Random *NIX Fix

FreeBSD 13.0 Base Jails With ZFS and VNET

As of late I have had some pain points with iocage, which I used since I started using FreeBSD in 2017. I came from an Ubuntu with LXD + ZFS background and iocage had the command line interface I wanted that felt familiar with LXD at the time.

Well, iocage seems dead now. Its last release was in 2019 and its last commit (at the time of writing this) was September 30, 2021. Of course, that commit isn’t in what’s in FreeBSD ports, unless you use the devel package..and, that package has some issues (for me, iocage list doesn’t work right).

Because of this, I decided to take up the challenge of making my own base jails. To start, I will give credit where credit is due and say I followed these resources to get me to where I am:

Creating the Release

First off, we need to create a release jail. This is a base image that we can use to make cloned jails, thick jails, or our base jails from. I’m going to start by making a new jails dataset and mounting it at /jails:

$ zfs create -o mountpoint=/jails zroot/jails

Here is the foundation for everything. Now I’ll create a few other datasets for our releases, templates and running jails, as well as our first release dataset (13.0-RELEASE):

$ zfs create -p zroot/jails/releases/13.0-RELEASE
$ zfs create zroot/jails/templates
$ zfs create zroot/jails/jails

Next, we need to download the base OS as well as lib32 for our jail. The contents should be extracted into /jails/releases/13.0-RELEASE in the end.

$ fetch https://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/base.txz -o /tmp/base.txz
$ fetch https://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/lib32.txz -o /tmp/lib32.txz
$ tar -xf /tmp/base.txz -C /jails/releases/13.0-RELEASE
$ tar -xf /tmp/lib32.txz -C /jails/releases/13.0-RELEASE

Now let us update the jail contents:

$ env UNAME_r=13.0-RELEASE freebsd-update -b /jails/releases/13.0-RELEASE fetch install
$ env UNAME_r=13.0-RELEASE freebsd-update -b /jails/releases/13.0-RELEASE IDS

Then, we can copy our /etc/localtime and our /etc/resolv.conf files into the jail:

$ cp /etc/localtime /jails/releases/13.0-RELEASE/etc/localtime
$ cp /etc/resolv.conf /jails/releases/13.0-RELEASE/etc/resolv.conf

Nice. Now we have our base. Let’s snapshot it so we can clone it. We will clone this to our templates folder after we take the snapshot:

$ zfs snapshot zroot/jails/releases/13.0-RELEASE@p4
$ zfs clone zroot/jails/releases/13.0-RELEASE@p4 zroot/jails/templates/base-13.0-RELEASE

This part is done. The release is made, now we have a base created for our base jails.

Creating Our Skeleton

Since we want to be using nullfs mounts for our base jail, we are going to want to make another clone and wipe out the contents of that new clone. Here I think you can debate whether or not you want to take a clone of the base-13.0-RELEASE clone from earlier, or if you want to clone from the release. I opted to clone from the release. Maybe one is a proper way, but at this time I can’t see a drawback to either way myself.

$ zfs clone zroot/jails/releases/13.0-RELEASE@p4 zroot/jails/templates/skeleton-13.0-RELEASE

Now we want to hollow out the skeleton we just made. In Clinta’s example, this is where I started to encounter issues, namely with /usr/local since it doesn’t seem you can mount /usr/local if /usr is nullfs’d…this could create a bunch of other problems too, namely, too much stuff is set up with nullfs mounts. The way that is shown by Michael W Lucas and the iocage people is more sensible in this case. We need to EMPTY the contents of some directories without deleting the directories. Note, some directories (such as the lib directories) have immutable files, so you’ll have to make the files mutable if you encounter the error:

$ rm -rf /jails/templates/skeleton-13.0-RELEASE/bin/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/boot/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/lib/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/lib/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/libexec/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/libexec/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/rescue/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/sbin/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/sbin/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/usr/bin/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/bin/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/include/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/usr/lib/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/lib/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/usr/libexec/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/libexec/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/sbin/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/share/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/libdata/*
$ chflags -R noschg /jails/templates/skeleton-13.0-RELEASE/usr/lib32/*
$ rm -rf /jails/templates/skeleton-13.0-RELEASE/usr/lib32/*

And if you run into the unable to delete issue, run: chflags -R noschg on that directory.

Now we are at the stage where we can create our jails. We will be snapshotting the skeleton from here on out when we want to have a new jail. So, let’s snapshot the skeleton and call this new jail “testboxen_13-0”.

$ zfs snapshot zroot/jails/templates/skeleton-13.0-RELEASE@skeleton
$ zfs clone zroot/jails/templates/skeleton-13.0-RELEASE@skeleton zroot/jails/jails/testboxen_13-0

Neat! It’s created. We can’t use it yet, but it’s there.

Templates

Here is a quick tidbit on templates…kind of a sidebar. Earlier we made that base-13.0-RELEASE clone and it’s not doing much. It’s the same as what’s in the release, as a matter of fact. I never utilized the templates feature in iocage, but reading Michael’s book tipped me off to how to do this for my own self. For my job I have roughly 10 jails doing the same thing. Do I want to go and update the same packages each time for each jail? They’re all running the same software, so why make 10 identical downloads? You can clone the release jail and make a base jail named, say, “nginx-13.0-RELEASE”. You could go in that jail and install nginx and anything else each of those jails might need, and use that nginx-filled template along with the aforementioned skeleton. If you do this however, note you will additionally have to nuke usr/local and var/db/pkg in the skeleton.

I would like to note it wasn’t until AFTER I set everything up for work that I messed up my implementation. So, for this section I’ll just make this mention here and suggest you check out Michael’s book, ch6, page 123.

FSTABs

Next, we must create our fstab files. This will tell the jail creation tools to use the nullfs mounts inside the skeletoned jail we just created. Here’s what it should look like for our “testboxen_13-0”:

/jails/templates/base-13.0-RELEASE/bin                /jails/jails/testboxen_13-0/bin          nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/boot               /jails/jails/testboxen_13-0/boot         nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/lib                /jails/jails/testboxen_13-0/lib          nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/libexec            /jails/jails/testboxen_13-0/libexec      nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/rescue             /jails/jails/testboxen_13-0/rescue       nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/sbin               /jails/jails/testboxen_13-0/sbin         nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/bin            /jails/jails/testboxen_13-0/usr/bin      nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/include        /jails/jails/testboxen_13-0/usr/include  nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/lib            /jails/jails/testboxen_13-0/usr/lib      nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/libexec        /jails/jails/testboxen_13-0/usr/libexec  nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/sbin           /jails/jails/testboxen_13-0/usr/sbin     nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/share          /jails/jails/testboxen_13-0/usr/share    nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/libdata        /jails/jails/testboxen_13-0/usr/libdata  nullfs  ro      0       0
/jails/templates/base-13.0-RELEASE/usr/lib32          /jails/jails/testboxen_13-0/usr/lib32    nullfs  ro      0       0

I like to keep these files in /jails/fstabs, so this file would be /jails/fstabs/testboxen_13-0.fstab.

The jail.conf File

Now let’s make our jail.conf file. This will tell our system how to put together our jail. Here’s the contents of mine for this case. Note, you can copy/paste the testboxen_13-0 block over and over for each jail you make, with its new name.

$jails="/jails/jails";

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

testboxen_13-0 {
        host.hostname = "testboxen_13-0";
        path = "$jails/testboxen_13-0";
        vnet;
        vnet.interface = "e0b_test1";
        exec.prestart += "sh -x /usr/local/bin/jib addm test1 jeth";
        exec.poststop += "/usr/local/bin/jib destroy test1";
        mount.fstab = "/jails/fstabs/testboxen_13-0.fstab";
}

Let’s break this down a little:

  • path – where the jail is located
  • vnet – specifying we are running a vnet jail
  • vnet.interface – the name of the interface inside the jail
  • exec.prestart/poststop – how we are going to create/destroy our interfaces
  • mount.fstab – the fstab file for our base jails

Neat. This is all done…but, this still won’t work. Our host does not yet know how to use this stuff.

Host Setup

For the host, we need to set up a few things:

  1. Enable the service
  2. Get jib in the right place
  3. Configure our interface (optional)

Enable the Service

$ sysrc jail_enable="YES"

Get jib in the Right Place

Either copy or symlink jib to /usr/local/bin:

$ cp /usr/share/examples/jails/jib /usr/local/bin/jib

Configure Our Interface

This part is optional. I have an extra interface and I decided to give it a name. That is the “jeth” in the config above. It could be em0, igb0, re0, em1, whatever interface you want to use; you don’t even need to rename it.

$ sysrc ifconfig_igb1_name="jeth"
$ sysrc ifconfig_jeth="up"

Since that will only work on the next boot, you can run ifconfig igb1 name jeth and ifconfig jeth up to get the interface up.

Okay, NOW our jail should start.

Jails Needing Shared Memory

I ran into one instance where software needed shared memory (PostgreSQL). Because of that, I initially thought I needed to enable an insecure mode of sharing memory, but it turns out since, I think, FreeBSD 11.1 they added new security controls to create new shared memory namespaces to keep separate shared memory…pools? for each jail you set it up for. iocage did this out of the box for everything, but I find it’s probably only necessary on an as-needed basis. Basically, for each jail (or just your entire jail.conf file) add this line:

sysvshm = "new";

This is pretty well explained in the skyforge URL above.

Wrapping it Up

With everything in place, let’s start this jail up:

$ service jail start testboxen_13-0
$ jls
   JID  IP Address      Hostname                      Path
    1                  testboxen_13-0               /jails/jails/testboxen_13-0

HOORAY! But wait, there’s no networking. That’s because we need to have the jail do it for us. We could either put some of the exec stuff in the jail.conf, or pass the buck to the jail and put it in its rc.conf, which is what I will do. Note, with vnet jails you won’t see the ip address in the jls output. So, console into that jail:

$ jexec testboxen_13-0

Now let’s get some stuff in our jail’s rc.conf. I’ll give it an address of 10.0.0.10/24, and a default router of 10.0.0.1:

hostname="testboxen_13-0"
# note the name here matches what we put for vnet.interface
ifconfig_e0b_test1="10.0.0.10/24"
defaultrouter="10.0.0.1"

# Enable IPv6 if you want
#rtsold_enable="YES"
#ifconfig_e0b_test1_ipv6="inet6 accept_rtadv"

Cool. Now get out of that jail with an exit and restart it to ensure networking is good: service jail restart testboxen_13-0. You should be able to console back in and ping. It should be good! Now you have a fully functional jail. Lastly, if you want these to boot up, you can add it to the jail list:

$ sysrc jail_list+="testboxen_13-0"

Boom. Done. With all this out of the way, you can take all these same principles with the cloning of the skeleton, fstab, and jail.conf entry to create all the base jails you want!
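To repeat the clone/fstab/jail.conf steps for every new base jail, here is an added example script (not from the post): it emits the ZFS clone command, the read-only nullfs fstab and the jail.conf block for one jail name. It assumes the post’s /jails layout, the zroot/jails datasets, /jails/fstabs, and jib’s e0b_ interface naming, and only prints what to apply.

```shell
#!/bin/sh
# mkbasejail.sh: emit the per-jail pieces from the post (ZFS clone of the
# skeleton snapshot, nullfs fstab, jail.conf block) for one new base jail.
# Hypothetical helper, not from the post. Dataset names, the /jails layout,
# /jails/fstabs and the jib e0b_<name> interface convention follow the post.
# Nothing is executed against zfs(8) or jail(8): the script prints a plan
# for review; redirect the fstab and jail.conf sections into place yourself.

JAILROOT="${JAILROOT:-/jails}"
POOL="${POOL:-zroot/jails}"
RELEASE="${RELEASE:-13.0-RELEASE}"

# Directories hollowed out of the skeleton; each one is mounted read-only
# from the shared base template. Same list, same order, as the post's fstab.
BASE_DIRS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib \
usr/libexec usr/sbin usr/share usr/libdata usr/lib32"

# Jail names land in dataset names, paths and hostnames: keep them to a
# conservative character set.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# jib prefixes the short network name with e0a_/e0b_ (4 chars), and FreeBSD
# interface names are limited to 15 characters (IFNAMSIZ 16 incl. NUL).
# This is why the post uses "test1" rather than the full jail name.
valid_netname() {
    valid_name "$1" && [ "${#1}" -le 11 ]
}

# One "ro" nullfs line per hollowed directory. Read-only is the point: the
# base template is shared by every jail, so no jail may be able to modify it.
gen_fstab() {
    for d in $BASE_DIRS; do
        printf '%s\t%s\tnullfs\tro\t0\t0\n' \
            "$JAILROOT/templates/base-$RELEASE/$d" \
            "$JAILROOT/jails/$1/$d"
    done
}

# jail.conf block in the shape of the post's testboxen_13-0 entry. Expects
# the global $jails, exec.* and mount.devfs lines to already be in jail.conf.
gen_jailconf() {
    name="$1"; netname="$2"; hostif="$3"
    cat <<EOF
$name {
        host.hostname = "$name";
        path = "\$jails/$name";
        vnet;
        vnet.interface = "e0b_$netname";
        exec.prestart += "/usr/local/bin/jib addm $netname $hostif";
        exec.poststop += "/usr/local/bin/jib destroy $netname";
        mount.fstab = "$JAILROOT/fstabs/$name.fstab";
        # sysvshm = "new";  # uncomment for jails that need SysV shared memory
}
EOF
}

# The ZFS side: a clone of the skeleton snapshot becomes the jail's root.
gen_zfs_cmds() {
    printf 'zfs clone %s/templates/skeleton-%s@skeleton %s/jails/%s\n' \
        "$POOL" "$RELEASE" "$POOL" "$1"
}

# Validate inputs, then print the three sections. Returns 1 on a bad name
# so a typo never produces a half-built jail.
new_basejail() {
    name="$1"; netname="$2"; hostif="${3:-jeth}"
    valid_name "$name"       || { echo "invalid jail name: $name" >&2; return 1; }
    valid_netname "$netname" || { echo "net name must be <=11 chars: $netname" >&2; return 1; }
    echo "## zfs"
    gen_zfs_cmds "$name"
    echo "## $JAILROOT/fstabs/$name.fstab"
    gen_fstab "$name"
    echo "## append to /etc/jail.conf"
    gen_jailconf "$name" "$netname" "$hostif"
}

# Usage: sh mkbasejail.sh <jailname> <netname> [hostif]
[ $# -eq 0 ] || new_basejail "$@"
```

Run as `sh mkbasejail.sh testboxen_13-0 test1 jeth` to reproduce the post’s jail; once the output looks right, run the zfs line and drop the two sections into /jails/fstabs and jail.conf.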

Update 2022-01-20

I have seen others in places suggest the use of BastilleBSD for jail management too. I also think BastilleBSD is a good tool, so here’s a shoutout BastilleBSD and the people behind the project 🙂

https://bastillebsd.org/

courtnix87
http://randomnixfix.wordpress.com/?p=246
Why the FreeBSD Desktop and My Linux Rant

I have been a FreeBSD user for 4 years now, and a FreeBSD desktop user full time since December of last year (2020). Previously, I used FreeBSD on my desktop on and off since the end of 2019 and have enjoyed it, despite some of the creature comforts that are lacking (which I’ll explain later).

As some background, I’ve been a Linux desktop user since 2013, started with Ubuntu, then Linux Mint, and played the whole distro hop game, using every popular distro, and most every desktop environment out there. I was never quite satisfied, hence I distro hopped. Debian and Ubuntu were stable, but there were some package updates I wanted that I thought were an inconvenience to add, or I couldn’t get the package (such as no PPAs). So then, I tried Fedora, Arch Linux, etc. that were more bleeding edge, and in less than a year it was either far too unstable for me (to the point of having irrecoverable systems sometimes after an update) or the desktop environment had so many bugs that I couldn’t use it. By that time, maybe a new LTS was out and I’d hop on that until the packages felt too old, I wanted an update, had loads of PPAs, bla bla bla and the circle went on.

I am coming at this as someone who is a power user, spends most of my time in a terminal, does sysadmin work, devops, some programming for fun. So, if you aren’t comfortable with a terminal, my opinions of “easy” and “I like this” may not align with what you would find easy or like. If you consider yourself a power user who’s comfortable with the idea of using a terminal and digging into a system, maybe you will find my thoughts interesting.

What I Like; TLDR

To begin, here’s a bullet point list on what I like about FreeBSD on the desktop to act as a TLDR

  • Stable base operating system
  • Option to get packages at a slower pace
  • Option to get packages as they’re available in ports
  • Safe updates/upgrades
  • ZFS to manage my disks
  • Easy disk encryption
  • lagg devices to go between wired/wireless connections
  • systemd-free
  • Good documentation, good man pages
  • bsd’s rc for managing networking, services, etc
  • Good sound system (with a caveat)

What I Don’t Like; TLDR

  • Some nice-to-have packages unavailable
  • Some desktop integration with the OS missing
  • USB audio (GGGRRRRRR)

What I Like

Stable Base Operating System

If you read my intro, recall I mentioned wanting to have newer software but complained about the “base OS” (since Linux doesn’t necessarily have a “base”) being too unstable to get that newer software. I’ll get to packaging next, but who wants a crashy system, or something that is so bleeding edge that you aren’t too sure if your next update will be a great success or not? After hundreds of reboots with Ubuntu Server LTS from 14.04 to 20.04, I probably couldn’t tell you of one time when a reboot after updates failed because of the updates. But, it was a common occurrence for me when I daily drove the non-LTS Ubuntu releases, Fedora, Arch Linux. Sometimes I had to fight with the systems, other times it was just dead and I had to reinstall. For anybody reading this you’ll probably say something like “I’ve been running X for year(s) with no issues!” Good for you. Unfortunately, that was not my case.

FreeBSD has continually provided a solid base operating system for me. It provides a clean and firm foundation for me to build upon. I haven’t had any of my systems die on me or have a borked update (both home PCs and production servers). FreeBSD updates each release to ensure compatibility from minor upgrade to minor upgrade, and in my experience, has also been very clean going from major release to major release. I’ve tried numerous upgrades on Linux and it’s rare that I came out without issues. There was always some new annoying bug, or maybe it was entirely broken. Security patches are quickly made, I get access to great tools like jails and bhyve to do my work, ZFS or UFS2.

Packages

To me, this is one of the neatest things about FreeBSD for the desktop. The way FreeBSD packages software is what effectively killed my distro hopping life. FreeBSD has 3 primary ways you can get packages:

  1. Ports
  2. Quarterly packages
  3. Latest packages

With ports, you download the ports tree and compile and install the software yourself. And if you choose, you can automate the process with tools like poudriere. Quarterly packages is a slower-rolling repository where packages receive updates every quarter through the year. So, if you need a bit more stability you can lag behind and use these packages. If you want the latest software, you can switch to the “latest” repository and get packages as they’re compiled and available via the package repository.

With this design, I really felt like I could “have my cake and eat it too”. A stable operating system to depend on, and get the up-to-date desktop packages I need (thank you to all the port maintainers out there for your hard work!).

To go back to my allusion to a later point in the article, let me give Ubuntu as an example. One piece of software I use daily is KeePassXC. As of writing, the current version is 2.6.6. This is currently the version I have installed on FreeBSD. The current version of Ubuntu (21.04) ships 2.6.2, and the latest LTS (20.04) ships 2.4.3. Oof! I was able to remedy this with PPAs on Ubuntu. But what if I’m not using Ubuntu? How about redis server? On 20.04 it’s version 5.0.4, and on 21.04 it’s 6.0.11. For the 5.X branch 5.0.14 is the current version and 6.0.14 is the current for the 6.0.X branch. You won’t see updates for these packages. There have been reported vulnerabilities for these packages, yet, they won’t receive updates. For the desktop, what if I want some added features, bug fixes, or security patches? For something like KeePassXC (which is a security application), I want things fixed. I also want my keepassxc-browser extension to not yell at me every day because my copy of KeePassXC is outdated.

For the desktop experience, I am particularly interested in getting a new feature. Therefore, I couldn’t use an LTS distro. Onto rolling or bleeding edge distros. I got my up to date packages, but somehow they ended up being buggier on Linux than FreeBSD. My guess is that, as with KDE Plasma for example, I would see a hodgepodge of different dependency versions for the different kf5 packages and mismatched versions of other software. I have yet to see that be the case with how packages have been added to FreeBSD. Truth be told, my most stable KDE Plasma experience yet has been on FreeBSD.

It has been a pleasure to run a stable OS with my “unstable” packages. It really does feel in a way like I’m on an LTS distro but getting all the up to date software that I would expect to be frequently updated without being frozen.

Safe Updates/Upgrades

Since I do like to live on the edge more with packages (such as my desktop environment), I have encountered bugs. It’s only natural. Although FreeBSD’s design has given me ample opportunity to mitigate some of the bugs that might annoy me, I at least have an easy way to roll back when bad stuff happens. For example, I just yesterday updated my KDE apps to 21.08.2. All good, except Konsole does not like me typing exit to close out of the terminal or ctrl+d. It ends up crashing, which means I have to go click on the “ok” button to close out the crash window. Though I was able to install 21.08.1 from /var/cache/pkg, if I had greater problems I could have relied on using ZFS boot environments. I thought more about using ZFS boot environments on package updates (as well as system updates) when I saw OmniOS automatically making a boot environment for me when I used its package manager. My method now is to create a boot environment, use the boot environment and do my updates, then if things go south just revert back to the previous environment before I did my updates. With FreeBSD 13.0 they make this easy:

$ bectl create BE_name
$ bectl mount BE_name
$ chroot /tmp/BE-13.xxxxxx
$ pkg update && pkg upgrade
$ exit
$ bectl activate BE_name
$ shutdown -r now

I can do this with updating FreeBSD too. Again, if things go bad, I just activate the old boot environment, or at the bootloader select the known good boot environment and go back to my working system.

ZFS

There’s a lot of ZFS content out there, so I will keep it short. I use this to delegate permissions to certain users to do certain tasks, such as a backup user to take snapshots or give a user the permission to create new datasets to make custom changes, whatever I desire that ZFS allows me to do. I also love using ZFS to work with virtual machines. Very often I make and test Ansible scripts for work, and I will do it locally on my machine since if the script doesn’t work as intended, I can stop my VM, rollback to a snapshot, start it. And in ~20 seconds I have a fresh system to run on again.

As for backups, I don’t send/receive backups to my backup server. Instead, I take snapshots and use the borg backup utility to back up the snapshot contents. It’s great this way since I can be certain that my backup contains my file contents at a point in time, not over the course of time that it takes to complete a backup.

Disk Encryption

Have you tried setting up disk encryption on Void Linux? It’s a pain. It was the hardest OS for me to get disk encryption working on. I wouldn’t wish to do it again. FreeBSD has a simple page in the handbook on enabling disk encryption, but in the installer it is done via a basic yes/no question. Full disk encryption (except maybe boot?) out of the box with no headache, encrypt disks easily with no headache (though, I suppose post-install you can use handy tools to make disk encryption easy on Linux too). Additionally, you can utilize ZFS encryption now whenever and wherever you need it.

lagg Devices

I came across an article on setting up a Thinkpad, and one of the things mentioned was to create a lagg device so I could easily switch between wired/wireless connections whenever I plug/unplug my ethernet cable. Now, I’ve generally had this work pretty well on Linux too since I think desktop environments will do it for you. But I’ve seen some of the DIY methods for Linux, and have done them in the past, and it was a bit of a trouble for me at times. However, FreeBSD lets you put it all in your /etc/rc.conf file and set and forget:

ifconfig_em0="ether <WiFi MAC Address> up"
wlans_iwm0="wlan0"
ifconfig_wlan0="WPA up"
cloned_interfaces="lagg0"
ifconfig_lagg0="up laggproto failover laggport em0 laggport wlan0 DHCP"

Systemd-free

Okay, this one is probably the least struggle I’ve had for a desktop/laptop computer, but there is one issue that I’ve still had with systemd to this day. And that is that it always disregards my split-DNS configuration for my house. It used to be that I could modify a couple configuration files and my resolv.conf file would be populated with whichever nameservers were set via DHCP. Great! Exactly what I wanted. Well, systemd loves its own systemd-resolved resolver (which uses Google DNS by default). Not only do I reduce what info I give Google, but as I said, it also messes with my split-DNS network configuration. In recent days, doing my old techniques to stop using systemd-resolved didn’t work, and I tried every solution under the sun for Ubuntu 20.04. No dice. So my solution, whenever I need to force my own DNS changes, is to modify the resolv.conf file with my own configuration, make the file immutable, then try to remember the change later when I leave the house. Very annoying. There’s probably something I’m missing, I’ll admit, but I shouldn’t have to struggle with this. Especially for an OS that is striving to be consumer friendly. Why then is it the only operating system in my home that disregards what I have set up?

Documentation and manpages

I’ve been a Linux user for 8 years now, and FreeBSD for 4 years. I work with Linux all day long. Even as the years go by, it’s certain that I can’t know everything about how to manage my computers. This is where good documentation is great. I’ve had the FreeBSD Handbook save my skin a number of times, as well as various pages on the wiki. Additionally, I’ve found the man pages to have plenty of information and useful examples to help me figure out what I want. Some of the man pages for Linux are good, but I still often find myself having to hit stack overflow or some article somewhere to solve what I want. Generally, that isn’t the case for me with FreeBSD. I have to give credit where credit is due though: the Arch Linux Wiki is fantastic. Heck, it’s very thorough and sometimes I find myself getting useful tidbits of info for software that I wouldn’t even consider a base package for Arch.

Overall, it has been easier for me to find decent documentation to help me solve my problems with FreeBSD. And, I’ve had great help from the community for various things, but I’ve found that FreeBSD has given me ample tools and an easy enough to understand system to help me be sufficient on my own too.

bsd rc

I have come to greatly appreciate the rc.conf file on FreeBSD. I have a good view of how my computer is set up with network info and services I set. I like how I can use sysrc to manage entries in my file, the service command is as effective as I like it to be (and it isn’t a wrapper for systemctl!). Network configuration is also just a few lines. One thing I really appreciated, so I’ll share here too, is the ability to make a lagg interface to combine my ethernet port and wireless adapter on my laptop to default to ethernet and seamlessly fail over to wireless when I unplug my ethernet cable, and vice versa. Here are the lines I have:

wlans_iwm0="wlan0"
ifconfig_wlan0="WPA country US powersave up"
ifconfig_em0="ether <ETHERNET MACADDR> up"
cloned_interfaces="lagg0"
ifconfig_lagg0="up laggproto failover laggport em0 laggport wlan0 SYNCDHCP"
ifconfig_lagg0_ipv6="inet6 accept_rtadv"

Those few lines achieve a whole lot. Enable wireless, enable my ethernet, combine them, and do DHCP and accept router advertisements for IPv6. Very nice.

Good Sound System

I haven’t pursued this in great detail, but I’ve come to enjoy the simplicity of managing my audio as well as having clean audio. Aside from it overall producing good output with the defaults, the one cool thing I discovered was FreeBSD’s bitperfect flag which doesn’t resample my audio as I play it back. For some of my library this has actually given some of an edge to the output. For all I know it could be placebo for me, but I’ve tried to not let any judgement interfere with that. Some songs I notice no difference, which I think would have more to do with the music itself than the bitperfect mode. I’m just happy that it’s there and one sysctl flag away.

What I Don’t Like

Although I’m a big fan of FreeBSD, there are some pain points that really do suck when I encounter these issues. Here’s a few things that I really don’t like.

Missing Software

Now, I would say I have about 99% of everything I need. In my day to day, I am happy with what I have, but I have had to sacrifice some software. Really, this is all software that is based on Electron. Our “cross-platform” poster child. Oh how it annoys me that we’ve reduced the term “cross-platform” to Windows, Mac, and Linux. And yet, look at something like KeePassXC, where I don’t know where it doesn’t run. But, because of this lacking component I initially found myself missing out on software that I used daily. 2 examples are Spotify and Signal. And though I would still like to use those, I just opt to not use them now. Maybe I could do some SSH forwarding through a VM, though. There’s also the LinuxApps method of using some software, but Signal is one that doesn’t work this way and I’ve seen the LinuxApps method spam up my messages log and I don’t like that.

Another program I wouldn’t mind having is the Brave browser. I’m more of a Firefox kind of guy myself anyway, but I would like to have Brave as a good secondary. There’s still chromium though.

Games are also something that’s missing, but I really don’t see FreeBSD as my gaming platform. I much prefer FreeBSD to get work done. I still hop on Windows for gaming. And, if one day Linux can compete with Windows in this realm, I’ll still likely dual boot but do FreeBSD for work and Linux for play. Really, with the way my mind is, it wouldn’t be great for me to pool my work and play together on a single computer anyway as I work from home and really try to separate the 2 where I can.

Missing Desktop Integrations

The couple of things I can think of off the top of my head are with KDE. One with their new monitoring program that I think will be replacing Ksysguard, and some of the other cool features like volume control, seeing networks in the toolbar, managing networks there, connecting, seeing bandwidth usage…I claim these are nice-to-haves because, for networks I’m fine with the rc.conf and wpa_supplicant.conf file edits, ksysguard is good and so is top, and, sometimes I find to get certain audio control bits working I have to switch sysctl flags. Though, as I’m typing this, I see some of these audio managing bits from KDE have improved on my laptop since I last tried (I’m so used to not having this sort of stuff on my desktop for various reasons, one being I use a USB DAC to increase/decrease volume).

USB Audio

This one is tricky. Does USB audio work? Yes. In fact, it’s been working great for years now. I have a FiiO DAC and I’ve had no problem listening to anything. BUT…this one point of contention I have drives me absolutely bonkers and really does prevent me from having 2 computers on my desk. And that is if I unplug my USB DAC for any reason all hell breaks loose. Up until later last year, if I unplugged my DAC I would have to hard restart, or SSH into my desktop (!!!) to kill audio processes that were using my DAC because the ENTIRE USB bus hung up. With the latter, I basically had to reboot after that anyway because my desktop environment had some process killed somewhere and wouldn’t start properly. Maybe things were okay, but audio still didn’t work until I rebooted.

Today, I don't have to hard reboot or SSH in, but I still have to go find and kill processes, and probably log out or reboot anyway because the process didn't exit cleanly. What's worse, they hardly seem to care to fix this problem. In fact, this is a feature: expected behavior. Okay, if that's true, why isn't there some clear-cut fix? One solution mentioned is virtual_oss. virtual_oss hasn't fixed it for me, and it's one of those programs that isn't well documented for fixing a problem like this. In fact, the scope of the fix for this problem seems very limited.

This has been a huge point of contention for me. On my note of splitting work from personal life, I initially had FreeBSD on a separate computer. I thought it would be a great idea to have my work computer and my personal computer. A personal FreeBSD/Windows dual boot and a work FreeBSD desktop separate from my personal box. Part of my idea was to leave the work box running so if, while off the clock I had to respond to an incident, I could press the button on my KVM switch, switch display to my work computer, sort out the incident, and then go back to my personal box. Nope. I can’t. Due to the USB audio issue, I would have to turn my FreeBSD computer on/off each time I wanted to switch my KVM. If I pursue this again, I may have to pursue getting a second DAC altogether and a way to switch cables on my headset to whichever system I’m on so I don’t have to unplug my USB DAC.

Wrapping Things Up

If you got this far, I'm sorry for my verbosity; I hope you enjoyed reading this. After two years of full-timing a FreeBSD desktop, I would say the advantages I have gotten from FreeBSD have really outweighed the disadvantages of not using Linux. It has been a great OS to settle on and has given me what I need to stop the distro-hopping craze I went through (my buddy, who played the distro-hopping game with me through college, would always razz me whenever I talked about yet another distro because distro X just didn't cut it). I really feel more productive using FreeBSD. Maybe one day I'll do a workflow article, who knows.

If you are someone who isn’t afraid of the command line and want to try FreeBSD out for yourself, I really encourage it. There’s lots of ways to learn, lots of good resources, and once you start to learn the design of FreeBSD, it really starts to come together and make a lot of sense the way things were done. You could even try GhostBSD if you want an out of the box desktop experience.

courtnix87
http://randomnixfix.wordpress.com/?p=204
FreeBSD RTL8125 Issue Workarounds

Recently I upgraded my computer to an Intel 10700K and Z490 motherboard. I had a Ryzen system and my graphics card took a dive. I needed a computer, but graphics cards were unattainable. So, I bought an Intel setup for the integrated graphics while my graphics card was being RMAd. Immediately, I found networking not working on my computer. After getting the kmod from ports installed, I got networking working, but with a whole other host of issues. I wanted to document what I did for myself and anyone else to get both IPv4 and IPv6 networking working properly.

Getting the kmod

First, I had to access another system running FreeBSD. There’s probably a better way of doing this, but I just installed the realtek-re-kmod package on my separate computer and copied the /boot/modules/if_re.ko file to /boot/modules on my desktop. Then, I loaded the kernel module and ran dhclient to get an IP address

$ kldload if_re
$ dhclient re0

Then I installed the realtek-re-kmod package on the desktop itself, so that it shows up in my list of installed packages and gets picked up whenever there's an update. Finally, add these lines to your /boot/loader.conf:

if_re_load="YES"
if_re_name="/boot/modules/if_re.ko"

These tell the loader to preload the driver from the package at boot, so it is the one that attaches to the NIC instead of the re(4) driver that ships with FreeBSD base. Keeping the package installed means pkg upgrade will bring in newer builds, but a kernel module has to match the running kernel, so after a major OS upgrade check that if_re.ko still loads before you depend on the network.

Networking Fixes

My next issue is that sometimes at boot I won't get an IPv4 address. I haven't found a root-cause fix; my only workaround has been to run dhclient by hand as shown above, or equivalently service dhclient restart re0.

Another issue I've had is that router advertisements won't be acted on at boot unless ipv6_defaultrouter is specified. Setting rtsold_enable="YES" in rc.conf, so the interface sends a router solicitation at boot instead of waiting for the next periodic advertisement, is worth trying before pinning a static router. If you move around and your default router changes regularly, a static entry is cumbersome: your only option may be to add the default route manually and wait for an advertisement to be accepted, which means knowing your gateway in advance. If you're like me, you're at home on your desktop, and this trick works. Add these two lines to /etc/rc.conf (the router address below is a placeholder; use your own):

ifconfig_re0_ipv6="inet6 accept_rtadv"
ipv6_defaultrouter="2601:db8:dead:beef::1"

On boot, you should find yourself with IPv6 autoconf addresses and all IPv6 networking working. Additionally, I add ipv6_privacy="YES" to rc.conf, which turns on RFC 4941 temporary addresses at boot, and put these lines in /etc/sysctl.conf so the preference is explicit and easy to confirm with sysctl:

net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1

This makes the system prefer the short-lived temporary addresses over the stable SLAAC address for outgoing connections. By default the stable address is derived from the interface's MAC address (modified EUI-64), so it identifies the machine on every network it joins; the temporary addresses rotate and don't.
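To check after a reboot that all of the above actually took effect, here is a small verification script. It is an added example and not part of the original post: the helpers parse text on stdin so they can be tried on sample output, and check_live feeds them the real files and commands on FreeBSD. The interface name re0, the loader.conf lines and the sysctl names come from the post; the script name and the "live" argument are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: sanity-check the re(4)
# setup described above after a reboot. The *_ok/count helpers read text
# from stdin so they can be tried on sample output; check_live feeds them
# the real files and commands on FreeBSD. The interface defaults to re0
# (the post's interface); that default is an assumption.

# 0 if loader.conf on stdin preloads the ports driver as the post describes.
loader_conf_ok() {
    awk '
        /^[[:space:]]*if_re_load="YES"/                        { load = 1 }
        /^[[:space:]]*if_re_name="\/boot\/modules\/if_re\.ko"/ { name = 1 }
        END { exit !(load && name) }'
}

# Number of IPv6 addresses in ifconfig output (stdin) flagged both
# "autoconf" and "temporary", i.e. RFC 4941 privacy addresses.
count_temp_addrs() {
    awk '/^[[:space:]]*inet6 / && / autoconf/ && / temporary/ { n++ }
         END { print n + 0 }'
}

# 0 if a sysctl dump ("name: value") or a sysctl.conf ("name=value") on
# stdin sets both privacy knobs to 1.
sysctl_privacy_ok() {
    awk -F '[=:][[:space:]]*' '
        $1 == "net.inet6.ip6.use_tempaddr"    && $2 == 1 { u = 1 }
        $1 == "net.inet6.ip6.prefer_tempaddr" && $2 == 1 { p = 1 }
        END { exit !(u && p) }'
}

# 0 if "netstat -rn -f inet6" output on stdin has a default route; without
# one, no router advertisement was accepted at boot.
has_v6_default() {
    awk '$1 == "default" { found = 1 } END { exit !found }'
}

# Run the live checks; prints one line per failure, returns the failure count.
check_live() {
    iface=${1:-re0}
    fails=0
    loader_conf_ok < /boot/loader.conf ||
        { echo "loader.conf: if_re_load/if_re_name not set"; fails=$((fails + 1)); }
    kldstat -q -n if_re.ko ||
        { echo "if_re.ko from ports is not loaded"; fails=$((fails + 1)); }
    sysctl net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr | sysctl_privacy_ok ||
        { echo "temporary-address sysctls are not both 1"; fails=$((fails + 1)); }
    netstat -rn -f inet6 | has_v6_default ||
        { echo "no IPv6 default route; check ipv6_defaultrouter / RAs"; fails=$((fails + 1)); }
    [ "$(ifconfig "$iface" | count_temp_addrs)" -gt 0 ] ||
        { echo "$iface has no temporary IPv6 address"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage on the FreeBSD box:  sh re_check.sh live [interface]
case "${1:-}" in
    live) check_live "${2:-re0}" ;;
esac
```

Run it as root after boot; an exit status of 0 means the driver, the privacy sysctls, the default route and a temporary address are all in place, and each non-zero result names what to go fix.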

Conclusion

For now, this is my best working effort to get the interface to work seamlessly without any other issues. Maybe from time to time I have to issue the dhclient(8) command, but everything else works fine. Note, that I haven’t yet lost my address throughout the day, so it isn’t like you’ll find your networking magically not working.

Hopefully this problem gets fixed soon. In the meantime, this is only just a minor inconvenience.

courtnix87
http://randomnixfix.wordpress.com/?p=186
Using sshuttle for a Quick VPN

For my home setup, I'm often a lazy admin with simple needs. Especially when it comes to VPNs. I find they're too complicated, and since they're a single point of entry into your network, with the complexity of these systems I often worry a bit that I'm exposing my network in a way I don't intend to. I tried OpenVPN and got it working OK, but it was ugly to use on iOS. IPsec is daunting to set up and maintain for something I will only use sometimes, and I got OpenIKED on OpenBSD working great, but I only wanted to deal with a PSK, as that was super easy to use with iOS and macOS...but the clients on Linux have NOTHING for a quick and easy connect solution and none of the GUI network managers seemed to allow PSK with IKEv2. I gave up.

Enter sshuttle. Allan Jude and Benedict Reuschling did a podcast (episode 322) recently on sshuttle and I was immediately intrigued. As the sshuttle description puts it, it’s the “poor man’s VPN”. Exactly what I need. I already have an OpenSSH server running on OpenBSD as an entry point into my network. Why add another? All I do is access some servers internally and access my Plex server from time to time and for some other misc reasons. I won’t be able to access my network with my iPhone, but that’s fine. The good news is sshuttle is stupid easy. Exactly what I need. I don’t need the higher performance or flexibility a true VPN offers. So here is what I did:

  • FreeBSD 12.1 host
  • vm-bhyve for bhyve virtual machine management
  • OpenBSD 6.6 VM for ssh

This won’t be an exhaustive guide, but below I will provide some of what I did to get this working. Really, all of my setup is optional. You could do a Linux server, OpenBSD on metal, FreeBSD, NetBSD…really, just anything that will do SSH. I’m just going to focus on the OpenBSD server and the client here.

If you want to use OpenBSD on FreeBSD with vm-bhyve and you want OpenBSD to autostart on a host reboot, you’ll want to have something like this in your rc.conf file:

vm_enable="YES"
vm_dir="zfs:zroot/vm"
vm_list="openbsdssh"
vm_delay="20"

Where openbsdssh is the name of the VM. The vm_delay is useful in case you are waiting for interfaces and such to come up. I haven't run without it, but I like to be on the safe side. I can wait a few extra seconds if it adds some insurance to my ssh entry point coming up reliably.

OpenBSD

The good news here is you can just install OpenBSD and not much else. OpenSSH is part of the OpenBSD base system. The one thing sshuttle does need on the server is a Python interpreter, because it ships its server half over the ssh session and runs it there (see sshuttle's --python option), so on OpenBSD that is one package to add. The stock sshd_config is already pretty good. I changed the default port from 22 to keep myself from being hit by drive-by scans on port 22 (that cuts log noise; the key-only authentication below is what actually keeps people out). I also made these few additions:

# Fewer authentication attempts per connection
MaxAuthTries 4

# Maximum 3 sessions
MaxSessions 3

# Disallow passwords...set up your ssh keys before enabling this
PasswordAuthentication no

# Drop idle sessions: one unanswered keepalive after 5 minutes ends the session
ClientAliveInterval 300
ClientAliveCountMax 1

# Remove the NIST P-256 host key algorithm from the default list
HostKeyAlgorithms -ecdsa-sha2-nistp256

# Limit kex algorithms to more secure ones
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

# Limit allowed ciphers
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

# Limit MAC algorithms
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

# Only this account may log in at all
AllowUsers myname

These are the diffs from the stock sshd_config I got with OpenBSD 6.6 (the Port line isn't shown; set it to whatever you moved sshd to). Make sure your router forwards to the port OpenSSH is actually listening on. The AllowUsers line limits who can log in at all, so replace myname with your own username(s). After editing, sshd -t checks the file for syntax errors and sshd -T prints the effective configuration, which is the thing to verify rather than the file you think you wrote.
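Here is a small audit for that effective configuration, as an added example that is not part of the original post. It reads sshd -T output (lower-cased keyword, a space, the value) and checks the directives above, plus the presence of legacy algorithms that the posted lists deliberately leave out. The weak-algorithm names it looks for and the script name are assumptions; the expected values are the post's.

```sh
#!/bin/sh
# Added example, not from the original post: audit the effective sshd
# configuration against the hardening directives shown above.
# Usage on the OpenBSD box (script name is an assumption):
#   doas sshd -T | sh audit_sshd.sh run
# Prints one "FAIL:" line per finding and exits with the number of findings.

audit_sshd() {
    awk '
        BEGIN { n = 0 }
        function fail(msg) { n++; print "FAIL: " msg }
        # Does the comma-separated list contain item?
        function has(list, item,    i, a) {
            split(list, a, ",")
            for (i in a) if (a[i] == item) return 1
            return 0
        }
        # sshd -T prints one "keyword value" pair per line.
        { cfg[$1] = $2 }
        END {
            if (cfg["passwordauthentication"] != "no")
                fail("passwordauthentication is \"" cfg["passwordauthentication"] "\", expected no")
            if (cfg["maxauthtries"] + 0 > 4)
                fail("maxauthtries is " cfg["maxauthtries"] ", expected 4 or fewer")
            if (cfg["maxsessions"] + 0 > 3)
                fail("maxsessions is " cfg["maxsessions"] ", expected 3 or fewer")
            if (cfg["clientaliveinterval"] + 0 == 0)
                fail("clientaliveinterval is 0; idle sessions are never dropped")
            if (cfg["allowusers"] == "")
                fail("allowusers not set; every account on the box may log in")
            # Legacy algorithms the posted lists leave out (names assumed here);
            # sshd -T shows the final negotiated lists, so they must be absent.
            if (has(cfg["hostkeyalgorithms"], "ecdsa-sha2-nistp256"))
                fail("hostkeyalgorithms still offers ecdsa-sha2-nistp256")
            split("diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1", weakkex, " ")
            for (i in weakkex) if (has(cfg["kexalgorithms"], weakkex[i]))
                fail("kexalgorithms offers " weakkex[i])
            split("hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 umac-64@openssh.com", weakmac, " ")
            for (i in weakmac) if (has(cfg["macs"], weakmac[i]))
                fail("macs offers " weakmac[i])
            split("3des-cbc aes128-cbc aes192-cbc aes256-cbc", weakcipher, " ")
            for (i in weakcipher) if (has(cfg["ciphers"], weakcipher[i]))
                fail("ciphers offers " weakcipher[i])
            exit n
        }'
}

case "${1:-}" in
    run) audit_sshd ;;
esac
```

Because it audits sshd -T rather than sshd_config, it also catches a directive that was typed correctly but overridden later in the file or by a Match block.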

Firewall Rules Anyone?

Now you'll want some PF rules if your host runs PF, as OpenBSD and FreeBSD do. These extend the OpenBSD default ruleset with DHCP (both IPv4 and IPv6) and a table that traps brute-force attempts against sshd. These are the rules I am using on OpenBSD:

    int_if = "vio0"
    lan_net = "10.0.0.0/24"
    # The port sshd listens on. "ssh" resolves to 22 via /etc/services; if you
    # moved sshd off 22 as described above, put that port here, otherwise the
    # default deny below drops every login attempt from outside the LAN.
    ssh_port = "ssh"

    icmp6_types = "{ 128, 133, 134, 135, 136, 137 }"
    udp_services = "{ 67, 68 }"                # dhcp, dhcp-client (IPv4)
    udp6_services = "{ 53, 123, 1194, 546 }"   # 546 == dhcpv6-client
    icmp_types = "{ echoreq, unreach }"

    table <bruteforce> persist

    set skip on lo

    # scrub incoming packets
    match in all scrub (no-df)

    block quick from <bruteforce>

    # Default deny policy
    block all

    # Activate spoofing protection on all interfaces
    block in quick from urpf-failed

    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010

    # Port build user does not need network
    block return out log proto { tcp udp } user _pbuild

    # SSH is TCP only, and "flags" / max-src-conn are TCP state options, so
    # the rule must be proto tcp (pfctl rejects flags on udp). A source that
    # holds more than 15 connections, or opens more than 5 in 3 seconds, is
    # added to <bruteforce> and all of its states are flushed.
    pass quick proto tcp from any to port $ssh_port \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

    # pass all traffic to and from the local network.
    # these rules will create state entries due to the default
    # "keep state" option which will automatically be applied.
    pass in on $int_if from $lan_net
    pass out on $int_if to any

    # pass tcp, udp, and icmp out on the external (Internet) interface.
    # tcp connections will be modulated, udp/icmp will be tracked statefully.
    pass out on egress proto { tcp udp icmp } all modulate state

    # Allow ICMP
    pass inet proto icmp all icmp-type $icmp_types keep state

    # IPv4 DHCP client traffic (address family is inet, not inet6)
    pass in quick on $int_if inet proto udp from any to $int_if port $udp_services keep state

    # IPv6: neighbour discovery and router advertisements arrive on multicast
    # addresses, so this rule must not be restricted "to $int_if"
    pass in quick on $int_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
    pass in quick on $int_if inet6 proto udp from any to $int_if port $udp6_services keep state

Check the ruleset with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and do that from the console or a LAN session, since a typo in the ssh rule locks you out of the box.

sshuttle On Your Client

sshuttle already has good install instructions. You can refer to it to see how you can properly install the software on your host. Verify that you can ssh into your OpenSSH server. I like to add a host to my ~/.ssh/config so I can use my ssh keys easily and only specify a hostname when using sshuttle

Host remotehost
        Hostname example.com
        User myname
        # the port sshd listens on; 22 only if you kept the default
        Port 22
        IdentityFile /home/myname/.ssh/my_ssh_key

Now to connect:

sshuttle --dns -r remotehost 0/0

To do a quick breakdown of the command:

  • sshuttle – the client. It needs root locally (it rewrites the local firewall/routing rules to capture traffic) and nothing but sshd and a Python interpreter on the server.
  • --dns – send DNS queries through the tunnel to the resolver my OpenSSH server uses. This is nice because I have content filtering enabled there, and it keeps my lookups off whatever network I'm sitting on.
  • -r remotehost – use the remotehost entry from my ssh config file
  • 0/0 – route all IPv4 traffic through my "VPN". This covers only IPv4; IPv6 traffic takes its normal route unless you also pass an IPv6 subnet such as ::/0 (where the client platform supports it), so check that before assuming everything is tunnelled.

What’s cool is you can do this anywhere that you have ssh access. As I’m typing this I am able to login to my local hosts and I can type up this post with my sshuttle connection enabled.

Enjoy!

courtnix87
http://randomnixfix.wordpress.com/?p=160
A Guide To Password Safety

I want to focus on something more broad than the *NIX scope in this post, because it has been a big thing to me. In a day and age where there are multiple database breaches each year, and millions of passwords leaked to the Internet, your passwords could either be potentially stolen themselves or your method of password creation compromised.

Why Should I Be Concerned?

Glad you asked! Whether you only login to a page to look at Grandma’s pictures she posts, or you do your online banking and frequent online purchases, your online “digital” self is at risk of being stolen (identity theft), and poor decisions in protecting yourself can even harm your “real world” (or, offline) reality. I could go on about this, but I don’t want to write anymore about what has been written by hundreds of news outlets. However, I will put some extra links at the end of this post.

What Are Bad Password Practices?

To know what are good password practices, it helps to understand what bad password practices are. Below are a few, and I will give explanations of why you should not be doing this:

  • Using the same password (or few passwords) across many websites
  • Writing passwords on sticky notes and leaving them in the open
  • Using weak passwords

Using the same/few password(s) across many websites – So why is this bad? Everyone does this, including my mom. You use the same password across all your websites; maybe you capitalize a letter or add some !!! here and there and a 3. Needless to say, those changes mean nothing, and substitutions like "@" for "a" or "!" for "I" are well accounted for in cracking wordlists. So, say your password is stolen in a data breach at ilovecats.com, paired with your email address ilovecats@gmail.com. Since you used that combination everywhere, you're now compromised on every other website you visit. To make matters worse, attackers have tools for credential stuffing that replay a leaked email/password pair against hundreds to thousands of websites at once. Because of this, it isn't a complicated task to get into just about every account you own. This can be very easily avoided.

Writing passwords on sticky notes and leaving them in the open – Writing passwords down is one thing, sticky notes are another, and leaving them in plain sight is a third. Plain sight is the obvious problem: if your house is broken into, not only does the thief have your physical goods, they now have access to your digital world as well. As for sticky notes, they're loose and often thrown away. I'm not against writing things down, but treat the paper with care and keep it safe. I recommend writing passwords in a notebook you keep very safe, or putting the sticky notes in that very notebook.

Using weak passwords – What’s a weak password? Passwords like Crimson!23 or 1Raven25 or [your dog’s name][your birthday] (e.g. Rex1991). All bad. All quickly guessed. All equally predictable. Please, this isn’t the 1990s anymore and these passwords needed to end yesterday. If your password is in any way relatable to those, prepare to change how you do your passwords ASAP because if your account is involved in a breach you. will. have. problems. It will only take seconds to get your password.

What Can You Do Then?

I typically consider three solutions good, from my favorite to least favorite:

  1. Use a locally stored password manager to store and generate your passwords, all secured with a single complex password and/or a physical token to unlock it.
  2. Creating individual, complex passwords and writing them down in a notebook and keep it very well protected.
  3. Use online password managers like LastPass to store and generate your passwords, all secured with a single complex password and/or a physical token to unlock it.

1- Using a locally stored password manager:

This, I believe, is one of the best solutions you can use. The drawbacks: once the master password is guessed, all your passwords are theirs; if you forget your master password, you lose your passwords; and storing the database on your computer means it is exposed to whatever compromises that computer.

I still find this trustworthy and convenient because your passwords go with your computer, adding/changing passwords becomes a breeze, and you only have to memorize your single master password. So what’s good about this option? Well:

  • Passwords are stored safely in an AES256 encrypted database
  • You don’t have to remember many passwords, the database takes care of that for you
  • Provides a list of all the websites/services you are signed up for
  • Can generate strong and secure passwords for you
  • Creates an easy way to change passwords for accounts if necessary
  • Reduces human error in password creation and storage
  • Database files are small

So what programs do I recommend for this? KeePassX, KeePass and KeeWeb. KeePass has additional features, but what's nice about KeePassX and KeeWeb is that they are cross-platform and don't rely on Windows components to function. I rank plain KeePass last because (at the time of writing) their website isn't served over HTTPS and they rely on SourceForge to host their downloads. I like KeeWeb a lot for its extra features, good and easy cross-platform support, and offline database access from a web browser. However, those extra features create a larger attack surface. I still use KeeWeb at times and trust it. Finally, the no-frills, offline-only KeePassX is fantastic because it's small, does what it says, runs on Windows/macOS/Linux (probably the BSDs too, but I haven't personally tested that), and ships PGP signatures and hashes so you can verify you got the intended program. Best of all, you have the freedom to compile each one yourself because they are all free and open source software!

The next thing to consider is your master password. First, you can use a key file to unlock your .kdbx database with KeePassX: store the key file on a USB stick and use it to authenticate to your database. BUT DO NOT STORE THE DATABASE AND YOUR KEY FILE ON THE SAME FLASH DRIVE! In addition, you should ABSOLUTELY use disk encryption on the flash drive, or a tool like GPG to encrypt the key file, so that if the drive is stolen the thief gets only an encrypted copy of it. And always keep an emergency copy somewhere safe. The other option is a strong password you type in to unlock the database. I like the dice solution the EFF posted (diceware): roll five dice per word and look each five-digit roll up in their wordlist. This creates a safe and easy-to-remember passphrase. Sometimes the best ones aren't like HF*&t34jf782iYF*&, as many sites require. This way creates complex passphrases that roll off the tips of your fingers because perhaps they're funny or relatable.
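If you'd rather not roll physical dice, the rolls can come from the kernel's random source instead. The script below is an added example and not part of the original post. It draws each die with rejection sampling so every face is equally likely (a plain "byte modulo 6" would favour 1 through 4), builds the five-digit indices the EFF list uses, and, if you point it at a copy of the list in the EFF format of "11111<TAB>abacus", prints the words too. The wordlist path and the script name are assumptions; the post only references the EFF method.

```sh
#!/bin/sh
# Added example, not from the original post: roll dice for an EFF-style
# diceware passphrase using the kernel CSPRNG instead of physical dice.
# Usage (script name assumed):  sh diceware.sh roll [words] [wordlist]
# The wordlist, if given, must be in EFF format: "11111<TAB>abacus".

# One unbiased die roll, 1..6, from /dev/urandom.
roll_die() {
    while :; do
        # One random byte as a decimal 0..255.
        b=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
        # 252 = 42 * 6. Bytes 252..255 would make faces 1..4 slightly more
        # likely under "b % 6", so they are discarded and redrawn.
        [ "$b" -lt 252 ] && { echo $((b % 6 + 1)); return; }
    done
}

# Five dice make one index into the 7776-word EFF large list.
roll_index() {
    idx=""
    for d in 1 2 3 4 5; do
        idx="$idx$(roll_die)"
    done
    echo "$idx"
}

# Entropy in bits of N words drawn uniformly from 7776: N * log2(7776),
# about 12.9 bits per word, so six words is roughly 77.5 bits.
entropy_bits() {
    awk -v n="$1" 'BEGIN { printf "%.1f\n", n * log(7776) / log(2) }'
}

# Print WORDS indices, each followed by its word when WORDLIST is readable.
passphrase() {
    words=${1:-6}
    wordlist=${2:-}
    i=0
    while [ "$i" -lt "$words" ]; do
        idx=$(roll_index)
        if [ -n "$wordlist" ] && [ -r "$wordlist" ]; then
            printf '%s %s\n' "$idx" "$(awk -v k="$idx" '$1 == k { print $2 }' "$wordlist")"
        else
            printf '%s\n' "$idx"
        fi
        i=$((i + 1))
    done
}

case "${1:-}" in
    roll)
        passphrase "${2:-6}" "${3:-}"
        echo "entropy: $(entropy_bits "${2:-6}") bits"
        ;;
esac
```

The entropy figure only holds if the words are used exactly as rolled; re-rolling until a phrase "looks nice" or swapping words in by hand throws part of it away.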

2- Using complex passwords stored in a notebook:

You could actually use this method alongside the password manager, but it can even make a good standalone solution. Remember that complex passwords are necessary. This means good passphrases, or non-dictionary word passwords/passphrases with uppercase, lowercase, numeric and special characters that I would say are 12 characters minimum. If you create your passwords this way, avoid capital letters at the beginning and numbers/special characters at the end, such as Dinosaur12# or Chickens@31. Those are 11 character passwords, but they are also really easy to guess. Something like $colId0sPhoro7s can be a good password. There isn’t an easily guessable pattern and it isn’t a word. Coming up with different passwords like this can be hard though, so that’s why I always recommend this option along with option #1. Another reason why it would be good to use a password manager, but to also have a book is so you can have a physical copy in case your digital database gets destroyed. It is also good to keep this safe in the event you pass away and you want family members to have access to your accounts.

3- Use an online password manager like LastPass

This ultimately serves the same purpose as #1, but you let an online service store and generate your passwords. You get all the advantages of #1, but you open a new can of worms. Your passwords are stored by an entity you have no control over, so if they experience a data breach (and they have in the past), you may lose personal information and have account credentials stolen. That risk comes with the advantage of easier access to your passwords on different devices, rather than moving around multiple copies of your own .kdbx file and ending up with different versions because you edited the file on computer A but not on computer B. An alternative is hosting your own Nextcloud server, or using Syncthing to sync your KeePass database. However, now you need to set up your own server if you want 24/7 access to your files (on the bright side, you can sync all your files of choice!). So, if you want easy access to your passwords, consider the risk of hosting your password file on a publicly targeted service and weigh how much you care about accessibility against the security you give up.

Conclusions

So, I hope this helps in some way. Please, if you are reusing the same password or set of passwords (especially if they're REALLY simple), look into changing your password management. Don't fall into the trap of "oh, it's just little old me, I have nothing to take except some gumballs and a Yo-Yo" or whatever "little value" you have. YOU may not be a target, but you might be part of an attack, and you will get royally screwed in some form or another. I have had a handful of friends suffer account compromises (namely, Facebook) so far this year (2017), and it seems to stem from the recent dumps of passwords being sold on the black market. You never know, you might be next. You might have your Facebook account defaced like my friends, or, as happened to one of them, illegal sales made under the guise of your account. This isn't the 1990s, where you could get away with a simple password to lock your mom out of...whatever you used the Internet for in the 90s. Now we need good password policies to protect our digital life online, which is of growing significance and of great detriment to us if we don't protect it. Using good password practices is one of the best ways to start.

Photo credit goes to xmodulo – https://www.flickr.com/photos/xmodulo/

Useful articles:

http://www.huffingtonpost.com/jonathan-rajewski/identity-theft-passwords_b_2648314.html

http://macgroup.org/blog/2012/08/06/the-dangers-of-using-the-same-password-for-everything/

http://www.pcworld.com/article/219303/password_use_very_common_research_shows.html

courtnix87
http://randomnixfix.wordpress.com/?p=61
Replacing a btrfs /home drive

Just recently I needed to upgrade my hard drive that I have my /home directory on. In this post, I will show the steps I took to replace my drive. This guide is also beneficial if you plan to replace a drive that is beginning to fail.

The scenario:

My hard drive was originally a 1TB hard drive, and I wanted to upgrade to a 2TB hard drive. The only thing on the drive was the /home directory.

My setup:

  • OS: Fedora 24
  • / on an SSD with the ext4 filesystem
  • /home on a 1TB hard drive with btrfs

The process:

First things first, add the new drive to your system, so make sure both the old and new drives are connected and visible to the OS, and make note of which is which. In my case, the old drive (and btrfs partition) was /dev/sdc1 and the new drive was /dev/sda. When I ran the replace command, I didn't create a partition table (GPT or MBR) on the new disk. My initial impression was that the command would create one, but it turns out btrfs can live directly on a whole, unpartitioned disk: the replace target is used exactly as you name it, a partition if you give one, the raw disk if you give the disk. So if you want GPT or MBR, partition the new disk beforehand and pass the partition. The Arch Linux wiki lists these drawbacks of a partitionless btrfs disk:

  • Cannot use different file systems for different mount points.
  • Cannot use swap area as Btrfs does not support swap files and there is no place to create swap partition. This also limits the use of hibernation/resume, which needs a swap area to store the hibernation image.
  • Cannot use UEFI to boot.

Since this is just a /home drive, none of this affects my scenario, and my machine hasn't had any hiccups since. Back to how I replaced the drive. I believe btrfs replace is designed to run on a live, mounted filesystem, but for the safety of my data I did the entire swap logged in as root so I wasn't making changes to my user directory while it ran. Once logged in as root, it's time to do the disk replacement. Allow some time; I let mine run overnight. The tool is btrfs replace, which has its own man page:

man btrfs-replace

The syntax for starting a replace is:

btrfs replace start [-r] [-f] <srcdev>|<devid> <targetdev> <mount_point>

Two options matter when the source drive is failing, which is the other use this guide is good for: -r reads from the source only when no other copy of the data exists, and -f is required if the target already carries a filesystem you intend to overwrite. The target must be at least as large as the source, and everything on it is destroyed.

In my case, my source device is /dev/sdc1, my destination device is /dev/sda and my path is /home. The command will look like this:

btrfs replace start /dev/sdc1 /dev/sda /home

By default the replace runs in the background and the command returns right away; check on it with btrfs replace status /home (or pass -B to start to keep it in the foreground with a progress display). Once it completes, the old device is dropped from the filesystem. Because btrfs replace keeps the filesystem's UUID, an /etc/fstab entry that mounts /home by UUID= needs no change; only an entry that names the old device path (/dev/sdc1) has to be updated to the new device. I found that the old device wasn't "removed" in my case: the new drive wasn't mounted and the old drive still looked like the active one. Once I shut down, unplugged the old drive, and booted again, everything worked as usual!

If the drives are identical in size, you're done at this point. I was adding a larger drive, which requires one more command. To grow the filesystem to fill the new disk, resize it by its mount point (the resize subcommand takes the mounted path, not the device node):

btrfs filesystem resize max /home

Then check your drive to see if it did in fact expand to fill the entire drive:

btrfs filesystem show

If it did, then you're done! If the size didn't change, make sure you gave the resize command the mount point rather than the device, run it again, and check with btrfs filesystem show once more. I found some of my GUI tools didn't report the change immediately, but the filesystem show command did.
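To make those final checks repeatable, here is a small post-replace script, as an added example that is not part of the original post. Its helpers parse btrfs filesystem show and /etc/fstab text on stdin so they can be tried on sample output, and post_replace_check runs them against the live system. The device names (/dev/sda new, /dev/sdc1 old) and the /home mount point are the post's; the output layout it parses is btrfs-progs' "devid N size S used U path P" line, and the script name is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: checks to run after
# "btrfs replace" and "btrfs filesystem resize".
# Usage (script name assumed):  sh post_replace.sh check /dev/sda /dev/sdc1 /home

# Device paths that "btrfs filesystem show" (stdin) reports as members,
# one per line, taken from the "devid N size S used U path P" lines.
fs_devices() {
    awk '$1 == "devid" { for (i = 1; i <= NF; i++) if ($i == "path") print $(i + 1) }'
}

# 0 if the member list on stdin contains NEW and no longer contains OLD.
members_ok() {
    awk -v new="$1" -v old="$2" '
        $0 == new { n = 1 }
        $0 == old { o = 1 }
        END { exit !(n && !o) }'
}

# Lines of an fstab (stdin) that mount MOUNTPOINT by device path instead of
# UUID=/LABEL=. btrfs replace keeps the filesystem UUID, so UUID= entries
# survive the swap; a /dev/... entry naming the old disk will not.
fstab_by_devpath() {
    awk -v mp="$1" '!/^[[:space:]]*#/ && $2 == mp && $1 ~ /^\/dev\// { print }'
}

# Size of the (first) member device as reported by "btrfs filesystem show",
# e.g. "1.82TiB"; after "resize max" it should match the new disk.
fs_size() {
    awk '$1 == "devid" { for (i = 1; i <= NF; i++) if ($i == "size") print $(i + 1); exit }'
}

# Live check: NEW and OLD device paths, MP the mount point. Returns 1 on
# any problem and prints what it found.
post_replace_check() {
    new=$1; old=$2; mp=$3
    rc=0
    btrfs filesystem show "$mp" | fs_devices | members_ok "$new" "$old" ||
        { echo "$mp: expected $new as a member and $old gone"; rc=1; }
    bad=$(fstab_by_devpath "$mp" < /etc/fstab)
    [ -z "$bad" ] || { echo "fstab mounts $mp by device path, update it:"; echo "$bad"; rc=1; }
    echo "$mp member size: $(btrfs filesystem show "$mp" | fs_size)"
    return $rc
}

case "${1:-}" in
    check) post_replace_check "${2:-/dev/sda}" "${3:-/dev/sdc1}" "${4:-/home}" ;;
esac
```

Run it as root once btrfs replace status reports the job finished; if the member size it prints is still the old disk's, the resize step above hasn't taken effect yet.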

 

Hopefully this helps some folks out there! Let me know if you found this useful, I plan on adding more content as I do my work.

 

Photo by Maarten Elings (Red Kite)
courtnix87
http://randomnixfix.wordpress.com/?p=24