Sam Varghese of iTWire interviews longtime FreeBSD user and sysadmin Allan Jude about the use of FreeBSD on the server.
For years now, Linux has been all the rage. But in recent times, there have been murmurings among some veterans — long-time users — after the introduction of systemd, the init system that seems to overstep its boundaries. And this talk is all about the old UNIX culture, the way one utility or application is used to do a job, do it well, and hand over the output to a second utility to process. Linux, in short, is becoming something like a Swiss army knife — complicated — and there has been talk of switching to an alternative. This is where FreeBSD comes in.

Some time back, iTWire discussed the possibility of PC-BSD being used on the desktop instead of Linux. PC-BSD is more or less the same as FreeBSD; in the words of Kris Moore, it has “a vanilla FreeBSD kernel/world with some unique installation options and a slew of graphical or command-line utilities to make FreeBSD on the desktop ‘easy’.”
But Linux is more widely used on the server, where FreeBSD can be a more than adequate replacement. To get an idea of the strengths and weaknesses of this operating system, iTWire interviewed Allan Jude, the vice-president of operations at ScaleEngine, a global HTTP and video streaming content distribution network; he makes extensive use of the ZFS filesystem on FreeBSD.
Jude (pictured above) is also the host of the video podcasts BSD Now (with Moore) and TechSNAP on JupiterBroadcasting.com. A FreeBSD committer, Jude is focused on documenting ZFS and further improving the manageability of FreeBSD. He taught FreeBSD and NetBSD administration at Mohawk College in Hamilton, Canada from 2007 to 2010 and has 12 years of experience as a systems administrator of BSD UNIX systems. And above all, he communicates using language that any layman can understand.
iTWire: Why would you recommend FreeBSD over other server operating systems?
Allan Jude: FreeBSD provides the right hybrid of long-term support and rolling release (continuous updates). It also keeps these two parts of the system separate. Everything has its place.
The FreeBSD base system is a very powerful suite of software built or maintained by the FreeBSD Project. It provides the basic necessities required to run the operating system.
This part of the system is distributed in releases. Minor releases are usually every six months or so with a major release approximately every 2 years. Each major release branch is supported for five years. Each major release promises ABI/API stability across its minor versions. This means that if you install an application on FreeBSD 10.0, and upgrade to 10.2, your application will still work, as nothing it depends on in the base system would have changed.
Anything additional that only a subset of people will need is provided by the ports collection. The ports collection is updated daily. This means you can always get the latest version of the software you need, be it a web server, scripting language, library, or desktop application. This means you are not stuck with an ancient version of the scripting language or library that your application depends on, and you are free to follow the latest developments.
In addition, there is a “Quarterly” branch of the ports collection that only receives security fixes. This is geared towards those that need a stable target to build against, instead of the latest and greatest version of everything.
How easy is it to install FreeBSD for the purpose of running a server for a small business?
(This is a good question for me; I helped add some features to the installer last year.)
Installing FreeBSD is very simple. The installation doesn’t require you to answer very many questions, and it is amazingly quick.
Installing from the CD/DVD or USB image is a very quick process. There are only two real questions to worry about:
a) Should I use ZFS or UFS?
In the end, ZFS is usually the right answer, unless you have very small disks or little memory for best performance.
If using ZFS, the other question is how to arrange the disks; if in doubt, use mirrors.
b) What should I name the machine?
There are lots of theories for this. In the past I was always partial to Star Trek references, mostly ship names and classes that were easy to spell. Lately, as the number of servers I manage has exceeded 100, I’ve adopted a system using ISO country codes, airport codes, and monotonically increasing numbers to keep track of where my servers are.
Then the installation will proceed, and at the end you can configure the server’s IP address, set the root password, and add some other users. Root is not allowed to log in remotely (over ssh etc.) by default, so be sure to add yourself as a user and put that user in the ‘wheel’ group (those allowed to su (switch user) to root).
Let’s assume that this business needs to manage its own website, mail and DNS using that server. What kind of hardware are we talking about? What platforms does FreeBSD support? Would it be better to use separate machines for each task or can one box do it all?
FreeBSD provides a massive collection of 25,000 applications you can install. Long before anyone dreamt of an “App Store”, FreeBSD had its collection of software known as Ports.
You can choose from a number of popular web servers (Apache, NGINX), database servers (Postgres, MySQL, MariaDB), mail servers (Postfix, Exim, OpenSMTPD), and DNS servers (BIND, NSD).
The hardware requirements will depend on the load of your sites, but most sites can run well on even relatively low-end commodity hardware.
One of the relatively unique features of FreeBSD is Jails. These are like the newly introduced containers on other operating systems, except focused on security, and battle-tested over the past 15 years.
Jails allow you to have a second installation of FreeBSD in a subdirectory, entirely isolated from the host operating system. While similar to a virtual machine, they do not suffer the same performance penalties. They also have a unique feature: the administrator on the host machine can look inside the jail and see what is happening, without the jailed user or attacker knowing that they are being observed.
Using the jails feature, the administrator can isolate the web server from the database server and from the DNS server. If one is compromised, the others are isolated, as if they were separate machines.
Add the features of ZFS and instant snapshots, and if something does go wrong inside a jail, it can easily be reverted to a previous “known good” state.
What kind of tools are there for helping a sysadmin automate tasks on FreeBSD?
FreeBSD has many of the same tools you have on other operating systems. For orchestration frameworks, FreeBSD is supported by Puppet, SaltStack, Ansible, CFEngine and others.
The new package management system, which was introduced to FreeBSD in 2013, makes installing and upgrading the applications on the server extremely fast and easy.
In addition, FreeBSD has some of its own tools, like sysrc, that make it easy to safely script changes to the FreeBSD configuration files. There is active development in this area to make it even easier to manage large numbers of FreeBSD machines.
How much learning is involved when it comes to running a FreeBSD server and what sources are available to help with answers?
You can learn a lot, or just a little. Anyone who has used a UNIX-like machine before will quickly find their way around on FreeBSD. Each utility and configuration file has its own well written, up-to-date manual page.
In addition, there is the FreeBSD Handbook, a giant 31-chapter reference manual that provides details on how each subsystem works, including quick start guides and numerous examples. The handbook is updated daily, and translated into other languages by a dedicated team of translators.
If your question is not answered by this large collection of documentation, there are the FreeBSD mailing lists and forums, or your company can hire a FreeBSD consultant.
Security-wise, how is FreeBSD compared to other operating systems used at the server-level? Any advantages that other OSs do not have? And any disadvantages?
The biggest security advantage to FreeBSD is that it comes with very little software preinstalled. The only applications that end up on your server are the ones you put there. This greatly reduces the attack surface.
FreeBSD has a number of security features, including secure levels, which allow the system to be locked down once it is set up, such that things like the firewall rules cannot be modified. So even if an attacker manages to compromise the system, they cannot weaken the security posture.
FreeBSD also has Capsicum, a capabilities framework that allows applications to reduce their level of privilege when they no longer need it. An example of this is tcpdump, the most common UNIX network packet analyser. In FreeBSD, after tcpdump opens the network interface (which requires administrator privileges) it drops its administrator privileges. If a bug in tcpdump allowed an attacker to execute code on the system by sending specially crafted packets that would be misinterpreted by the packet analyser, the code would be trapped in a sandbox with no privileges.
There are cases where people set up servers without adequate knowledge of what they _should_ not do. What would you recommend that sysadmins do to avoid this pitfall?
The FreeBSD Handbook provides a lot of guidance and best practices.
I would say the most important thing is to document how the server was set up, so it is easy to keep it updated. The most common thing inexperienced sysadmins do is avoid upgrading for fear of disrupting the working system. If the system cannot be updated, it cannot be secure.
Jails are great for this, because you have a running jail, and a second clone of that jail that has its own set of packages. This allows the administrator to do the upgrade and make sure things are working, then seamlessly flip over to the updated container.
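The snapshot-and-revert use of ZFS with jails mentioned earlier, and the clone-then-flip upgrade described here, as an added shell script that is not from the interview or the FreeBSD project. It assumes, as placeholders, a pool named zroot with one dataset per jail under zroot/jails mounted at /usr/jails/<jail>, and jails defined in /etc/jail.conf.

```shell
#!/bin/sh
# Added example (not the interview's or FreeBSD's code): revert a jail to a
# "known good" ZFS snapshot, or upgrade it in a clone and flip over once verified.
# Assumed placeholders: pool zroot, one dataset per jail under zroot/jails
# mounted at /usr/jails/<jail>, jails defined in /etc/jail.conf.
set -eu
POOL=${POOL:-zroot}
JAILS_DS="$POOL/jails"
JAIL_ROOT=${JAIL_ROOT:-/usr/jails}
DRY_RUN=${DRY_RUN:-}   # DRY_RUN=1 prints each command instead of executing it
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Record the current state of a jail before changing anything in it.
snapshot_jail() {   # snapshot_jail <jail> <label>
    run zfs snapshot "$JAILS_DS/$1@$2"
}

# Revert a broken or compromised jail. The jail is stopped first because the
# rollback replaces the live filesystem; -r also discards any newer snapshots.
rollback_jail() {   # rollback_jail <jail> <label>
    run service jail stop "$1"
    run zfs rollback -r "$JAILS_DS/$1@$2"
    run service jail start "$1"
}

# Clone the jail and upgrade packages inside the clone (pkg -c chroots into it),
# leaving the running jail untouched. The clone shares unchanged blocks with the
# snapshot, so creating it is instant and costs almost no space.
clone_for_upgrade() {   # clone_for_upgrade <jail> <label>
    run zfs snapshot "$JAILS_DS/$1@$2"
    run zfs clone "$JAILS_DS/$1@$2" "$JAILS_DS/$1-$2"
    run pkg -c "$JAIL_ROOT/$1-$2" upgrade -y
}

# Flip over: promote the clone so it owns the shared history, then swap dataset
# names. Inherited mountpoints follow the names, so jail.conf's path now points
# at the upgraded filesystem; the old one is kept as <jail>-pre-<label>.
promote_clone() {   # promote_clone <jail> <label>
    run service jail stop "$1"
    run zfs promote "$JAILS_DS/$1-$2"
    run zfs rename "$JAILS_DS/$1" "$JAILS_DS/$1-pre-$2"
    run zfs rename "$JAILS_DS/$1-$2" "$JAILS_DS/$1"
    run service jail start "$1"
}
case "${1:-}" in   # e.g. sh jailup.sh trial www 20150601 && sh jailup.sh flip www 20150601
    snapshot) snapshot_jail "$2" "$3" ;;
    rollback) rollback_jail "$2" "$3" ;;
    trial)    clone_for_upgrade "$2" "$3" ;;
    flip)     promote_clone "$2" "$3" ;;
esac
```

Set DRY_RUN=1 to print the zfs, pkg and service commands a step would run before letting it touch a live jail.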