Tutorial: cvs server on FreeNAS
First, when I started to research if “cvs” would work on my FreeNAS I found a whole lot of links to cvsd… but I recall using cvs over ssh for many many projects. Couldn’t I run just cvs over ssh?
Yes You Can!!! And this makes cvs on FreeNAS easier than ever. Not much modification is required, and I am very happy to report that I’ve got mine working very well.
So let’s get into it shall we?
In order to get cvs working, we need the cvs binary. FreeNAS is a FreeBSD core underneath the covers. There are many many releases of FreeBSD so we should find out what release we have. We can do this by running uname on the command prompt of your FreeNAS.
Mine says:
nas:/mnt/default# uname -a
FreeBSD nas.ejes.gotdns.org 6.4-RELEASE-p3 FreeBSD 6.4-RELEASE-p3 #0: Sat Apr 18 22:17:59 UTC 2009 root@vmbsd64i386:/usr/obj/freenas/usr/src/sys/FREENAS-i386 i386
nas:/mnt/default#
Now that I have the release number, I can simply browse the FreeBSD repository at ftp://ftp.freebsd.org (the 6.4 release is ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/6.4-RELEASE/6.4-RELEASE/packages/All/), and following the directory tree you can find most any other release.
Simply download the “cvs” binary cvs+ipv6-1.11.17_1.tbz (ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/6.4-RELEASE/6.4-RELEASE/packages/All/cvs+ipv6-1.11.17_1.tbz)
I used fetch on my system:
nas:/mnt/default# fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/6.4-RELEASE/6.4-RELEASE/packages/All/cvs+ipv6-1.11.17_1.tbz
cvs+ipv6-1.11.17_1.tbz 100% of 442 kB 266 kBps
Then, in the GUI, I added a group called “cvs”. I gave it the group id 2401 because port 2401 was the cvs server port (and I may want to use pserver one day).

The Group I used for my cvs

the user _cvs for myself
Thankfully a tbz file means a tar bzipped file, so we can use tar to extract the package from FreeBSD. I want all my cvs stuff in one place, so I’m going to extract it to my /mnt/default/cvs/tmp directory.
nas:/mnt/default/cvs/tmp# tar -vxzf cvs+ipv6-1.11.17_1.tbz
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x man/man1/cvs.1.gz
x man/man5/cvs.5.gz
x man/man8/cvsbug.8.gz
x bin/cvs
x bin/cvsbug
x bin/rcs2log
x share/cvs/contrib/README
x share/cvs/contrib/check_cvs
x share/cvs/contrib/clmerge
x share/cvs/contrib/cln_hist
x share/cvs/contrib/commit_prep
x share/cvs/contrib/cvs2vendor
x share/cvs/contrib/cvs_acls
x share/cvs/contrib/cvscheck
x share/cvs/contrib/cvscheck.man
x share/cvs/contrib/debug_check_log
x share/cvs/contrib/intro.doc
x share/cvs/contrib/log
x share/cvs/contrib/log_accum
x share/cvs/contrib/mfpipe
x share/cvs/contrib/pvcs2rcs
x share/cvs/contrib/rcs-to-cvs
x share/cvs/contrib/rcs2log
x share/cvs/contrib/rcslock
x share/cvs/contrib/sccs2rcs
x info/cvs.info
x info/cvs.info-1
x info/cvs.info-10
x info/cvs.info-2
x info/cvs.info-3
x info/cvs.info-4
x info/cvs.info-5
x info/cvs.info-6
x info/cvs.info-7
x info/cvs.info-8
x info/cvs.info-9
x info/cvsclient.info
x info/cvsclient.info-1
x info/cvsclient.info-2
x info/cvsclient.info-3
nas:/mnt/default/cvs/tmp#


Go back to the GUI and enable “Give full shell access to user.” for the _cvs user, then log in or “su _cvs” to become that user.
Now we have to initialize the cvs root directory; mine is /mnt/default/cvs/root. Run cvs init, and we’re off.
nas:/mnt/default/cvs/tmp# su _cvs
%cvs -d ~/root init
%exit
nas:/mnt/default# chown -R _cvs:cvs cvs
nas:/mnt/default#
Everything should be functional; all we need to do now is add anyone we want to be able to access cvs to the “cvs” group. I added “user” as a test.
On my OpenBSD terminal I set up a simple cvs system
$ CVS_RSH=ssh cvs -d:ext:_cvs@nas:/mnt/default/cvs/root checkout .
Works! GREAT!! Add my user to the “cvs” group, remove “shell” access from _cvs, done!
My Remote users have to set these settings:
CVS_RSH=ssh
CVSROOT=:ext:user@host:/mnt/default/cvs/root
CVSEDITOR=nano
Now I can import directories using: cvs import -m "comment" module_name committer start
Check them out on another machine using: cvs checkout module_name
Add files or directories: cvs add "file/directory"
And Commit my changes once they’re made: cvs commit
For example:
nas:/mnt/default# ssh user@192.168.0.2
user@192.168.0.2's password:
Last login: Tue Aug 4 16:46:50 2009 from 192.168.0.3
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ CVS_RSH=ssh; export CVS_RSH
$ CVSROOT=:ext:user@192.168.0.3:/mnt/default/cvs/root; export CVSROOT
$ CVSEDITOR=nano;export CVSEDITOR=nano
$ mkdir src
$ cd src
$ mkdir testing
$ cd testing
$ touch a file
$ ls
a file
$ cvs import -m "testing" test ejes start
user@192.168.0.3's password:
N test/a
N test/file
No conflicts created by this import
$ mkdir new
$ cvs add n
$ touch new/more
$ cd ..
$ ls
testing
$ rm -rf testing/
$ cvs checkout test
user@192.168.0.3's password:
cvs checkout: Updating test
U test/a
U test/file
$ cd test
$ mkdir new
$ touch new/more
$ cvs add new
user@192.168.0.3's password:
? new/more
Directory /mnt/default/cvs/root/test/new added to the repository
$ cvs add new/more
user@192.168.0.3's password:
cvs add: scheduling file `new/more' for addition
cvs add: use 'cvs commit' to add this file permanently
$ cvs commit
cvs commit: Examining .
cvs commit: Examining new
user@192.168.0.3's password:
RCS file: /mnt/default/cvs/root/test/new/more,v
done
Checking in new/more;
/mnt/default/cvs/root/test/new/more,v <-- more
initial revision: 1.1
done
$
Great Site
I’m into computer security (among so many other things)…
While I was stumbling around the internet today I found this site: (www.rnicrosoft.net)
Nick has some amazing stuff here, and in my opinion his site is totally worth a read.
Tutorial: Protect Folders In Windows
Sometimes we have folders and files that we don’t want anyone to be able to read… banking information, taxes, porn, lots of things.
I was thinking of this when I decided to peek around the web to find anything that may help; and although I forget the site, I DID find something quite handy. (http://www.bukisa.com/articles/108657_remove-stored-passwords-and-hide-floder-with-recycle-bin)
Basically, it turns any named folder into the “recycle bin” by using the CLSID of the recycle bin. Interesting Stuff!
Like normal, I created a batch script for those of you interested. (http://ejesconsulting.wordpress.com/scripts/hidefolder-bat/)
Cross Mobile Platform
My wife recently showed me this site that she goes to: Women’s Health. They have an “app”, so to speak; it’s a nice little slide show, in mp4 format, easy to put on all your mobile devices. I think that this is a GREAT idea because it has such cross platform potential. It’s cheap, easy and best of all supported by all the major mobile operating systems.
Tutorial: Bittorrents in FreeNAS
As you might notice, I have been playing around with FreeNAS a lot lately.
Among the many features that I enjoy in the FreeNAS project, one of my very favorite ones is the Bittorrent Server that it has built in.
Really it’s just a version of the Transmission bittorrent web client, which I remember from Mac OS (http://www.transmissionbt.com/), but running in WebGUI mode (by default on your FreeNAS server on port 9091, http://freenas:9091 or similar).
The features that I want specifically are the blocklist feature, which allows you to download a list of blocked IPs from known malware locations or otherwise malicious sites, and the ability to encrypt my traffic so that my ISP cannot detect my bittorrent traffic.
So let’s get started:
Step 1: Let’s open our firewall to let incoming bittorrent connections through. This will help the speed of my bittorrent client dramatically. In order to trick my ISP into not throttling my connections, I’ll be trying to get bittorrent to look like a VPN. This is accomplished by allowing only encrypted peers and setting the bittorrent traffic to the well known VPN TCP port 1723. On the firewall I only need to forward the VPN traffic port TCP/1723 on all WAN connections to my FreeNAS server on the same port.
Step 2: Under System| Advanced | rc.conf tab in the FreeNAS webGUI; add two variables: transmission_blocklist=YES, and transmission_noblocklist=NO.
Step 3: Under Services | Bittorrent; set the incoming port to 1723 (the VPN port I set earlier on my firewall), disable UPNP, and enable Encryption. Then Save and Restart the service.
Step 4: Download the blocklistdl script from my script repo (http://ejesconsulting.wordpress.com/blocklistdl/). It’s actually the same as the script from (http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=60&t=519&start=40). Place the script in a convenient directory. I put mine in my transmission home directory in a subdirectory called “bin”. I changed the attributes to executable, and owned by “transmission:staff”; the user and group that bittorrent runs as.
Step 5: Add a cron job to the System | Advanced | Cron tab of the FreeNAS Web GUI to run the script at a predetermined time. I set mine to run every Sunday night at midnight.
Step 6: While in the cron tab, I added a few timed download limits so that while I’m asleep or not home the bittorrent client can take 100% of the network bandwidth, but while I’m expected to be at home it would reduce its available downloads to a fraction of my maximum bandwidth.
The command is “/usr/local/bin/transmission-remote --no-uplimit --no-downlimit --auth admin:xxxxxxxx” to unlimit and “/usr/local/bin/transmission-remote --uplimit 20 --downlimit 20 --auth admin:xxxxxxxx” to limit to 20Kbps and 20Kbps upload and download while I’m home. Please modify these parameters as you see fit.
As always, if you find this useful or need more info I’d be happy to help.
Updated Screenshots for MediaWiki Tutorial
- FreeNAS WebGUI Configuration Settings
Tutorial: Install MediaWiki on FreeNAS

- FreeNAS Services|Webserver configuration
This is a step by step tutorial on how to go from “spare computer” to NAS w/MediaWiki for home.
Let’s get all our prerequisites together first: a copy of FreeNAS (www.freenas.org), a burnable CDROM, and a burner.
Burn FreeNAS onto your CDROM, and boot FreeNAS from the CDROM.
FreeNAS is quite easy to configure and set up, so I won’t cover it here.
Once you have a running FreeNAS setup, you must enable the webserver.
For simplicity, I changed my management interface to run on https (port 443), and my wiki page is the default http (port 80). To do this you can easily go to “System -> General” on the FreeNAS GUI, then under WebGUI change the “Protocol” to HTTPS and the Port to 443.
Enable webserver under “Services -> Webserver” and put its “Document root” somewhere useful. I put mine on my default public drive.

- Configuration settings for your WebGUI
Now I need a user to login to FreeNAS on the command prompt. My default user can do this by setting the “Shell access” in the “Access -> Users -> Edit” menus.
Also note that I am part of the “Admin” group, which allows me to run “su” to become root.

SSH to FreeNAS and become root
Now, open up an SSH session to the FreeNAS server and become root. Your root password is the same one for the “admin” GUI.
Go to http://www.mediawiki.org and download the latest version of MediaWiki. I did it with “fetch” on my command prompt.

using fetch, I downloaded mediawiki
Then decompress it: (tar -vxzf mediawiki-1.15.0.tar.gz && mv mediawiki-1.15.0/* . && rm -rf mediawiki-1.15.0)

Do what it says, configure it.
Then browse to your mediawiki page (it would be the root address of your NAS server).

MediaWikis database.
Fill out the questions that MediaWiki asks; but in “database config” you must configure a database and add a db to the “SQLite data directory”. I used a directory that cannot be browsed to on the web.
Then you should get a screen telling you that the installation was successful; next you move the “config/LocalSettings.php” file to the web-root and change ownership of all the web files. (mv config/LocalSettings.php . && chown -R www *)

Move the config, finalise the wiki
Now that that’s all configured, you can remove your “config” directory (if you’re making it external).

Rudimentary TCP/IP blocking
An old throwback from Arpanet is the old “hosts” file. This was used instead of DNS servers to resolve names to IP addresses.
The Internet is so huge now that the hosts file is no longer a useful way to resolve host names to IP addresses, but this “hosts” file does still exist on all TCP/IP capable computers.
You can find yours too by looking in the right spot.
Windows
In older versions of Windows (Windows Me and older) you can find your “hosts” file in your “%WINDIR%” (usually c:\windows). In more modern Windows variants (NT, 2000, XP, Vista, and 7) it can be found in “%SYSTEMROOT%\System32\drivers\etc” (it’s defined in the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath registry key).
Macintosh
On older Macintosh systems (9 and earlier) it can be found in the System or Preferences folder; on OS X (including iPhones and iPods) it is the /private/etc/hosts file.
UNIX/Linux/BSD
All UNIX based systems have a /etc/hosts file.
Netware
On Netware systems it is in the “SYS:etc\hosts” directory.
OS/2
In the c:\mptn\etc\ directory.
Once you’ve determined where your hosts file is you can find that it mostly contains information about your own computer. Something like:
127.0.0.1 localhost
Hackers sometimes will put their own entries in here to point you to their malicious sites:
www.evil.com www.google.com
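The above illustrates the idea: any request for www.google.com would effectively be sent to www.evil.com instead. In a real hosts file the first column is the IP address of the server, followed by the names that should resolve to it.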
We can use this to our advantage by blocking known malicious or just plain annoying sites.
Who maintains this list? The guys at MVPs.org have this as a free service. Located here: http://www.mvps.org/winhelp2002/hosts.txt
Just download that file, copy its entries into your “hosts” file and you should have a fairly up-to-date list of malicious sites and some rudimentary blocking of these sites.
How it works is when your computer goes to lookup the address to these malicious sites (should it ever have to), the address it gets back is 127.0.0.1 which is ALWAYS your own computer. Meaning that any time it tries to attach to a malicious site, it would actually try to attach to your own computer instead.
Remember, this doesn’t make you invincible; but it does definitely help.
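An added example, not part of the original post: a downloaded list is only a blocklist if every entry points at 127.0.0.1 (or 0.0.0.0), so this sketch filters the download before merging it and uses the same parser to flag existing entries that send a name to another machine. The sample hosts file, blocklist, names and addresses are constructed for illustration.

```python
import ipaddress

# Addresses a blocking entry may point at: this machine, or nowhere.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that must keep their existing mapping and are never added as blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample data (not taken from any real hosts file or blocklist).
HOSTS = ("127.0.0.1 localhost\n"
         "203.0.113.7 www.google.com  # constructed tampered entry\n")
BLOCKLIST = ("# constructed download\n"
             "127.0.0.1 localhost\n"
             "0.0.0.0 ads.example.com\n"
             "127.0.0.1 tracker.example.net\n"
             "198.51.100.9 bank.example.org\n")


def parse_hosts(text):
    """Yield (address, [names]) for each well-formed hosts line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, split columns
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])     # first column must be an IP
        except ValueError:
            continue
        yield fields[0], [name.lower() for name in fields[1:]]


def audit(hosts_text):
    """List (name, address) entries that send a name to another machine."""
    return [(name, addr)
            for addr, names in parse_hosts(hosts_text)
            if addr not in SINKHOLES
            for name in names]


def merge_blocklist(hosts_text, blocklist_text):
    """Append only sinkhole entries; return (new_hosts_text, rejected)."""
    present = {n for _, names in parse_hosts(hosts_text) for n in names}
    added, rejected = [], []
    for addr, names in parse_hosts(blocklist_text):
        for name in names:
            if addr not in SINKHOLES:
                rejected.append((name, addr))   # a redirect, not a block
            elif name not in present and name not in LOCAL_NAMES:
                added.append("127.0.0.1 " + name + "\n")
                present.add(name)
    return hosts_text.rstrip("\n") + "\n" + "".join(added), rejected


if __name__ == "__main__":
    print(audit(HOSTS))
    print(merge_blocklist(HOSTS, BLOCKLIST)[1])
```

The audit also reports legitimate entries for machines on your own network, so treat its output as a list to review rather than a list to delete.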
FreeNAS + MediaWiki Match Made In Heaven
I love my home network; it’s well designed and more importantly secure.
As part of a modern network, Network Attached Storage is a must. Especially since I like to have all my information centrally accessible for my XBMC and my multitude of computers and remote access sites, not to mention a source repository for my projects and consulting.
I evaluated a whole lot of solutions for Network Attached Storage, including out of the box NAS appliances and even building the functionality I needed with OpenBSD or Ubuntu Server. Finally I was turned on to FreeNAS by a colleague.
FreeNAS, out of the box, came with all the functionality I needed. Web server, Bittorrent, CIFS stack and NFS. As well as a bunch I don’t use (yet).
Configuration was a breeze, just boot from CD, and ta-da it worked beautifully.
I started doing a bit of development on the web-server portion of FreeNAS. It runs a full blown lighttpd server, with a tiny SQLite backend. This means that MediaWiki can actually work on this tiny embedded platform.
How? Simple.
In FreeNAS enable the web server, create a directory to serve from and put the latest version of MediaWiki there, configure it up, including a sqlite database (that I put in a non-browseable place for security purposes) and what do you know… home private wiki.
I’m going to start working on scripts and extensions so that my home media wiki will give information on my house, and media contained therein.
If there is enough interest, I’ll post a tutorial for setting up FreeNAS, and the MediaWiki.








Restrict a 14 year old from the internet
So I’ve taken a bit of time off – to spend with my son who came to stay with me from the far away place called Orillia.
I’m quite liberal with our computing environment – so he gets his own computer and to be “self regulated” over the Internet. He knows well enough that I have quite a complex network and know all the traffic that travels through our up link to the Internet.
Giving your 14 year old unrestricted internet access has its ups and downs. One major down was that he managed to eat my entire Rogers High Speed Internet quota in a matter of 4 days.
That’s right 4 days.
So to limit him, I entered his MAC address in my deny list and he isn’t able to attach to the internet. Easy right? No.
I also have a Wii, which has an Internet connection, and frequently will download updates for itself. My son also loves to play the Wii.
I don’t know exactly where he got the idea, but suddenly I noticed that my Wii was unplugged, and instead the “Wii” was browsing the Internet, Gigabytes at a time on World of Warcraft, Runescape, uTorrent, and Youtube. A browsing pattern I knew FAR too well.
He went into the Wii’s menu, looked up its MAC address, unplugged the Wii, then changed his own MAC address to the Wii’s, easily circumventing my restrictions.
Like father like son, I suppose. Now I have to physically log into my OpenBSD server from wherever I am and forcibly unload its networking modules, with a cron job to reload them when he would be allowed to regain access to the internet.
Written by ejes
August 18, 2009 at 1:49 pm
Posted in Commentary
Tagged with access control