a short recap of things decided upon IRC discussion, in order of priority
- prepare a local backup of the server setup, all inclusive
- prepare a remote backup, on EU mirror
- upgrade the base system and packages (it will remain based on quartely reposiory).
- other ... install and use beadm to allow instant recovery by rebooting, just in case.
ghostbsd server
Re: ghostbsd server
Good to hear! I'll comment on a few things here:
What do you consider part of the server setup (except for /etc and /usr/local/etc)? What about other valuable data (db dumps, website stuff, ...)?ASX wrote:- prepare a local backup of the server setup, all inclusive
Any ideas how to do this? I have a little bit of experience using Bacula and if you don't prefer any other solution, I'd suggest that one. But I'd have to look into getting transport encryption using TLS working. I've attempted that briefly and I think that I know what needs to be done for that, but I'd have to make sure.- prepare a remote backup, on EU mirror
On the Canadian server, I guess. What is the usual update strategy so far? Quarterly is fine IMO. BTW: What is the current structure of the Canadian server? Do we have something like dev/testing/prod jails?- upgrade the base system and packages (it will remain based on quartely reposiory).
Totally makes sense. Does anybody of you have experience with this, yet?- other ... install and use beadm to allow instant recovery by rebooting, just in case.
Re: ghostbsd server
The server is using a ZFS filesystem, so I guess that a snapshot/clone is a start.
We need to backup everything, , mainly to protect us against something going wrong with software upgrades:
server config, and jails
You should have received an email from me, for additional details. I'm open to discuss details and implementation.
As for remote backup, I tend to use rsync (which flow thru ssh), but again I'm open to alternative
As for beadm, I'm currently making some test here on a separate local machine
We need to backup everything, , mainly to protect us against something going wrong with software upgrades:
server config, and jails
You should have received an email from me, for additional details. I'm open to discuss details and implementation.
As for remote backup, I tend to use rsync (which flow thru ssh), but again I'm open to alternative
As for beadm, I'm currently making some test here on a separate local machine
Re: ghostbsd server
Just noticed one things about partition layout:
The swap is mirrored and should NOT, there is no reason to mirror a swap partition.
I'm going to change this soon, so that we will have 2 GB swap instead of 1 GB.
Code: Select all
root@server:~ # gpart show -p
=> 40 3907029088 ada0 GPT (1.8T)
40 1024 ada0p1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 2097152 ada0p2 freebsd-swap (1.0G)
2099200 3904929792 ada0p3 freebsd-zfs (1.8T)
3907028992 136 - free - (68K)
=> 40 3907029088 ada1 GPT (1.8T)
40 1024 ada1p1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 2097152 ada1p2 freebsd-swap (1.0G)
2099200 3904929792 ada1p3 freebsd-zfs (1.8T)
3907028992 136 - free - (68K)
I'm going to change this soon, so that we will have 2 GB swap instead of 1 GB.
Re: ghostbsd server
I just wanted to create users for us on the canadian server so we can get away from root login over SSH. But I have to admit that I'm a bit confused about the current state of the keys! Please help me make some sense from it. Here's what I've found:
/root/.ssh/authorized_keys:
But first things first: Why are we using two authorized_key files? I've seen this on very, very old machines in the past but this one is new, right? As far as I know, OpenSSH originally suggested putting newer keys (for usage with protocol 2!) in authorized_keys2. That was a suggestion from the last millennium, though, and the file authorized_keys2 has been deprecated basically forever. Protocol version 1 has been deprecated as well for more than a decade and disabled with OpenSSH 7.0, after all, so it doesn't make any sense to stick with it. Or did I overlook something here?
Just curious: Is there a reason that you're preferring the ecdsa keys? That tech is based on the NSA curves after all and smart people have expressed doubts about backdoors.
/root/.ssh/authorized_keys:
- An rsa key for ericbsd@ericbsd.ghostbsd.org
- An ecdsa key for ericbsd@ericbsd.ghostbsd.org
- An ecdsa key for root@ericbsd.ghostbsd.org
- An ecdsa key for root@eclipse
- An ed25519 key for kraileth
But first things first: Why are we using two authorized_key files? I've seen this on very, very old machines in the past but this one is new, right? As far as I know, OpenSSH originally suggested putting newer keys (for usage with protocol 2!) in authorized_keys2. That was a suggestion from the last millennium, though, and the file authorized_keys2 has been deprecated basically forever. Protocol version 1 has been deprecated as well for more than a decade and disabled with OpenSSH 7.0, after all, so it doesn't make any sense to stick with it. Or did I overlook something here?
Just curious: Is there a reason that you're preferring the ecdsa keys? That tech is based on the NSA curves after all and smart people have expressed doubts about backdoors.
Re: ghostbsd server
yes, root@eclipse is me, ASX.
about authorized_keys and authorized_keys2:
I added my key with ssh-copy-id, and it end-up automatically in authorized_keys2
ericbsd initially used and rsa key, and copied it with ssh-copy-id, which ended in authorized_keys,
later I asked him to create a ecdsa key.
You key was added by me manually in authorized_keys2.
Feel free to fix as needed.
about authorized_keys and authorized_keys2:
I added my key with ssh-copy-id, and it end-up automatically in authorized_keys2
ericbsd initially used and rsa key, and copied it with ssh-copy-id, which ended in authorized_keys,
later I asked him to create a ecdsa key.
You key was added by me manually in authorized_keys2.
Feel free to fix as needed.