diff options
| author | cvs2svn <cvs2svn@FreeBSD.org> | 1999-12-20 00:16:49 +0000 |
|---|---|---|
| committer | cvs2svn <cvs2svn@FreeBSD.org> | 1999-12-20 00:16:49 +0000 |
| commit | 37af766bc526e3dfbf5ab01dc560bd01e1adffe6 (patch) | |
| tree | 23d4a73bf955372633504b37d59c1fd7a0983bf8 /share/examples | |
| parent | 8c053ad76b76dbccf80704fc8f512958de0c049d (diff) | |
This commit was manufactured by cvs2svn to create tagrelease/3.4.0
'RELENG_3_4_0_RELEASE'.
Diffstat (limited to 'share/examples')
21 files changed, 0 insertions, 1048 deletions
diff --git a/share/examples/diskless/209.157.86.12/README b/share/examples/diskless/209.157.86.12/README deleted file mode 100644 index 0b52492979f2..000000000000 --- a/share/examples/diskless/209.157.86.12/README +++ /dev/null @@ -1,27 +0,0 @@ - - kernel, rc.local, and xdm-config are typically softlinks. Plus other - files, of course, depending on how you setup your system. - - rc.local and xdm-config might be softlinks into HT.DISKLESS, allowing - you to ease system administration when managing many diskless - workstations. You can also play other tricks, such as I play in - rc.conf.local by having it source ../HT.DISKLESS/rc.conf.local to get - class-based defaults. - - Note: the ttys file below contains an example of how to have X startup - on boot. - -apollo:/conf/209.157.86.12# ls -la -total 7 -drwxr-xr-x 2 root wheel 512 Feb 9 00:27 . -drwxr-xr-x 8 root wheel 512 Feb 8 22:48 .. -lrwxr-xr-x 1 root wheel 20 Feb 8 22:04 fstab -> ../HT.DISKLESS/fstab -lrwxr-xr-x 1 root wheel 17 Jan 24 23:33 kernel -> /kernel.diskless2 --rw-r--r-- 1 root wheel 133 Feb 8 22:04 rc.conf.local -lrwxr-xr-x 1 root wheel 23 Jan 25 00:41 rc.local -> ../HT.DISKLESS/rc.local --rw------- 1 root wheel 539 Jan 17 15:29 ssh_host_key --rw-r--r-- 1 root wheel 343 Jan 17 15:29 ssh_host_key.pub -lrwxr-xr-x 1 root wheel 26 Feb 9 00:27 syslog.conf -> ../HT.DISKLESS/syslog.conf --rw-r--r-- 1 root wheel 1408 Feb 8 19:54 ttys -lrwxr-xr-x 1 root wheel 25 Jan 25 00:38 xdm-config -> ../HT.DISKLESS/xdm-config - diff --git a/share/examples/diskless/209.157.86.12/rc.conf.local b/share/examples/diskless/209.157.86.12/rc.conf.local deleted file mode 100644 index 181c6723708f..000000000000 --- a/share/examples/diskless/209.157.86.12/rc.conf.local +++ /dev/null @@ -1,9 +0,0 @@ -# DISKLESS RC.CONF.LOCAL -# -# Override system standard /etc/rc.conf - -. /conf/HT.DISKLESS/rc.conf.local - -hostname=test2.backplane.com -start_xdm=NO - diff --git a/share/examples/diskless/209.157.86.12/ssh_host_key b/share/examples/diskless/209.157.86.12/ssh_host_key Binary files differdeleted file mode 100644 index ee90cd252e87..000000000000 --- a/share/examples/diskless/209.157.86.12/ssh_host_key +++ /dev/null diff --git a/share/examples/diskless/209.157.86.12/ssh_host_key.pub b/share/examples/diskless/209.157.86.12/ssh_host_key.pub deleted file mode 100644 index 7c99d2c0eb3b..000000000000 --- a/share/examples/diskless/209.157.86.12/ssh_host_key.pub +++ /dev/null @@ -1 +0,0 @@ -1024 33 131532587310298436102876167134780549224884868848048954510241288010381123823834489593599651234236801895942903979896941799980786675282403650831462626987993609590967535749256449810953893747928248417183421903403076895749793372279190481189373438759742396152779236777836204647146078686957945395785442097357022574693 root@apollo.backplane.com diff --git a/share/examples/diskless/HT.DISKLESS/fstab b/share/examples/diskless/HT.DISKLESS/fstab deleted file mode 100644 index f1ee38f2c2bd..000000000000 --- a/share/examples/diskless/HT.DISKLESS/fstab +++ /dev/null @@ -1,5 +0,0 @@ -# fstab for diskless machine. Root is already mounted, as is swap. -# -209.157.86.2:/usr /usr nfs ro 0 0 -209.157.86.2:/var /var nfs ro 0 0 -proc /proc procfs rw 0 0 diff --git a/share/examples/diskless/HT.DISKLESS/rc.conf.local b/share/examples/diskless/HT.DISKLESS/rc.conf.local deleted file mode 100644 index 16ddd1d7f18e..000000000000 --- a/share/examples/diskless/HT.DISKLESS/rc.conf.local +++ /dev/null @@ -1,34 +0,0 @@ -# DISKLESS RC.CONF.LOCAL -# -# Override system standard /etc/rc.conf - -ldconfig_paths="$ldconfig_paths /usr/krb5/lib" -ldconfig_paths_aout="$ldconfig_paths_aout /usr/krb5/lib/aout" - -# Must do NFS mounts early -# Must not attempt to mount root rw -# -early_nfs_mounts="YES" -root_rw_mount="NO" - -inetd_enable="NO" -portmap_enable="NO" -router_enable="NO" -cron_enable="NO" -sendmail_enable="NO" - -# Enable additional services -# - -nfs_client_enable="YES" -lpd_enable="YES" -ntpdate_enable="YES" -ntpdate_flags="apollo.backplane.com" -xntpd_enable="YES" - -if [ -f /etc/ipfw.conf ]; then - firewall_enable="YES" - firewall_type="/etc/ipfw.conf" - firewall_quiet="NO" -fi - diff --git a/share/examples/diskless/HT.DISKLESS/rc.local b/share/examples/diskless/HT.DISKLESS/rc.local deleted file mode 100755 index f473d4152168..000000000000 --- a/share/examples/diskless/HT.DISKLESS/rc.local +++ /dev/null @@ -1,77 +0,0 @@ -#!/bin/sh - -if [ -f /etc/rc.conf ]; then - . /etc/rc.conf -fi - -# Firewall helper - if we configure the firewall to let through -# ports > 4000, we need to configure the machines as such. -# - -sysctl -w net.inet.ip.portrange.first=4000 - -# Setup spool -# - -cat >> /var/spool/lpd/ljet4.ps << EOF -#!/bin/sh -# - -gs -q -dSAFER -dNOPAUSE -sDEVICE=ljet4 -r600x600 -dBitsPerPixel=1 \ - -sOutputFile=- - -EOF - -chmod 755 /var/spool/lpd/ljet4.ps - -mkdir /var/spool/ljet4 -chown daemon /var/spool/ljet4 - -# Setup remote source -# - -mount_mfs -s 600000 -T qp120at dummy /src -mount apollo:/FreeBSD /FreeBSD -mkdir /src/u3 -mkdir /src/u3/usr.obj - -# Copy of ssh_host_key* files to where sshd -# expects them, assuming you add to /usr/local/etc/sshd_config: -# -# HostKey /var/db/ssh_host_key -# -# Then restart sshd ( the /usr/local/etc/rc.d script installed by -# the port probably failed due to the lack of host keys ) - -if [ -f /conf/ME/ssh_host_key ]; then - cp /conf/ME/ssh_host_key* /var/db -else - (cd /var/db; ssh-keygen -f ssh_host_key -P "") -fi -chmod 400 /var/db/ssh_host_key -chmod 644 /var/db/ssh_host_key.pub -/usr/local/sbin/sshd - -# Copy home directory so you can login -# -# - -mount_mfs -s 65536 -T qp120at dummy /home - -if [ -d /home.diskless ]; then - cd /home.diskless - for i in *; do - if [ -f $i/home.tgz ]; then - mkdir /home/$i - chown $i /home/$i - chmod 700 /home/$i - (cd /home/$i; tar xzpf /home.diskless/$i/home.tgz) - homeok=1 - fi - done -fi - -if [ "${homeok:=0}" = "0" ]; then - echo "ERROR, NO /home.diskless DIRECTORY TO COPY TO /HOME" - sleep 10 -fi - diff --git a/share/examples/diskless/HT.DISKLESS/syslog.conf b/share/examples/diskless/HT.DISKLESS/syslog.conf deleted file mode 100644 index a7df1e96deea..000000000000 --- a/share/examples/diskless/HT.DISKLESS/syslog.conf +++ /dev/null @@ -1,3 +0,0 @@ -*.err;kern.debug;auth.notice;mail.crit;lpr.info /dev/console -*.err;kern.debug;auth.notice;mail.crit root -*.emerg * diff --git a/share/examples/diskless/HT.DISKLESS/ttys b/share/examples/diskless/HT.DISKLESS/ttys deleted file mode 100644 index 2c357d4b3b3b..000000000000 --- a/share/examples/diskless/HT.DISKLESS/ttys +++ /dev/null @@ -1,52 +0,0 @@ -# -# @(#)ttys 5.1 (Berkeley) 4/17/89 -# -# name getty type status comments -# -# This entry needed for asking password when init goes to single-user mode -# If you want to be asked for password, change "secure" to "insecure" here -console none unknown off secure -# -ttyv0 "/usr/X11R6/bin/xdm -nodaemon -config /conf/209.157.86.6/xdm-config" cons25 on secure -# Virtual terminals -ttyv1 "/usr/libexec/getty Pc" cons25 on secure -ttyv2 "/usr/libexec/getty Pc" cons25 on secure -ttyv3 "/usr/libexec/getty Pc" cons25 on secure -# Serial terminals -ttyd0 "/usr/libexec/getty std.9600" unknown off secure -ttyd1 "/usr/libexec/getty std.9600" unknown off secure -ttyd2 "/usr/libexec/getty std.9600" unknown off secure -ttyd3 "/usr/libexec/getty std.9600" unknown off secure -# Pseudo terminals -ttyp0 none network -ttyp1 none network -ttyp2 none network -ttyp3 none network -ttyp4 none network -ttyp5 none network -ttyp6 none network -ttyp7 none network -ttyp8 none network -ttyp9 none network -ttypa none network -ttypb none network -ttypc none network -ttypd none network -ttype none network -ttypf none network -ttypg none network -ttyph none network -ttypi none network -ttypj none network -ttypk none network -ttypl none network -ttypm none network -ttypn none network -ttypo none network -ttypp none network -ttypq none network -ttypr none network -ttyps none network -ttypt none network -ttypu none network -ttypv none network diff --git a/share/examples/diskless/HT.DISKLESS/xdm-config b/share/examples/diskless/HT.DISKLESS/xdm-config deleted file mode 100644 index 88ad35fbeea7..000000000000 --- a/share/examples/diskless/HT.DISKLESS/xdm-config +++ /dev/null @@ -1,15 +0,0 @@ -! $XConsortium: xdm-conf.cpp,v 1.2 93/09/28 14:30:32 gildea Exp $ -DisplayManager.errorLogFile: /var/run/xdm-errors -DisplayManager.pidFile: /var/run/xdm-pid -DisplayManager.servers: /usr/X11R6/lib/X11/xdm/Xservers-1 -DisplayManager.keyFile: /usr/X11R6/lib/X11/xdm/xdm-keys -DisplayManager.servers: /usr/X11R6/lib/X11/xdm/Xservers -DisplayManager.accessFile: /usr/X11R6/lib/X11/xdm/Xaccess -DisplayManager._0.authorize: true -DisplayManager._0.setup: /usr/X11R6/lib/X11/xdm/Xsetup_0 -DisplayManager._0.startup: /usr/X11R6/lib/X11/xdm/GiveConsole -DisplayManager._0.reset: /usr/X11R6/lib/X11/xdm/TakeConsole -DisplayManager*resources: /usr/X11R6/lib/X11/xdm/Xresources -DisplayManager*session: /usr/X11R6/lib/X11/xdm/Xsession -DisplayManager*authComplain: false - diff --git a/share/examples/diskless/HT.STD/aliases b/share/examples/diskless/HT.STD/aliases deleted file mode 100644 index 5988f793f814..000000000000 --- a/share/examples/diskless/HT.STD/aliases +++ /dev/null @@ -1,30 +0,0 @@ -# -# @(#)aliases 5.3 (Berkeley) 5/24/90 -# -# Aliases in this file will NOT be expanded in the header from -# Mail, but WILL be visible over networks or from /bin/mail. -# -# >>>>>>>>>> The program "newaliases" must be run after -# >> NOTE >> this file is updated for any changes to -# >>>>>>>>>> show through to sendmail. -# - -# Basic system aliases -- these MUST be present -MAILER-DAEMON: postmaster -postmaster: root - -# General redirections for pseudo accounts -bin: root -daemon: root -games: root -ingres: root -nobody: root -system: root -toor: root -uucp: root -usenet: root -root: root@backplane.com - -diablo: dillon -diablo-bugs: dillon - diff --git a/share/examples/diskless/HT.STD/forward.map b/share/examples/diskless/HT.STD/forward.map deleted file mode 100644 index d4253f8734c6..000000000000 --- a/share/examples/diskless/HT.STD/forward.map +++ /dev/null @@ -1,6 +0,0 @@ -# @(#)forward.map 1.1 1/17/95 -# -# Put addresses to be forwarded here. Example: -# -# garyw@mojosoft.com charliex@best.com -# diff --git a/share/examples/diskless/HT.STD/ndomain.map b/share/examples/diskless/HT.STD/ndomain.map deleted file mode 100644 index 63011d08ca91..000000000000 --- a/share/examples/diskless/HT.STD/ndomain.map +++ /dev/null @@ -1,11 +0,0 @@ -# -# example: -# fofs.com markl@shellx.best.com -# -# NOTE: FORWARD.MAP can be used to override NDOMAIN.MAP for specific -# users. NDOMAIN.MAP would then act as a catch-all -# -# NOTE: NDOMAIN.MAP only works to two levels. I.E. if you have an -# entry for fubar.com, then user@fubar.com will work and -# user@host.fubar.com will work, but NOT user@host.dom.fubar.com -# diff --git a/share/examples/diskless/HT.STD/syslog.conf b/share/examples/diskless/HT.STD/syslog.conf deleted file mode 100644 index cb92c6e6db07..000000000000 --- a/share/examples/diskless/HT.STD/syslog.conf +++ /dev/null @@ -1,11 +0,0 @@ -*.err;kern.debug;auth.notice;mail.crit /dev/console -# *.notice;kern.debug;lpr,auth.info;mail.crit /var/log/messages -*.debug;kern.debug;lpr,auth.info;mail.crit;news.crit /var/log/messages -mail.info /var/log/maillog -news.info /var/log/news -lpr.info /var/log/lpd-errs -cron.* /var/log/cron -#*.err root -#*.notice;auth.debug root -#*.alert root -*.emerg * diff --git a/share/examples/diskless/HT.STD/ttys b/share/examples/diskless/HT.STD/ttys deleted file mode 100644 index bcd059bd9091..000000000000 --- a/share/examples/diskless/HT.STD/ttys +++ /dev/null @@ -1,52 +0,0 @@ -# -# @(#)ttys 5.1 (Berkeley) 4/17/89 -# -# name getty type status comments -# -# This entry needed for asking password when init goes to single-user mode -# If you want to be asked for password, change "secure" to "insecure" here -console none unknown off secure -# -ttyv0 "/usr/libexec/getty Pc" cons25 on secure -# Virtual terminals -ttyv1 "/usr/libexec/getty Pc" cons25 on secure -ttyv2 "/usr/libexec/getty Pc" cons25 on secure -ttyv3 "/usr/libexec/getty Pc" cons25 on secure -# Serial terminals -ttyd0 "/usr/libexec/getty std.9600" unknown off secure -ttyd1 "/usr/libexec/getty std.9600" unknown off secure -ttyd2 "/usr/libexec/getty std.9600" unknown off secure -ttyd3 "/usr/libexec/getty std.9600" unknown off secure -# Pseudo terminals -ttyp0 none network -ttyp1 none network -ttyp2 none network -ttyp3 none network -ttyp4 none network -ttyp5 none network -ttyp6 none network -ttyp7 none network -ttyp8 none network -ttyp9 none network -ttypa none network -ttypb none network -ttypc none network -ttypd none network -ttype none network -ttypf none network -ttypg none network -ttyph none network -ttypi none network -ttypj none network -ttypk none network -ttypl none network -ttypm none network -ttypn none network -ttypo none network -ttypp none network -ttypq none network -ttypr none network -ttyps none network -ttypt none network -ttypu none network -ttypv none network diff --git a/share/examples/diskless/ME b/share/examples/diskless/ME deleted file mode 100644 index 85178e088a54..000000000000 --- a/share/examples/diskless/ME +++ /dev/null @@ -1,37 +0,0 @@ - -When templating, /conf/ME is typically a softlink to -/conf/<appropriate-machine>. When doing a diskless boot, /conf/ME is -retargeted by /etc/rc.diskless1 from pointing to the server to pointing -to the client's directory, /conf/<ip-address-of-client>. The retargeting -is accomplished through an MFS -o union mount. - -When templating, this softlink should be different for each machine. -When doing a diskless boot, this softlink is typically part of the / NFS -mount from the server and points to the server's conf directory, but gets -retargeted during the /etc/rc.diskless1 phase. - -System-wide configuration files must generally be targeted through /conf/ME. -For example, your /etc/rc.conf.local should become a softlink to -/conf/ME/rc.conf.local and your real rc.conf.local should go into the -appropriate /conf/<appropriate-machine> directory. This is also true of -/etc/rc.local, /etc/fstab, /etc/syslog.conf, /etc/ccd.conf, /etc/ipfw.conf, -/etc/motd, /etc/resolv.conf, and possibly even /etc/ttys ( if you want -to start an X session up on boot on certain of your machines ). - -When templating, you duplicate your / and /usr partitions on each machine's -local disk from a single master ( assuming /var and /home reside elsewhere ), -EXCEPT for the /conf/ME softlink. The /conf/ME softlink is the only thing -on / that should be different for each machine. - -There are often categories of configuration files. For example, all of your -shell machines may use one resolv.conf while all of your mail proxies may -use another. Configuration files can be categorized fairly easily through -/conf/HT.<category> directories. You put the actual configuration file in -/conf/HT.<category> and make a softlink from -/conf/ME/<appropriate-machines>/config-file to "../HT.<category/config-file". -This means that access to these files tends to run through more then one -softlink. The advantage is that for all the complexity of your /conf -directory hierarchy, most of your common config files exist in only one place -in reality. - - diff --git a/share/examples/diskless/README.BOOTP b/share/examples/diskless/README.BOOTP deleted file mode 100644 index 0032e80230e7..000000000000 --- a/share/examples/diskless/README.BOOTP +++ /dev/null @@ -1,157 +0,0 @@ - - BOOTP configuration mechanism - - Matthew Dillon - dillon@backplane.com - - BOOTP kernels automatically configure the machine's IP address, netmask, - optional NFS based swap, and NFS based root mount. The NFS server will - typically export a shared read-only /, /usr, and /var to any number of - workstations. The shared read-only root is typically either the server's - own root or, if you are more security concious, a contrived root. - - The key issue with starting up a BOOTP kernel is that you typically want - to export read-only NFS partitions from the server, yet still be able to - customize each workstation ( or not ). - - /etc/rc.diskless1 is responsible for doing core mounts and for retargeting - /conf/ME ( part of the read-only root NFS mount ) to /conf/$IP_OF_CLIENT. - /etc/rc.conf.local and /etc/rc.local, along with other machine-specific - configuration files, are typically softlinks to /conf/ME/<filename>. - - In the BOOTP workstation /conf/$IP/rc.conf.local, you must typically - turn *OFF* most of the system option defaults in /etc/rc.conf as well - as do additional custom configuration of your environment - - The /usr/src/share/examples/diskless directory contains a typical - X session / sshd based workstation configuration. The directories - involved are HT.DISKLESS/ and 192.157.86.12/. - - Essentially, the $IP/ directory ( which rc.diskless looks for in - /conf/$IP/ ) contains all the junk. The HT.DISKLESS directory exists - to hold common elements of your custom configuration so you do not have - to repeat those elements for each workstation. The example /conf - structure included here shows how to create a working sshd setup ( so - you can sshd into the diskless workstation ), retarget xdm's pid and error - files to R+W directories if /usr is mounted read-only, and retarget - syslogd and other programs. This example is not designed to run out of - the box and some modifications are required. - - >> NOTE << HT.DISKLESS/ttys contains the typical configuration required - to bring X up at boot time. Essentially, it runs xdm in the foreground - with the appropriate arguments rather then a getty on ttyv0. You must - run xdm on ttyv0 in order to prevent xdm racing with getty on a virtual - terminal. Such a race can cause your keyboard to be directed away from - the X session, essentially making the session unusable. - - Typically you should start with a clean slate by tar-copying this example - directory to /conf and then hack on it in /conf rather then in - /usr/share/examples/diskless. - - BOOTP CLIENT SETUP - - Here is a typical kernel configuration. If you have only one ethernet - interface you do not need to wire BOOTP to a specific interface name. - BOOTP requires NFS and NFS_ROOT, and our boot scripts require MFS. If - your /tmp is *not* a softlink to /var/tmp, the scripts also require NULLFS - -# BootP -# -options BOOTP # Use BOOTP to obtain IP address/hostname -options BOOTP_NFSROOT # NFS mount root filesystem using BOOTP info -options "BOOTP_NFSV3" # Use NFS v3 to NFS mount rootoptions -options BOOTP_COMPAT # Workaround for broken bootp daemons. -#options "BOOTP_WIRED_TO=de0" - -options MFS # Memory File System -options NFS # Network Filesystem -options NFS_ROOT # Nfs can be root -options NULLFS # nullfs to map /var/tmp to /tmp - - BOOTP SERVER SETUP - - The BOOTP server must be running on the same logical LAN as the the - BOOTP client(s). You need to setup two things: - - (1) You need to NFS-export /, /usr, and /var. - - (2) You need to run a BOOTP server. DHCPD can do this. - - - NFS Export: - - Here is an example "/etc/exports" file. - -/ -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192 -/usr -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192 -/var -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192 - - In order to be an NFS server, the server must run portmap, mountd, - nfsd, and rpc.statd. The standard NFS server options in /etc/rc.conf - will work ( you should put your overrides in /etc/rc.conf.local on the - server and not edit the distribution /etc/rc.conf, though ). - - BOOTP Server: - - This configuration file "/etc/dhcpd.conf" example is for - the '/usr/ports/net/isc-dhcp' dhcpd port. - - subnet 192.157.86.0 netmask 255.255.255.192 { - # range if you want to run the core dhcpd service of - # dynamic IP assignment, but it is not used with BOOTP - # workstations - range 192.157.86.32 192.157.86.62; - - # misc configuration. - # - option routers 192.157.86.2; - option domain-name-servers 192.157.86.2; - - server-name "apollo.fubar.com"; - option subnet-mask 255.255.255.192; - option domain-name-servers 192.157.86.2; - option domain-name "fubar.com"; - option broadcast-address 192.157.86.63; - option routers 192.157.86.2; - } - - host test1 { - hardware ethernet 00:a0:c9:d3:38:25; - fixed-address 192.157.86.11; - option root-path "192.157.86.2:/"; - option option-128 "192.157.86.2:/images/swap"; - } - - host test2 { - # hardware ethernet 00:e0:29:1d:16:09; - hardware ethernet 00:10:5a:a8:94:0e; - fixed-address 192.157.86.12; - option root-path "192.157.86.2:/"; - option option-128 "192.157.86.2:/images/swap"; - } - - SWAP. This example includes options to automatically BOOTP configure - NFS swap on each workstation. In order to use this capabilities you - need to NFS-export a swap directory READ+WRITE to the workstations. - - You must then create a swap directory for each workstation you wish to - assign swap to. In this example I created a dummy user 'lander' and - did an NFS export of /images/swap enforcing a UID of 'lander' for - all accesses. - - apollo:/usr/ports/net# ls -la /images/swap - total 491786 - drwxr-xr-x 2 root wheel 512 Dec 28 07:00 . - drwxr-xr-x 8 root wheel 512 Jan 20 10:54 .. - -rw-r--r-- 1 lander wheel 33554432 Dec 23 14:35 swap.192.157.86.11 - -rw-r--r-- 1 lander wheel 335544320 Jan 24 16:55 swap.192.157.86.12 - -rw-r--r-- 1 lander wheel 134217728 Jan 21 17:19 swap.192.157.86.6 - - A swap file is best created with dd: - - # create a 32MB swap file for a BOOTP workstation - dd if=/dev/zero of=swap.IPADDRESS bs=1m count=32 - - It is generally a good idea to give your workstations some swap space, - but not a requirement if they have a lot of memory. - diff --git a/share/examples/diskless/README.TEMPLATING b/share/examples/diskless/README.TEMPLATING deleted file mode 100644 index babf670c1eee..000000000000 --- a/share/examples/diskless/README.TEMPLATING +++ /dev/null @@ -1,286 +0,0 @@ - - TEMPLATING machine configurations - - Matthew Dillon - dillon@backplane.com - - This document describes a general mechanism by which you can template - / and /usr. That is, to keep a 'master template' of / and /usr on a - separate machine which is then used to update the rest of your machines. - - Generally speaking, you can't simply mirror /. You might be able to - get away with mirroring /usr. There are two main problems involved with - templating: - - (1) Avoiding overwriting run-time generated files - - By default, the system maintains a number of files in the root - partition. For example, sendmail will dbm /etc/aliases into - /etc/aliases.db. vipw or chpass or other password related routines - will regenerate the password dbm's /etc/spwd.db, /etc/pwd.db, and - passwd. /etc/namedb/s might contain generated secondaries. And - so forth. - - The templating mechanism must avoid copying over such files. - - (2) Customizing machines. - - Customizing machines is actually considerably simpler. You create - a configuration hierarchy and convert the configuration files that - have to be customized into softlinks that run through a special - softlink in the configuration directory. This will work for every - configuration file except possibly /etc/master.passwd - - For example, /etc/resolv.conf would be turned into a softlink to - /conf/ME/resolv.conf, and /conf/ME itself would be a softlink to - /conf/<HOSTNAME>. The actual resolv.conf configuration file - would reside in /conf/<HOSTNAME>. - - If you have a lot of hosts, some configuration files may be commonly - classified. For example, all your shell machines might have the - same /etc/resolv.conf. The solution is to make - /conf/<HOSTNAME>/resolv.conf a softlink to a common directory, say - /conf/HT.SHELL/resolv.conf. It may sound a little messy, but this - sort of categorization actually makes the sysadmins job much, much - easier. - - The /conf/ directory hierarchy is stored on the template and - distributed to all the machines along with the rest of the root - partition. - - This type of customization is taken from my direct experience - instituting such a system at BEST. At the time, BEST had over 45 - machines managed from a single template. - - RUN-TIME GENERATED OR MODIFIED FILES IN / or /USR - - /etc/aliases.db - /etc/master.passwd - /etc/spwd.db - /etc/pwd.db - /etc/passwd - /etc/namedb/s - /root/.history - /root/.ssh/identity - /root/.ssh/identity.pub - /root/.ssh/random_seed - /root/.ssh/known_hosts - /conf/ME - /kernel* ( note 2 ) - /dev ( note 3 ) - /var ( note 4 ) - /home ( note 4 ) - /lost+found - - /usr/lost+found - /usr/home ( note 4 ) - /usr/crash ( note 5 ) - /usr/obj ( note 5 ) - /usr/ports ( note 5 ) - /usr/src ( note 5 ) - /usr/local/crack ( note 5 ) - /usr/X11R6/lib/X11/xdm/xdm-errors ( note 6 ) - /usr/X11R6/lib/X11/xdm/xdm-pid ( note 6 ) - /usr/local/etc/ssh_host_key ( note 6 ) - /usr/local/etc/ssh_host_key.pub ( note 6 ) - /usr/local/etc/ssh_random_seed ( note 6 ) - - /conf/ME ( note 7 ) - - note 2: You typically want to update kernels manually and *NOT* - template them as a safety measure. This also allows you to run - different kernels on different machines or. - - note 3: /dev must be updated manually. Some devices, such as tty's and - pty's, use the access and/or modify time and/or user/group - operationally and regenerating the devices on the fly would be - bad. - - note 4: /var and /home are usually separately mounted partitions and - thus would not fall under the template, but as a safety measure - the template copier refuse to copy directories named 'home'. - - note 5: These are directories that are as often created directly on - /usr as they are separately-mounted partitions. You typically - do not want to template such directories. - - note 6: Note that you can solve the problem of xdm and sshd creating - files in /usr. With xdm, edit /usr/X11R6/lib/xdm/xdm-config - and change the errorLogFile and pidFile config lines. - - With sshd, add 'HostKey' and 'RandomSeed' directives to specify - /var/db for the location of the host key and run-time sshd - random seed: - - HostKey /var/db/ssh_host_key - RandomSeed /var/db/ssh_random_seed - - note 7: In this example, /conf/ME is the machine customizer and must - be pointed to the /conf/<full-host-name>/ directory, which is - different for each machine. Thus, the /conf/ME softlink - should never be overwritten by the templating copy. - - - TYPICAL CUSTOMIZED CONFIGRATION SOFTLINKS - - The following files typically need to be turned into softlinks - to /conf/ME/<filename>: - - /etc/ccd.conf -> /conf/ME/ccd.conf - /etc/ipfw.conf ... - /etc/fstab - /etc/motd - /etc/resolv.conf - /etc/aliases - /etc/sendmail.cw - /etc/organization - /etc/named.conf - /etc/rc.conf.local - /etc/printcap - /etc/inetd.conf - /etc/login.conf - /etc/gettytab - /etc/ntp.conf - /etc/exports - /root/.k5login -> /conf/ME/root/.k5login - - And, of course, /conf/ME is usually a softlink to the appropriate - /conf/<full-host-name>/. Depending on your system configuration, - there may be other files not listed above that you have to worry about. - - In many cases, /conf/ME/filename is itself a softlink to - "../HT.xxxx/filename", where HT.xxxx is something like HT.STD ... this - added complexity actually makes it easier to manage multiple - classifications of machines. - - DELETION OF FILES - - Any file found on the template destination that does not exist in the - source and is not listed as an exception by the source should be deleted. - However, deletion can be dangerous and cpdup will ask for confirmation - by default. Once you know you aren't going to blow things up, you can - turn this feature off and update your systems automatically from cron. - - By formalizing the delete operation, you can be 100% sure that it is - possible to recreate / and /usr on any machine with only the original - template and a backup of the ( relatively few ) explicitly-excepted - files. The most common mistake a sysop makes is to make a change to a - file in / or /usr on a target machine instead of the template machine. - If the target machine is updated once a night from cron, the sysop - quickly learns not to do this ( because his changes get overwritten - overnight ). With a manual update, these sorts of mistakes can propogate - for weeks or months before they are caught. - - TEMPLATE COPYING AND SAFETY - THE CPDUP PROGRAM - - The 'cpdup' program is a program which efficiently duplicates a directory - tree. The program copies source to destination, duplicating devices, - softlinks, hardlinks, files, modification times, uid, gid, flags, perms, - and so forth. The program incorporates several major features: - - * The program refuses, absolutely, to cross partition boundries. - i.e. if you were copying the template /usr from an NFS mount to - your /usr, and you had a mount point called /usr/home, the - template copying program would *NOT* descend into /usr/home on - the destination. - - This is a safety. - - * The program accesses a file called .cpignore in each directory - it descending into on the source to obtain a list of exceptions - for that directory -- that is, files not to copy or mess with. - - This is a templating function. - - * The program refuses to delete a directory on the destination - being replaced by a softlink or file on the source. - - This is a safety mechanism - - * The program is capable of maintaing MD5 check cache files and - doing an MD5 check between source and destination during the - scan. - - * The program is capable of deleting files/directories on the - destination that do not exist on the source, but asks for - confirmation by default. - - This is a templating and a safety mechanism. - - * The program uses a copy-to-tmp-and-rename methodology allowing - it to be used to update live filesystems. - - This is a templating mechanism. - - * The program, by default, tries to determine if a copy is required - by checking modify times, file size, perms, and other stat - elements. If the elements match, it does not bother to copy - ( unless an MD5 check is being made, in which case it must read - the destination file ). - - You typically run cpdup on the target machine. The target machine - temporarily mounts the template machine's / and /usr via NFS, read-only, - and runs cpdup to update / and /usr. If you use this methodology note - that THERE ARE SECURITY CONSIDERATIONS! See 'SECURITY CONSIDERATIONS WITH - NFS' below. - - Whatever script you use that does the NFS mounts should ensure that the - mount succeeded before continuing with the cpdup. - - You should create .cpignore files in the appropriate directories on the - template machine's / and /usr partitions so as not to overwrite active - files on the target. The most critical .cpignore files should be - protected with 'chflags schg .cpignore'. Specifically, the ones in / - and /etc, but possibly others as well. For example, the .cpignore - hierarchy for protect /root is: - - # /root/.cpignore contains - .history - - # /root/.ssh/.cpignore contains - random_seed - known_hosts - authorized_keys - identity - identity.pub - - WHEN INITIALLY CONVERTING A TARGET MACHINE TO USE TEMPLATING, ALWAYS - MAKE A FULL BACKUP OF THE TARGET MACHINE FIRST! You may accidently delete - files on the target during the conversion due to forgetting to enter - items into appropriate .cpignore files on the source. - - SECURITY CONSIDERATIONS WITH NFS ROOT EXPORT FROM TEMPLATE MACHINE - SECURITY CONSIDERATIONS WITH NFS USR EXPORT FROM TEMPLATE MACHINE - - There are some serious security considerations that must be taken into - account when exporting / and /usr on the template machine. - - * only export read-only - - * the password file ( aka vipw ) may not contain any crypted passwords - at all. You MUST use ssh or kerberos to access the template machine. - - You can get away with giving only root a crypted password, but only - if you disallow network root logins and only allow direct root - logins on the console. - - * The machine's private ssh_host_key usually resides in /usr/local/etc. - You must move this key to /var/db. You can softlink link so no - modification of sshd_config is required. - - * The machine's private ~root/.ssh/identity file is also exposed by - the NFS export, you should move this file to /var/db as well and - put a softlink in ~root/.ssh. - - * DON'T EXPORT /var ! Either that, or don't put the private keys - in /var/db ... put them somewhere else. - - * You may want to redirect the location of the random_seed file, which - can be done by editing ~root/.ssh/sshd_config and - /usr/local/etc/sshd_config so it is not exposed either. - - -Matt - Matthew Dillon - dillon@backplane.com - diff --git a/share/examples/netgraph/frame_relay b/share/examples/netgraph/frame_relay deleted file mode 100644 index 0becb471c810..000000000000 --- a/share/examples/netgraph/frame_relay +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh -# script to set up a frame relay link on the sr card. -# The dlci used is selected below. The default is 16 -# $FreeBSD$ - -CARD=sr0 -DLCI=16 - -# create a frame_relay type node and attach it to the sync port. -ngctl mkpeer ${CARD}: frame_relay rawdata downstream - -# Attach the dlci output of the (de)multiplexor to a new -# Link management protocol node. -ngctl mkpeer ${CARD}:rawdata lmi dlci0 auto0 - -# Also attach dlci 1023, as it needs both to try autoconfiguring. -# The Link management protocol is now alive and probing.. -ngctl connect ${CARD}:rawdata ${CARD}:rawdata.dlci0 dlci1023 auto1023 - -# Attach the DLCI(channel) the Telco has assigned you to -# a node to hadle whatever protocol encapsulation your peer -# is using. In this case rfc1490 encapsulation. -ngctl mkpeer ${CARD}:rawdata rfc1490 dlci${DLCI} downstream - - -# Attach the ip (inet) protocol output of the protocol mux to the ip (inet) -# input of a netgraph "interface" node (ifconfig should show it as "ng0"). -#if interface ng0 needs to be created use a mkpeer command.. e.g. -ngctl mkpeer ${CARD}:rawdata.dlci${DLCI} iface inet inet - -# if ng0 already exists, use a CONNECT command instead of a mkpeer. e.g. -# ngctl connect ${CARD}:rawdata.dlci${DLCI} ng0: inet inet - -# Then use ifconfig on interface ng0 as usual - -# A variant on this whole set might use the 'name' command to make it more -# readable. but it doesn't work if you have multiple lines or dlcis -# e.g. -# ngctl mkpeer ${CARD}: frame_relay rawdata downstream -# ngctl name ${CARD}:rawdata mux -# ngctl mkpeer mux: lmi dlci0 auto0 -# ngctl name mux:dlci0 lmi -# ngctl connect mux: lmi: dlci1023 auto1023 -# ngctl mkpeer mux: rfc1490 dlci${DLCI} downstream -# ngctl mux:dlci${DLCI} protomux -# ngctl mkpeer protomux: iface inet inet diff --git a/share/examples/netgraph/ngctl b/share/examples/netgraph/ngctl deleted file mode 100644 index 6f9507b95e4b..000000000000 --- a/share/examples/netgraph/ngctl +++ /dev/null @@ -1,173 +0,0 @@ -# $FreeBSD$ - -# -# This is an example that shows how to send ASCII formatted control -# messages to a node using ngctl(8). -# -# What we will do here create a divert(4) tap. This simply dumps -# out all packets diverted by some ipfw(8) divert rule to the console. -# -# Lines that begin with ``$'' (shell prompt) or ``+'' (ngctl prompt) -# indicate user input -# - -# First, start up ngctl in interactive mode: - - $ ngctl - Available commands: - connect Connects hook <peerhook> of the node at <relpath> to <hook> - debug Get/set debugging verbosity level - help Show command summary or get more help on a specific command - list Show information about all nodes - mkpeer Create and connect a new node to the node at "path" - msg Send a netgraph control message to the node at "path" - name Assign name <name> to the node at <path> - read Read and execute commands from a file - rmhook Disconnect hook "hook" of the node at "path" - show Show information about the node at <path> - shutdown Shutdown the node at <path> - status Get human readable status information from the node at <path> - types Show information about all installed node types - quit Exit program - + - -# Now let's create a ng_ksocket(8) node, in the family PF_INET, -# of type SOCK_RAW, and protocol IPPROTO_DIVERT: - - + mkpeer ksocket foo inet/raw/divert - -# Note that ``foo'' is the hook name on the socket node, which can be -# anything. The ``inet/raw/divert'' is the hook name on the ksocket -# node, which tells it what kind of socket to create. - -# Lets give our ksocket node a global name. How about ``fred'': - - + name foo fred - -# Note that we used ngctl's ``name'' command to do this. However, -# the following manually constructed netgraph message would have -# acomplished the exact same thing: - - + msg foo name { name="fred" } - -# Here we are using the ASCII <-> binary control message conversion -# routines. ngctl does this for us automatically when we use the -# ``msg'' command. - -# Now lets bind the socket associated with the ksocket node to a port -# supplied by the system. We do this by sending the ksocket node a -# ``bind'' control message. Again, ngctl does the conversion of the -# control message from ASCII to binary behind the scenes. - - + msg fred: bind inet/192.168.1.1 - -# The ksocket accepts arbitrary sockaddr structures, but also has -# special support for the PF_LOCAL and PF_INET protocol families. -# That is why we can specify the struct sockaddr argument to the -# ``bind'' command as ``inet/192.168.1.1'' (since we didn't specify -# a port number, it's assumed to be zero). We could have also -# relied on the generic sockaddr syntax and instead said this: - - + msg fred: bind { family=2 len=16 data=[ 2=192 168 1 1 ] } - -# This is what you would have to do for protocol families other -# that PF_INET and PF_LOCAL, at least until special handling for -# new ones is added. - -# The reason for the ``2=192'' is to skip the two byte IP port number, -# which causes it to be set to zero, the default value for integral -# types when parsing. Now since we didn't ask for a specific port -# number, we need to do a ``getname'' to see what port number we got: - - + msg fred: getname - Rec'd response "getname" (5) from "fred:": - Args: inet/192.168.1.1:1029 - -# As soon as we sent the message, we got back a response. Here -# ngctl is telling us that it received a control message with the -# NGF_RESP (response) flag set, the reponse was to a prior ``getname'' -# control message, that the originator was the node addressable -# as ``fred:''. The message arguments field is then displayed to -# us in its ASCII form. In this case, what we get back is a struct -# sockaddr, and there we see that our port number is 1029. - -# So now let's add the ipfw divert rule for whatever packets we -# want to see. How about anything from 192.168.1.129. - - + ^Z - Suspended - $ ipfw add 100 divert 1029 ip from 192.168.1.129 to any - 00100 divert 1029 ip from 192.168.1.129 to any - $ fg - -# Now watch what happens when we try to ping from that machine: - - + - Rec'd data packet on hook "foo": - 0000: 45 00 00 3c 57 00 00 00 20 01 bf ee c0 a8 01 81 E..<W... ....... - 0010: c0 a8 01 01 08 00 49 5c 03 00 01 00 61 62 63 64 ......I\....abcd - 0020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 efghijklmnopqrst - 0030: 75 76 77 61 62 63 64 65 66 67 68 69 uvwabcdefghi - + - Rec'd data packet on hook "foo": - 0000: 45 00 00 3c 58 00 00 00 20 01 be ee c0 a8 01 81 E..<X... ....... - 0010: c0 a8 01 01 08 00 48 5c 03 00 02 00 61 62 63 64 ......H\....abcd - 0020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 efghijklmnopqrst - 0030: 75 76 77 61 62 63 64 65 66 67 68 69 uvwabcdefghi - + - Rec'd data packet on hook "foo": - 0000: 45 00 00 3c 59 00 00 00 20 01 bd ee c0 a8 01 81 E..<Y... ....... - 0010: c0 a8 01 01 08 00 47 5c 03 00 03 00 61 62 63 64 ......G\....abcd - 0020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 efghijklmnopqrst - 0030: 75 76 77 61 62 63 64 65 66 67 68 69 uvwabcdefghi - + - -# So we're seeing the output from the ksocket socket appear on the ``foo'' -# hook of ngctl's socket node. Since the packets are getting diverted, -# the 192.168.1.129 machine doesn't see any response from us. - -# Of course, any type of socket can be used, even TCP: - - + mkpeer ksocket bar inet/stream/tcp - + msg bar connect inet/192.168.1.33:13 - ngctl: send msg: Operation now in progress - + - Rec'd data packet on hook "foo": - 0000: 4d 6f 6e 20 4e 6f 76 20 32 39 20 31 37 3a 34 38 Mon Nov 29 17:48 - 0010: 3a 33 37 20 31 39 39 39 0d 0a :37 1999.. - + - -# Or, UNIX domain: - - + mkpeer ksocket bar local/stream/0 - + msg bar bind local/"/tmp/bar.socket" - + - -# Here's an example of a more complicated ASCII control message argument. -# If you look in /sys/netgraph/ng_message.h, you will see that a node -# responds to a NGM_LISTHOOKS with a struct hooklist, which contains -# an array of struct linkinfo: -# -# /* Structure used for NGM_LISTHOOKS */ -# struct linkinfo { -# char ourhook[NG_HOOKLEN + 1]; /* hook name */ -# char peerhook[NG_HOOKLEN + 1]; /* peer hook */ -# struct nodeinfo nodeinfo; -# }; -# -# struct hooklist { -# struct nodeinfo nodeinfo; /* node information */ -# struct linkinfo link[0]; /* info about each hook */ -# }; -# -# By sending a node the ``listhooks'' command using ngctl, we can see -# this structure in ASCII form (lines wrapped for readability): - - + msg bar bind local/"/tmp/bar.socket" - + msg bar listhooks - Rec'd response "listhooks" (7) from "bar": - Args: { nodeinfo={ type="ksocket" id=9 hooks=1 } - linkinfo=[ { ourhook="local/stream/0" peerhook="bar" - nodeinfo={ name="ngctl1327" type="socket" id=8 hooks=1 } } ] } - - diff --git a/share/examples/netgraph/raw b/share/examples/netgraph/raw deleted file mode 100644 index e0970f3c0b33..000000000000 --- a/share/examples/netgraph/raw +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh -# script to connect a raw synchronous card to a system interface. -# Assumes the file if_sr was compiled with options NETGRAPH. -# $FreeBSD$ - -CARD=sr0 - -# create an interface "ng0" and attach it to the sync port. -# The packets had jolly well better be ip because we are not discriminating. -ngctl mkpeer ${CARD}: iface rawdata inet - -# if ng0 already exists, use a CONNECT command instead of a mkpeer. e.g. -# ngctl connect ${CARD}: ng0: rawdata inet - -# Then use ifconfig on interface ng0 as usual - |