    • FreeBSD Packages
    • FreeBSD Setup
    • FreeIPA/IDM Setup Part
    • Finish Setup with Web Browser in FreeIPA/IDM Page
    • FreeBSD FreeIPA Login Test
  • FreeBSD Jail as FreeIPA/IDM Client
    • Basic FreeBSD Jail Preparations
    • Configure FreeBSD Jail to Connect to FreeIPA/IDM Server
  • Linux FreeIPA/IDM Client
    • FreeIPA/IDM Setup Part
    • Linux FreeIPA/IDM Client Setup

FreeIPA

As typical CentOS is dead (yes there is CentOS Stream available but its not a RHEL clone) I have two options here. Rocky Linux and Alma Linux. I will use the latter as it seems more popular and more up to date. In this guide the FreeIPA/IDM server will hosted on the Alma Linux 8.6 system.

To make things easier I installed that Alma Linux 8.6 with single 20GB / root on the /dev/sda1 partition. No separate /boot. No LVM. Just good old plain fucking simple single raw partition for everything. Seems no one does it these days πŸ™‚

[root@idm ~]# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   20G  0 disk
└─sda1   8:1    0   20G  0 part /

FreeIPA Requirements

The minimum hardware requirements for installing FreeIPA server are as follows.

RAM: 4GB
CPU: 2
HDD: 10GB
DNS: fully qualified domain name for FreeIPA
     must be resolvable from DNS server configured in system

For this installation I have used the 10.0.0.0/24 network.

The FreeIPA/IDM server will get the 10.0.0.40 IP.

The FreeIPA/IDM Linux client rhlike.vercorp.org will get the 10.0.0.41 IP.

The FreeIPA/IDM FreeBSD client fbsd.vercorp.org will get the 10.0.0.42 IP.

The FreeIPA/IDM FreeBSD client fbsdjail.vercorp.org will get the 10.0.0.43 IP.

For lack of better ideas I have used vercorp.org/VERCORP.ORG as domain/realm names and idm.vercorp.org as the FreeIPA/IDM hostname.

Details of FreeIPA/IDM idm.vercorp.org system below.

      IP: 10.0.0.40/24
      GW: 10.0.0.1
     DNS: 1.1.1.1
hostname: idm.vercorp.org
  domain: vercorp.org
   realm: VERCORP.ORG

FreeBSD fbsd.vercorp.org system.

      IP: 10.0.0.42/24
      GW: 10.0.0.1
hostname: fbsd.vercorp.org

FreeBSD Jail fbsdjail.vercorp.org system.

      IP: 10.0.0.43/24
      GW: 10.0.0.1
hostname: fbsdjail.vercorp.org

If you are curious what is hidden in the 10.0.0.42 IP – then its a typical Alma Linux that I first used to try if the FreeIPA/IDM works at all πŸ™‚

FreeIPA Setup

Because Anaconda is far from being a usable installer – this is how the only enp0s3 interface config looks like after manual intervention.

[root@idm ~]# cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
NAME=enp0s3
DEVICE=enp0s3
TYPE=Ethernet
BOOTPROTO=none
UUID=b49cd1ab-d3eb-421d-b408-c052acc077da
ONBOOT=yes
IPADDR=10.0.0.40
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
IPV6INIT=no
DNS1=1.1.1.1
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no

Before we will go into setup procedures – we will update that Alma Linux system.

[root@idm ~]# yum update -y
[root@idm ~]# reboot

After the reboot we will disable the IPv6 stack for main interface (enp0s3) as FreeIPA installer has some problem with it. We do not need IPv6 here anyway so …

[root@idm ~]# cat << EOF >> /etc/sysctl.conf
# DISABLE IPv6 FOR MAIN enp0s3 INTERFACE
net.ipv6.conf.enp0s3.disable_ipv6=1
EOF

Lets set our FreeIPA/IDM hostname if we missed that at the Anaconda installer part. We will also setup the system time zone.

[root@idm ~]# hostnamectl set-hostname idm.vercorp.org

[root@idm ~]# hostnamectl
   Static hostname: idm.vercorp.org
         Icon name: computer-vm
           Chassis: vm
        Machine ID: b8bfb8bcc23147eb9cc7b62c72a09c32
           Boot ID: 06158ef430d9467d959076ab4396314e
    Virtualization: oracle
  Operating System: AlmaLinux 8.6 (Sky Tiger)
       CPE OS Name: cpe:/o:almalinux:almalinux:8::baseos
            Kernel: Linux 4.18.0-372.26.1.el8_6.x86_64
      Architecture: x86-64

[root@idm ~]# timedatectl set-timezone Europe/Warsaw

[root@idm ~]# timedatectl set-local-rtc 0

[root@idm ~]#Β timedatectl
               Local time: Mon 2022-10-17 15:08:28 CEST
           Universal time: Mon 2022-10-17 13:08:28 UTC
                 RTC time: Sat 2022-10-15 00:28:10
                Time zone: Europe/Warsaw (CEST, +0200)
System clock synchronized: yes
              NTP service: inactive
          RTC in local TZ: no

Lets add the system IP and name to the /etc/hosts file now.

[root@idm ~]# echo "$( hostname -i | awk '{print $NF}' )   $( hostname ) $( hostname -s )" >> /etc/hosts

[root@idm ~]# grep idm /etc/hosts
10.0.0.40   idm.vercorp.org idm

[root@idm ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.40   idm.vercorp.org idm

We need to enable the FreeIPA/IDM module in yum(8).

[root@idm ~]# yum module list idm
Last metadata expiration check: 0:00:31 ago on Tue 18 Oct 2022 01:02:51 PM CEST.
AlmaLinux 8 - AppStream
Name  Stream      Profiles                                  Summary
idm   DL1         adtrust, client, common [d], dns, server  The Red Hat Enterprise Linux Identity Management system module
idm   client [d]  common [d]                                RHEL IdM long term support client module

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

[root@idm ~]# yum module enable idm:DL1 -y
Last metadata expiration check: 0:01:06 ago on Tue 18 Oct 2022 01:02:51 PM CEST.
Dependencies resolved.
=====================================================================================================
 Package                 Architecture           Version                  Repository              Size
=====================================================================================================
Enabling module streams:
 389-ds                                         1.4
 httpd                                          2.4
 idm                                            DL1
 pki-core                                       10.6
 pki-deps                                       10.6

Transaction Summary
=====================================================================================================

Complete!

Some additional step needed.

[root@idm ~]# yum distro-sync
Last metadata expiration check: 0:10:07 ago on Mon 17 Oct 2022 03:14:32 PM CEST.
Dependencies resolved.
Nothing to do.
Complete!

We will now install FreeIPA/IDM with DNS as this setup is the most simplistic one. We focus on FreeBSD part here in that article.

[root@idm ~]# yum install -y bind-utils chrony nc
[root@idm ~]# yum module install idm:DL1/dns -y

One can use the ‘interactive’ installer and answer ‘by hand’ for all the asked questions – but to be honest I prefer to type my command once and make it ‘happen’ altogether without my time wasted.

As you probably guessed – we will use the unattended mode for the FreeIPA/IDM installer.

[root@idm ~]# ipa-server-install \
    --domain vercorp.org \
    --realm VERCORP.ORG \
    --reverse-zone=0.0.10.in-addr.arpa. \
    --no-forwarders \
    --no-ntp \
    --setup-dns \
    --ds-password    [password] \
    --admin-password [password] \
    --unattended

Checking DNS domain 0.0.10.in-addr.arpa., please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

Excluded by options:
  * Configure the NTP client (chronyd)

Warning: skipping DNS resolution of host idm.vercorp.org
Checking DNS domain vercorp.org., please wait ...
Checking DNS domain 0.0.10.in-addr.arpa., please wait ...
Checking DNS domain 0.0.10.in-addr.arpa., please wait ...
Using reverse zone(s) 0.0.10.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.

The IPA Master Server will be configured with:
Hostname:       idm.vercorp.org
IP address(es): 10.0.0.40
Domain name:    vercorp.org
Realm name:     VERCORP.ORG

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=VERCORP.ORG
Subject base: O=VERCORP.ORG
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  0.0.10.in-addr.arpa.

Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=vercorp,dc=org ...
Perform post-installation tasks ...
  [2/41]: tune ldbm plugin
  [3/41]: adding default schema
  [4/41]: enabling memberof plugin
  [5/41]: enabling winsync plugin
  [6/41]: configure password logging
  [7/41]: configuring replication version plugin
  [8/41]: enabling IPA enrollment plugin
  [9/41]: configuring uniqueness plugin
  [10/41]: configuring uuid plugin
  [11/41]: configuring modrdn plugin
  [12/41]: configuring DNS plugin
  [13/41]: enabling entryUSN plugin
  [14/41]: configuring lockout plugin
  [15/41]: configuring topology plugin
  [16/41]: creating indices
  [17/41]: enabling referential integrity plugin
  [18/41]: configuring certmap.conf
  [19/41]: configure new location for managed entries
  [20/41]: configure dirsrv ccache and keytab
  [21/41]: enabling SASL mapping fallback
  [22/41]: restarting directory server
  [23/41]: adding sasl mappings to the directory
  [24/41]: adding default layout
  [25/41]: adding delegation layout
  [26/41]: creating container for managed entries
  [27/41]: configuring user private groups
  [28/41]: configuring netgroups from hostgroups
  [29/41]: creating default Sudo bind user
  [30/41]: creating default Auto Member layout
  [31/41]: adding range check plugin
  [32/41]: creating default HBAC rule allow_all
  [33/41]: adding entries for topology management
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: stopping certificate server instance to update CS.cfg
  [3/29]: backing up CS.cfg
  [4/29]: Add ipa-pki-wait-running
  [5/29]: secure AJP connector
  [6/29]: reindex attributes
  [7/29]: exporting Dogtag certificate store pin
  [8/29]: disabling nonces
  [9/29]: set up CRL publishing
  [10/29]: enable PKIX certificate path discovery and validation
  [11/29]: authorizing RA to modify profiles
  [12/29]: authorizing RA to manage lightweight CAs
  [13/29]: Ensure lightweight CAs container exists
  [14/29]: Ensuring backward compatibility
  [15/29]: starting certificate server instance
  [16/29]: configure certmonger for renewals
  [17/29]: requesting RA certificate from CA
  [18/29]: publishing the CA certificate
  [19/29]: adding RA agent as a trusted user
  [20/29]: configure certificate renewals
  [21/29]: Configure HTTP to proxy connections
  [22/29]: updating IPA configuration
  [23/29]: enabling CA instance
  [24/29]: importing IPA certificate profiles
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: adding default CA ACL
  [27/29]: adding 'ipa' CA entry
  [28/29]: configuring certmonger renewal for lightweight CAs
  [29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
  [1/8]: creating samba domain object
  [2/8]: adding admin(group) SIDs
  [3/8]: adding RID bases
  [4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/8]: activating sidgen task
  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/8]: adding fallback group
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.8

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: idm.vercorp.org
Realm: VERCORP.ORG
DNS Domain: vercorp.org
IPA Server: idm.vercorp.org
BaseDN: dc=vercorp,dc=org

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring vercorp.org as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
    TCP Ports:
      * 80, 443: HTTP/HTTPS
      * 389, 636: LDAP/LDAPS
      * 88, 464: kerberos
      * 53: bind
    UDP Ports:
      * 88, 464: kerberos
      * 53: bind

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.
  3. Kerberos requires time synchronization between clients
     and servers for correct operation. You should consider enabling chronyd.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@idm ~]#

Seems that all went well and now we have our FreeIPA/IDM installed.

Lets check several things.

[root@idm ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@idm ~]# systemctl list-unit-files | grep ipa | grep service
ipa-ccache-sweep.service                   disabled
ipa-custodia.service                       disabled
ipa-dnskeysyncd.service                    disabled
ipa-healthcheck.service                    disabled
ipa-ods-exporter.service                   disabled
ipa-otpd@.service                          static
ipa.service                                enabled

Seems to be installed and working.

What about the /etc/sssd/sssd.conf config.

[root@idm ~]# cat /etc/sssd/sssd.conf
[domain/vercorp.org]

id_provider = ipa
ipa_server_mode = True
ipa_server = idm.vercorp.org
ipa_domain = vercorp.org
ipa_hostname = idm.vercorp.org
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo

domains = vercorp.org
[nss]
homedir_substring = /home
memcache_timeout = 600

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = ipaapi, root

[session_recording]

There is also /etc/ssh/ssh_config.d/04-ipa.conf file …

[root@idm ~]# cat /etc/ssh/ssh_config.d/04-ipa.conf
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes

# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

For some reason we need to manually enable and start the Apache HTTP server.

[root@idm ~]# systemctl enable --now httpd

You can now access the FreeIPA/IDM at your browser on the http://idm.vercorp.org address. If you use the http://10.0.0.40 IP then you will be redirected to the http://idm.vercorp.org address so make sure you have added that host to your local /etc/hosts file.

FreeIPA-login-page

FreeIPA-login

On the second screen you will see that I have already created the vermaden user.

FreeBSD Client

We will get straight into the point. After having FreeBSD 13.1-RELEASE installed in the most ‘default’ way in the bsdinstall(8) installer – the Auto ZFS road – we will now fetch the up to date FreeBSD Ports tree with portsnap(8) tool.

This is the main /etc/rc.conf config file.

# cat /etc/rc.conf
hostname="fbsd"
ifconfig_vtnet0="inet 10.0.0.42 netmask 255.255.255.0"
defaultrouter="10.0.0.1"
sshd_enable="YES"
moused_enable="YES"
dumpdev="AUTO"
zfs_enable="YES"
syslogd_flags="-ss"
sssd_enable="YES"

FreeBSD Packages

We need to have FreeBSD Ports tree.

# portsnap auto

Lets check what is the current default SAMBA version on FreeBSD.

# grep -i samba /usr/ports/Mk/*default*
        PYTHON2 PYTHON3 RUBY RUST SAMBA SSL TCLTK VARNISH
SAMBA_DEFAULT?=         4.12

To omit a lot of pointless compilation I will first install all precompiled packages – that would also install needed dependencies. Then we will rebuild just the several needed packages.

# pkg install krb5 sudo cyrus-sasl cyrus-sasl-gssapi pam_mkhomedir openldap26-client samba412

Settings in the /etc/make.conf file.

# cat /etc/make.conf
# USE /usr/ports/obj PLACE
WRKDIRPREFIX=${PORTSDIR}/obj

OPTIONS_UNSET=       DOCS EXAMPLES DEBUG X11
OPTIONS_UNSET+=      DBUS GSSAPI_BASE GSSAPI_HEIMDAL
OPTIONS_SET+=        GSSAPI_MIT
WITH_GSSAPI=         yes
WANT_OPENLDAP_SASL=  yes

Lets configure the needed ports.

# \
for I in /usr/ports/security/sudo \
         /usr/ports/security/sssd \
         /usr/ports/security/krb5 \
         /usr/ports/security/cyrus-sasl2-gssapi \
         /usr/ports/security/pam_mkhomedir \
         /usr/ports/net/openldap26-client
do
  make -C ${I} rmconfig
done

# \
for I in /usr/ports/security/sudo \
         /usr/ports/security/sssd \
         /usr/ports/security/krb5 \
         /usr/ports/security/cyrus-sasl2-gssapi \
         /usr/ports/security/pam_mkhomedir \
         /usr/ports/net/openldap26-client
do
  make -C ${I} config-recursive
done

The curses(3X) selection will look more or less like these below.

=> security/sudo | OPTIONS___________________________________________________________________________
[x] AUDIT              Enable BSM audit support
[ ] DISABLE_AUTH       Do not require authentication by default
[ ] DISABLE_ROOT_SUDO  Do not allow root to run sudo
[ ] DOCS               Build and/or install documentation
[ ] EXAMPLES           Build and/or install examples
[ ] INSULTS            Enable insults on failures
[x] LDAP               LDAP protocol support
[ ] NLS                Native Language Support
[ ] NOARGS_SHELL       Run a shell if no arguments are given
[ ] OPIE               Enable one-time passwords (no PAM support)
[ ] PAM                Pluggable authentication module support
[ ] PYTHON             Enable python plugin support
[x] SSSD               Enable SSSD backend support.
=> security/sudo | Kerberos 5 Authentication (no PAM support)
( ) GSSAPI_BASE        GSSAPI support via base system (needs Kerberos)
( ) GSSAPI_HEIMDAL     GSSAPI support via security/heimdal
(*) GSSAPI_MIT         GSSAPI support via security/krb5


=> security/sssd | OPTIONS___________________________________________________________________________
[ ] DOCS  Build and/or install documentation
[x] SMB   Install IPA and AD providers (requires Samba4)


=> security/cyrus-sasl2-gssapi | OPTIONS_____________________________________________________________
( ) GSSAPI_BASE     GSSAPI support via base system (needs Kerberos)
( ) GSSAPI_HEIMDAL  GSSAPI support via security/heimdal
(*) GSSAPI_MIT      GSSAPI support via security/krb5


=> net/openldap26-client | OPTIONS___________________________________________________________________
[ ] DEBUG   Build with debugging support
[ ] DOCS    Build and/or install documentation
[ ] FETCH   Enable fetch(3) support
[x] GSSAPI  With GSSAPI support


=> security/krb5 | OPTIONS___________________________________________________________________________
[ ] DNS_FOR_REALM  Enable DNS lookups for Kerberos realm names
[ ] EXAMPLES       Build and/or install examples
[x] KRB5_HTML      Install krb5 HTML documentation
[x] KRB5_PDF       Install krb5 PDF documentation
[x] LDAP           LDAP protocol support
[ ] LMDB           OpenLDAP Lightning Memory-Mapped Database support
[ ] NLS            Native Language Support
=> security/krb5 | Command Line Editing for kadmin and ktutil
(*) READLINE       Command line editing via libreadline
( ) LIBEDIT        Command line editing via libedit

We can now check what options have been saved.

# cat /var/db/ports/security_sudo-sssd/options
_OPTIONS_READ=sudo-sssd-1.9.11p3
_FILE_COMPLETE_OPTIONS_LIST=AUDIT DISABLE_AUTH DISABLE_ROOT_SUDO DOCS EXAMPLES INSULTS LDAP NLS NOARGS_SHELL OPIE PAM PYTHON SSSD GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
OPTIONS_FILE_SET+=AUDIT
OPTIONS_FILE_SET+=GSSAPI_MIT
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_SET+=NLS
OPTIONS_FILE_SET+=SSSD
OPTIONS_FILE_UNSET+=DISABLE_AUTH
OPTIONS_FILE_UNSET+=DISABLE_ROOT_SUDO
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=EXAMPLES
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=INSULTS
OPTIONS_FILE_UNSET+=NOARGS_SHELL
OPTIONS_FILE_UNSET+=OPIE
OPTIONS_FILE_UNSET+=PAM
OPTIONS_FILE_UNSET+=PYTHON

# cat /var/db/ports/security_sssd/options
_OPTIONS_READ=sssd-1.16.5_6
_FILE_COMPLETE_OPTIONS_LIST=DOCS SMB
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=SMB

# cat /var/db/ports/security_cyrus-sasl2/options
_OPTIONS_READ=cyrus-sasl-2.1.28
_FILE_COMPLETE_OPTIONS_LIST=ALWAYSTRUE AUTHDAEMOND DOCS KEEP_DB_OPEN  OBSOLETE_CRAM_ATTR OBSOLETE_DIGEST_ATTR  SASLDB_IN_VAR BDB1 BDB GDBM LMDB ANONYMOUS CRAM DIGEST LOGIN NTLM OTP PLAIN SCRAM
OPTIONS_FILE_SET+=ANONYMOUS
OPTIONS_FILE_SET+=AUTHDAEMOND
OPTIONS_FILE_SET+=BDB1
OPTIONS_FILE_SET+=CRAM
OPTIONS_FILE_SET+=DIGEST
OPTIONS_FILE_SET+=LOGIN
OPTIONS_FILE_SET+=NTLM
OPTIONS_FILE_SET+=OBSOLETE_CRAM_ATTR
OPTIONS_FILE_SET+=OBSOLETE_DIGEST_ATTR
OPTIONS_FILE_SET+=OTP
OPTIONS_FILE_SET+=PLAIN
OPTIONS_FILE_SET+=SCRAM
OPTIONS_FILE_UNSET+=ALWAYSTRUE
OPTIONS_FILE_UNSET+=BDB
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=GDBM
OPTIONS_FILE_UNSET+=KEEP_DB_OPEN
OPTIONS_FILE_UNSET+=LMDB
OPTIONS_FILE_UNSET+=SASLDB_IN_VAR

# cat /var/db/ports/net_openldap26-client/options
_OPTIONS_READ=openldap26-client-2.6.3
_FILE_COMPLETE_OPTIONS_LIST=DEBUG DOCS FETCH GSSAPI
OPTIONS_FILE_SET+=GSSAPI
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=FETCH

# cat /var/db/ports/security_krb5/options
# This file is auto-generated by 'make config'.
# Options for krb5-1.20
_OPTIONS_READ=krb5-1.20
_FILE_COMPLETE_OPTIONS_LIST=DNS_FOR_REALM EXAMPLES KRB5_HTML KRB5_PDF LDAP LMDB NLS READLINE LIBEDIT
OPTIONS_FILE_UNSET+=DNS_FOR_REALM
OPTIONS_FILE_UNSET+=EXAMPLES
OPTIONS_FILE_SET+=KRB5_HTML
OPTIONS_FILE_SET+=KRB5_PDF
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=LMDB
OPTIONS_FILE_SET+=NLS
OPTIONS_FILE_SET+=READLINE
OPTIONS_FILE_UNSET+=LIBEDIT

… and build them.

# \
for I in /usr/ports/security/sudo \
         /usr/ports/security/sssd \
         /usr/ports/security/krb5
         /usr/ports/security/cyrus-sasl2-gssapi \
         /usr/ports/security/pam_mkhomedir \
         /usr/ports/net/openldap26-client \
do
  make -C ${I} build
done

… unsinstall them and create their packages.

# \
for I in /usr/ports/security/sudo \
         /usr/ports/security/sssd \
         /usr/ports/security/krb5
         /usr/ports/security/cyrus-sasl2-gssapi \
         /usr/ports/security/pam_mkhomedir \
         /usr/ports/net/openldap26-client \
do
  make -C ${I} deinstall package
done

After some time we have our built packages.

# find /usr/ports/obj/ -name \*.pkg
/usr/ports/obj/usr/ports/lang/perl5.32/work/perl-5.32.1/symbian/ext/Moped/Msg/Msg.pkg
/usr/ports/obj/usr/ports/security/pam_mkhomedir/work/pkg/pam_mkhomedir-0.2.pkg
/usr/ports/obj/usr/ports/security/cyrus-sasl2-gssapi/work/pkg/cyrus-sasl-gssapi-2.1.28.pkg
/usr/ports/obj/usr/ports/security/krb5/work/pkg/krb5-1.20.pkg
/usr/ports/obj/usr/ports/security/sudo/work/pkg/sudo-1.9.11p3.pkg
/usr/ports/obj/usr/ports/security/sssd/work-default/pkg/sssd-1.16.5_6.pkg
/usr/ports/obj/usr/ports/net/openldap26-client/work/pkg/openldap26-client-2.6.3.pkg

In the future I need to add some short guide to build them regularly with Synth or Poudriere πŸ™‚

Now we need to install these packages in quite nontypical way. One by one – in specified order. It will not be needed it we would have a separate additional pkg(8) repository with Poudriere build packages.

Our packages:

# ls -1 *.pkg
cyrus-sasl-gssapi-2.1.28.pkg
krb5-1.20.pkg
openldap26-client-2.6.3.pkg
pam_mkhomedir-0.2.pkg
sssd-smb4-1.16.5_6.pkg
sudo-sssd-1.9.11p3.pkg

… and their install process.

# pkg install -y c-ares

# pkg add sssd-smb4-1.16.5_6.pkg

# pkg install -y cyrus-sasl-gssapi-2.1.28.pkg
(...)
New packages to be INSTALLED:
        cyrus-sasl: 2.1.28
        cyrus-sasl-gssapi: 2.1.28
        krb5: 1.20
(...)

# pkg delete -f -y krb5
(...)
Installed packages to be REMOVED:
        krb5: 1.20
(...)

# pkg add krb5-1.20.pkg

# pkg install -y sssd

# pkg add sudo-sssd-1.9.11p3.pkg

# pkg delete -f -y sssd
(...)
Installed packages to be REMOVED:
        sssd: 1.16.5_6
(...)

# pkg install ding-libs ldb21 nspr nss pcre samba412

# pkg add sssd-smb4-1.16.5_6.pkg

FreeBSD Setup

Create needed dirs.

# mkdir -p \
    /usr/local/etc/ipa \
    /var/log/sssd \
    /var/run/sss/private \
    /var/db/sss

Set system hostname.

# hostname fbsd.vercorp.org

# hostname
fbsd.vercorp.org

Fetch the FreeIPA/IDM certificate.

# fetch -o /usr/local/etc/ipa/ca.crt http://10.0.0.40/ipa/config/ca.crt

FreeIPA/IDM Setup Part

We need to execute several instructions on the FreeIPA/IDM to connect FreeBSD client to it.

Its adding the A and PTR records in DNS for the 10.0.0.42 address and adding the fbsd.vercorp.org host.

We also need to generate the key for our fbsd.vercorp.org system.

[root@idm ~]# kinit admin
Password for admin@VERCORP.ORG:

[root@idm ~]# ipa dnsrecord-add vercorp.org fbsd --a-rec=10.0.0.42 --a-create-reverse
  Record name: fbsd
  A record: 10.0.0.42

[root@idm ~]# ipa host-add fbsd.vercorp.org
-----------------------------
Added host "fbsd.vercorp.org"
-----------------------------
  Host name: fbsd.vercorp.org
  Principal name: host/fbsd.vercorp.org@VERCORP.ORG
  Principal alias: host/fbsd.vercorp.org@VERCORP.ORG
  Password: False
  Keytab: False
  Managed by: fbsd.vercorp.org

[root@idm ~]# ipa-getkeytab -s idm.vercorp.org -p host/fbsd.vercorp.org@VERCORP.ORG -k /root/fbsd.vercorp.org.keytab
Keytab successfully retrieved and stored in: /root/fbsd.vercorp.org.keytab

Now we need to get ‘our’ key from FreeIPA/IDM server … along with proper /etc/hosts file.

# scp root@10.0.0.40:/root/fbsd.vercorp.org.keytab /usr/local/etc/ipa/krb5.keytab

# cat << EOF > /etc/hosts
::1              localhost localhost.my.domain
127.0.0.1        localhost localhost.my.domain
10.0.0.40        idm.vercorp.org  idm
10.0.0.42        fbsd.vercorp.org fbsd
EOF

Now the /usr/local/etc/openldap/ldap.conf file.

# cat << EOF > /usr/local/etc/openldap/ldap.conf
BASE        dc=org,dc=vercorp
URI         ldap://idm.vercorp.org/
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never
SASL_MECH   GSSAPI
SASL_REALM  VERCORP.ORG
ssl         start_tls
TLS_CACERT  /usr/local/etc/ipa/ca.crt
EOF

… and /etc/krb5.conf file.

# cat << EOF > /etc/krb5.conf
[libdefaults]
  default_realm = VERCORP.ORG
  default_keytab_name = FILE:/usr/local/etc/ipa/krb5.keytab
  default_tkt_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
  default_tgs_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  VERCORP.ORG = {
    kdc = idm.vercorp.org:88
    master_kdc = idm.vercorp.org:88
    admin_server = idm.vercorp.org:749
    default_domain = vercorp.org
    pkinit_anchors = FILE:/usr/local/etc/ipa/ca.crt
}

[domain_realm]
  .vercorp.org = VERCORP.ORG
  vercorp.org = VERCORP.ORG

[logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmin.log
  kadmin_local = FILE:/var/log/krb5/kadmin_local.log
  default = FILE:/var/log/krb5/krb5lib.log
EOF

… and /usr/local/etc/sssd/sssd.conf file.

# cat << EOF > /usr/local/etc/sssd/sssd.conf

[domain/vercorp.org]
# debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = VERCORP.ORG
ipa_domain = vercorp.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = fbsd.vercorp.org
chpass_provider = ipa
ipa_server = _srv_, idm.vercorp.org
ldap_tls_cacert = /usr/local/etc/ipa/ca.crt
krb5_keytab = /usr/local/etc/ipa/krb5.keytab

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = vercorp.org

[nss]
filter_users = root,toor
homedir_substring = /usr/home/%u

[pam]

[sudo]
# debug_level = 0x3ff0

[ssh]
EOF

# chmod 600 /usr/local/etc/sssd/sssd.conf

FreeBSD have user account under /usr/home to make sure /home also points there.

# ln -s /usr/home /home

The automatic startup of sssd(8) daemon (not to confuse with sshd(8)) needs to be also configured.

# sysrc sssd_enable=YES
# service sssd start

We also need to configure /etc/nsswitch.conf file.

# cp /etc/nsswitch.conf /etc/nsswitch.conf.BCK

# diff -u /etc/nsswitch.conf.BCK /etc/nsswitch.conf
--- /etc/nsswitch.conf.BCK      2022-10-24 20:10:09.163251000 +0200
+++ /etc/nsswitch.conf  2022-10-24 20:10:57.207406000 +0200
@@ -2,15 +2,17 @@
 # nsswitch.conf(5) - name service switch configuration file
 # $FreeBSD$
 #
-group: compat
+group: files sss
 group_compat: nis
 hosts: files dns
-netgroup: compat
+# netgroup: compat
 networks: files
-passwd: compat
+passwd: files sss
 passwd_compat: nis
 shells: files
 services: compat
 services_compat: nis
 protocols: files
 rpc: files
+sudoers: sss files
+netgroup: files

The final /etc/nsswitch.conf file looks as follows.

# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files sss
group_compat: nis
hosts: files dns
# netgroup: compat
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
sudoers: sss files
netgroup: files

Now the /etc/pam.d/system file.

# cp /etc/pam.d/system /root/etc---pam.d---system.BCK

# diff -u  /root/etc---pam.d---system.BCK /etc/pam.d/system
--- /root/etc---pam.d---system.BCK      2022-10-24 20:13:05.546657000 +0200
+++ /etc/pam.d/system   2022-10-24 20:16:36.722666000 +0200
@@ -7,19 +7,23 @@
 # auth
 auth           sufficient      pam_opie.so             no_warn no_fake_prompts
 auth           requisite       pam_opieaccess.so       no_warn allow_local
-#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+auth           sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           sufficient      /usr/local/lib/pam_sss.so       use_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass nullok

 # account
 #account       required        pam_krb5.so
 account                required        pam_login_access.so
 account                required        pam_unix.so
+account                required        /usr/local/lib/pam_sss.so       ignore_unknown_user ignore_authinfo_unavail

 # session
 #session       optional        pam_ssh.so              want_agent
 session                required        pam_lastlog.so          no_fail
+session                required        /usr/local/lib/pam_mkhomedir.so mode=0700

 # password
 #password      sufficient      pam_krb5.so             no_warn try_first_pass
+password       sufficient      /usr/local/lib/pam_sss.so       use_authtok
 password       required        pam_unix.so             no_warn try_first_pass

The final /etc/pam.d/system file looks as follows.

# cat /etc/pam.d/system
#
# $FreeBSD$
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_sss.so       use_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
account         required        /usr/local/lib/pam_sss.so       ignore_unknown_user ignore_authinfo_unavail

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_lastlog.so          no_fail
session         required        /usr/local/lib/pam_mkhomedir.so mode=0700

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_sss.so       use_authtok
password        required        pam_unix.so             no_warn try_first_pass

Now its time for /etc/pam.d/sshd file.

# cp /etc/pam.d/sshd /root/etc---pam.d---sshd.BCK

# diff -u /root/etc---pam.d---sshd.BCK /etc/pam.d/sshd
--- /root/etc---pam.d---sshd.BCK        2022-10-24 20:17:34.063630000 +0200
+++ /etc/pam.d/sshd     2022-10-24 20:19:16.165810000 +0200
@@ -7,8 +7,9 @@
 # auth
 auth           sufficient      pam_opie.so             no_warn no_fake_prompts
 auth           requisite       pam_opieaccess.so       no_warn allow_local
-#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+auth           sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           sufficient      /usr/local/lib/pam_sss.so       use_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass

 # account
@@ -16,11 +17,14 @@
 #account       required        pam_krb5.so
 account                required        pam_login_access.so
 account                required        pam_unix.so
+account                required        /usr/local/lib/pam_sss.so       ignore_unknown_user ignore_authinfo_unavail

 # session
 #session       optional        pam_ssh.so              want_agent
 session                required        pam_permit.so
+session                required        /usr/local/lib/pam_mkhomedir.so mode=0700

 # password
 #password      sufficient      pam_krb5.so             no_warn try_first_pass
+password       sufficient      /usr/local/lib/pam_sss.so       use_authtok
 password       required        pam_unix.so             no_warn try_first_pass

Final /etc/pam.d/sshd file below.

# cat /etc/pam.d/sshd
#
# $FreeBSD$
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_sss.so       use_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
account         required        /usr/local/lib/pam_sss.so       ignore_unknown_user ignore_authinfo_unavail

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so
session         required        /usr/local/lib/pam_mkhomedir.so mode=0700

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_sss.so       use_authtok
password        required        pam_unix.so             no_warn try_first_pass

Small modification in the /etc/ssh/ssh_config and /etc/ssh/sshd_config files.

# cat << EOF >> /etc/ssh/ssh_config
GSSAPIAuthentication yes
EOF

# cat << EOF >> /etc/ssh/sshd_config
GSSAPIAuthentication yes
UsePAM yes
EOF

Finish Setup with Web Browser in FreeIPA/IDM Page

Visit the https://idm.vercorp.org/ipa/ui/#/e/hbacrule/details/freebsd page.

Next create the HBAC Rule named freebsd as showed below.

idm-1-hbac-rules-menu

idm-2-hbac-rules-freebsd

idm-3-hbac-rules-freebsd-details

… and the Sudo Rule named freebsd name.

idm-4-sudo-rules-menu

idm-5-sudo-rules-freebsd

idm-6-sudo-rules-freebsd-details

FreeBSD FreeIPA Login Test

After all these time consuming and pointless instructions we can now finally try to login to our FreeBSD client.

% ssh -l vermaden 10.0.0.42
(vermaden@10.0.0.42) Password:
Last login: Mon Oct 24 21:06:36 2022 from 10.0.0.3
FreeBSD 13.1-RELEASE releng/13.1-n250148-fc952ac2212 GENERIC

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
You can upload the dmesg of your system to help developers get an overview of commonly
used hardware and peripherals for FreeBSD. Use the curl package to upload it like this:
curl -v -d "nickname=$USER" -d "description=FreeBSD/$(uname -m) on \
$(kenv smbios.system.maker) $(kenv smbios.system.product)" -d "do=addd" \
--data-urlencode 'dmesg@/var/run/dmesg.boot' http://dmesgd.nycbug.org/index.cgi

vermaden@fbsd:~ $ :> ~/.hushlogin

vermaden@fbsd:~ $ id
uid=1408200003(vermaden) gid=1408200000(admins) groups=1408200000(admins)

vermaden@fbsd:~ $ pwd
/home/vermaden

vermaden@fbsd:~ $ grep vermaden /etc/passwd /etc/group
vermaden@fbsd:~ $

vermaden@fbsd:~ $ getent passwd vermaden
vermaden:*:1408200003:1408200000:vermaden vermaden:/home/vermaden:/bin/sh

vermaden@fbsd:~ $ sudo su -
Password for vermaden@VERCORP.ORG:

root@fbsd:~ # logout

vermaden@fbsd:~ $ sudo -i

root@fbsd:~ #

Strange … seems to work properly πŸ™‚

FreeBSD Jail as FreeIPA/IDM Client

As ‘full’ FreeBSD system is able to connect to the FreeIPA/IDM server we will not configure FreeBSD Jail to do the same.

The FreeIPA/IDM FreeBSD client fbsdjail.vercorp.orgwill get the 10.0.0.43 IP.

Basic FreeBSD Jail Preparations

Lets setup the Jail for a start.

# mkdir -p /jail/fbsdjail /jail/BASE

# cd /jail/fbsdjail

# fetch -o /jail/BASE/13.1-RELEASE-base.txz https://download.freebsd.org/ftp/releases/amd64/13.1-RELEASE/base.txz

# tar --unlink -xvf ../BASE/13.1-RELEASE-base.txz

# cat << EOF > /etc/jail.conf
# GLOBAL
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  exec.consolelog = "/var/log/jail_${name}_console.log";
  mount.devfs;
  host.hostname = ${name};
  path = /jail/${name};

# JAILS
  fbsdjail {
    ip4.addr = 10.0.0.43;
    host.hostname = fbsdjail.vercorp.org;
    interface = wlan0;
    allow.raw_sockets;
    allow.sysvipc;
  }
EOF

# cat /etc/resolv.conf | tee /jail/fbsdjail/etc/resolv.conf
nameserver 10.0.0.1

# echo 10.0.0.43 fbsdjail.vercorp.org fbsdjail | tee -a /etc/hosts | tee -a /jail/fbsdjail/etc/hosts

# cat /etc/hosts /jail/fbsdjail/etc/hosts
10.0.0.43 fbsdjail.vercorp.org fbsdjail
10.0.0.43 fbsdjail.vercorp.org fbsdjail

# cat << EOF > /jail/fbsdjail/etc/rc.conf
# DAEMONS | yes
  syslogd_flags="-ss"
  sshd_enable=YES

# OTHER
  clear_tmp_enable=YES
  clear_tmp_X=YES
  dumpdev=NO
  update_motd=NO
EOF

# sed -i '' s/quarterly/latest/g /jail/fbsdjail/etc/pkg/FreeBSD.conf

# grep latest /jail/fbsdjail/etc/pkg/FreeBSD.conf
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

Now we can start our FreeBSD Jail.

# service jail onestart fbsdjail
Starting jails: fbsdjail.

# jls
   JID  IP Address      Hostname                      Path
     1  10.0.0.43       fbsdjail.vercorp.org          /jail/fbsdjail

# jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     1  fbsdjail.vercorp.org          /jail/fbsdjail
        fbsdjail                      ACTIVE
        3
        10.0.0.43

# jexec fbsdjail

root@fbsdjail:/ #

Our FreeBSD Jail works. Lets move to next steps.

Configure FreeBSD Jail to Connect to FreeIPA/IDM Server

I could not repaste all of the instructions above – the ones that we used for a ‘full’ FreeBSD system – but the same applies to a FreeBSD Jail. πŸ™‚

This means that earlier Basic FreeBSD Jail Preparations section covers all that is needed in case of ‘full’ FreeBSD versus FreeBSD Jail when it comes to the FreeIPA/IDM connection.

Linux FreeIPA/IDM Client

This article is not about Linux client – which is pretty straight-forward to connect to the FreeIPA/IDM server – but for the completness of the topic – here are the instructions I used to attach Alma Linux to the FreeIPA/IDM server.

Linux rhlike.vercorp.org system.

      IP: 10.0.0.41/24
      GW: 10.0.0.1
hostname: rhlike.vercorp.org

First – install the @idm:client and sssd packages.

client # yum -y install @idm:client sssd

FreeIPA/IDM Setup Part

Now – as earlier with FreeBSD – the FreeIPA/IDM part comes to play.

[root@idm ~]# kinit admin
Password for admin@VERCORP.ORG:

[root@idm ~]# klist
Ticket cache: KCM:0
Default principal: admin@VERCORP.ORG

Valid starting       Expires              Service principal
10/19/2022 13:33:52  10/20/2022 13:11:28  krbtgt/VERCORP.ORG@VERCORP.ORG

[root@idm ~]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@VERCORP.ORG, root@VERCORP.ORG
  UID: 1896600000
  GID: 1896600000
  Account disabled: False

  User login: vermaden
  First name: vermaden
  Last name: vermaden
  Home directory: /home/vermaden
  Login shell: /bin/sh
  Principal name: vermaden@VERCORP.ORG
  Principal alias: vermaden@VERCORP.ORG
  Email address: vermaden@vercorp.org
  UID: 1896600003
  GID: 1000
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@idm ~]# id vermaden
uid=1408200003(vermaden) gid=1408200000(admins) groups=1408200000(admins)

[root@idm ~]# ipa dnsrecord-add vercorp.org rhlike --a-rec 10.0.0.41
  Record name: rhlike
  A record: 10.0.0.41

We are done on the FreeIPA/IDM side.

Linux FreeIPA/IDM Client Setup

We will now continue our work on the Linux client.

client # echo "10.0.0.40   idm.vercorp.org"    >> /etc/hosts

client # echo "10.0.0.41   rhlike.vercorp.org" >> /etc/hosts

client # hostnamectl set-hostname rhlike.vercorp.org

client # cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.40   idm.vercorp.org
10.0.0.41   rhlike.vercorp.org

client # ipa-client-install --uninstall

client # ipa-client-install \
           --hostname=rhlike.vercorp.org \
           --mkhomedir \
           --server=idm.vercorp.org \
           --domain vercorp.org \
           --realm VERCORP.ORG

This program will set up IPA client.
Version 4.9.8

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: rhlike.vercorp.org
Realm: VERCORP.ORG
DNS Domain: vercorp.org
IPA Server: idm.vercorp.org
BaseDN: dc=vercorp,dc=org

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@VERCORP.ORG:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=VERCORP.ORG
    Issuer:      CN=Certificate Authority,O=VERCORP.ORG
    Valid From:  2022-10-18 14:52:50
    Valid Until: 2042-10-18 14:52:50

Enrolled in IPA realm VERCORP.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm VERCORP.ORG
Systemwide CA database updated.
Hostname (rhlike.vercorp.org) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host rhlike.vercorp.org: 10.0.0.41.
Missing reverse record(s) for address(es): 10.0.0.41.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring vercorp.org as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

client # reboot

Now we will test how it goes with login against the FreeIPA/IDM server.

laptop % ssh -l vermaden 10.0.0.41
(vermaden@10.0.0.41) Password:
(vermaden@10.0.0.41) Password expired. Change your password now.
Current Password:
(vermaden@10.0.0.41) New password:
(vermaden@10.0.0.41) Retype new password:
Last failed login: Wed Oct 19 00:47:57 CEST 2022 from 10.0.0.3 on ssh:notty
There was 1 failed login attempt since the last successful login.
/usr/bin/id: cannot find name for group ID 1000

[vermaden@rhlike ~]$ w
 00:48:16 up 29 min,  2 users,  load average: 0.22, 0.13, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.0.0.3         00:40   58.00s  0.03s  0.03s -bash
vermaden pts/1    10.0.0.3         00:48    0.00s  0.02s  0.01s w

[vermaden@rhlike ~]$ sudo su -

[root@rhlike ~]# getent passwd admin
admin:*:1896600000:1896600000:Administrator:/home/admin:/bin/bash

[root@rhlike ~]# getent passwd vermaden
vermaden:*:1896600003:1000:vermaden vermaden:/home/vermaden:/bin/sh

Seems to work at least OK πŸ™‚

I do not have anything more to add to this guide.

If you have – then please let me know in comments πŸ™‚

Regards.

EOF

FreeBSD Cope with WiFi Fuckup

I really wanted the name of this article does not sound dramatically but I was not able to invent any other title … none the less the wireless/WiFi topic can be problematic on the FreeBSD land. Its a known feat of FreeBSD that is does its job best at the server room and that laptop/desktop based configurations tend to need some ‘love’ to be usable. The worst thing of that part is lack of WiFi kernel drivers at all or slower then possible speed like 802.11g on 802.11n capable chips – often as old as 11 years old Intel Ultimate-N 6300 450Mbps card that runs only at 802.11g speed on FreeBSD. The aim of this article is to show you the alternatives and possibilities when it comes to wireless and/or WiFi problems that you may encounter on FreeBSD UNIX system.

Replace Unsupported Hardware

Assuming your laptop came with WiFi card that is not supported at all by FreeBSD drivers – one of the options can be to replace the mSATA or M.2 card with the supported one. It may be difficult because of BIOS blacklisting/whitelisting so there is possibility that it may be needed to flash your laptop/system with a hacked BIOS that does not have this blacklisting/whitelisting and allows ALL possible chips to be installed into it. This may be sometimes not possible of course and it really PITA that some/many manufacturers create such blacklisting/whitelisting bullshit without any reasonable reason then money heist.

Tiny USB WiFi Dongle

If your WiFi card is not supported at all and its not possible to replace it with mSATA and/or M.2 WiFi chip then you may use some tiny USB WiFi dongle with – for example – Realtek RTL8188CUS chip – which is supported on FreeBSD. While the chip itself is 802.11n 150Mbps capable the FreeBSD drivers only support 802.11g mode on it – but its still better then none connectivity at all.

Such tiny USB dongle can be shown below.

realtek

The more in depth article about that Realtek RTL8188CUS chip is available here –Β Realtek RTL8188CUS – USB 802.11n WiFi ReviewΒ – in one of my earlier articles.

Smartphone USB Tethering

One of the alternative possibilities is to use your smartphone with USB cable to provide the Internet connection. The main benefit of this approach is that you probably always have your smartphone with you anyway. The only additional needed/missing part is the USB cable (which is not that a problem anyway once you order it). This comes handy in more then one way. The first and obvious way is to just use that smartphone with USB cable attached to your FreeBSD to provide Internet connection no matter if that smartphone provides that connection using LTE/4G connection or WiFi connection to some WiFi hotspot. Another reason why this setup comes handy is when you have your WiFi chipset supported … and still are not able to connect to some WiFi hotspot. Recently I was at my buddy’s home where he had open WiFi network available. My phone connected to it without a problem but FreeBSD with 11 years old Intel 6300 card … was not able to connect to it no matter what. To be precise the wpa_supplicant(8) showed the CTRL-EVENT-CONNECTED status but the dhclient was not able to get the IP for some reason. This is where my smartphone came handy as it was able to connect to that open unencrypted network and FreeBSD used it by the USB tethering method. Below I will show you how to use the USB tethering on FreeBSD.

The first thing is to attach your smartphone by USB cable to your FreeBSD system. After you have done that you will need to configure your smartphone to enable USB tethering. Below you will find such configuration for Android smartphone.

usb-tethering

After you have chosen these settings you wull see the ue0 device in your ifconfig(8) interfaces listing.

% ifconfig
em0: flags=8c22<broadcast,oactive,simplex,multicast> metric 0 mtu 1500
        options=481249b<rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,lro,wol_magic,vlan_hwfilter,nomap>
        ether f0:de:f1:68:bc:ab
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<performnud,ifdisabled,auto_linklocal>
lo0: flags=8049<up,loopback,running,multicast> metric 0 mtu 16384
        options=680003<rxcsum,txcsum,linkstate,rxcsum_ipv6,txcsum_ipv6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1/8
        groups: lo
        nd6 options=21<performnud,auto_linklocal>
vboxnet0: flags=8802<broadcast,simplex,multicast> metric 0 mtu 1500
        ether 0a:00:27:00:00:00
        media: Ethernet autoselect
        status: active
        nd6 options=29<performnud,ifdisabled,auto_linklocal>
ue0: flags=8802<broadcast,simplex,multicast> metric 0 mtu 1500
        ether 02:2a:71:6a:08:01
        nd6 options=29<performnud,ifdisabled,auto_linklocal>

The next (and last) step is to use dhclient(8) daemon to acquire the IP address using DHCP. Here is the command I used.

# dhclient ue0
DHCPDISCOVER on ue0 to 255.255.255.255 port 67 interval 4
DHCPOFFER from 192.168.73.209
DHCPREQUEST on ue0 to 255.255.255.255 port 67
DHCPACK from 192.168.73.209
bound to 192.168.73.16 -- renewal in 1799 seconds.

You can now test your connection with ping(8) command for example.

% ping -c 1 e.pl
PING e.pl (195.46.43.240): 56 data bytes
64 bytes from 195.46.43.240: icmp_seq=0 ttl=53 time=65.638 ms

--- e.pl ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 65.638/65.638/65.638/0.000 ms

You can now see that you got the needed IP address on your ue0 interface.

% ifconfig ue0
ue0: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
        ether 02:2a:71:6a:08:01
        inet 192.168.73.16/24 broadcast 192.168.73.255
        nd6 options=29<performnud,ifdisabled,auto_linklocal>
</performnud,ifdisabled,auto_linklocal></up,broadcast,running,simplex,multicast>

This means that your Internet connection over USB tethering is functional.

One of the additional benefits of this approach is that USB connection also provides the power to your smartphone – which means that you only need one cable for both Internet connection and power for the smartphone device.

Mobile Router with RJ45 Cable

There is also additional option available and it provides similar possibilities to USB tethering – its using some mobile wireless router what would connect to LTE/4G network or some WiFi access point and will also have RJ45 socket so you will be able to connect to it with the RJ45 port on your laptop/desktop FreeBSD system.

You can find many such devices in real cheap price such as Overmax 3G or RAVPower RP-WD03-BK to name some. They come in $15 to $30 price range which should be marked as affordable for most people. Additional bonus from these devices is that they also serve as powerbank function. Also being powered its not needed to also power them up all the time – as the often allow for whole day function on the battery itself.

The Overmax 3G device is shown below.

overmax-3g

The RAVPower RP-WD03-BK is shown below.

ravpower

Bhyve wifibox VM

There is also one additional way to get your WiFi connection – use bhyve(8) virtualization. With wifibox you will deploy Linux VM – and use Linux wireless drivers for the card that may be unsupported on FreeBSD system. It works because of bhyve(8) PCI passthrough feature. You just pass the WiFi card directly to Linux VM.

The biggest advantage of wifibox is that everything is shipped in single FreeBSD package that can be easily installed and removed. You will just have to add wifibox package with pkg(8) – the FreeBSD package manager.

It also comes with rc(8) service script that automatically starts that Linux VM upon FreeBSD boot – and stops gracefully on shutdown.

Summary

What works best? To be honest its still more convenient to use builtin WiFi chip even at slower 802.11g speeds then using any other methods described in this article. Next one is using the mobile router with RJ45 cable. The next one (and somewhat slower one) is the USB tethering method – but while slower I was able to successfully post that article using it – so its not a major drawback. At the least one is using the wifibox way. Its generally up to You – what makes less PITA for you.

I of course hope that WiFi will get some more love in the FreeBSD land and that such ‘strange’ methods would not be needed to ‘just’ connect to the Internet.

Regards.

Desktop Environments Resource Usage Comparison

Some of them use more RAM. Some less. Today in a rather simplified benchmark I will check some popular desktop environments for their RAM usage. I recently came to see some more or less old comparisons of various desktop environments RAM usage.

They were focused on difference between XFCE and KDE/Plasma environments. I am used to idea that XFCE is smaller and lighter of the two – so it should be also lighter on resources – but these two movies state that they RAM usage is similar and sometimes even KDE/Plasma is lighter. These results seemed strange to me so I wanted to test them under latest FreeBSD 13.1-RELEASE UNIX system.

Example XFCE on FreeBSD desktop screenshot from the XFCE Cupertino Way article.

xfce-ghostbsd

Upon some popular demand I also added GNOME (the 42 version) to the comparison.

Today we will test these desktop environments:

  • XFCE (4.16)
  • MATE (1.26)
  • KDE/Plasma (5.24)
  • Openbox (3.6)
  • GNOME (42)

We all know that Openbox is just a window manager but I wanted to include it here just from comparison.

Test Environment and Process

To save time I used VirtualBox virtual machine for the purpose of these simplified benchmarks. For that purpose he created VM had:

  • 1 x CPU
  • 8 GB RAM
  • 128 MB GPU Memory
  • 30 GB Disk

After installing the vanilla FreeBSD 13.1-RELEASE I switched to the latest pkg(8) repository. Then I added needed packages:

# pkg install xorg xfce kde5 mate openbox dzen2 tint2 xbindkeys xterm geany gnome

All of the desktop environments and their dependencies were installed on that test machine. The main FreeBSD config at /etc/rc.conf file had following contents.

% cat /etc/rc.conf
hostname="freebsd"
ifconfig_em0="DHCP"
sshd_enable="YES"
moused_enable="YES"
powerd_enable="YES"
dumpdev="AUTO"
zfs_enable="YES"
dbus_enable="YES"

The only thing I added after installation was the dbus service startup. I did not changed any settings in these environments. The were compared at their default settings.

The test was rather simple and naive but these were the tasks that I done on each of them.

  • Run gstat(8) command in terminal application.
  • Display /etc/ in file manager with scroll to end of display of dir.
  • Open /etc/ssh/moduli file in text editor with scroll to end of file.

These were different for various environments:

XFCE

  • xfce4-terminal
  • thunar
  • mousepad

MATE

  • mate-terminal
  • caja
  • pluma

KDE/Plasma

  • konsole
  • dolphin
  • kate

Openbox

  • xterm
  • caja
  • geany

GNOME

  • gnome-terminal
  • nautilus
  • gedit

I powered off that FreeBSD machine before each test – so each test looked like:

  • boot cold FreeBSD system
  • login into system (in text console)
  • type xinit(1) command
  • do the 3 defined tasks

Each desktop environment had different ~/.xinitrc file. Below you will find their contents.

% cat ~/.xinitrc.xfce
. /usr/local/etc/xdg/xfce4/xinitrc

% cat ~/.xinitrc.mate
exec ck-launch-session mate-session

% cat ~/.xinitrc.kde
exec ck-launch-session startplasma-x11

% cat ~/.xinitrc.openbox
dzen2 &
tint2 &
xbindkeys &
exec openbox

% cat ~/.xinitrc.gnome
exec gnome-session

Each of them were started like that:

% xinit ~/.xinitrc.xfce

% xinit ~/.xinitrc.mate

% xinit ~/.xinitrc.kde

% xinit ~/.xinitrc.openbox

% xinit ~/.xinitrc.gnome

RAM Usage Results

To be honest I was surprised by the results.

Clean Text Console FreeBSD

The text console of FreeBSD 13.1-RELEASE system used about 97 MB of RAM. That result is the sum of the RES column from the top(1) command.

Below you will find the top(1) output for FreeBSD text console only system.

% top -b -o res 1000
last pid:   871;  load averages:  1.92,  0.90,  0.36; battery: 99%  up 0+00:01:09    00:34:01
28 processes:  2 running, 26 sleeping
CPU:  2.0% user,  0.0% nice,  3.7% system,  0.2% interrupt, 94.0% idle
Mem: 18M Active, 21M Inact, 138M Wired, 40K Buf, 7746M Free
ARC: 43M Total, 18M MFU, 23M MRU, 335K Header, 1556K Other
     20M Compressed, 61M Uncompressed, 3.09:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  852 vermaden      1  20    0    21M  9492K RUN      0:00   0.00% sshd
  849 root          1  33    0    21M  9300K select   0:00   0.00% sshd
  799 root          1  22    0    21M  8208K select   0:00   0.00% sshd
  817 root          1  20    0    18M  7140K select   0:00   0.00% sendmail
  820 smmsp         1  52    0    18M  6704K pause    0:00   0.00% sendmail
  749 messagebus    1  52    0    14M  3648K select   0:00   0.00% dbus-daemon
  853 vermaden      1  20    0    13M  3256K wait     0:00   0.00% sh
  871 vermaden      1  20    0    14M  3220K RUN      0:00   0.00% top
  846 vermaden      1  52    0    13M  3208K ttyin    0:00   0.00% sh
  838 root          1  25    0    13M  3100K wait     0:00   0.00% login
  463 _dhcp         1  52    0    13M  2828K select   0:00   0.00% dhclient
  668 root          1  20    0    13M  2748K select   0:00   0.00% syslogd
  830 root          1  52    0    13M  2736K wait     0:00   0.00% sh
  402 root          1  52    0    13M  2708K select   0:00   0.00% dhclient
  399 root          1  52    0    13M  2632K select   0:00   0.00% dhclient
  802 root          1  20    0    13M  2516K nanslp   0:00   0.00% cron
  831 root          1  52    0    13M  2440K piperd   0:00   0.00% logger
  754 root          1  52    0    13M  2380K select   0:00   0.00% moused
  837 root          1  52    0    13M  2316K select   0:00   0.00% logger
  842 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  845 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  843 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  844 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  841 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  839 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  840 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  833 root          1  52    0    12M  2080K nanslp   0:00   0.00% sleep
  464 root          1  20    0    11M  1540K select   0:00   0.00% devd

XFCE

Next one is XFCE and it used about 1548 MB of RAM.

Below you will find the top(1) output for XFCE.

% top -b -o res 1000
last pid:  1076;  load averages:  0.58,  0.84,  0.51; battery: 99%  up 0+00:07:06    00:31:07
71 processes:  2 running, 69 sleeping
CPU:  7.6% user,  0.1% nice,  6.5% system,  1.1% interrupt, 84.8% idle
Mem: 292M Active, 337M Inact, 389M Wired, 56K Buf, 6897M Free
ARC: 240M Total, 98M MFU, 133M MRU, 1762K Header, 7212K Other
     194M Compressed, 461M Uncompressed, 2.37:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  945 vermaden      3  20    0   344M   251M select   0:11   0.00% Xorg
 1010 vermaden      4  20    0   311M   121M select   0:01   0.00% kgpg
 1004 vermaden      5  20    0   196M   100M select   0:04   0.00% xfwm4
 1008 vermaden      4  20    0   130M    92M select   0:01   0.00% xfdesktop
  948 vermaden      4  20    0   172M    76M select   0:04   0.00% xfce4-session
 1012 vermaden      6  40   19   160M    63M select   0:00   0.00% tumblerd
 1064 vermaden      5  21    0    89M    59M select   0:05   0.00% mousepad
 1013 vermaden      3  20    0   130M    52M select   0:00   0.00% kalendarac
 1007 vermaden      4  24    0    75M    51M select   0:04   0.00% thunar
 1006 vermaden      4  20    0    75M    48M select   0:04   0.00% xfce4-panel
 1056 vermaden      4  20    0    69M    42M select   0:01   0.00% xfce4-terminal
 1020 vermaden      4  20    0    65M    41M select   0:00   0.00% wrapper-2.0
 1021 vermaden      4  20    0    65M    41M select   0:00   0.00% wrapper-2.0
 1022 vermaden      4  20    0    52M    32M select   0:00   0.00% wrapper-2.0
 1005 vermaden      4  20    0    49M    30M select   0:02   0.00% xfsettingsd
 1019 vermaden      4  20    0    46M    30M select   0:00   0.00% wrapper-2.0
 1027 vermaden      3  40   19   256G    29M select   0:00   0.00% baloo_file
 1009 vermaden      4  20    0    46M    28M select   0:00   0.00% xfce4-power-manager
  975 polkitd       7  20    0  2125M    27M select   0:01   0.00% polkitd
 1029 vermaden      4  20    0    45M    27M select   0:00   0.00% xfce4-notifyd
  977 vermaden      5  20    0    49M    26M select   0:01   0.00% mate-screensaver
  983 root          7  20    0    64M    16M select   0:01   0.00% bsdisks
  981 vermaden      5  20    0    27M    11M select   0:00   0.00% gvfs-udisks2-volume
 1067 vermaden      5  20    0    24M    10M select   0:00   0.00% gvfsd-network
 1038 vermaden      4  20    0    27M    10M select   0:00   0.00% gvfsd-trash
 1070 vermaden      4  20    0    24M    10M select   0:00   0.00% gvfsd-dnssd
 1063 vermaden      4  20    0    24M    10M select   0:00   0.00% gvfsd-computer
  865 vermaden      1  20    0    21M  9492K RUN      0:00   0.00% sshd
 1042 vermaden      2  22    0    86M  9440K select   0:00   0.00% pulseaudio
  862 root          1  28    0    21M  9264K select   0:00   0.00% sshd
  979 vermaden      4  32    0    24M  8836K select   0:00   0.00% gvfsd
  973 vermaden      4  20    0    21M  8712K select   0:00   0.00% at-spi2-registryd
  966 vermaden      5  20    0    21M  8296K select   0:00   0.00% at-spi-bus-launcher
  972 root         16  20    0    24M  8256K select   0:00   0.00% console-kit-daemon
  815 root          1  22    0    21M  8208K select   0:00   0.00% sshd
  991 vermaden      5  20    0    21M  7948K select   0:00   0.00% gvfs-gphoto2-volume
 1044 root          4  22    0    20M  7916K select   0:00   0.00% accounts-daemon
 1040 vermaden      4  20    0    19M  7460K select   0:00   0.00% gvfsd-metadata
 1017 root          4  20    0    19M  7452K select   0:00   0.00% upowerd
  988 vermaden      5  20    0    19M  7208K select   0:00   0.00% gvfs-mtp-volume-mon
  833 root          1  20    0    18M  7140K select   0:00   0.00% sendmail
 1066 vermaden      4  20    0    19M  7004K select   0:00   0.00% dconf-service
  969 vermaden      4  20    0    19M  6936K select   0:00   0.00% xfconfd
  998 vermaden      1  21    0    18M  6900K select   0:00   0.00% ssh-agent
  836 smmsp         1  52    0    18M  6576K pause    0:00   0.00% sendmail
  960 vermaden      1  20    0    14M  4580K select   0:01   0.00% dbus-daemon
 1003 vermaden      1  20    0    16M  4116K select   0:00   0.00% gpg-agent
  765 messagebus    1  20    0    14M  4100K select   0:00   0.00% dbus-daemon
  955 vermaden      1  23    0    15M  3912K select   0:00   0.00% dbus-launch
  967 vermaden      1  20    0    14M  3812K select   0:01   0.00% dbus-daemon
 1058 vermaden      1  20    0    14M  3772K nanslp   0:00   0.00% gstat
 1076 vermaden      1  20    0    14M  3464K RUN      0:00   0.00% top
 1057 vermaden      1  28    0    13M  3276K wait     0:00   0.00% sh
  866 vermaden      1  20    0    13M  3256K wait     0:00   0.00% sh
  941 vermaden      1  20    0    13M  3212K wait     0:00   0.00% sh
  854 root          1  20    0    13M  3136K wait     0:00   0.00% login
  944 vermaden      1  20    0    14M  3096K wait     0:00   0.00% xinit
  479 _dhcp         1  52    0    13M  2828K select   0:00   0.00% dhclient
  684 root          1  20    0    13M  2748K select   0:00   0.00% syslogd
  418 root          1   4    0    13M  2708K select   0:00   0.00% dhclient
  415 root          1  49    0    13M  2632K select   0:00   0.00% dhclient
  818 root          1  20    0    13M  2516K nanslp   0:00   0.00% cron
  770 root          1  20    0    13M  2404K select   0:00   0.00% moused
  855 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  858 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  861 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  859 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  860 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  856 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  857 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  480 root          1  20    0    11M  1540K select   0:00   0.00% devd

MATE

Next one is MATE and it used about 1361 MB of RAM.

This is first strange thing for me. Keep in mind that MATE is a fork of GNOME 2 which was expected to be heavy compared to light XFCE … at least more then a decade ago. Seems that now MATE developers are doing better job then XFCE devs πŸ™‚

Below you will find the top(1) output for MATE.

% top -b -o res 1000
last pid:   966;  load averages:  1.75,  1.02,  0.43; battery: 99%  up 0+00:01:53    00:40:42
66 processes:  2 running, 64 sleeping
CPU: 25.7% user,  0.0% nice,  8.9% system,  0.4% interrupt, 65.0% idle
Mem: 279M Active, 269M Inact, 381M Wired, 56K Buf, 6986M Free
ARC: 230M Total, 88M MFU, 131M MRU, 1753K Header, 8250K Other
     183M Compressed, 435M Uncompressed, 2.37:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  857 vermaden      3  23    0   344M   246M select   0:08   7.96% Xorg
  922 vermaden      4  20    0   311M   122M select   0:01   0.00% kgpg
  869 vermaden      5  20    0   172M    77M select   0:01   0.00% mate-session
  913 vermaden      6  20    0    92M    68M select   0:03   0.00% caja
  961 vermaden      5  29    0    91M    59M select   0:07  15.97% pluma
  951 vermaden      5  20    0    86M    55M select   0:01   0.00% mate-terminal
  919 vermaden      3  20    0   130M    52M select   0:00   0.00% kalendarac
  911 vermaden      5  20    0    74M    49M select   0:01   0.00% mate-panel
  941 vermaden      5  20    0    70M    45M select   0:00   0.00% notification-area-a
  902 vermaden      5  20    0    70M    44M select   0:01   0.00% marco
  917 vermaden      4  20    0    66M    43M select   0:00   0.00% mate-volume-control
  899 vermaden      6  20    0    60M    38M select   0:02   0.00% mate-settings-daemo
  939 vermaden      5  20    0    60M    38M select   0:00   0.00% clock-applet
  927 vermaden      5  20    0    57M    37M select   0:00   0.00% wnck-applet
  921 vermaden      5  20    0    55M    35M select   0:00   0.00% mate-power-manager
  915 vermaden      5  20    0    50M    32M select   0:00   0.00% mate-screensaver
  864 polkitd       7  20    0  2125M    27M select   0:00   0.00% polkitd
  914 vermaden      4  20    0    44M    26M select   0:00   0.00% polkit-mate-authent
  883 root          7  52    0    64M    16M select   0:00   0.00% bsdisks
  881 vermaden      5  20    0    27M    12M select   0:00   0.00% gvfs-udisks2-volume
  962 vermaden      5  20    0    24M    11M select   0:00   0.00% gvfsd-network
  965 vermaden      4  20    0    24M    10M select   0:00   0.00% gvfsd-dnssd
  954 vermaden      4  20    0    24M    10M select   0:00   0.00% gvfsd-computer
  929 vermaden      4  20    0    26M    10M select   0:00   0.00% gvfsd-trash
  852 vermaden      1  20    0    21M  9480K RUN      0:00   0.00% sshd
  931 vermaden      2  21    0    86M  9396K select   0:00   0.00% pulseaudio
  849 root          1  30    0    21M  9300K select   0:00   0.00% sshd
  879 vermaden      4  28    0    24M  9180K select   0:00   0.00% gvfsd
  901 vermaden      4  20    0    21M  8860K select   0:00   0.00% at-spi2-registryd
  895 vermaden      5  20    0    21M  8272K select   0:00   0.00% gvfs-gphoto2-volume
  862 root         16  20    0    24M  8244K select   0:00   0.00% console-kit-daemon
  799 root          1  23    0    21M  8208K select   0:00   0.00% sshd
  875 vermaden      5  20    0    21M  8128K select   0:00   0.00% at-spi-bus-launcher
  956 vermaden      4  20    0    19M  7704K select   0:00   0.00% gvfsd-metadata
  893 vermaden      5  20    0    19M  7544K select   0:00   0.00% gvfs-mtp-volume-mon
  924 root          4  20    0    19M  7524K select   0:00   0.00% upowerd
  817 root          1  20    0    18M  7140K select   0:00   0.00% sendmail
  897 vermaden      4  20    0    19M  6936K select   0:00   0.00% dconf-service
  820 smmsp         1  52    0    18M  6700K pause    0:00   0.00% sendmail
  912 vermaden      1  20    0    17M  4892K piperd   0:00   0.00% libgtop_server2
  873 vermaden      1  20    0    14M  4164K select   0:00   0.00% dbus-daemon
  860 vermaden      1  22    0    17M  4124K wait     0:00   0.00% ck-launch-session
  876 vermaden      1  20    0    14M  4004K select   0:01   0.00% dbus-daemon
  749 messagebus    1  20    0    14M  3984K select   0:00   0.00% dbus-daemon
  872 vermaden      1  20    0    15M  3912K select   0:00   0.00% dbus-launch
  953 vermaden      1  20    0    14M  3708K nanslp   0:00   0.00% gstat
  966 vermaden      1  20    0    14M  3392K RUN      0:00   0.00% top
  853 vermaden      1  20    0    13M  3248K wait     0:00   0.00% sh
  846 vermaden      1  21    0    13M  3212K wait     0:00   0.00% sh
  952 vermaden      1  38    0    13M  3208K wait     0:00   0.00% sh
  838 root          1  25    0    13M  3100K wait     0:00   0.00% login
  856 vermaden      1  20    0    14M  3096K wait     0:00   0.00% xinit
  463 _dhcp         1  52    0    13M  2828K select   0:00   0.00% dhclient
  668 root          1  20    0    13M  2748K select   0:00   0.00% syslogd
  402 root          1  52    0    13M  2708K select   0:00   0.00% dhclient
  399 root          1  52    0    13M  2632K select   0:00   0.00% dhclient
  802 root          1  20    0    13M  2516K nanslp   0:00   0.00% cron
  754 root          1  20    0    13M  2404K select   0:00   0.00% moused
  839 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  845 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  841 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  843 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  842 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  844 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  840 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  464 root          1  20    0    11M  1540K select   0:00   0.00% devd

KDE/Plasma

Next one is KDE/Plasma and without surprise (at least for me) it uses more RAM then other desktop environments – about 2843 MB of RAM – that is more then twice as much as MATE and almost twice as much as XFCE.

Below you will find the top(1) output for KDE/Plasma.

% top -b -o res 1000
last pid:  1075;  load averages:  2.10,  1.56,  0.79; battery: 99%  up 0+00:05:22    00:38:14
67 processes:  2 running, 65 sleeping
CPU: 30.8% user,  0.1% nice,  8.8% system,  0.2% interrupt, 60.0% idle
Mem: 530M Active, 316M Inact, 441M Wired, 56K Buf, 6633M Free
ARC: 272M Total, 119M MFU, 139M MRU, 2012K Header, 12M Other
     211M Compressed, 514M Uncompressed, 2.44:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  935 vermaden     12  21    0   588M   298M select   0:22   0.00% plasmashell
  874 vermaden      3  23    0   344M   241M select   0:15   9.96% Xorg
 1065 vermaden      7  30    0   365M   190M select   0:12  15.97% kate
  918 vermaden      5  31    0   376M   179M select   0:22  15.97% kwin_x11
 1035 vermaden      8  20    0   320M   156M select   0:03   0.00% dolphin
 1029 vermaden      3  20    0   312M   150M select   0:02   0.00% konsole
  959 vermaden      4  20    0   314M   143M select   0:01   0.00% kgpg
 1063 vermaden      5  52    0   304M   140M select   0:02   0.00% kioslave5
 1073 vermaden      4  20    0   303M   139M select   0:01   0.00% kioslave5
  916 vermaden     11  20    0   179M    84M select   0:02   0.00% kded5
  958 vermaden      3  20    0   147M    67M select   0:01   0.00% kalendarac
  944 vermaden      4  20    0   174M    63M select   0:01   0.00% DiscoverNotifier
  941 vermaden      6  20    0   130M    58M select   0:01   0.00% polkit-kde-authenti
  920 vermaden      4  20    0   131M    58M select   0:01   0.00% ksmserver
  940 vermaden      7  20    0   118M    56M select   0:01   0.00% org_kde_powerdevil
  942 vermaden      3  20    0   128M    56M select   0:01   0.00% kaccess
  922 vermaden      3  20    0   127M    55M select   0:01   0.00% kglobalaccel5
  968 vermaden      7  20    0   104M    47M select   0:01   0.00% kactivitymanagerd
  905 vermaden      3  20    0   127M    45M select   0:00   0.00% klauncher
  901 vermaden      3  26    0   113M    43M select   0:00   0.00% plasma_session
  904 vermaden      1  20    0   112M    41M select   0:00   0.00% kdeinit5
  885 vermaden      3  38    0   113M    41M select   0:00   0.00% startplasma-x11
 1041 vermaden      2  42    0    88M    37M select   0:00   0.00% kioslave5
 1069 vermaden      1  23    0   256G    37M select   0:00   0.00% kioslave5
 1039 vermaden      1  36    0   256G    37M select   0:00   0.00% kioslave5
 1027 vermaden      1  36    0   256G    36M select   0:00   0.00% kioslave5
  997 vermaden      3  28    0    86M    35M select   0:00   0.00% kioslave5
  943 vermaden      3  40   19   256G    32M select   0:00   0.00% baloo_file
  945 vermaden      4  20    0    87M    32M select   0:00   0.00% gmenudbusmenuproxy
  939 vermaden      3  20    0    83M    30M select   0:00   0.00% xembedsniproxy
  976 vermaden      3  20    0    76M    28M select   0:00   0.00% kscreen_backend_lau
  881 polkitd       7  20    0  2125M    27M select   0:00   0.00% polkitd
  926 root          7  20    0    67M    19M select   0:00   0.00% bsdisks
  966 vermaden      2  20    0    86M  9520K select   0:00   0.00% pulseaudio
  852 vermaden      1  20    0    21M  9512K RUN      0:00   0.00% sshd
  849 root          1  33    0    21M  9300K select   0:00   0.00% sshd
  879 root         16  20    0    24M  8320K select   0:00   0.00% console-kit-daemon
  799 root          1  22    0    21M  8208K select   0:00   0.00% sshd
  937 root          4  20    0    19M  7404K select   0:00   0.00% upowerd
  817 root          1  20    0    18M  7140K select   0:00   0.00% sendmail
  982 vermaden      4  20    0    19M  6732K select   0:00   0.00% dconf-service
  820 smmsp         1  52    0    18M  6704K pause    0:00   0.00% sendmail
  749 messagebus    1  20    0    14M  4452K select   0:00   0.00% dbus-daemon
  896 vermaden      1  28    0    15M  4252K select   0:00   0.00% dbus-launch
  897 vermaden      1  20    0    14M  4164K select   0:01   0.00% dbus-daemon
  877 vermaden      1  21    0    17M  4124K wait     0:00   0.00% ck-launch-session
 1034 vermaden      1  20    0    14M  3836K nanslp   0:00   0.00% gstat
 1075 vermaden      1  20    0    14M  3392K RUN      0:00   0.00% top
  853 vermaden      1  20    0    13M  3256K wait     0:00   0.00% sh
 1032 vermaden      1  26    0    13M  3232K wait     0:00   0.00% sh
  846 vermaden      1  20    0    13M  3212K wait     0:00   0.00% sh
  838 root          1  25    0    13M  3100K wait     0:00   0.00% login
  873 vermaden      1  20    0    14M  3096K wait     0:00   0.00% xinit
  463 _dhcp         1  52    0    13M  2828K select   0:00   0.00% dhclient
  668 root          1  20    0    13M  2748K select   0:00   0.00% syslogd
  402 root          1  52    0    13M  2708K select   0:00   0.00% dhclient
  399 root          1  52    0    13M  2632K select   0:00   0.00% dhclient
  802 root          1  20    0    13M  2516K nanslp   0:00   0.00% cron
  754 root          1  20    0    13M  2404K select   0:01   0.00% moused
  842 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  845 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  843 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  844 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  841 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  839 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  840 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  464 root          1  20    0    11M  1540K select   0:00   0.00% devd

Openbox

Not really a desktop environment but just for the sake of comparison I wanted to check it. With the default ‘ugly’ settings it consumed about 614 MB or RAM.

Below you will find the top(1) output for Openbox.

% top -b -o res 1000
last pid:   991;  load averages:  0.66,  0.77,  0.43; battery: 99%  up 0+00:04:35    00:52:31
43 processes:  1 running, 41 sleeping, 1 stopped
CPU:  8.8% user,  0.0% nice,  3.8% system,  0.5% interrupt, 86.9% idle
Mem: 126M Active, 196M Inact, 391M Wired, 40K Buf, 7210M Free
ARC: 210M Total, 78M MFU, 120M MRU, 1783K Header, 10M Other
     164M Compressed, 374M Uncompressed, 2.28:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  894 vermaden      3  20    0   307M   217M select   0:02   0.00% Xorg
  942 vermaden      6  20    0   208M   112M select   0:02   0.00% caja
  981 vermaden      3  20    0   100M    60M select   0:02   0.00% geany
  897 vermaden      1  20    0    54M    25M select   0:00   0.00% openbox
  898 vermaden      1  20    0    53M    25M select   0:01   0.00% tint2
  939 vermaden      1  20    0    25M    13M select   0:00   0.00% xterm
  916 vermaden      1  20    0    25M    13M select   0:00   0.00% xterm
  986 vermaden      1  20    0    21M  9500K select   0:00   0.00% sshd
  983 root          1  28    0    21M  9360K select   0:00   0.00% sshd
  953 vermaden      4  20    0    21M  9228K select   0:00   0.00% at-spi2-registryd
  949 vermaden      5  49    0    21M  8736K select   0:00   0.00% at-spi-bus-launcher
  934 vermaden      1  20    0    20M  8608K STOP     0:00   0.00% dzen2
  799 root          1  20    0    21M  8208K select   0:00   0.00% sshd
  817 root          1  20    0    18M  7140K select   0:00   0.00% sendmail
  955 vermaden      4  30    0    19M  6916K select   0:00   0.00% dconf-service
  820 smmsp         1  52    0    18M  6636K pause    0:00   0.00% sendmail
  946 vermaden      1  30    0    15M  4380K select   0:00   0.00% dbus-launch
  947 vermaden      1  43    0    14M  3908K select   0:00   0.00% dbus-daemon
  937 vermaden      1  20    0    14M  3760K nanslp   0:00   0.00% gstat
  950 vermaden      1  20    0    14M  3732K select   0:00   0.00% dbus-daemon
  749 messagebus    1  52    0    14M  3648K select   0:00   0.00% dbus-daemon
  991 vermaden      1  22    0    14M  3428K RUN      0:00   0.00% top
  987 vermaden      1  21    0    13M  3316K wait     0:00   0.00% sh
  918 vermaden      1  20    0    13M  3292K wait     0:00   0.00% sh
  941 vermaden      1  22    0    13M  3280K wait     0:00   0.00% sh
  982 vermaden      1  52    0    13M  3272K ttyin    0:00   0.00% sh
  846 vermaden      1  20    0    13M  3212K wait     0:00   0.00% sh
  838 root          1  26    0    13M  3100K wait     0:00   0.00% login
  893 vermaden      1  20    0    14M  3096K wait     0:00   0.00% xinit
  463 _dhcp         1  52    0    13M  2828K select   0:00   0.00% dhclient
  668 root          1  20    0    13M  2748K select   0:00   0.00% syslogd
  402 root          1   4    0    13M  2708K select   0:00   0.00% dhclient
  399 root          1  52    0    13M  2632K select   0:00   0.00% dhclient
  802 root          1  20    0    13M  2516K nanslp   0:00   0.00% cron
  754 root          1  20    0    13M  2404K select   0:00   0.00% moused
  843 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  842 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  845 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  844 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  840 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  839 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  841 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  464 root          1  20    0    11M  1540K select   0:00   0.00% devd


GNOME

GNOME with the same test procedure used 2622 MB of RAM.

Below you will find the top(1) output for GNOME.

% top -b -o res 1000
last pid:  1114;  load averages:  2.62,  1.76,  0.81; battery: 99%  up 0+00:03:38    12:44:58
91 processes:  2 running, 89 sleeping
CPU: 45.9% user,  0.0% nice,  9.1% system,  0.3% interrupt, 44.7% idle
Mem: 531M Active, 560M Inact, 2152K Laundry, 522M Wired, 56K Buf, 6295M Free
ARC: 319M Total, 151M MFU, 156M MRU, 2354K Header, 9740K Other
     266M Compressed, 640M Uncompressed, 2.41:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  904 vermaden      9  23    0  2656M   379M select   0:29   9.96% gnome-shell
  855 vermaden      3  22    0   333M   238M select   0:10   6.98% Xorg
 1040 vermaden     12  20    0   349M   192M select   0:10   0.00% epiphany-search-pro
  962 vermaden      4  20    0   312M   136M select   0:01   0.00% kgpg
 1026 vermaden      8  20    0   215M   125M select   0:01   0.00% gnome-calendar
 1107 vermaden      5  20    0   187M   108M select   0:01   0.00% gnome-control-cente
  958 vermaden      7  20    0   211M    81M select   0:01   0.00% evolution-alarm-not
 1058 vermaden     15  20    0   194M    78M select   0:01   0.00% WebKitNetworkProces
 1071 vermaden      6  20    0   144M    77M select   0:03   0.00% nautilus
 1112 vermaden      5  52    0    85M    59M select   0:13  19.97% gedit
 1065 vermaden      5  20    0   114M    56M select   0:01   0.00% gnome-terminal-serv
  961 vermaden      3  20    0   132M    53M select   0:00   0.00% kalendarac
  917 vermaden      5  20    0   146M    51M select   0:00   0.00% goa-daemon
 1034 vermaden      5  20    0    70M    50M select   0:00   0.00% seahorse
  921 vermaden      7  20    0   109M    48M select   0:00   0.00% evolution-addressbo
  919 vermaden     10  20    0    81M    44M select   0:00   0.00% evolution-calendar-
  912 vermaden      5  20    0    78M    42M select   0:00   0.00% evolution-source-re
  950 vermaden      6  20    0  2134M    39M select   0:00   0.00% gjs-console
  931 vermaden      6  20    0  2134M    39M select   0:00   0.00% gjs-console
  935 vermaden      5  20    0   119M    32M select   0:00   0.00% gsd-media-keys
  939 vermaden      5  20    0    51M    30M select   0:00   0.00% gsd-xsettings
  937 vermaden      5  20    0    49M    30M select   0:00   0.00% gsd-power
  957 vermaden      3  40   19   256G    28M select   0:00   0.00% baloo_file
  907 vermaden      7  20    0    83M    28M select   0:00   0.00% gnome-shell-calenda
  947 vermaden      5  20    0    46M    28M select   0:00   0.00% gsd-keyboard
  994 vermaden      4  20    0    46M    28M select   0:00   0.00% ibus-extension-gtk3
  993 vermaden      4  20    0    46M    27M select   0:00   0.00% ibus-ui-gtk3
  893 polkitd       7  20    0  2125M    27M select   0:00   0.00% polkitd
  965 vermaden      5  20    0    48M    27M select   0:00   0.00% zeitgeist-datahub
  952 vermaden      4  24    0    49M    26M select   0:00   0.00% gsd-printer
  859 vermaden      5  20    0    49M    20M select   0:00   0.00% gnome-session-binar
  874 root          7  20    0    67M    16M select   0:00   0.00% bsdisks
  956 vermaden      4  20    0    27M    14M select   0:00   0.00% ibus-daemon
  942 vermaden      5  20    0    27M    13M select   0:00   0.00% gsd-datetime
  945 vermaden      5  20    0    26M    13M select   0:00   0.00% gsd-sound
  943 vermaden      6  20    0    25M    12M select   0:00   0.00% gsd-smartcard
  940 vermaden      4  20    0    27M    11M select   0:00   0.00% gsd-print-notificat
 1092 vermaden      4  20    0    24M    11M select   0:00   0.00% gvfsd-dnssd
 1082 vermaden      5  20    0    24M    11M select   0:00   0.00% gvfsd-network
  872 vermaden      5  20    0    27M    11M select   0:00   0.00% gvfs-udisks2-volume
 1041 vermaden      4  20    0    24M    11M select   0:00   0.00% gvfsd-trash
 1062 vermaden      4  20    0    24M    11M select   0:00   0.00% gvfsd-burn
  976 vermaden      4  20    0    25M    10M select   0:00   0.00% zeitgeist-daemon
  902 vermaden      5  20    0    23M    10M select   0:00   0.00% gnome-keyring-daemo
  894 vermaden      1  20    0    21M  9488K RUN      0:00   0.00% sshd
  944 vermaden      5  20    0    21M  9356K select   0:00   0.00% gsd-housekeeping
  887 root          1  24    0    21M  9332K select   0:00   0.00% sshd
  933 vermaden      4  20    0    21M  9252K select   0:00   0.00% at-spi2-registryd
  925 vermaden      2  21    0    86M  9216K select   0:00   0.00% pulseaudio
  870 vermaden      4  20    0    24M  8860K select   0:00   0.00% gvfsd
  934 vermaden      5  20    0    20M  8616K select   0:00   0.00% gsd-usb-protection
  891 root         16  20    0    24M  8488K select   0:00   0.00% console-kit-daemon
  811 root          1  20    0    21M  8208K select   0:00   0.00% sshd
  867 vermaden      5  20    0    21M  8128K select   0:00   0.00% at-spi-bus-launcher
  927 root          4  20    0    20M  8040K select   0:00   0.00% accounts-daemon
  941 vermaden      5  20    0    20M  7976K select   0:00   0.00% gsd-sharing
  886 vermaden      5  20    0    21M  7936K select   0:00   0.00% gvfs-gphoto2-volume
  936 vermaden      5  20    0    20M  7936K select   0:00   0.00% gsd-a11y-settings
  923 vermaden      4  20    0    19M  7716K select   0:00   0.00% gvfsd-metadata
  910 root          4  20    0    19M  7620K select   0:00   0.00% upowerd
  881 vermaden      5  20    0    19M  7220K select   0:00   0.00% gvfs-mtp-volume-mon
  938 vermaden      4  20    0    19M  7180K select   0:00   0.00% gsd-screensaver-pro
  825 root          1  20    0    18M  7140K select   0:00   0.00% sendmail
  914 vermaden      4  20    0    19M  7128K select   0:00   0.00% dconf-service
  828 smmsp         1  52    0    18M  6704K pause    0:00   0.00% sendmail
  864 vermaden      1  20    0    14M  5268K select   0:01   0.00% dbus-daemon
  753 messagebus    1  20    0    14M  4280K select   0:00   0.00% dbus-daemon
  863 vermaden      1  21    0    15M  3912K select   0:00   0.00% dbus-launch
  868 vermaden      1  20    0    14M  3812K select   0:00   0.00% dbus-daemon
 1067 vermaden      1  20    0    14M  3704K nanslp   0:00   0.00% gstat
 1114 vermaden      1  20    0    14M  3420K RUN      0:00   0.00% top
  895 vermaden      1  20    0    13M  3252K wait     0:00   0.00% sh
  851 vermaden      1  22    0    13M  3212K wait     0:00   0.00% sh
 1066 vermaden      1  26    0    13M  3208K wait     0:00   0.00% sh
  843 root          1  23    0    13M  3100K wait     0:00   0.00% login
  854 vermaden      1  20    0    14M  3096K wait     0:00   0.00% xinit
  858 vermaden      1  21    0    13M  3016K wait     0:00   0.00% sh
  467 _dhcp         1  52    0    13M  2828K select   0:00   0.00% dhclient
  672 root          1  20    0    13M  2748K select   0:00   0.00% syslogd
  406 root          1   4    0    13M  2708K select   0:00   0.00% dhclient
  403 root          1  44    0    13M  2632K select   0:00   0.00% dhclient
  814 root          1  26    0    13M  2516K nanslp   0:00   0.00% cron
  757 root          1  20    0    13M  2404K select   0:00   0.00% moused
  850 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  847 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  848 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  844 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  849 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  845 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  846 root          1  52    0    13M  2248K ttyin    0:00   0.00% getty
  468 root          1  20    0    11M  1540K select   0:00   0.00% devd

Summary of the RAM usage results are below.

  MB  ENVIRONMENT
----  --------------------
  97  FreeBSD Text Console
 614  Openbox
1361  MATE
1548  XFCE
2622  GNOME
2843  KDE/Plasma

Seems that MATE

CPU Time Usage Results

As I already had the top(1) outputs I also compared the CPU time used for that limited test. I will not post the top(1) results again as they are posted above. The Seconds column below is the sum of the TIME field from the top(1) command output.
Here are the results of used CPU time.

SECONDS  ENVIRONMENT
-------  --------------------
      0  FreeBSD Text Console
      7  Openbox
     26  MATE
     42  XFCE
     72  GNOME
     92  KDE/Plasma

Seems that MATE is twice as light on resources then XFCE. World has changed a lot since GNOME 2 was considered heavy fully fledged desktop environment while XFCE was light and fast … but even that ‘hungry’ XFCE takes only half of the time that KDE/Plasma uses for the same tasks.

Subjective Experience

The Openbox ‘environment’ started fastest and was most responsive to operate.

Both MATE and XFCE started little slower but after they loaded the desktop and taskbars they were snappy and fast to use.

On the other hand the KDE/Plasma took longest to load and each application I started – I needed to wait ‘a little’ with ‘bouncing mouse cursor’ for them to load. Also scrolling the /etc/ssh/moduli file to its end in Kate took REALLY long … even with Logitech M720 mouse which scroll wheel was spinning freely (without clicks). I want to mention that I am not disappointed by KDE/Plasma. Its just slower when used in a limiter 1 CPU and 8 GB RAM environment. Probably the load times and usability is a lot better on a 4 CORE system with 16 GB of RAM on fast NVMe SSD disk while we used rather slow virtual machine.

After adding GNOME to comparison it felt even slower then KDE/Plasma. Probably because GNOME requires hardware 3D acceleration for smooth operation. With its software rendering it felt really sluggish … while consuming less RAM and CPU time then KDE/Plasma.

Summary

Not sure how useful that is but I just was curious and wanted to check it out – and as I did I share what I found.

UPDATE 1 – Added freecolor(1) and htop(1) RAM Measurements

After suggestions from other places I added freecolor(1) and htop(1) measurements when it comes to RAM usage. Here are the results.

            | htop(1) | conky(1) | freecolor(1)
    FreeBSD |  112 MB |    - -   |  157 MB 
    Openbox |  237 MB |  460 MB  |  382 MB 
       MATE |  508 MB |  778 MB  |  788 MB 
       XFCE |  533 MB |  794 MB  |  829 MB 
helloSystem |  585 MB |    - -   |  830 MB 
      GNOME |  625 MB |  990 MB  | 1000 MB 
 KDE/Plasma |  730 MB | 1659 MB  | 1167 MB

Hope that helps.

EOF

Split Audio Files into Parts

I recently got in the need of splitting quite large amount of audio files into smaller equal parts. The first thought that came to my mind was – probably thousand or more people had similar problem in the past so its already solved – so I went directly to the web search engine.

The found solutions seem not that great or work partially only … or not work like I expected them to work. After looking at one of the possible solutions in a bash(1) script I started to modify it … but it turned out that writing my own solution was faster and easier … and simpler.

Today I will share with you my solution to automatically split audio files into small equal parts.

Existing Solutions

In my search for existing solutions I indeed found some tools that will allow me to achieve what I need. I will not try to talk them one after another.

mp3splt

The first one I found was the audio/mp3splt port (and package) available on FreeBSD. So I installed it with typical pkg(8) command as shown below.

# pkg install mp3splt

It installed properly … but returned Segmentation Fault instead of actually working. I even submitted a PR for that in the FreeBSD Bugzilla – 264866 – but no update till now.

Thus I removed that package and went to search for something that works.

Brasero

Someone on some forum suggested using CD/DVD burning software – Brasero – because one of its features is audio splitting – so I installed the sysutils/brasero package now.

# pkg install brasero

It turns out that it really works. Some screenshots below.

brasero.1

brasero.2

… but that did not satisfied my because I wanted an automated/unattended solution instead of ‘clicking’ each file separately to split them. I also did not liked the fact that I needed to specify time in seconds.

mp3split

Do not confuse with mentioned earlier mp3splt command. The mp3split is a unattended one created in a bash(1) script – https://diegosanchezp.github.io/blog/mp3split/ – available and described here. One of its downsides (for me) was that it needed additional external ‘list’ file with times and titles for the parts.

I did not wanted to write this each time so I generated a long enough list file that will cover any possible file no matter the length with the following loop.

% seq 0 10 10000 \
    | while read MIN
      do
        seq 0 10 50 \
          | while read SEC
            do
              echo ${MIN}:${SEC}
            done
      done > list.txt

% head list.txt
0:0
0:10
0:20
0:30
0:40
0:50
10:0
10:10
10:20
10:30

I needed to split these audio files every 10 minutes. I redirected that output into the list.txt file. I then fetched and made executable the mentioned mp3split script.

% fetch https://raw.githubusercontent.com/diegosanchezp/mp3split/master/mp3split.sh

% chmod +x mp3split.sh

% ./mp3split.sh --help
zsh: ./mp3split.sh: bad interpreter: /bin/bash: no such file or directory

% head -1 ./mp3split.sh
#!/bin/bash

So now we will have to remove linuxisms from the script. Lets hope its only the interpreter part.

% head -1 ./mp3split.sh
#! /usr/bin/env bash

% ./mp3split.sh --help
./mp3split.sh: illegal option -- -
Invalid option: -
Usage:
  mp3split [OPTIONS] inputaudio tracklist
Options:
  -s: do a simulation without writing anything to disk
  -h: print this help
  -e extension: set output extension, if extension is equal to "" keep extension of input file
  The script will output all the splitted files in the
  current/working directory.


Better. Lets try to use it.

% ./mp3split.sh LARGE-AUDIO-FILE.mp3 list.txt

=== Begin to create mp3 split files ===
0:0.mp3: Protocol not found
Processed 0:0 to 0:10; 0:0.mp3
0:10.mp3: Protocol not found
Processed 0:10 to 0:20; 0:10.mp3
0:20.mp3: Protocol not found
Processed 0:20 to 0:30; 0:20.mp3
0:30.mp3: Protocol not found
Processed 0:30 to 0:40; 0:30.mp3
0:40.mp3: Protocol not found
Processed 0:40 to 0:50; 0:40.mp3
0:50.mp3: Protocol not found
Processed 0:50 to 10:0; 0:50.mp3
10:0.mp3: Protocol not found
Processed 10:0 to 10:10; 10:0.mp3
10:10.mp3: Protocol not found
Processed 10:10 to 10:20; 10:10.mp3
10:20.mp3: Protocol not found
Processed 10:20 to 10:30; 10:20.mp3
10:30.mp3: Protocol not found
Processed 10:30 to 10:40; 10:30.mp3
10:40.mp3: Protocol not found
Processed 10:40 to 10:50; 10:40.mp3
10:50.mp3: Protocol not found
Processed 10:50 to 20:0; 10:50.mp3
20:0.mp3: Protocol not found
Processed 20:0 to 20:10; 20:0.mp3
20:10.mp3: Protocol not found
Processed 20:10 to 20:20; 20:10.mp3
20:20.mp3: Protocol not found
Processed 20:20 to 20:30; 20:20.mp3
^C

Some strange error message Protocol not found … after small investigation it turns out that two characters fix for the ffmpeg(1) command will do. The diff(1) is available below.

% diff -u mp3split.sh mp3split.sh.FIXED.sh
--- mp3split.sh 2022-06-25 22:34:25.499718000 +0200
+++ mp3split.sh.FIXED.sh        2022-06-25 22:37:45.580845000 +0200
@@ -25,7 +25,7 @@
   outfile="$tracktitle.$ext"

   # Begin splitting files with ffmpeg
-  [ ! "$simulate" = true ] && ffmpeg -nostdin -y -loglevel error -i "$inputaudio" -ss "$start" -to "$end" -acodec copy "$outfile"
+  [ ! "$simulate" = true ] && ffmpeg -nostdin -y -loglevel error -i "$inputaudio" -ss "$start" -to "$end" -acodec copy ./"$outfile"

   echo "Processed $start to $end; $outfile"
 }

Now lets try to use the fixed version.

% ./mp3split.sh.FIXED.sh LARGE-AUDIO-FILE.mp3 list.txt

=== Begin to create mp3 split files ===
Processed 0:0 to 0:10; 0:0.mp3
Processed 0:10 to 0:20; 0:10.mp3
Processed 0:20 to 0:30; 0:20.mp3
Processed 0:30 to 0:40; 0:30.mp3
Processed 0:40 to 0:50; 0:40.mp3
Processed 0:50 to 10:0; 0:50.mp3
Processed 10:0 to 10:10; 10:0.mp3
Processed 10:10 to 10:20; 10:10.mp3
Processed 10:20 to 10:30; 10:20.mp3
Processed 10:30 to 10:40; 10:30.mp3
Processed 10:40 to 10:50; 10:40.mp3
Processed 10:50 to 20:0; 10:50.mp3
Processed 20:0 to 20:10; 20:0.mp3
Processed 20:10 to 20:20; 20:10.mp3
Processed 20:20 to 20:30; 20:20.mp3
Processed 20:30 to 20:40; 20:30.mp3
Processed 20:40 to 20:50; 20:40.mp3
Processed 20:50 to 30:0; 20:50.mp3
Processed 30:0 to 30:10; 30:0.mp3
Processed 30:10 to 30:20; 30:10.mp3
Processed 30:20 to 30:30; 30:20.mp3
Processed 30:30 to 30:40; 30:30.mp3
Processed 30:40 to 30:50; 30:40.mp3
Processed 30:50 to 40:0; 30:50.mp3
Processed 40:0 to 40:10; 40:0.mp3
Processed 40:10 to 40:20; 40:10.mp3
Processed 40:20 to 40:30; 40:20.mp3
Processed 40:30 to 40:40; 40:30.mp3
Processed 40:40 to 40:50; 40:40.mp3
Processed 40:50 to 50:0; 40:50.mp3
Processed 50:0 to 50:10; 50:0.mp3
Processed 50:10 to 50:20; 50:10.mp3
Processed 50:20 to 50:30; 50:20.mp3
Processed 50:30 to 50:40; 50:30.mp3
Processed 50:40 to 50:50; 50:40.mp3
Invalid duration specification for to: 60:0
Processed 50:50 to 60:0; 50:50.mp3
Invalid duration specification for ss: 60:0
Processed 60:0 to 60:10; 60:0.mp3
Invalid duration specification for ss: 60:10
Processed 60:10 to 60:20; 60:10.mp3
Invalid duration specification for ss: 60:20
Processed 60:20 to 60:30; 60:20.mp3
Invalid duration specification for ss: 60:30
Processed 60:30 to 60:40; 60:30.mp3
Invalid duration specification for ss: 60:40
Processed 60:40 to 60:50; 60:40.mp3
Invalid duration specification for ss: 60:50
Processed 60:50 to 70:0; 60:50.mp3
Invalid duration specification for ss: 70:0
Processed 70:0 to 70:10; 70:0.mp3
Invalid duration specification for ss: 70:10
Processed 70:10 to 70:20; 70:10.mp3
^C

Great … so after the file ended it will still try EVERY goddamn position from the list.txt file. It was also not able to reach the final ‘ending’ part without ‘visiting’ each time from the list.txt file. Enough is enough. I tried.

Custom Script Solution

After trying to modify the mp3split script even more I came to the conclusion that it will take less time to write my own solution from scratch … and this is exactly what I did. I wrote the audio-split.sh in POSIX /bin/sh interpreter for portability. After an hour later 50 lines of code did exactly what I needed – not counting the __usage() function for help information.

code.fixed

Here is the __usage() contents by the way.

help

The idea/needs were:

  • split large file automatically/unattended into equal parts
  • create new dir in which these parts are created
  • new dir must have same name as specified file (without extension)
  • each part will get a ' - xxx' suffix (like ' - 001' for first part) with original extension

… and they were met.

Here is the output of running audio-split.sh command.

% ffmpeg -i LARGE-AUDIO-FILE.mp3 2>&1 | grep Duration
  Duration: 00:44:55.99, start: 0.025057, bitrate: 171 kb/s

% audio-split.sh 10 LARGE-AUDIO-FILE.mp3
LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 001.mp3
LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 002.mp3
LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 003.mp3
LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 004.mp3
LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 005.mp3

% du -sm LARGE-AUDIO-FILE.mp3
56      LARGE-AUDIO-FILE.mp3

% du -smc LARGE-AUDIO-FILE/*
13      LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 001.mp3
13      LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 002.mp3
13      LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 003.mp3
13      LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 004.mp3
7       LARGE-AUDIO-FILE/LARGE-AUDIO-FILE - 005.mp3
56      total

The total size is the same (or similar in larger files). After listening to the parts I came to the conclusion that it works properly. The audio file is about 45 minutes long and the script created 4 10 minutes long files and 1 that is less then 5 minutes. Not sure if you also have such needs but if yes then you may now use another solution – audio-split.sh – for it πŸ™‚

EOF

Is FreeBSD a Real UNIX?

That question has been asked and answered many times … but the answer was not always obvious to everyone.

Also today is the FreeBSD day – FreeBSD was created exactly 29 years ago – also on 19th on June.

UNIX System

The first UNIX was the AT&T UNIX whose development started in 1969 at Bell Labs. Then AT&T licensed UNIX to outside parties in late 1970s which have life many UNIX variants like:

  • AIX from IBM
  • BSD (Berkeley Software Distribution) at University of California
  • SunOS/Solaris from Sun Microsystems
  • HP-UX from HP
  • Xenix from Microsoft

Of course AT&T also worked on UNIX and in the late 1980s jointly with Sun Microsystems they released the UNIX System V Release 4 (SVR4). Then in early 1990s the AT&T company sold its UNIX rights to Novell. Then Novell sold UNIX trademark to Open Group. This UNIX journey ends here as its Open Group ownership and they allow the use of the UNIX trademark for certified operating systems that comply with the Single UNIX Specification (SUS) (and pay $100 000 in the certification process).

BSD UNIX

The BSD UNIX had quite unusual version numbering with 1BSD, 2BSD, 3BSD for subsequent releases.

Below you will find most of them listed with some of their features.

1BSD

  • run PDP-11
  • ex(1) editor

2BSD

  • run PDP-11
  • vi(1) editor
  • C shell

3BSD

  • run VAX-11
  • DEC VT100 terminal

4BSD

  • run VAX-11
  • DARPA funding for CSRG
  • job control in C shell
  • delivermail(8) – antecedent of sendmail(8)
  • improved signals
  • Curses programming library

4.1BSD

  • performance improvements
  • on par with VMS on many benchmarks

4.2BSD

  • BBN preliminary TCP/IP implementation
  • Berkeley Fast File System
  • disk quotas
  • job control
  • run Motorola 68000
  • introduction of Daemon mascot

daemon.1983

4.3BSD

  • improved performance
  • more diverged TCP/IP implementation from BBN

4.3BSD-Reno

  • move towards POSIX compliance
  • NFS implementation
  • status key (CTRL-T)
  • run HP 9000
  • named as “Greatest Software Ever Written”

4.3BSD-Net/1

  • most standard UNIX utilities reimplemented without AT&T code
  • nvi(1) – new vi(1)
  • only few AT&T files remained in kernel

4.3BSD-Net/2

  • all AT&T standard UNIX utilities reimplemented without AT&T code
  • nearly complete operating system that was freely distributable

386BSD (sometimes also called 386/BSD)

  • run Intel 80386
  • basically 4.3BSD-Net/2 ported to x86
  • base for NetBSD
  • base for FreeBSD on 1.0-2.2.8 releases

BSD/386 (later renamed BSD/OS) by BSDi

  • legal trouble with AT&T
  • AT&T USL versus BSDi lawsuit filed against 4.3BSD-Net/2
  • from 18,000 files only 3 had to be removed and 70 modified to show AT&T USL copyright.

4.4BSD-Encumbered

  • released only to AT&T USL licensees

4.4BSD-Lite

  • no longer requires AT&T USL license
  • contained other changes over 4.4BSD-Encumbered

4.4BSD-Lite2

  • last BSD UNIX release
  • after this release CSRG was dissolved
  • FreeBSD since 3.0 also used that code

Intel/x86 Port

The 386BSD UNIX (sometimes also called 386/BSD) was port of the 4.3BSD-Net/2 UNIX to the Intel/x86 architecture. Like recently FreeBSD added support for RISC-V or ARM64. When 386BSD UNIX existed – a group of people took that code and decided that they will develop it under FreeBSD name with their our own way of doing things like serving packages etc.

As you can see the FreeBSD UNIX is – with large simplification – nothing more then 4.3BSD-Net/2 ported to the x86 architecture. But can you call it UNIX? That depends.

FreeBSD UNIX

Let me give you an example from other industry. Can you call Tesla a ‘car’? Yes. Why? Because no one has the copyright for the ‘car’ term. Now imagine this – some company owns the copyright to the ‘car’ term. Now you would not be allowed to call Tesla a ‘car’ without first asking that company for permission. Without such permission you could name Tesla only a car-like vehicle … or automobile – but not simply a ‘car’.

Lets get back to the computing world. Can you officially name FreeBSD a UNIX? No. That is because Open Group company owns copyright to the ‘UNIX’ term. You can call it only a UNIX-like system … but that does not mean its not UNIX. You just can not call it like that because of the lawyers.

NetBSD team also gave good example with their ‘duck’ explanation – https://mollari.netbsd.org/about/call-it-a-duck.html – available here.

Apple paid $100 000 to call their Mac OS X (now macOS) system a UNIX officially.

Linux UNIX

Can you call Linux a UNIX system? Depends which one πŸ™‚ Currently RHEL (Red Hat Enterprise Linux) is not a certified UNIX – Red Hat did not made the $100 000 worth official certification process with Open Group – you can not name RHEL a UNIX system … but RHEL fork can be called officially UNIX. The Inspur-UX is official UNIX because they did that $100 000 certification with Open Group. Probably because they thought that calling their RHEL fork ‘UNIX’ will make their business better.

Does it makes sense? No. But that is just business. Do not seek logic here. Money only.

Summary

Depends if you want the truth or just what the law officially allows πŸ™‚ If you want the truth then yes – FreeBSD is a UNIX system – same as NetBSD or OpenBSD for example. But if you want to obey the law then you can not name these systems UNIX.

EOF

NFS Server Inside FreeBSD VNET Jail

FreeBSD Jails is a great piece of container technology pioneered several years before Solaris Zones. Not to mention 15 years before Docker was born. Today they still work great and offer some new features like entire network stack for each Jail called VNET. Unfortunately they also have downsides. For example anything related to NFS is broken inside FreeBSD Jails (especially when they are VNET based Jails) and the relevant 251347 Bug Report remains unsolved.

There is however a way to run NFS server inside VNET based FreeBSD Jail – we will use userspace NFS server implementation instead of using the FreeBSD base system kernel space NFS server. Its available as net/unfs3 package and this is exactly what we will gonna use for this guide.

unfs3


Same in plain text below.

/ % cd /usr/ports/net/unfs3

/usr/ports/net/unfs3 % cat pkg-descr
UNFS3 is a user-space implementation of the NFSv3 server specification. It
provides a daemon for the MOUNT and NFS protocols, which are used by NFS
clients for accessing files on the server.
Since it runs in user-space, you can use it in a jail.

WWW: https://unfs3.github.io/

/usr/ports/net/unfs3 % pkg info -l unfs3           
unfs3-0.9.22_2:
        /usr/local/man/man7/tags.7.gz
        /usr/local/man/man8/unfsd.8.gz
        /usr/local/sbin/unfsd
        /usr/local/share/licenses/unfs3-0.9.22_2/BSD3CLAUSE
        /usr/local/share/licenses/unfs3-0.9.22_2/LICENSE
        /usr/local/share/licenses/unfs3-0.9.22_2/catalog.mk

Its also pity that VNET feature for FreeBSD Jails is not well documented. Search the FreeBSD Handbook or FreeBSD FAQ for the VNET or VIMAGE keywords. Not a single match. There are only man pages and some stuff left in the /usr/share/examples/jails dir. There is also FreeBSD Mastery: Jails book by Michael W. Lucas but its 3 years old already.

Setup

Below you will find the list of systems we will use in this guide.

10.0.10.250  host
10.0.10.251  nfs_server

The host is a common FreeBSD server installed on a physical or virtual machine. We will also use it as out NFS client and mount the NFS share there. The nfs_server is a FreeBSD Jail with VNET separate network stack enabled. We will run NFS server from this host nfs_server system. Both of them run latest FreeBSD 13.1-RELEASE but I suspect that it should also work the same on older versions.

FreeBSD Host and NFS Client (host)

First we will setup the host machine. Its typical default ZFS FreeBSD install – nothing special about that. To use the VNET enabled Jails we will use jib tool from the /usr/share/examples/jails directory as we will need it to automate epair(4) interfaces management.

root@host:/ # install -o root -g wheel -m 0555 /usr/share/examples/jails/jib /usr/sbin/jib

Our next step would be to fetch and setup the nfs_server FreeBSD Jail. We will not waste time in compilation – we will fetch the base.txz directly from FreeBSD page.

root@host:/ # mkdir -p /jail/BASE
root@host:/jail/BASE # cd /jail/BASE
root@host:/jail/BASE # fetch http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/13.1-RELEASE/base.txz
root@host:/jail/BASE # mv base.txz 13.1-base.txz

Now the nfs_server FreeBSD Jail.

root@host:/ # mkdir -p /jail/nfs_server
root@host:/jail/nfs_server # cd /jail/nfs_server
root@host:/jail/nfs_server # tar -xzf /jail/BASE/13.1-base.txz --unlink

The main FreeBSD /etc/rc.conf configuration file does not hold any special setting – pretty usual stuff.

root@host:/ # cat /etc/rc.conf
# NETWORK
  hostname="host"
  ifconfig_em0="inet 10.0.10.250/24 up"
  defaultrouter="10.0.10.1"
  gateway_enable="YES"

# DAEMONS
  dumpdev="AUTO"
  sshd_enable="YES"
  zfs_enable="YES"
  sendmail_enable="NO"
  sendmail_submit_enable="NO"
  sendmail_outbound_enable="NO"
  sendmail_msp_queue_enable="NO"
  update_motd="NO"

# JAILS
  jail_enable="YES"
  jail_parallel_start="YES"
  jail_list="nfs_server"

The nfs_server FreeBSD Jail as configured in the /etc/jail.conf config file.

root@host:/ # cat /etc/jail.conf
nfs_server {
  path = "/jail/${name}";
  host.hostname = "${name}";
  allow.raw_sockets = 1;
  allow.set_hostname = 1;
  allow.sysvipc = 1;
  mount.devfs;
  exec.clean;
  vnet;
  vnet.interface = "e0b_${name}";
  exec.prestart += "/usr/sbin/jib addm -b _bridge0 ${name} em0";
  exec.poststop += "/usr/sbin/jib destroy ${name}";
  exec.start += "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_${name}_console.log";
}

… and last but not least lets make sure the following DNS haiku will not bother us πŸ™‚

dns

Setup the /etc/hosts on the host system.

root@host:/ # tail -3 /etc/hosts
10.0.10.250 host
10.0.10.251 nfs_server

FreeBSD NFS Server VNET Jail (nfs_server)

As our FreeBSD Jail is installed we will now start it and configure it.

root@host:/ # service jail onestart nfs_server

root@host:/ # jls
   JID  IP Address      Hostname                      Path
     1                  nfs_server                    /jail/nfs_server

root@host:/ # jexec 1

root@nfs_server:/ # 

First we will install latest net/unfs3 package – this userspace NFS server is also very minimal and does not have any dependencies.

root@nfs_server:/ # echo nameserver 1.1.1.1 > /etc/resolv.conf

root@nfs_server:/ # sed -i '' s/quarterly/latest/g /etc/pkg/FreeBSD.conf

root@nfs_server:/ # pkg install unfs3

root@nfs_server:/ # pkg info -qoa
ports-mgmt/pkg
net/unfs3

Now we will configure our NFS share under /share dir and start the unfsd(8) userspace NFS server.

root@nfs_server:/ # mkdir /share

root@nfs_server:/ # cat /etc/exports
/share  10.0.10.250(rw,no_root_squash,no_all_squash)

… last but not least – DNS πŸ™‚

root@nfs_server:/ # tail -3 /etc/hosts
10.0.10.250 host
10.0.10.251 nfs_server

As we are using VNET network stack in a FreeBSD Jail we will have to address the network interface in the Jails /etc/rc.conf file. The unfsd(8) daemon does not start without rpcbind service so we will also enable it.

root@nfs_server:/ # cat /etc/rc.conf
# NETWORK
  hostname="nfs_server"
  ifconfig_e0b_nfs_server="10.0.10.251/24 up"
  defaultrouter="10.0.10.1"

# DAEMONS
  sshd_enable="YES"
  rpcbind_enable="YES"
  sendmail_enable="NO"
  sendmail_submit_enable="NO"
  sendmail_outbound_enable="NO"
  sendmail_msp_queue_enable="NO"

We will make unfsd(8) start automatically at Jails start with plain old /etc/rc.local file.

root@nfs_server:/ # cat /etc/rc.local 
/usr/local/sbin/unfsd &

We will not restart our FreeBSD Jail to make these changes take effect.

root@host:/ # service jail onerestart nfs_server

root@host:/ # jls
   JID  IP Address      Hostname                      Path
     2                  nfs_server                    /jail/nfs_server

root@host:/ # jexec 2

root@nfs_server:/ # 

After startup we can see that unfsd(8) is listening on a NFS 2049 port.

root@nfs_server:/ # sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sshd       1261  4  tcp4   *:22                  *:*
root     sendmail   1241  5  tcp4   127.0.0.1:25          *:*
root     unfsd      1223  3  udp4   *:2049                *:*
root     unfsd      1223  4  tcp4   *:2049                *:*
root     rpcbind    1196  9  udp4   *:111                 *:*
root     rpcbind    1196  10 udp4   *:842                 *:*
root     rpcbind    1196  11 tcp4   *:111                 *:*
root     syslogd    1188  6  udp4   *:514                 *:*
  

We should have our epair(4) interface called e0b_nfs_server addressed properly.

root@nfs_server:/ # ifconfig 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
e0b_nfs_server: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 0e:27:dd:b3:81:88
        hwaddr 02:30:0d:9f:57:0b
        inet 10.0.10.251 netmask 0xffffff00 broadcast 10.0.10.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Mount /share on NFS Client

I added that NFS entry to the /etc/fstab file on the host machine.

root@host:~ # cat /etc/fstab 
#DEV         #MNT       #TYPE    #OPT  #DUMP/PASS
/dev/ada0p1  /boot/efi  msdosfs  rw    2 2
/dev/ada0p3  none       swap     sw    0 0

#DEV                #MNT  #TYPE  #OPT       #DUMP/PASS
10.0.10.251:/share  /mnt  nfs    rw,noauto  0 0

We will now attempt to mount the /share NFS export on the host machine.

root@host:/ # mount /mnt

root@host:/ # mount | grep share
10.0.10.251:/share on /mnt (nfs)

root@host:/ # cd /mnt

root@host:/mnt # :> FILE

root@host:/mnt # ls -l FILE
-rw-r--r-- 1 root root 0 2022-05-21 22:53 FILE

root@host:/mnt # rm FILE

Seems to work properly.

Here are also network interfaces on the host machine.

root@host:/ # ifconfig 
em0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:b3:81:88
        inet 10.0.10.250 netmask 0xffffff00 broadcast 10.0.10.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em0_bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:dd
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_nfs_server flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
e0a_nfs_server: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:27:dd:b3:81:88
        hwaddr 02:30:0d:9f:57:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


Future of NFS Server in Jails

This setup – while allowing to run the NFS server inside FreeBSD Jail with even VNET enabled has its drawbacks unfortunately. First is that it is run in userspace instead of kernel space – which means its slower. Second is that the unfsd(8) only implements NFS version 3 – so no version 4 is not possible.

freebsd-foundation-logo

Where we can go from here? Like with WiFi stuff IMHO the FreeBSD Foundation could step in to sponsor the missing bits of NFS server and VNET to make these native tools work they should. Its up to you to put the pressure on the FreeBSD Foundation when they as what are you missing from the FreeBSD UNIX system that could be improved with one of their projects. You may also join the discussion at the 251347 Bug Report of course.

I think its a big loss that native kernel space NFS server is not currently possible with VNET FreeBSD Jails.

EOF

FreeBSD 13.1 on ThinkPad W520

I created whole FreeBSD Desktop series … but I never created an article describing how I run FreeBSD on my own daily driver – the Lenovo ThinkPad W520 from 2011 – the last one with the so much appreciated 7-row keyboard. In this article I will share how I configured FreeBSD to make the most of it. If you are curious why I use such old laptop then my older Epitaph to Laptops article explains that in detail.

This is the Table of Contents for this article.

  • FreeBSD 13.1 on ThinkPad W520
  • ThinkPad W520
  • Specifications
  • FreeBSD System Configuration
  • Desktop Environment
    • Openbox
    • XFCE
    • GNOME
  • Accessories
    • Smaller Power Supply
    • Mouse Companion
    • Two Additional USB 3.0 Ports
    • Larger Custom Battery
  • Experience
  • Summary

ThinkPad W520

This machine was out-fucking-standing when it was released in 2011 … and expensive as hell also πŸ™‚ With 4 physical cores and up to 32 GB RAM only a few laptops could compete with it – Dell Precision M4600 – also could do that back then … but not exactly the same. You see – the last Dell Precision to carry similar 7-row keyboard was Dell Precision M4500 – but that one was from 2010 and was able to pack only … 8 GB RAM (official) and 16 GB RAM (unofficial) – so its not a fair comparison. Today 11 years (!) later ThinkPad W520 is still very capable and powerful machine. The only thing that you may need to do is to replace the thermal paste. I also did that – Classic ThinkPad Thermal Paste Change – as described here.

0THIS-w520-freebsd

To make you imagine how big that 11 years time span in IT is I will try to show you example with a car. Its like driving 30 years old Mercedes-Benz W124 from 1992 today because IT world and hardware changes and improves a lot faster then automobile industry. The Mercedes-Benz W124 with its indestructible automatic transmission and engine along with comfortable suspension and automatic air conditioning – offers daily experience not that far away from today’s cars – the meritum is definitely fulfilled. I know that from first hand since I owned one not that long ago. Not to mention its legendary reliability. Its also a car that is very liked by mechanics as its very ‘serviceable’ and has lots of space for everything. You do not need to disassemble entire front bumper and the headlight just to replace a broken light beam.

w520.mercedes.w124

This is the same that I would say about ThinkPad W520 today. You can put three (!) storage devices at the same time. Two 2.5 SATA drives and one mSATA disk. Assuming you would use 8 TB 2.5 Samsung QVO drives and 2 TB mSATA drive you would have 18 TB of storage … in a 11 years old laptop. You can grow that to 19TB with 1TB SD card in the slot … and we even did not touched any USB ports yet. Today you are able to get ThinkPad W520 in nice condition for about $300 if you are not heisty and getting 32 GB of DDR3 RAM costs another $100 so its pretty affordable hardware.

Specifications

For the record below You will find specs of mine machine. I also added driver and/or package that is used to support these devices.

CPU: Intel Core i7-2820QM 2.30GHz (4C/8T) Sandy Bridge 32nm
RAM: 32 GB (4 * 8GB DDR3)
HDD0: 128GB mSATA Samsung PM830 (system)
HDD1: 4 TB 2.5 SATA Samsung 860 QVO (data)
GFX0: Intel HD Graphics 3000 (integrated) [graphics/drm-kmod]
GFX1: Nvidia Quadro 2000M (discrete) [x11/nvidia-driver-390] {nvidia}
SCR: 15.6 1920x1080
USB: 2 x USB 2.0 + 2 x USB 3.0 [ehci(4) + xhci(4)]
AUDIO: Conexant CX20590 [snd_hda(4)]
PORTS0: 1 x VGA
PORTS1: 1 x DisplayPort
PORTS2: 1 x eSata
SD: Card Reader 5in1 [sdhci(4)]
LAN: 10/100/1000 Intel 82579LM Gigabit [em(4)]
WIFI: Intel Centrino Ultimate-N 6300 AGN 802.11n [iwn(4)]
BT: Bluetooth 3.0 [ng_ubt(4)]
CAM: Webcam 720p [multimedia/webcamd]

Articles such as this one often focuses on what works and is supported by FreeBSD and what is problematic or does not work at all. The very nice thing about ThinkPad W520 under FreeBSD command is that EVERYTHING works. From Bluetooth through Card Reader and also multiple suspend/resume cycles. I am doing months of uptime on that laptop and I reboot only when I need to update the system or I want to test something … but that often also does not need reboot now as you can just reroot into other BE as described in my other ZFS Boot Environments Revolutions article.

I do not need the compute power of discrete Nvidia Quadro 2000M card so I disabled it in the BIOS – but when I tried it with drivers from the FreeBSD Ports – everything worked as desired. I use integrated Intel HD Graphics 3000 which is more then enough for my needs. To be honest I would get ThinkPad T520 which can be bought with integrated graphics only but it has two downsides. The T520 does not have any USB 3.0 ports – that one I could probably live with but … it comes only with Dual Core CPUs. You can of course place a Quad Core CPU in it by yourself – but as W520 exist I do not see a reason not to get one πŸ™‚

FreeBSD System Configuration

From many things that I really like about FreeBSD (more here – Quare FreeBSD? – in separate article) is that it can be mostly configured using just 3 files. This configuration already features all power management settings that I described in the The Power to Serve – FreeBSD Power Management article.

I installed FreeBSD in a pretty standard way with GELI full disk encryption enabled and with ZFS as the filesystem as I can not live without ZFS Boot Environments. The FreeBSD installer automatically detects and applies the so called ‘Lenovo Fix‘. When in doubt the installation procedure is described in the FreeBSD Desktop – Part 2.1 – Install FreeBSD 12 article.

Main FreeBSD configuration files.

  • /etc/rc.conf – system and services configuration
  • /etc/sysctl.conf – runtime parameters configuration
  • /boot/loader.conf – parameters configurable at boot

I will also include these below as they are also important:

  • /etc/devfs.rules – devices configuration
  • /etc/fstab – filesystems configuration
  • /etc/ttys – terminal initialization configuration
  • /etc/wpa_supplicant.conf – WiFi configuration
  • /usr/local/etc/automount.confautomount(8) configuration
  • /usr/local/etc/doas.confdoas(1) configuration
  • id(1) groups membership
  • /usr/local/etc/X11/xorg.conf.d/* – X11 configuration

First the main /etc/rc.conf configuration file.

% cat /etc/rc.conf
# SILENCE # ------------------------------------------------------------------
  rc_startmsgs=NO

# NETWORK # ------------------------------------------------------------------
  hostname=w520.local
  background_dhclient=YES
  extra_netfs_types=NFS
  defaultroute_delay=3
  defaultroute_carrier_delay=3
  gateway_enable=YES
  harvest_mask=351
  rtsol_flags="-i"
  rtsold_flags="-a -i"

# MODULES/COMMON/BASE # ------------------------------------------------------
  kld_list="${kld_list} /boot/modules/i915kms.ko"
  kld_list="${kld_list} fusefs coretemp sem cpuctl ichsmb cuse"
  kld_list="${kld_list} libiconv cd9660_iconv msdosfs_iconv udf_iconv"

# MODULES/VIRTUALBOX # -------------------------------------------------------
  vboxnet_enable=YES
  kld_list="${kld_list} vboxdrv vboxnetadp vboxnetflt"

# POWER
  performance_cx_lowest=C1
  economy_cx_lowest=Cmax
  powerd_enable=YES
  powerd_flags="-n adaptive -a hiadaptive -b adaptive -m 800 -M 2000"

# DAEMONS | yes # ------------------------------------------------------------
  zfs_enable=YES
  xdm_enable=YES
  xdm_tty=ttyv4
  nfs_client_enable=YES
  ubuntu_enable=YES
  moused_enable=YES
  syslogd_flags='-s -s'
  sshd_enable=YES
  local_unbound_enable=YES
  webcamd_enable=YES
  rctl_enable=YES

# DAEMONS | no # -------------------------------------------------------------
  linux_enable=NO
  sendmail_enable=NONE
  sendmail_submit_enable=NO
  sendmail_outbound_enable=NO
  sendmail_msp_queue_enable=NO

# FS # -----------------------------------------------------------------------
  fsck_y_enable=YES
  clear_tmp_enable=YES
  clear_tmp_X=YES
  growfs_enable=YES

# OTHER # --------------------------------------------------------------------
  keyrate=fast
  keymap=pl.kbd
  virecover_enable=NO
  update_motd=NO
  devfs_system_ruleset=desktop
  hostid_enable=NO
  savecore_enable=NO

Now the runtime parameters /etc/sysctl.conf file.

% cat /etc/sysctl.conf
# SECURITY
  security.bsd.see_jail_proc=0
  security.bsd.unprivileged_proc_debug=0

# SECURITY/RANDOM PID
  kern.randompid=1

# ANNOYING THINGS
  vfs.usermount=1
  kern.coredump=0
  hw.syscons.bell=0
  kern.vt.enable_bell=0

# ZFS DELETE FUCKUP TRIM (DEFAULT: 64)
  vfs.zfs.vdev.trim_max_active=1

# ZFS ARC TUNING
  vfs.zfs.arc.min=134217728
  vfs.zfs.arc.max=536870912

# ZFS ARC FREE ENFORCE @ 1024 \* 1024 \* 3
  vfs.zfs.arc_free_target=3145728

# JAILS/ALLOW UPGRADES IN JAILS
  security.jail.chflags_allowed=1

# JAILS/ALLOW RAW SOCKETS
  security.jail.allow_raw_sockets=1

# DESKTOP/INTERACTIVITY
  kern.sched.preempt_thresh=224

# DESKTOP QUANTUM FOR TIMESHARE THREADS IN stathz TICKS (12) NomadBSD
  kern.sched.slice=3

# DESKTOP/IRIDIUM/CHROMIUM
  kern.ipc.shm_allow_removed=1

# SAMPLE RATE CONVERTER QUALITY (0=low .. 4=high) (1) NomadBSD
  hw.snd.feeder_rate_quality=3

# PERFORMANCE/ALL SHARED MEMORY SEGMENTS WILL BE MAPPED TO UNPAGEABLE RAM
  kern.ipc.shm_use_phys=1

# VIRTUALBOX aio(4) SETTINGS
  vfs.aio.max_buf_aio=8192
  vfs.aio.max_aio_queue_per_proc=65536
  vfs.aio.max_aio_per_proc=8192
  vfs.aio.max_aio_queue=65536

# NETWORK/DO NOT SEND RST ON SEGMENTS TO CLOSED PORTS
  net.inet.tcp.blackhole=2

# NETWORK/DO NOT SEND PORT UNREACHABLES FOR REFUSED CONNECTS
  net.inet.udp.blackhole=1

# NETWORK/LIMIT ON SYN/ACK RETRANSMISSIONS (3)
  net.inet.tcp.syncache.rexmtlimit=0

# NETWORK/USE TCP SYN COOKIES IF THE SYNCACHE OVERFLOWS (1)
  net.inet.tcp.syncookies=0

# NETWORK/ASSIGN RANDOM ip_id VALUES (0)
  net.inet.ip.random_id=1

# NETWORK/ENABLE SENDING IP REDIRECTS (1)
  net.inet.ip.redirect=0

# NETWORK/IGNORE ICMP REDIRECTS (0)
  net.inet.icmp.drop_redirect=1

# NETWORK/DROP TCP PACKETS WITH SYN+FIN SET (0)
  net.inet.tcp.drop_synfin=1

# NETWORK/RECYCLE CLOSED FIN_WAIT_2 CONNECTIONS FASTER (0)
  net.inet.tcp.fast_finwait2_recycle=1

# NETWORK/CERTAIN ICMP UNREACHABLE MESSAGES MAY ABORT CONNECTIONS IN SYN_SENT (1)
  net.inet.tcp.icmp_may_rst=0

Now the boot parameters in /boot/loader.conf file.

% cat /boot/loader.conf
# CONSOLE COMMON
  autoboot_delay=1       # OPTION '-1' MEANS NO WAIT AND 'NO' MEANS INFINITE WAIT
  hw.usb.no_boot_wait=0  # DO NOT WAIT FOR USB DEVICES FOR ROOT (/) FILESYSTEM
  boot_mute=YES          # SAME AS '-m' IN LOADER - MUTE CONSOLE WITH FreeBSD LOGO
  loader_logo=none       # DESIRED LOGO: fbsdbw beastiebw beastie none
  loader_menu_frame="none"
  screen.font="6x12"

# CONSOLE RESOLUTION
  efi_max_resolution="1920x1080"

# WINE FIX
  machdep.max_ldt_segment=2048

# MODULES - BOOT
  geom_eli_load=YES
  zfs_load=YES

# drm-kmod PACKAGE - USE SEMAPHORES FOR INTER-RING SYNC
  compat.linuxkpi.semaphores=1

# drm-kmod PACKAGE - ENABLE POWER-SAVING RENDER C-STATE 6
  compat.linuxkpi.enable_rc6=7

# drm-kmod PACKAGE - ENABLE POWER-SAVING DISPLAY C-STATES
  compat.linuxkpi.enable_dc=2

# drm-kmod PACKAGE - ENABLE FRAME BUFFER COMPRESSION FOR POWER SAVINGS
  compat.linuxkpi.enable_fbc=1

# ENABLE SYNAPTICS
  hw.psm.synaptics_support=1

# DISABLE /dev/diskid/* ENTRIES FOR DISKS
  kern.geom.label.disk_ident.enable=0

# DISABLE /dev/gptid/* ENTRIES FOR DISKS
  kern.geom.label.gptid.enable=0

# TERMINAL vt(4) COLORS
  kern.vt.color.0.rgb="#000000"
  kern.vt.color.1.rgb="#dc322f"
  kern.vt.color.2.rgb="#859900"
  kern.vt.color.3.rgb="#b58900"
  kern.vt.color.4.rgb="#268bd2"
  kern.vt.color.5.rgb="#ec0048"
  kern.vt.color.6.rgb="#2aa198"
  kern.vt.color.7.rgb="#94a3a5"
  kern.vt.color.8.rgb="#586e75"
  kern.vt.color.9.rgb="#cb4b16"
  kern.vt.color.10.rgb="#859900"
  kern.vt.color.11.rgb="#b58900"
  kern.vt.color.12.rgb="#268bd2"
  kern.vt.color.13.rgb="#d33682"
  kern.vt.color.14.rgb="#2aa198"
  kern.vt.color.15.rgb="#6c71c4"

# RACCT/RCTL RESOURCE LIMITS
  kern.racct.enable=1

# DISABLE ZFS PREFETCH
  vfs.zfs.prefetch_disable=1

# POWER MGMT / POWER OFF DEVICES WITHOUT ATTACHED DRIVER
  hw.pci.do_power_nodriver=3

# POWER MANAGEMENT FOR EVERY USED AHCI CHANNEL (ahcich 0-7)
  hint.ahcich.0.pm_level=5
  hint.ahcich.1.pm_level=5
  hint.ahcich.2.pm_level=5
  hint.ahcich.3.pm_level=5
  hint.ahcich.4.pm_level=5
  hint.ahcich.5.pm_level=5
  hint.ahcich.6.pm_level=5
  hint.ahcich.7.pm_level=5

# GELI THREADS
  kern.geom.eli.threads=4

Now the mentioned /etc/devfs.rules file.

% cat /etc/devfs.rules
[desktop=10]
add path 'acd*'      mode 0660 group operator
add path 'cd*'       mode 0660 group operator
add path 'da*'       mode 0660 group operator
add path 'pass*'     mode 0660 group operator
add path 'xpt*'      mode 0660 group operator
add path 'fd*'       mode 0660 group operator
add path 'md*'       mode 0660 group operator
add path 'uscanner*' mode 0660 group operator
add path 'ugen*'     mode 0660 group operator
add path 'usb/*'     mode 0660 group operator
add path 'video*'    mode 0660 group operator
add path 'cuse*'     mode 0660 group operator
add path 'lpt*'      mode 0660 group cups
add path 'ulpt*'     mode 0660 group cups
add path 'unlpt*'    mode 0660 group cups

Filesystems and SWAP configuration.

% cat /etc/fstab
# SWAP
  /dev/gpt/swap0  none  swap  sw  0 0

# FreeBSD PSEUDO - NEEDED BY wine(1)
  procfs  /proc  procfs  rw  0 0

# Ubuntu Linux PSEUDO
  linprocfs  /compat/ubuntu/proc     linprocfs  rw,late                    0 0
  linsysfs   /compat/ubuntu/sys      linsysfs   rw,late                    0 0
  devfs      /compat/ubuntu/dev      devfs      rw,late                    0 0
  fdescfs    /compat/ubuntu/dev/fd   fdescfs    rw,late,linrdlnk           0 0
  tmpfs      /compat/ubuntu/dev/shm  tmpfs      rw,late,size=1g,mode=1777  0 0
  /home      /compat/ubuntu/home     nullfs     rw,late                    0 0
  /tmp       /compat/ubuntu/tmp      nullfs     rw,late                    0 0

Terminals configuration under /etc/ttys file. Important part is the ttyv4 entry to match the xdm_tty=ttyv4 value from /etc/rc.conf file.

% grep '^[^#]' /etc/ttys | cat
console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv1   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv2   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv3   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv4   "/usr/libexec/getty Pc"         xterm   off secure
ttyv5   "/usr/libexec/getty Pc"         xterm   off secure
ttyv6   "/usr/libexec/getty Pc"         xterm   off secure
ttyv7   "/usr/libexec/getty Pc"         xterm   off secure
ttyv4   "/usr/local/bin/xdm -nodaemon"  xterm   off secure
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
ttyu1   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
ttyu2   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
ttyu3   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
xc0     "/usr/libexec/getty Pc"         xterm   onifconsole secure
rcons   "/usr/libexec/getty std.9600"   vt100   onifconsole secure

Wireless config – as an example for different network types. As you have seen I did not included any network information in the /etc/rc.conf file – this is because I use my own network.sh solution to connect to various both wire and wireless networks – FreeBSD Network Management with network.sh Script – described in detail here.

# cat /etc/wpa_supplicant.conf
# GENERAL
eapol_version=2
ap_scan=1
fast_reauth=1

# OPEN NETWORKS
network={
  key_mgmt=NONE
  priority=0
}

# NETWORK WITH HIDDEN SSID
network={
  scan_ssid=1
  ssid="hidden-network"
  psk="12341234"
  priority=0
}

# NAMED OPEN NETWORK
network={
  ssid="Free_Internet"
  key_mgmt=NONE
  priority=0
}

# NORMAL WPA/WPA2 SECURED NETWORK
network={
  ssid="SECURED"
  psk="12345678"
}

The automount(8) config.

% cat /usr/local/etc/automount.conf
  USERUMOUNT=YES
  USER=vermaden
  FM='caja --no-desktop'
  NICENAMES=YES

The doas(1) configuration.

# cat /usr/local/etc/doas.conf
# CORE
  permit nopass keepenv root     as root
  permit nopass keepenv vermaden as root

# THE network.sh SCRIPT
  # pw groupmod network -m YOURUSERNAME
  # cat /usr/local/etc/doas.conf
  permit nopass :network as root cmd /etc/rc.d/netif args onerestart
  permit nopass :network as root cmd /usr/sbin/service args squid onerestart
  permit nopass :network as root cmd dhclient
  permit nopass :network as root cmd ifconfig
  permit nopass :network as root cmd killall args -9 dhclient
  permit nopass :network as root cmd killall args -9 ppp
  permit nopass :network as root cmd killall args -9 wpa_supplicant
  permit nopass :network as root cmd ppp
  permit nopass :network as root cmd route
  permit nopass :network as root cmd tee args -a /etc/resolv.conf
  permit nopass :network as root cmd tee args /etc/resolv.conf
  permit nopass :network as root cmd umount
  permit nopass :network as root cmd wpa_supplicant

Groups I am member of with id(1) output.

% id vermaden | tr ' ' '\n' | tr ',' '\n'
uid=1000(vermaden)
gid=1000(vermaden)
groups=1000(vermaden)
0(wheel)
5(operator)
44(video)
69(network)
145(webcamd)
920(vboxusers)

Current X11 configuration.

% cat /usr/local/etc/X11/xorg.conf.d/card.conf
Section "Device"
  Identifier "Card0"
  Option "DPMS"
  Driver "intel"
  Option "DRI" "3"
  Option "AccelMethod" "sna"
  Option "TearFree" "true"
EndSection

% cat /usr/local/etc/X11/xorg.conf.d/flags.conf
Section "ServerFlags"
  Option "DontZap" "off"
EndSection

% cat /usr/local/etc/X11/xorg.conf.d/keyboard.conf
Section "InputDevice"
  Identifier "Keyboard0"
  Driver "kbd"
  Option "XkbLayout" "pl"
  Option "XkbOptions" "terminate:ctrl_alt_bksp,ctrl:nocaps"
EndSection

% cat /usr/local/etc/X11/xorg.conf.d/touchpad.conf
Section "InputClass"
  Identifier "touchpad"
  MatchIsTouchpad "on"
  Driver "libinput"
  Option "Tapping" "on"
  Option "NaturalScrolling" "on"
EndSection

I also do not rely on ‘stock’ fan speeds and set my own speeds according to CPU temperature with acpi-thinkpad-fan.sh script.

Desktop Environment

Openbox

As for the ‘desktop environment’ that I use – its my custom setup with Openbox along with tools like Tint2 and Dzen2 – for the most basic setup. The screenshot is from FreeBSD 11.1 but it looks exactly the same today.

freebsd-desktop-2019-04

I described this setup in details in the entire FreeBSD Desktop series.

XFCE

I have also tried XFCE – I liked it especially with the Global Menu app-menu plugin. You go this way with this XFCE Cupertino Way handy guide.

xfce-ghostbsd

GNOME

I also tried GNOME for a test – it did not suit me well so I went back to my Openbox setup – but You may find it more comfortable to use. Here is the FreeBSD GNOME 3 Fast Track article that will help you with that.

gnome-4-apps

Accessories

There are some accessories that are very handy with the ThinkPad W520 laptop. I will describe them below.

Smaller Power Supply

The ThinkPad W520 comes with quite large brick of ThinkPad 170W Power Supply. It works. Its OK … but you can use smaller one and more universal at the same time. I use the ThinkPad 135W Power Supply that originally was sold with ThinkPad W510 – the earlier model. Besides being smaller in size it also has one additional advantage. Its plug is round and also fits into other ThinkPads from this line like ThinkPad X220 or ThinkPad T420s. The original ThinkPad 170W Power Supply unfortunately only fits into the ThinkPad W520 laptop. Below you can compare their sizes.

w520.ps

Mouse Companion

After checking many mouse models – as described in the UNIX Mouse Shootout article – I finally settled with Logitech Triathlon M720 mouse. I have plugged the Lenovo USB Receiver into the back ‘powered’ USB port. While I use that mouse over the USB receiver you can also connect it using Bluetooth – also to other computers. This mouse has a special dedicated button to switch between 3 different computers. Unfortunately the copy-paste between them does not work πŸ™‚

mouse-M720

If you would like to ‘save’ that port for something else then you may use special USB board adapter that you will place in the Bluetooth module under the palm rest. You would loose Bluetooth support then of course – but not everyone uses that. Its available for example on Aliexpress site and looks like that.

w520.usb-bluetooth-pink

I do not use it as I do not need the ‘back’ USB port so below you will find its mounted picture on the ThinkPad X220 laptop instead – along with the Lenovo USB Receiver attached.

w520.usb-bluetooth

Two Additional USB 3.0 Ports

The ThinkPad W520 comes with not well known today ExpressCard port. With this cheap adapter from Aliexpress you can add two additional USB 3.0 ports. You may of course do not need that many ports – but if you are left handed then you probably use mouse on the left of your laptop – then USB ports on the right will be handy.

w520.express

These USB 3.0 ports may be also useful with some bhyve(8) setups. Currently its not supported to pass-thru just a single USB port to a virtual machine. You need to pass thru entire controller. This way you can pass-thru that controller to bhyve(8) VM and have another USB 3.0 ports on the host.

Larger Custom Battery

The original largest extended battery for ThinkPad W520 had 9400mAh capacity. Its possible to get even larger custom extended battery but in the same physical size and shape – with 9600mAh capacity – and for only about $50. To remind you the original one costs closer to $200 unfortunately. I got mine from this Aliexpress page. With my power settings and with this battery along with enabled WiFi and screen brightness just one step less then maximum brightness it show more then 7 hours of time left in acpiconf(8) command.

% acpiconf -i 0
Design capacity:        10368 mAh
Last full capacity:     10368 mAh
Technology:             secondary (rechargeable)
Design voltage:         10800 mV
Capacity (warn):        518 mAh
Capacity (low):         18 mAh
Low/warn granularity:   1 mAh
Warn/full granularity:  1 mAh
Model number:           42T4763
Serial number:              1
Type:                   LION
OEM info:               SANYO
State:                  discharging
Remaining capacity:     97%
Remaining time:         7:17
Present rate:           1393 mA (17086 mW)
Present voltage:        12266 mV

As you can see from the command above this custom battery size is even reported as closer to 10400mAh instead of advertised 9600maH. I do not know how to check which one is closer to truth – but the fact is that it allows longer work then the official one – and for smaller price.

Experience

This laptop along with its smaller and lighter brothers such as ThinkPad X220 or ThinkPad T420s are the best machines I know to work on FreeBSD … but maybe its because I do not use newer laptops πŸ™‚ The general experience of FreeBSD on ThinkPad W520 is stable and uninterrupted work count in days and weeks of uptime. The suspend/resume works like a charm with many cycles possible – not just one. I one even recorded such suspend/resume cycle with many applications and games running on a busy FreeBSD system. Its available here FreeBSD 12.2 Suspend/Resume on a Vimeo page.

Here is now its being used daily.

w520.real

Summary

I have been using this laptop since many years and I even laugh that as its a decade old – I would use it for the next decade πŸ™‚ Most/all of this configuration applies to other ThinkPad models from this lineup like X220/T420s/T420/T520 … probably even L520 (but I did not tested that one).

EOF

Automated Kickstart Install of RHEL/Clones

There are two approaches to making your life more automated about installing multiple instances of operating systems. You can either maintain up-to-date templates for them or you can have automated/scripted installations. In this article I will share how to generate ISO image and Kickstart configuration to install Red Hat Enterprise Linux (and its clones such as Alma/Rocky/CentOS/Scientific/…) in easy and fast way. For the process I will use 8.5 version of RHEL.

Here is the Table of Contents for this article.

  • Logo
  • Possibilities
  • Environment
    • FreeBSD – www
    • RHEL Client – kickme
  • Validate
  • Generation
    • kickstart.config
    • kickstart.skel
    • kickstart.sh
    • ISO
  • Result
  • Alternatives
  • Summary

Logo

Shortly after IBM acquisition Red Hat started to use kinda boring ‘just a red hat’ logo – but its earlier logo – shown below – was more interesting.

rhel-logo

If you stare long enough you will see two dinosaurs. The Tyrannosaurus (red) punching a Triceratops (white) in the head. Once you see it you will not be able to unsee it πŸ™‚

Possibilities

There are many ways to do that automated Kickstart installation. You can use NFS/HTTP/FTP/HTTPS or your own generated DVD media … or use ‘stock’ DVD and Kickstart config available somewhere on the network.

I will use the following method that I find currently is best suited for my needs:

  • FreeBSD host with NGINX serving RHEL 8.5 DVD content (rhel-8.5-x86_64-dvd.iso) over HTTP.
  • Generate small (less then 1 MB in size) ISO with Kickstart config on it.
  • Boot from small rhel-8.5-x86_64-boot.iso ISO and also with generated Kickstart ISO.

Environment

I will use VirtualBox for this demo with NAT Network configuration for the virtual machines network adapters. The nat0 VirtualBox network is defined as 10.0.10.0/24 and I use Port Forwarding to access these machines from the FreeBSD host system.

Machines:

  • 10.0.10.210 - www – FreeBSD system with NGINX to serve RHEL 8.5 DVD contents
  • 10.0.10.199 - kickme – RHEL machine that would be installed with automated Kickstart install

FreeBSD – www

Below you will find the FreeBSD machine configuration as seen on VirtualBox.

vm-www

Its default FreeBSD ZFS install on single disk. Nothing fancy here to be honest. Below you will find its configuration from /etc/rc.conf file. I also installed the nginx package but the only thing I did with NGINX was to enable it to start automatically. I used the default stock config that points at /usr/local/www/nginx place. I later copied the RHEL 8.5 DVD contents to the /usr/local/www/nginx/rhel-8.5 directory. It takes about 10 GB.

www # cat /etc/rc.conf
hostname=www
ifconfig_em0="inet 10.0.10.210 netmask 255.255.255.0"
defaultrouter=10.0.10.1
sshd_enable=YES
nginx_enable=YES
zfs_enable=YES
dumpdev=AUTO
sendmail_enable=NO
sendmail_submit_enable=NO
sendmail_outbound_enable=NO
sendmail_msp_queue_enable=NO
update_motd=NO

Here is the unmodified NGINX config but with comments non displayed.

www # grep -v '#' /usr/local/etc/nginx/nginx.conf | grep '^[^#]'
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }
    }
}

Here are the contents of the /usr/local/www/nginx/rhel-8.5 directory after copying here contents of RHEL 8.5 DVD.

www:~ # ls -l /usr/local/www/nginx/rhel-8.5/
total 71
-r--r--r--  1 root  wheel     60 Apr  6 21:34 .discinfo
-r--r--r--  1 root  wheel   1560 Apr  6 21:34 .treeinfo
dr-xr-xr-x  4 root  wheel      4 Apr  6 21:50 AppStream
dr-xr-xr-x  4 root  wheel      4 Apr  6 21:53 BaseOS
dr-xr-xr-x  3 root  wheel      3 Apr  6 21:53 EFI
-r--r--r--  1 root  wheel   8154 Apr  6 21:53 EULA
-r--r--r--  1 root  wheel  18092 Apr  6 21:53 GPL
-r--r--r--  1 root  wheel   1669 Apr  6 21:53 RPM-GPG-KEY-redhat-beta
-r--r--r--  1 root  wheel   5135 Apr  6 21:53 RPM-GPG-KEY-redhat-release
-r--r--r--  1 root  wheel   1796 Apr  6 21:53 TRANS.TBL
-r--r--r--  1 root  wheel   1455 Apr  6 21:53 extra_files.json
dr-xr-xr-x  3 root  wheel      6 Apr  6 21:54 images
dr-xr-xr-x  2 root  wheel     16 Apr  6 21:54 isolinux
-r--r--r--  1 root  wheel    103 Apr  6 21:54 media.repo

RHEL Client – kickme

Below you will find the RHEL machine that will be used for the automated Kickstart installation – also as seen on VirtualBox.

vm-kickme

To make that example more interesting (and more corporate) I added second NIC for the backup network – so we will also have to generate additional route for it in the Kickstart config.

The kickme RHEL machine needs to have two (2) CD-ROM drives. In the PRIMARY (the one to boot from) we will load the rhel-8.5-x86_64-boot.iso ISO file. In the SECONDARY one we will load our generated kickme.oemdrv.iso ISO file containing Kickstart config file.

Validate

There also exists pykickstart package which offers ksvalidator tool. Theoretically it allows you to make sure that your Kickstart config has proper syntax and that it would work – but only in theory. Here is what it RHEL documentation states about its accuracy.

rhel-ksvalidator

It means that you will not know if your Kickstart config will work until you really try it – thus I do not cared that much about this tool as is not available on FreeBSD.

Generation

Now to the most important part – Kickstart generation and ISO generation. Probably the easiest way to create new Kickstart config is to install ‘by hand’ new RHEL system under virtual machine and then take the generated by Anaconda /root/anaconda-ks.cfg file as a starting point. This is what I also did.

When you would like to install next host you will have to edit the hostname and IP addresses for next host in that Kickstart file – which seems not very convenient to say the least. In order to make that less PITA I created a kickstart.sh script that will read values from kickstart.config file and then put them into the kickstart.skel file that would be base for our future installations. Then the kickstart.sh will copy the generated Kickstart file and used Kickstart config with that hostname as a backup or for future reference – or for example for documentation purposes.

kickstart.config

Here is how such kickstart.config file looks like.

# cat kickstart.config
  SYSTEM_NAME=kickme
  REPO_SERVER_IP=10.0.10.210
  INTERFACE1=enp0s3
  IP_ADDRESS1=10.0.10.199
  NETMASK1=255.255.255.0
  INTERFACE2=enp0s8
  IP_ADDRESS2=10.0.90.199
  NETMASK2=255.255.255.0
  GATEWAY=10.0.10.1
  NAMESERVER1=1.1.1.1
  NAMESERVER2=9.9.9.9
  NTP1=132.163.97.6
  NTP2=216.239.35.0
  ROUTE_NET=10.0.40.10/24
  ROUTE_VIA=10.0.20.1

kickstart.skel

The kickstart.skel file is little longer – this is our barebone for the Kickstart configs.

# cat kickstart.skel
#version=RHEL8

# USE sda DISK
ignoredisk --only-use=sda

# CLEAR DISK PARTITIONS BEFORE INSTALL
clearpart --all --initlabel

# USE text INSTALL
text

# USE ONLINE INSTALLATION MEDIA
url --url=http://REPO_SERVER_IP/rhel-8.5/BaseOS --noverifyssl

# KEYBOARD LAYOUTS
keyboard --vckeymap=us --xlayouts='us','pl'

# LANGUAGE
lang en_US.UTF-8

# NETWORK INFORMATION
network --bootproto=static --device=INTERFACE1 --ip=IP_ADDRESS1 --netmask=NETMASK1 --gateway=GATEWAY --nameserver=NAMESERVER1,NAMESERVER2 --noipv6 --activate
network --bootproto=static --device=INTERFACE2 --ip=IP_ADDRESS2 --netmask=NETMASK2 --noipv6 --activate --onboot=on
network --hostname=SYSTEM_NAME

# REPOS
repo --name="AppStream" --baseurl=http://REPO_SERVER_IP/rhel-8.5/AppStream

# ROOT PASSWORD
rootpw --plaintext asd

# DISABLE Setup Agent ON FIRST BOOT
firstboot --disable

# DISABLE SELinux AND FIREWALL
selinux --disabled
firewall --disabled

# OMIT X11
skipx

# REBOOT AND EJECT BOOT MEDIUM
reboot --eject

# TIMEZONE
timezone Europe/Warsaw --isUtc --nontp

# PARTITIONS
part   /boot/efi --fstype="efi"   --size=600  --ondisk=sda --label=EFI  --fsoptions="umask=0077,shortname=winnt"
part   /boot     --fstype="xfs"   --size=1024 --ondisk=sda --label=BOOT --fsoptions="rw,noatime,nodiratime"
part   pv.475    --fstype="lvmpv" --size=1    --ondisk=sda --grow

# LVM
volgroup rootvg --pesize=4096 pv.475
logvol /         --fstype="xfs"   --size=1024 --name=root --label="ROOT" --vgname=rootvg --fsoptions="rw,noatime,nodiratime"
logvol /usr      --fstype="xfs"   --size=5120 --name=usr  --label="USR"  --vgname=rootvg --fsoptions="rw,noatime,nodiratime"
logvol /var      --fstype="xfs"   --size=3072 --name=var  --label="VAR"  --vgname=rootvg --fsoptions="rw,noatime,nodiratime"
logvol /tmp      --fstype="xfs"   --size=1024 --name=tmp  --label="TMP"  --vgname=rootvg --fsoptions="rw,noatime,nodiratime"
logvol /opt      --fstype="xfs"   --size=1024 --name=opt  --label="OPT"  --vgname=rootvg --fsoptions="rw,noatime,nodiratime"
logvol /home     --fstype="xfs"   --size=1024 --name=home --label="HOME" --vgname=rootvg --fsoptions="rw,noatime,nodiratime"
logvol swap      --fstype="swap"  --size=4096 --name=swap --label="SWAP" --vgname=rootvg

# RPM PACKAGES
%packages
@^minimal-environment
kexec-tools
nfs-utils
nfs4-acl-tools
perl
chrony
%end

# KDUMP
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end

# POST INSTALL COMMANDS TO EXECUTE
%post --log=/root/ks-post.log --interpreter=/usr/bin/bash

  # POST: route
  echo ROUTE_NET via ROUTE_VIA > /etc/sysconfig/network-scripts/route-INTERFACE2

  # POST: chrony CONFIG
  cat << TIME > /etc/chrony.conf
server NTP1 iburst
server NTP2 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
keyfile /etc/chrony.keys
leapsectz right/UTC
TIME

  # POST: chrony SERVICE
  systemctl enable chronyd

%end

# PASSWORD REQUIREMENTS
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

kickstart.sh

… and last but not least – the kickstart.sh script. It does not take any arguments – it just loads the kickstart.config file variables and then replaces all config options in kickstart.skel with sed(1) to generate new Kickstart file as files/${SYSTEM_NAME}.cfg file. It also copies that config into files/${SYSTEM_NAME}.config for convenience.

# cat kickstart.sh
#! /bin/sh

if [ ! -f kickstart.config ]
then
  echo "ERROR: file 'kickstart.config' not available"
  exit 1
fi

if [ ! -f kickstart.skel ]
then
  echo "ERROR: file 'kickstart.skel' not available"
  exit 1
fi

. "$( pwd )/kickstart.config"

mkdir -p files ksfloppy iso

cp kickstart.config files/${SYSTEM_NAME}.config

if [ ${?} -eq 0 ]
then
  echo "INFO: kickstart config copied to 'files/${SYSTEM_NAME}.config' location"
else
  echo "ERROR: could not copy config to 'files/${SYSTEM_NAME}.config' location"
  exit 1
fi

sed                                           \
  -e s@SYSTEM_NAME@${SYSTEM_NAME}@g           \
  -e s@SALT_MINION_NAME@${SALT_MINION_NAME}@g \
  -e s@SALT_MASTER_IP@${SALT_MASTER_IP}@g     \
  -e s@REPO_SERVER_IP@${REPO_SERVER_IP}@g     \
  -e s@RHEL_MAJOR@${RHEL_MAJOR}@g             \
  -e s@RHEL_VERSION@${RHEL_VERSION}@g         \
  -e s@RHEL_ARCH@${RHEL_ARCH}@g               \
  -e s@INTERFACE1@${INTERFACE1}@g             \
  -e s@IP_ADDRESS1@${IP_ADDRESS1}@g           \
  -e s@NETMASK1@${NETMASK1}@g                 \
  -e s@INTERFACE2@${INTERFACE2}@g             \
  -e s@IP_ADDRESS2@${IP_ADDRESS2}@g           \
  -e s@NETMASK2@${NETMASK2}@g                 \
  -e s@GATEWAY@${GATEWAY}@g                   \
  -e s@NAMESERVER1@${NAMESERVER1}@g           \
  -e s@NAMESERVER2@${NAMESERVER2}@g           \
  -e s@NTP1@${NTP1}@g                         \
  -e s@NTP2@${NTP2}@g                         \
  -e s@ROUTE_NET@${ROUTE_NET}@g               \
  -e s@ROUTE_VIA@${ROUTE_VIA}@g               \
  kickstart.skel > files/${SYSTEM_NAME}.cfg

if [ ${?} -eq 0 ]
then
  echo "INFO: kickstart file 'files/${SYSTEM_NAME}.cfg' generated"
else
  echo "ERROR: failed to generate 'files/${SYSTEM_NAME}.cfg' kickstart file"
  exit 1
fi

echo "INFO: mkisofs(8) output BEGIN"
echo "-----------------------------"

mkisofs -J -R -l -graft-points -V "OEMDRV" \
        -input-charset utf-8 \
        -o iso/${SYSTEM_NAME}.oemdrv.iso \
        ks.cfg=files/${SYSTEM_NAME}.cfg ksfloppy

echo "-----------------------------"
echo "INFO: mkisofs(8) output ENDED"

if [ ${?} -eq 0 ]
then
  echo "INFO: ISO image 'iso/${SYSTEM_NAME}.oemdrv.iso' generated"
else
  echo "ERROR: failed to generate 'iso/${SYSTEM_NAME}.oemdrv.iso' ISO image"
  exit 1
fi

ISO

It finishes its work in less then a second. Here is its output.

kickstart.sh

… and the generated ISO file.

# ls -lh iso/kickme.oemdrv.iso
-rw-r--r--  1 root  wheel   366K Apr 10 21:57 iso/kickme.oemdrv.iso

Result

Now – when you boot the kickme VirtualBox virtual machine with CD-ROM devices loaded you will end up with RHEL system installed according to your generated Kickstart config. Here are some files from the kickme RHEL installed system.

Filesystems with LABELs such as BOOT or VAR defined.

# lsblk -i -f
NAME            FSTYPE      LABEL UUID                                   MOUNTPOINT
sda
|-sda1          xfs         BOOT  b5c66ea5-b38a-4072-b1a8-0d5882ace179   /boot
|-sda2          vfat        EFI   BB7A-4BFD                              /boot/efi
`-sda3          LVM2_member       e9BwIq-4I2W-zX6y-As42-f9N2-WTTR-WfHKdC
  |-rootvg-root xfs         ROOT  dbf8dd30-51cc-408a-9d05-b1ae67c0637c   /
  |-rootvg-swap swap        SWAP  c8a016b5-f43d-4510-9703-e9c68f02ae64   [SWAP]
  |-rootvg-usr  xfs         USR   c6694796-a5bd-4833-9a6b-a740e8bf83bf   /usr
  |-rootvg-home xfs         HOME  5264afe6-5d9c-4dc3-9d8d-e19078864aea   /home
  |-rootvg-opt  xfs         OPT   039e9575-3af8-4a8b-95c0-54fb8a515f70   /opt
  |-rootvg-tmp  xfs         TMP   11709a48-a64f-4b93-86a3-e943ff9ecf01   /tmp
  `-rootvg-var  xfs         VAR   ed20343c-b915-4234-b13e-0c6c94e03edc   /var
sr0
sr1

The /etc/fstab file with rw,noatime,nodiratime mount options.

# grep '^[^#] /etc/fstab
/dev/mapper/rootvg-root /                       xfs     rw,noatime,nodiratime 0 0
UUID=b5c66ea5-b38a-4072-b1a8-0d5882ace179 /boot xfs     rw,noatime,nodiratime 0 0
UUID=BB7A-4BFD          /boot/efi               vfat    defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
/dev/mapper/rootvg-home /home                   xfs     rw,noatime,nodiratime 0 0
/dev/mapper/rootvg-opt  /opt                    xfs     rw,noatime,nodiratime 0 0
/dev/mapper/rootvg-tmp  /tmp                    xfs     rw,noatime,nodiratime 0 0
/dev/mapper/rootvg-usr  /usr                    xfs     rw,noatime,nodiratime 0 0
/dev/mapper/rootvg-var  /var                    xfs     rw,noatime,nodiratime 0 0
/dev/mapper/rootvg-swap none                    swap    defaults        0 0

Networking on two network interfaces and additional route generated.

# cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
# Generated by parse-kickstart
TYPE=Ethernet
DEVICE=enp0s3
UUID=e1fddd41-f398-4c1d-8bef-e28ef705d568
ONBOOT=yes
IPADDR=10.0.10.199
NETMASK=255.255.255.0
GATEWAY=10.0.10.1
IPV6INIT=no
DNS1=1.1.1.1
DNS2=9.9.9.9
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME="System enp0s3"

# cat /etc/sysconfig/network-scripts/ifcfg-enp0s8
# Generated by parse-kickstart
TYPE=Ethernet
DEVICE=enp0s8
UUID=5454b587-8c29-41a7-93f8-532c814865de
ONBOOT=yes
IPADDR=10.0.90.199
NETMASK=255.255.255.0
IPV6INIT=no
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME="System enp0s8"

# cat /etc/sysconfig/network-scripts/route-enp0s8
10.0.40.10/24 via 10.0.20.1

# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 1.1.1.1
nameserver 9.9.9.9

Alternatives

Its also possible to use the livemedia-creator from the lorax package … but I would omit it. To be honest I tried it – and it did not worked at all. I started the following process … and it run for more then a DAY and produced NOTHING.

# livemedia-creator \
    --make-iso \
    --ram 4096 \
    --vcpus 4 \
    --iso=/mnt/rhel-8.5-x86_64-boot.iso \
    --ks=/mnt/mykick.cfg

The log file for the operation was also EMPTY. At least that was the run when using the virt-install option with creating everything under virtual machine. This also intrigue me a lot. Why use virtual machines just to create installation media? Its just a bunch of files. There are better options available such as chroot(8) for example … or even so glorified containers such as Docker or Podman. Why use fully fledged virtual machine just to create ISO image? This is a big mystery for me.

Seems that livemedia-creator also has --no-virt option available … but as documentation states – it can “render the entire system unusable” – not very production ready solution for my taste. Below is a screenshot from the official RHEL documentation.

rhel-render

Pity that livemedia-creator did not worked for me – but I already have a working process for that.

Some people also suggested these as valuable alternatives:

Maybe some day I will find time to check them out.

Summary

I am not the best at summaries so I will just write here that the article has ended successfully πŸ™‚

Regards.

EOF