
      Perfect Neovim Ansible Setup

      Slixfeed · Wednesday, 13 March - 22:51 · 9 minutes

    Let's start with the information that I did not create this config. This Ansible oriented config was handed to me by one of my mates from the Linux world … and as it takes some steps specific only to FreeBSD to make it work – I thought that it may be a good reason to share them.

    I have split the article into the following parts, as shown in the Table of Contents below.

    • Neovim Config
    • Neovim Plugins
    • Needed Packages
    • Ansible Language Server
    • Some Modules Linuxisms
    • Alternatives
    • Summary

    Let's start then.

    Neovim Config

    Below are the Neovim config files located at ~/.config/nvim/lua/config place.

    % wc -l ~/.config/nvim/lua/config/*
           3 /home/vermaden/.config/nvim/lua/config/globals.lua
          43 /home/vermaden/.config/nvim/lua/config/init.lua
          24 /home/vermaden/.config/nvim/lua/config/keymaps.lua
          53 /home/vermaden/.config/nvim/lua/config/options.lua
         123 total
    
    
    
    % cat ~/.config/nvim/lua/config/globals.lua
    -- Leader keys: both <leader> and <localleader> resolve to the space bar.
    -- init.lua requires this module before any plugin is set up, so plugin
    -- keymaps that use <leader> see the final value.
    local g = vim.g
    g.mapleader      = " "
    g.maplocalleader = " "
    
    
    
    % cat /home/vermaden/.config/nvim/lua/config/init.lua
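    -- Bootstrap lazy.nvim: clone it on the very first start, load the rest of
    -- the config, then hand the plugin specs in lua/plugins/ to lazy.setup().
    local lazypath = vim.fn.stdpath("data") .. "/lazy/lazy.nvim"
    if not vim.loop.fs_stat(lazypath) then
      -- First start: fetch the plugin manager itself over the network. The
      -- `stable` branch keeps the bootstrap on a tagged release instead of
      -- whatever happens to be on master at the time.
      local out = vim.fn.system({
        "git",
        "clone",
        "--filter=blob:none",
        "https://github.com/folke/lazy.nvim.git",
        "--branch=stable", -- latest stable release
        lazypath,
      })
      -- Without this check a failed clone (no network, no git binary, blocked
      -- host) only surfaces later as a confusing "module 'lazy' not found".
      if vim.v.shell_error ~= 0 then
        error("lazy.nvim bootstrap failed (git clone):\n" .. out)
      end
    end
    vim.opt.rtp:prepend(lazypath)

    -- Editor-wide settings first, so plugin specs can rely on mapleader etc.
    require('config.globals')
    require('config.options')
    require('config.keymaps')

    local opts = {
      defaults = {
        lazy = true, -- plugins are lazy-loaded unless their spec says otherwise
      },
      install = {
        colorscheme = { "nightfox" } -- colorscheme to use while installing
      },
      rtp = {
        -- Built-in Vim plugins this setup does not need; skipping them trims
        -- startup (netrw is replaced by nvim-tree, see keymaps.lua).
        disabled_plugins = {
          "gzip",
          "matchit",
          "matchparen",
          "netrw",
          "netrwPlugin",
          "tarPlugin",
          "tohtml",
          "tutor",
          "zipPlugin",
        }
      },
      change_detection = {
        notify = true -- tell the user when a plugin spec file changes on disk
      },
    }

    require("lazy").setup('plugins', opts)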
    
    
    
    % cat ~/.config/nvim/lua/config/keymaps.lua
    -- Key mappings. <leader> is the space bar (see config/globals.lua).
    local keymap = vim.keymap

    -- Shared options: non-recursive and without command-line echo.
    local opts = { noremap = true, silent = true }

    -- Non-recursive normal-mode bindings, registered in list order.
    local normal_bindings = {
      -- DIRECTORY NAVIGATION
      { "<leader>m", ":NvimTreeFocus<CR>" },
      { "<leader>f", ":NvimTreeToggle<CR>" },
      { "<C-k>", "<C-w>k" }, -- NAVIGATE [^] UP
      { "<C-h>", "<C-w>h" }, -- NAVIGATE [<] LEFT
      { "<C-l>", "<C-w>l" }, -- NAVIGATE [>] RIGHT
      { "<C-j>", "<C-w>j" }, -- NAVIGATE [v] DOWN
      -- WINDOW MANAGEMENT
      { "<leader>sv", ":vsplit<CR>" }, -- SPLIT VERTICALLY
      { "<leader>sh", ":split<CR>" },  -- SPLIT HORIZONTALLY
    }
    for _, binding in ipairs(normal_bindings) do
      keymap.set("n", binding[1], binding[2], opts)
    end

    -- INDENT: re-select the block after shifting so it can be shifted again.
    -- These intentionally take keymap.set's defaults rather than `opts`.
    keymap.set("v", "<", "<gv")
    keymap.set("v", ">", ">gv")

    -- COMMENTS: <C-_> (commonly what a terminal sends for Ctrl-/) triggers the
    -- `gcc` mapping; noremap=false is required so the plugin-provided `gcc`
    -- (Comment.nvim, listed in lua/plugins/) is resolved rather than the raw keys.
    -- NOTE(review): in visual mode the comment operator is usually `gc`, so the
    -- trailing `c` may be left over as a pending command — confirm interactively.
    for _, mode in ipairs({ "n", "v" }) do
      vim.api.nvim_set_keymap(mode, "<C-_>", "gcc", { noremap = false })
    end
    
    
    
    % cat ~/.config/nvim/lua/config/options.lua
    -- Editor options for the Ansible-oriented setup. Loaded from init.lua via
    -- require('config.options') before the plugin manager is started.
    local opt = vim.opt

    -- Every plain `vim.opt.<name> = <value>` assignment, kept as an ordered
    -- list so it is applied exactly as a line-by-line assignment would be.
    local settings = {
      -- TAB/INDENT: two spaces, never a literal tab
      { "tabstop",     2 },
      { "shiftwidth",  2 },
      { "softtabstop", 2 },
      { "expandtab",   true },
      { "smartindent", true },
      { "wrap",        false },

      -- SEARCH: case-insensitive unless the pattern has capitals; no lingering highlight
      { "incsearch",  true },
      { "ignorecase", true },
      { "smartcase",  true },
      { "hlsearch",   false },

      -- APPEARANCE
      { "number",         true },
      { "relativenumber", false },
      { "termguicolors",  true },
      { "colorcolumn",    "100" },
      { "signcolumn",     "yes" },
      { "cmdheight",      1 },
      { "scrolloff",      10 },
      { "completeopt",    "menuone,noinsert,noselect" },

      -- MISC: no swap/backup files, but persistent undo under ~/.vim/undodir
      { "hidden",     true },
      { "errorbells", false },
      { "swapfile",   false },
      { "backup",     false },
      { "undodir",    vim.fn.expand("~/.vim/undodir") },
      { "undofile",   true },
      { "backspace",  "indent,eol,start" },
      { "splitright", true },
      { "splitbelow", true },
      { "autochdir",  false },
      { "modifiable", true },
      { "encoding",   "UTF-8" },
    }

    for _, entry in ipairs(settings) do
      opt[entry[1]] = entry[2]
    end

    -- APPEND: extend list/flag-valued options instead of overwriting them.
    opt.mouse:append('a')
    opt.iskeyword:append("-")
    opt.clipboard:append("unnamedplus")

    -- ANSIBLE/YAML: every *.yml file gets the combined `yaml.ansible` filetype,
    -- not only files under an Ansible tree. NOTE(review): presumably this is the
    -- filetype the LSP spec in lua/plugins/ attaches to — confirm there.
    vim.filetype.add({
      extension = {
        yml = 'yaml.ansible'
      }
    })
    
    

    That much for configs – now plugins.

    Neovim Plugins

    The list of Neovim plugins in this config is shown below.

    neovim.plugins

    … if some search engine would like to point here I will also list them in text.

    • comment.lua
    • indent-blankline.lua
    • init.lua
    • lualine-nvim.lua
    • mason-lspconfig.lua
    • mason.lua
    • nightfox.lua
    • noice.lua
    • nvim-cmp.lua
    • nvim-lspconfig.lua
    • nvim-tree.lua
    • nvim-treesitter.lua
    • nvim-ts-autotag.lua
    • nvim-web-devicons.lua
    • telescope.lua
    • vim-highlightedyank.lua
    • vim-illuminate.lua
    • whichkey.lua

    Here are their contents.

    % grep -A 1 return ~/.config/nvim/lua/plugins/* \
        | grep -v -e -- -e return \
        | awk '{print $NF}' \
        | tr -d "\"',{}" \
        | sort -u
    
    EdenEast/nightfox.nvim
    folke/noice.nvim
    folke/which-key.nvim
    hrsh7th/nvim-cmp
    lukas-reineke/indent-blankline.nvim
    machakann/vim-highlightedyank
    neovim/nvim-lspconfig
    numToStr/Comment.nvim
    nvim-lualine/lualine.nvim
    nvim-telescope/telescope.nvim
    nvim-tree/nvim-tree.lua
    nvim-tree/nvim-web-devicons
    nvim-treesitter/nvim-treesitter
    RRethy/vim-illuminate
    williamboman/mason-lspconfig.nvim
    williamboman/mason.nvim
    windwp/nvim-ts-autotag
    
    

    All these plugins are available – nvim-lua-plugins.tar.gz – here.

    Execute the command below to add them to Your Neovim dir.

    % fetch -o - \
        https://github.com/vermaden/scripts/raw/master/distfiles/nvim-lua-plugins.tar.gz \
        | tar -C ~/.config/nvim/lua -xvf -
    -                                                     3696  B 9804 kBps    00s
    x plugins/
    x plugins/noice.lua
    x plugins/telescope.lua
    x plugins/indent-blankline.lua
    x plugins/whichkey.lua
    x plugins/nvim-web-devicons.lua
    x plugins/comment.lua
    x plugins/nvim-tree.lua
    x plugins/mason.lua
    x plugins/nightfox.lua
    x plugins/nvim-cmp.lua
    x plugins/vim-highlightedyank.lua
    x plugins/mason-lspconfig.lua
    x plugins/init.lua
    x plugins/nvim-treesitter.lua
    x plugins/vim-illuminate.lua
    x plugins/nvim-ts-autotag.lua
    x plugins/lualine-nvim.lua
    x plugins/nvim-lspconfig.lua
    
    

    Just in case WordPress messes up any part of the Neovim config – You may find all of the configuration and plugins in one file – ~/.config/nvim – available here.

    Needed Packages

    Besides the obvious Neovim packages there are some additional ones needed to make entire setup work.

    # pkg install -y \
        neovim \
        npm    \
        node   \
        gcc13  \
        gmake
    

    That is it. That is probably the most simple part of this article.

    Ansible Language Server

    After I dumped that Neovim config into the ~/.config/nvim dir I learned that it is a lot more advanced than I thought – to the point that it needs an external dedicated ansible-language-server for the Ansible playbook completions.

    neovim.ansible-language-server

    I used the most recent 1.2.1 release of ansible-language-server … and used the ALS Documentation for the instructions to build it properly.

    % fetch https://github.com/ansible/ansible-language-server/archive/refs/tags/v1.2.1.tar.gz
    
    % tar -xzvf v1.2.1.tar.gz
    
    % cd ansible-language-server-1.2.1
    
    % npm install .
    

    Let's check if the ansible-language-server built properly … and that it actually works.

    % find . -name server.js -o -name ansible-language-server
    ./bin/ansible-language-server
    ./out/server/src/server.js
    ./node_modules/vscode-languageserver/lib/common/server.js
    
    % node ./out/server/src/server.js --stdio  
    ^C
    

    Seems to work as desired.

    As I already use the ~/scripts/bin dir as an additional element of my PATH environment variable I will put it there … kinda.

    % echo ${PATH} | tr ':' '\n' | grep scripts
    /home/vermaden/scripts
    /home/vermaden/scripts/bin
    
    % pwd
    /home/vermaden/ansible-language-server-1.2.1
    
    % cd ..
    
    % mv ansible-language-server-1.2.1 ~/scripts/
    
    % ln -s \
        ~/scripts/ansible-language-server-1.2.1/bin/ansible-language-server \
        ~/scripts/bin/ansible-language-server
    
    % rehash || hash -r
    

    When we now start Neovim it does not cry that ansible-language-server is not available – so that part seems to work properly.

    Some Modules Linuxisms

    When You first start that Neovim setup it will start to fetch/build/configure all these plugins.

    neovim.1st.start

    For the record – if something fails it's safe to remove the ~/.local/share/nvim dir and start over.

    % rm -rf ~/.local/share/nvim
    % nvim
    

    … and it fails to build LuaSnip module.

    neovim.linuxisms

    Maybe it will do better with GNU make(1) instead of BSD make(1) – let's try that.

    ~ # cd /usr/bin
    /usr/bin # mv make make.FreeBSD
    /usr/bin # ln -s /usr/local/bin/gmake make
    

    Let's try now with GNU make(1) instead.

    neovim.setup.GNU.make

    Now gcc seems to be missing … but we installed the lang/gcc13 package at the beginning …

    % pkg info -l gcc13 | grep bin/gcc
            /usr/local/bin/gcc-ar13
            /usr/local/bin/gcc-nm13
            /usr/local/bin/gcc-ranlib13
            /usr/local/bin/gcc13

    Right … it's gcc13 and not gcc

    Let's create the gcc link that points to gcc13 then.

    # ln -s /usr/local/bin/gcc13 /usr/local/bin/gcc
    
    # /bin/ls -l /usr/local/bin/gcc
    lrwxr-xr-x  1 root wheel 20 Mar 11 07:27 /usr/local/bin/gcc -> /usr/local/bin/gcc13
    

    Let's try again …

    neovim.setup.gcc

    Seems that it worked. All modules fetched/built/configured successfully as shown below.

    neovim.setup.complete

    Let's now check how it runs with some Ansible YAML file.

    neovim.YAML.before

    Seems that it's processing it …

    neovim.YAML.after

    Yeah … a lot of hints for a start … sounds kinda like Clippy from some oldschool Office suite.

    clippy

    … always helpful with a bunch of hints 🙂

    The same Ansible playbook after applying the suggestions.

    neovim.YAML.fixed

    Seems like fixed.

    Now … let's revoke the GNU make(1) change.

    ~ # cd /usr/bin
    /usr/bin # rm make
    /usr/bin # mv make.FreeBSD make
    

    I tried to submit this behavior as an issue on the LuaSnip page – https://github.com/L3MON4D3/LuaSnip/issues/1140 – but no reaction so far.

    Alternatives

    Before I got this config I tried to set up plain vim(1) as an Ansible oriented setup … and to be honest it also works quite well for me. It’s also calmer as the Clippy is not present here and does not share its thoughts all the time.

    vim.config

    Seems pretty decent. The completion also works – but it's limited and based on file contents. One may overcome that by opening TWO files at once each time an Ansible playbook is edited. The first file would be the one You want to edit – the second one would be a prepared Ansible playbook that contains all modules and all options for these modules … of course the completion would not be per module aware but still – somewhat helpful. Below is the simple vim(1) completion spawned by the [CTRL]+[N] (also known as ^n in UNIX notation) shortcut in INSERT mode.

    vim.config.completions

    … and Neovim completion for comparison with the same shortcut used.

    neovim.server.completion

    It is a very simple and basic vim(1) config w/o any additional modules or plugins – just a plain ~/.vimrc file.

    % cat ~/.vimrc
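    " -- GENERAL --------------------------------------------------------------- "
    " Plain vim(1) setup with no plugins; everything below is built-in.
      syntax on
      set nomodeline                  " ignore modelines embedded in edited files
      set nocompatible
      set backspace=indent,eol,start
      set autoindent
      set nobackup
      set cursorline
      set number
      set nowrap
      set history=32
      set ignorecase
      set showcmd
      set incsearch
      set hlsearch
      set tabstop=2
      set shiftwidth=2                " was listed twice; the duplicate is dropped
      set softtabstop=2
      set expandtab
      set ruler
      set mouse-=a
      " Mark column 100 and shade every column past it.
      highlight ColorColumn ctermbg=0 guibg=blue
      let &colorcolumn="100,".join(range(100,999),",")
      " Read by the indentLine plugin if one is ever installed; a no-op here.
      let g:indentLine_char = '¦'

    " -- DISABLE ~/.viminfo FILE ----------------------------------------------- "
    " No command/search/register history is persisted across sessions.
      let skip_defaults_vim=1
      set viminfo=""

    " -- COMMANDS -------------------------------------------------------------- "
    " Tolerate a held Shift key when writing/quitting.
      command WQ wq
      command Wq wq
      command W  w
      command Q  q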
    
    

    I am also a big fan of the Geany IDE/editor (depending on how you configure it) and it's also a good companion in the Ansible world.

    geany.YAML

    Summary

    Hope that this Neovim config would help You in your daily Ansible work … and let me know it now and why 🙂

    Regards.

    UPDATE 1 – Lua and General Purpose Language Servers

    After I opened some Lua config in this nvim(1) config it welcomed me with this message below.

    neovim.lua.efm

    So I started to dig into this topic … and as a result added both lua-language-server and efm-langserver servers to this config.

    Lua Language Server

    While the initial research was not encouraging – https://github.com/LuaLS/lua-language-server/issues/2361 – I managed to skip the tests that are broken on FreeBSD … and the lua-language-server seems to just work.

    Below are build/install instructions.

    # pkg install ninja
    
    % git clone https://github.com/LuaLS/lua-language-server.git
    
    % cd lua-language-server
    
    % :> 3rd/bee.lua/test/test.lua
    
    % :> test.lua
    
    % ./make.sh
    
    % ./bin/lua-language-server
    Content-Length: 120
    
    {"jsonrpc":"2.0","method":"$/status/report","params":{"text":"Lua","tooltip":"Cached files: 0/0\nMemory usage: 2M"}}
    

    Seems to work – will now copy to my preferred ${PATH} place – feel free to choose your own different place.

    % cp bin/lua-language-server ~/scripts/bin
    
    % rm -rf ~/lua-language-server
    

    General Purpose Language Server

    … and now the efm-langserver part.

    # pkg install go gmake
    
    % git clone https://github.com/mattn/efm-langserver.git
    
    % cd efm-langserver
    
    % gmake
    
    % ./efm-langserver
    2024/03/14 07:54:26 efm-langserver: no configuration file
    2024/03/14 07:54:26 efm-langserver: reading on stdin, writing on stdout
    

    Seems to work – now the install part as previously.

    % cp efm-langserver ~/scripts/bin
    
    % rm -rf ~/efm-langserver
    

    … and now Neovim starts and behaves properly.

    neovim.lua.efm.works

    Regards.

    EOF

      Keycloak Identity and Access Management on FreeBSD

      Slixfeed · Sunday, 10 March - 10:35 · 8 minutes

    Many times I wrote about FreeIPA/IDM – but I have one problem with it – it's not currently possible to run FreeIPA on FreeBSD … so I searched for other open source alternatives and found Keycloak. What surprised me even more is that it's even available in the FreeBSD Ports as the net/keycloak port. So I wanted to check how it works/runs on FreeBSD … and this is exactly how this article happened.

    keycloak.logo

    My earlier FreeIPA/IDM attempts are below.

    First – we will create a new VM for our server. I will use sysutils/vm-bhyve-devel for Bhyve but feel free to use any other hypervisor (or even w/o one). To not waste time installing I will also use the VM-IMAGE with ZFS enabled provided by the FreeBSD project – FreeBSD-14.0-RELEASE-amd64-zfs.raw disk0.img

    host # cat /vm/.templates/freebsd.conf
    loader="bhyveload"
    cpu=1
    memory=256M
    network0_type="virtio-net"
    network0_switch="public"
    disk0_type="nvme"
    disk0_name="disk0.img"
    
    host # vm create -t freebsd -c 2 -m 4G -s 10G keycloak
    
    host # ls -lh /vm/keycloak
    total 3402399
    -rw-------  1 root wheel   10G Mar 10 10:47 disk0.img
    -rw-r--r--  1 root wheel  209B Mar 10 07:20 keycloak.conf
    -rw-r--r--  1 root wheel   96B Mar 10 07:22 vm-bhyve.log
    
    host # cd /vm/keycloak
    
    host # rm -f disk0.img
    
    host # cp /vm/TEMPLATE/FreeBSD-14.0-RELEASE-amd64-zfs.raw disk0.img
    
    host # truncate -s 10G disk0.img
    
    host # vm start keycloak
    Starting keycloak
      * found guest in /vm/keycloak
      * booting...
    
    host # vm console keycloak
    

    Type root as user and hit [ENTER] for empty password. Now the FreeBSD setup and needed packages.

    root@freebsd:~ # :> ~/.hushlogin
    
    root@freebsd:~ # cat << EOF > /etc/rc.conf
    hostname="keycloak.lab.org"
    ifconfig_DEFAULT="inet 10.1.1.211/24"
    defaultrouter="10.1.1.1"
    growfs_enable="YES"
    zfs_enable="YES"
    sshd_enable="YES"
    postgresql_enable="YES"
    keycloak_enable="YES"
    keycloak_env="KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD=password"
    EOF
    
    root@freebsd:~ # echo 10.1.1.211 keycloak.lab.org keycloak >> /etc/hosts
    
    root@freebsd:~ # mkdir -p /usr/local/etc/pkg/repos
    
    root@freebsd:~ # sed -e s/quarterly/latest/g /etc/pkg/FreeBSD.conf \
                       > /usr/local/etc/pkg/repos/FreeBSD.conf
    
    root@freebsd:~ # echo nameserver 1.1.1.1 > /etc/resolv.conf
    
    root@freebsd:~ # drill freebsd.org | grep '^[^;]'
    freebsd.org.        799     IN      A       96.47.72.84
    
    root@freebsd:~ # service netif restart
    
    root@freebsd:~ # service routing restart
    
    root@freebsd:~ # service hostname restart
    Setting hostname: keycloak.lab.org.
    
    root@keycloak:~ # passwd
    Changing local password for root
    New Password:
    Retype New Password:
    
    root@keycloak:~ # cat << EOF >> /etc/ssh/sshd_config
    PermitRootLogin yes
    UseDNS no
    EOF
    
    root@keycloak:~ # service sshd enable
    
    root@keycloak:~ # service sshd start
    
    root@keycloak:~ # exit
    

    Now switch to ssh(1) for a better experience – it is needed to paste larger blocks of configs/text.

    host % ssh root@10.1.1.211
    
    root@keycloak:~ # pkg install -y keycloak postgresql16-server postgresql16-client
    
    root@keycloak:~ # service postgresql enable
    
    root@keycloak:~ # service postgresql initdb
    
    root@keycloak:~ # service postgresql start
    
    root@keycloak:~ # sockstat -l4
    USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    postgres postgres    2265 7   tcp4   127.0.0.1:5432        *:*
    root     syslogd      656 7   udp4   *:514                 *:*
    
    root@keycloak:~ # su - postgres -c psql
    psql (16.2)
    Type "help" for help.
    
    postgres=# ALTER USER postgres WITH PASSWORD 'password';
    
    postgres=# CREATE DATABASE keycloak with encoding 'UTF8';
    CREATE DATABASE
    
    postgres=# GRANT ALL ON DATABASE keycloak TO postgres;
    GRANT
    
    postgres=# \q
    
    root@keycloak:~ # cd /usr/local/share/java/keycloak/conf
    
    root@keycloak:~ # openssl req -x509 -newkey rsa:2048 -keyout server.key.pem -out server.crt.pem -days 36500 -nodes -subj "/C=PL/ST=lodzkie/L=Lodz/O=Vermaden/OU=HR/CN=keycloak.lab.org"
    
    root@keycloak:~ # chmod 600 server.crt.pem server.key.pem
    
    root@keycloak:~ # chown keycloak:keycloak server.crt.pem server.key.pem
    
    root@keycloak:~ # cat << EOF > /usr/local/share/java/keycloak/conf/keycloak.conf               
    db=postgres
    db-username=postgres
    db-password=password
    db-url=jdbc:postgresql://localhost:5432/keycloak
    hostname-strict-https=true
    hostname-url=https://keycloak.lab.org:8443/
    hostname-admin-url=https://keycloak.lab.org:8443/
    https-certificate-file=/usr/local/share/java/keycloak/conf/server.crt.pem
    https-certificate-key-file=/usr/local/share/java/keycloak/conf/server.key.pem
    proxy=edge
    EOF
    
    root@keycloak:~ # echo quarkus.transaction-manager.enable-recovery=true \
                        > /usr/local/share/java/keycloak/conf/quarkus.properties
    
    root@keycloak:~ # chown keycloak:keycloak /usr/local/share/java/keycloak/conf/quarkus.properties
    
    root@keycloak:~ # service keycloak enable
    
    root@keycloak:~ # service keycloak build
    The following run time non-cli properties were found, but will be ignored during build time: kc.db-url, kc.db-username, kc.db-password, kc.hostname-url, kc.hostname-admin-url, kc.hostname-strict-https, kc.https-certificate-file, kc.https-certificate-key-file, kc.proxy
    Updating the configuration and installing your custom providers, if any. Please wait.
    2024-03-10 09:01:17,701 INFO  [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 29796ms
    Server configuration updated and persisted. Run the following command to review the configuration:
    
            kc.sh show-config
    
    root@keycloak:~ # /usr/local/share/java/keycloak/bin/kc.sh show-config
    Current Mode: production
    Current Configuration:
            kc.config.built =  true (SysPropConfigSource)
            kc.db =  postgres (PropertiesConfigSource)
            kc.db-password =  ******* (PropertiesConfigSource)
            kc.db-url =  jdbc:postgresql://localhost:5432/keycloak (PropertiesConfigSource)
            kc.db-username =  postgres (PropertiesConfigSource)
            kc.hostname-admin-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.hostname-strict-https =  true (PropertiesConfigSource)
            kc.hostname-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.https-certificate-file =  /usr/local/share/java/keycloak/conf/server.crt.pem (PropertiesConfigSource)
            kc.https-certificate-key-file =  /usr/local/share/java/keycloak/conf/server.key.pem (PropertiesConfigSource)
            kc.log-console-output =  default (PropertiesConfigSource)
            kc.log-file =  ${kc.home.dir:default}${file.separator}data${file.separator}log${file.separator}keycloak.log (PropertiesConfigSource)
            kc.optimized =  true (PersistedConfigSource)
            kc.proxy =  edge (PropertiesConfigSource)
            kc.spi-hostname-default-admin-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.spi-hostname-default-hostname-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.spi-hostname-default-strict-https =  true (PropertiesConfigSource)
            kc.version =  23.0.6 (SysPropConfigSource)
    
    

    We now have the needed packages installed. Self signed certificate for HTTPS generated. PostgreSQL database and Keycloak configured. We will need a small patch to enable passing env(1) variables at the Keycloak daemon start. It will allow using keycloak_env in the /etc/rc.conf main FreeBSD config file. This is needed to configure the initial admin user as stated in the Keycloak documentation.

    keycloak-0-initial-admin-user

    Now back to the patch.

    root@keycloak:~ # cat /root/keycloak.patch
    --- /root/keycloak      2024-03-08 11:46:21.847315000 +0000
    +++ /usr/local/etc/rc.d/keycloak        2024-03-08 11:47:22.027102000 +0000
    @@ -28,6 +28,7 @@
     : ${keycloak_enable:=NO}
     : ${keycloak_user:=keycloak}
     : ${keycloak_group:=keycloak}
    +: ${keycloak_env:=""}
     : ${keycloak_flags="start"}
     : ${keycloak_java_home="/usr/local/openjdk17"}
     
    @@ -54,6 +55,7 @@
     
            echo "Starting keycloak."
             ${command} ${command_args} \
    +                env ${keycloak_env} \
                     /usr/local/share/java/keycloak/bin/kc.sh \
                     ${keycloak_flags}
     }
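Review bot: The added `env ${keycloak_env} \` line puts the full contents of keycloak_env — which the article's rc.conf example sets to `KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD=password` — on the daemon's command line, so the bootstrap admin password is visible in the process list while env(1) runs and, if ${command} is a supervising daemon(8), for as long as the service lives; /etc/rc.conf is also typically world-readable, so the same secret is exposed there. I would document this next to the hunk-1 default: `# keycloak_env is expanded unquoted onto the command line (visible in ps); remove KEYCLOAK_ADMIN_PASSWORD from rc.conf once the initial admin user exists`. The unquoted expansion is intentional word-splitting, so quoting it would break passing more than one variable; the comment should also say values must not contain spaces. The start function enclosing this second hunk begins outside the hunk.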
    
    root@keycloak:~ # cd /usr/local/etc/rc.d
    
    root@keycloak:/usr/local/etc/rc.d # patch < /root/keycloak.patch
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |--- /root/keycloak      2024-03-08 11:46:21.847315000 +0000
    |+++ /usr/local/etc/rc.d/keycloak        2024-03-08 11:47:22.027102000 +0000
    --------------------------
    Patching file keycloak using Plan A...
    Hunk #1 succeeded at 28.
    Hunk #2 succeeded at 55 with fuzz 2.
    Hmm...  Ignoring the trailing garbage.
    done
    
    

    Now we will start Keycloak. It's possible to track its startup process in the /var/log/keycloak/keycloak.out file. Below You will find the last 4 lines that you want to see – with the Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 19.251s. message 🙂

    root@keycloak:~ # service keycloak start
    
    root@keycloak:~ # tail -f /var/log/keycloak/keycloak.out
    (...)
    2024-03-10 09:12:15,550 INFO  [io.quarkus] (main) Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 19.251s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
    2024-03-10 09:12:15,551 INFO  [io.quarkus] (main) Profile prod activated. 
    2024-03-10 09:12:15,552 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
    2024-03-10 09:12:16,303 INFO  [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
    [CTRL]-[C]
    
    root@keycloak:~ # top -ab -o res 10
    last pid:  3067;  load averages:  0.50,  0.47,  0.42  up 0+02:56:35    09:19:04
    18 processes:  1 running, 17 sleeping
    CPU:  1.4% user,  0.0% nice,  0.4% system,  0.2% interrupt, 98.0% idle
    Mem: 299M Active, 176M Inact, 3247M Wired, 264K Buf, 202M Free
    ARC: 2965M Total, 902M MFU, 1982M MRU, 4096B Anon, 12M Header, 50M Other
         2766M Compressed, 2934M Uncompressed, 1.06:1 Ratio
    Swap: 1024M Total, 1024M Free
    
      PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
     2981 keycloak     41  68    0  1425M   299M uwait    1   0:37   0.00% /usr/local/openjdk17/bin/java -Dkc.config.built=true -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED -Dkc.home.dir=/usr/local/share/java/keycloak/bin/.. -Djboss.server.config.dir=/usr/local/share/java/keycloak/bin/../conf -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dquarkus-log-max-startup-records=10000 -cp /usr/local/share/java/keycloak/bin/../lib/quarkus-run.jar io.quarkus.bootstrap.runner.QuarkusEntryPoint start
     3063 postgres      1  24    0   181M    49M kqread   1   0:00   0.00% postgres: postgres keycloak 127.0.0.1(21936) idle (postgres)
     2266 postgres      1  20    0   178M    48M kqread   1   0:00   0.00% postgres: checkpointer  (postgres)
     3062 postgres      1  20    0   181M    47M kqread   1   0:00   0.00% postgres: postgres keycloak 127.0.0.1(22820) idle (postgres)
     2270 postgres      1  20    0   179M    31M kqread   0   0:00   0.00% postgres: autovacuum launcher  (postgres)
     2271 postgres      1  20    0   179M    31M kqread   0   0:00   0.00% postgres: logical replication launcher  (postgres)
     2269 postgres      1  20    0   178M    31M kqread   0   0:00   0.00% postgres: walwriter  (postgres)
     2267 postgres      1  20    0   178M    31M kqread   0   0:00   0.00% postgres: background writer  (postgres)
     2265 postgres      1  20    0   178M    30M kqread   0   0:00   0.00% /usr/local/bin/postgres -D /var/db/postgres/data16
     2420 root          1  20    0    22M    11M select   1   0:01   0.00% sshd: root@pts/0 (sshd)
    
    

    Add also on the host system the IP information to the /etc/hosts file and check https://keycloak.lab.org:8443 in your browser.

    host # echo 10.1.1.211 keycloak.lab.org keycloak >> /etc/hosts
    
    host % firefox 'https://keycloak.lab.org:8443'
    

    As we use a self signed certificate You will be warned about a potential security risk. Hit ‘Advanced’ and then ‘Accept the Risk and Continue’ buttons.

    keycloak-1-self-cert

    Next click the Administration Console link.

    keycloak-2-main-page

    Login with admin and password (or your password if You used other one).

    keycloak-3-admin-login

    … and You can now create your new realm, add users, create groups etc. You have fully working Keycloak in production mode.

    keycloak-4-admin-console

    Now … like with FreeIPA/IDM – it would be nice to attach FreeBSD to it so one could login to a FreeBSD system with a Keycloak user … not so fast unfortunately. To make such things possible You need a PAM module for Keycloak … and I was not able to find one that will work on FreeBSD … and the Keycloak package also comes without one.

    root@keycloak:~ # pkg info -l keycloak | grep -i pam
    root@keycloak:~ # 
    

    After grepping the Internet I found two solutions … but only for Linux.

    One of them was a step-by-step Keycloak PAM Module Development Tutorial guide which showed you how to write such a PAM module.

    pam-dev

    The other one was the Keycloak SSH PAM project on GitHub which provided a more or less ready solution for Linux systems.

    pam-kc

    So while with FreeIPA/IDM we had a server on Linux that allowed connecting FreeBSD systems to it – we now have a Keycloak server hosted on FreeBSD that allows connecting Linux systems 🙂

    Not much of an improvement – but maybe someone will find that guide useful.

    EOF

      Connect FreeBSD 14.0-STABLE to FreeIPA/IDM

      Slixfeed · Wednesday, 6 March - 15:42 · 21 minutes

    In the open source world everything lives/evolves/changes. This is why a new version of the guide for connecting the latest FreeBSD 14.0-STABLE system to FreeIPA/IDM is needed. One of the things that changed is that security/sssd is now deprecated and security/sssd2 is its successor. Also a new version of ports-mgmt/poudriere-devel is available – with the needed fixes already merged – and also with a new restyled web interface.

    FreeIPA-logo

    I already messed with that topic several times in the past:

    This article will try to address and contain all the steps needed – including setting up the FreeIPA/IDM server and including the Poudriere setup. Below You will find the Table of Contents for this article. All of these systems will be Bhyve virtual machines.

    • FreeIPA/IDM Server – Installation
    • FreeIPA/IDM Server – Configuration
    • Poudriere Server – Setup
    • Poudriere Server – Build FreeIPA/IDM Client Packages
    • Poudriere Server – Update Repo/Packages
    • FreeBSD 14.0-STABLE Client – Setup
    • FreeBSD 14.0-STABLE Client – Debug Commands
    • Summary

    The FreeBSD project recently started to provide ZFS based VM images … but unfortunately only for 14.0-RELEASE, and they are not created for the 14.0-STABLE or 15-CURRENT versions – so we will use the UFS based ones for both the Poudriere server and the FreeBSD FreeIPA/IDM client. For the record – they are available at https://download.freebsd.org/snapshots/VM-IMAGES/14.0-STABLE/amd64/Latest/.

    A note about the commands run in this article – different colors mark the various hosts.

    host # top -ba -o res 3                                  // executed on the host system
    [root@idm ~]# yum update -y                              // executed on IDM server
    root@freebsd:~ # geom disk list                          // executed on Poudriere server
    root@poudriere-devel-14-stable:~ # poudriere ports -l    // executed on Poudriere server
    root@idm-client:~ # hostname idm-client.lab.org          // executed on IDM client (FreeBSD)
      important information                                  // marked as GREEN color

    For the FreeIPA/IDM server I have used the Alma Linux RHEL clone – but we know that Rocky Linux or Oracle Linux would also work well. We will use three systems in this article.

    FreeIPA/IDM server – with idm.lab.org hostname.

          OS: Alma Linux
          IP: 10.0.0.200/24
          GW: 10.0.0.1
      domain: lab.org
       realm: LAB.ORG
    hostname: idm.lab.org
    

    Poudriere builder system – with poudriere-devel-14-stable.lab.org hostname.

          OS: FreeBSD 14.0-STABLE
          IP: 10.0.0.124/24
          GW: 10.0.0.1
         DNS: 1.1.1.1
      domain: -
       realm: -
    hostname: poudriere-devel-14-stable.lab.org
    

    FreeBSD client for FreeIPA/IDM system – with idm-client.lab.org hostname.

          OS: FreeBSD 14.0-STABLE
          IP: 10.0.0.233/24
          GW: 10.0.0.1
         DNS: 10.0.0.200
      domain: lab.org
       realm: LAB.ORG
    hostname: idm-client.lab.org
    

    I really like the FreeBSD Bhyve memory ballooning – which means the guest VMs only take as much RAM as the guest OS allocated, and not the 12 GB RAM that is configured.

    host # vm list | grep -e STATE -e Running
    NAME                       DATASTORE  LOADER     CPU  MEMORY  VNC           AUTO     STATE
    idm                        default    uefi       2    4g      0.0.0.0:5900  No       Running (25284)
    idm-client-14-stable       default    bhyveload  2    1g      -             No       Running (29517)
    poudriere-devel-14-stable  default    bhyveload  8    12g     -             Yes [1]  Running (23419)
    
    host # top -ba -o res 3
    last pid:  1290;  load averages:  0.09,  0.09,  0.08  up 0+00:47:08    07:05:20
    32 processes:  1 running, 31 sleeping
    CPU:  0.0% user,  0.0% nice,  0.6% system,  0.0% interrupt, 99.4% idle
    Mem: 2983M Active, 463M Inact, 1060M Wired, 56K Buf, 27G Free
    ARC: 619M Total, 115M MFU, 497M MRU, 32K Anon, 2346K Header, 4231K Other
         551M Compressed, 1080M Uncompressed, 1.96:1 Ratio
    Swap: 4096M Total, 4096M Free
    
      PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
    25284 root         13  20    0  4159M  1168M kqread  13   3:12   1.27% bhyve: idm (bhyve)
    23419 root         19  20    0    12G   109M kqread  15   0:27   0.00% bhyve: poudriere-devel-14-stable (bhyve)
    29517 root         13  20    0  1075M    77M kqread   5   0:20   0.00% bhyve: idm-client-14-stable (bhyve)
    
    

    As you can see I am using sysutils/vm-bhyve-devel for the Bhyve management – but You may as well use the bare /usr/share/examples/bhyve/vmrun.sh script instead … or even an entirely different hypervisor like KVM on Linux or VirtualBox on Windows – it does not matter as long as the machines have access to the Internet and can see each other on the same LAN.

    FreeIPA/IDM Server – Installation

    I installed the Alma Linux some time ago – so the screenshot shows older 8.7 version.

    LAB.IDM.Server.ROOT

    After reboot its network is configured as shown below.

    [root@idm ~]# cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=none
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=no
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=eui64
    NAME=enp0s3
    UUID=120efe1f-3cb6-40cf-8aad-b17066c08543
    DEVICE=enp0s3
    ONBOOT=yes
    IPADDR=10.0.0.200
    PREFIX=24
    GATEWAY=10.0.0.1
    DNS1=1.1.1.1
    IPV6_DISABLED=yes
    

    Some more basic setup commands below.

    
    [root@idm ~]# echo 10.0.0.200 idm.lab.org idm >> /etc/hosts
    
    [root@idm ~]# cat << EOF >> /etc/sysctl.conf
    # DISABLE IPv6 FOR MAIN enp0s3 INTERFACE
    net.ipv6.conf.enp0s3.disable_ipv6=1
    EOF
    
    [root@idm ~]# hostnamectl set-hostname idm.lab.org
    
    [root@idm ~]# timedatectl set-timezone Europe/Warsaw
    
    [root@idm ~]# timedatectl set-local-rtc 0
    
    [root@idm ~]# yum update -y
    
    [root@idm ~]# reboot
    

    Continuation after reboot.

    [root@idm ~]# yum module enable idm:DL1 -y
    
    [root@idm ~]# yum distro-sync -y
    
    [root@idm ~]# yum install -y bind-utils chrony nc
    
    [root@idm ~]# ipa-server-install                        \
                        --domain lab.org                    \
                        --realm LAB.ORG                     \
                        --reverse-zone=0.0.10.in-addr.arpa. \
                        --allow-zone-overlap                \
                        --no-forwarders                     \
                        --ntp-pool pool.ntp.org             \
                        --setup-dns                         \
                        --ds-password    password           \
                        --admin-password password           \
                        --unattended
    
    [root@idm ~]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
    
    [root@idm ~]# systemctl list-unit-files | grep ipa | grep service
    ipa-ccache-sweep.service                   static   
    ipa-custodia.service                       disabled 
    ipa-dnskeysyncd.service                    disabled 
    ipa-healthcheck.service                    disabled 
    ipa-ods-exporter.service                   disabled 
    ipa-otpd@.service                          static   
    ipa.service                                enabled
    
    [root@idm ~]# systemctl enable --now httpd
    
    [root@idm ~]# systemctl list-unit-files | grep httpd.service
    httpd.service                              enabled  
    
    [root@idm ~]# systemctl disable firewalld
    
    [root@idm ~]# systemctl stop    firewalld
    
    [root@idm ~]# cat /etc/sssd/sssd.conf
    [domain/lab.org]
      ipa_server_mode                = True
      ipa_server                     = idm.lab.org
      ipa_hostname                   = idm.lab.org
      ipa_domain                     = lab.org
      id_provider                    = ipa
      auth_provider                  = ipa
      chpass_provider                = ipa
      access_provider                = ipa
      cache_credentials              = True
      ldap_tls_cacert                = /etc/ipa/ca.crt
      krb5_store_password_if_offline = True
    
    [sssd]
      services = nss, pam, ifp, ssh, sudo
      domains  = lab.org
    
    [nss]
      homedir_substring = /home
      memcache_timeout  = 600
    
    [pam]
    
    [sudo]
    
    [autofs]
    
    [ssh]
    
    [pac]
    
    [ifp]
      allowed_uids = ipaapi, root
    
    [session_recording]
    

    If you would like to see what a successful ipa-server-install(8) looks like – you can take a look HERE.

    We have our FreeIPA/IDM server installed.

    You will need to add 10.0.0.200 as idm.lab.org to your /etc/hosts on the system where you will be using the browser (or to your local DNS).

    host # grep idm /etc/hosts
    10.0.0.200  idm.lab.org  idm
    

    You can login to it typing https://10.0.0.200 at your local browser – you will be redirected to https://idm.lab.org/ipa/ui/ immediately and you will see the login page as shown below.

    FreeIPA-login-1

    You may log in with the admin username and the password you specified for the ipa-server-install(8) command (or password if you just copy-pasted that command 🙂

    FreeIPA/IDM Server – Configuration

    … and after logging in I created a regular vermaden user as shown below.

    FreeIPA-login-2

    Remember to reset your password by connecting to the FreeIPA/IDM server.

    host # ssh -l vermaden 10.0.0.200
    (vermaden@10.0.0.200) Password:
    (vermaden@10.0.0.200) Password expired. Change your password now.
    Current Password:
    (vermaden@10.0.0.200) New password:
    (vermaden@10.0.0.200) Retype new password:
    Last failed login: Wed Oct 19 00:47:57 CEST 2022 from 10.0.0.33 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    
    [vermaden@idm /]$ w
     12:58:50 up  6:39,  1 user,  load average: 0.02, 0.05, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    vermaden pts/0    10.0.0.4         12:58    1.00s  0.04s  0.01s w
    

    The more important configuration is in HBAC and Sudo rules.

    Here are HBAC related settings.

    idm-1-hbac-rules-menu

    idm-2-hbac-rules-menu

    idm-3-hbac-rules-freebsd-details

    … and the Sudo part.

    idm-4-sudo-rules-menu

    idm-5-sudo-rules-freebsd

    idm-6-sudo-rules-freebsd-details

    Poudriere Server – Setup

    One note for the FreeBSD setups below – please use the /bin/sh shell (default for root since 14.0-RELEASE) for the commands … or zsh(1) for example … or another POSIX compatible shell. Some of these commands may not work properly in ‘C’ based shells or in the fish(1) shell.

    This is the template I used for Bhyve VMs.

    host # cat /vm/.templates/freebsd.conf 
    loader="bhyveload"
    cpu=1
    memory=256M
    network0_type="virtio-net"
    network0_switch="public"
    disk0_type="nvme"
    disk0_name="disk0.img"
    

    We will now create poudriere-devel-14-stable VM for Poudriere server.

    host # vm create -t freebsd -s 20g -m 12g -c 8 poudriere-devel-14-stable
    
    host # du -sgA /vm/poudriere-devel-14-stable/*
    20      /vm/poudriere-devel-14-stable/disk0.img
    1       /vm/poudriere-devel-14-stable/poudriere-devel-14-stable.conf
    1       /vm/poudriere-devel-14-stable/vm-bhyve.log
    

    Now we will replace disk0.img with Latest FreeBSD 14.0-STABLE snapshot.

    host # fetch -o - 'https://download.freebsd.org/snapshots/VM-IMAGES/14.0-STABLE/amd64/Latest/FreeBSD-14.0-STABLE-amd64.raw.xz' \
             | xz -d > /vm/poudriere-devel-14-stable/disk0.img
    
    host # file -b /vm/poudriere-devel-14-stable/disk0.img 
    DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 12649684 sectors
    
    host # du -sgA /vm/poudriere-devel-14-stable/*
    7       /vm/poudriere-devel-14-stable/disk0.img
    1       /vm/poudriere-devel-14-stable/poudriere-devel-14-stable.conf
    1       /vm/poudriere-devel-14-stable/vm-bhyve.log
    

    We now need to add an additional disk1.img disk for the ZFS pool.

    host # truncate -s 10G /vm/poudriere-devel-14-stable/disk0.img
    
    host # vm add -d disk -t file -s 100g poudriere-devel-14-stable
    
    host # vm info poudriere-devel-14-stable | grep -A 16 virtual-disk
      virtual-disk
        number: 0
        device-type: file
        emulation: nvme
        options: -
        system-path: /vm/poudriere-devel-14-stable/disk0.img
        bytes-size: 10737418240 (10.000G)
        bytes-used: 1720046592 (1.601G)
    
      virtual-disk
        number: 1
        device-type: file
        emulation: nvme
        options: -
        system-path: /vm/poudriere-devel-14-stable/disk1.img
        bytes-size: 107374182400 (100.000G)
        bytes-used: 1024 (1.000K)
    
    host # du -sgA /vm/poudriere-devel-14-stable/*
    10      /vm/poudriere-devel-14-stable/disk0.img
    100     /vm/poudriere-devel-14-stable/disk1.img
    1       /vm/poudriere-devel-14-stable/poudriere-devel-14-stable.conf
    1       /vm/poudriere-devel-14-stable/vm-bhyve.log
    

    Now internally inside VM.

    host # vm start poudriere-devel-14-stable                              
    Starting poudriere-devel-14-stable
      * found guest in /vm/poudriere-devel-14-stable
      * booting...
    
    host # vm console poudriere-devel-14-stable
    (...)
    Starting devd.
    Starting dhclient.
    DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 4
    DHCPOFFER from 10.0.0.1
    DHCPREQUEST on vtnet0 to 255.255.255.255 port 67
    DHCPACK from 10.0.0.1
    bound to 10.0.0.23 -- renewal in 43200 seconds.
    add host 127.0.0.1: gateway lo0 fib 0: route already in table
    add host ::1: gateway lo0 fib 0: route already in table
    add net fe80::: gateway ::1
    add net ff02::: gateway ::1
    add net ::ffff:0.0.0.0: gateway ::1
    add net ::0.0.0.0: gateway ::1
    Updating motd:.
    Updating /var/run/os-release done.
    Clearing /tmp (X related).
    Creating and/or trimming log files.
    Starting syslogd.
    Mounting late filesystems:.
    Starting cron.
    Starting background file system checks in 60 seconds.
    
    Wed Mar  6 08:23:03 UTC 2024
    
    FreeBSD/amd64 (freebsd) (ttyu0)
    
    login: 
    
    
    

    Use the root user with an ‘empty’ password – just hit the [ENTER] key at the password prompt.

    root@freebsd:~ # :> ~/.hushlogin
    
    root@freebsd:~ # passwd root
    Changing local password for root
    New Password:
    Retype New Password:
    
    root@freebsd:~ # geom disk list
    Geom name: nda0
    Providers:
    1. Name: nda0
       Mediasize: 10737418240 (10G)
       Sectorsize: 512
       Mode: r3w3e8
       descr: bhyve-NVMe
       lunid: 589cfc2012350001
       ident: NVME-4-0
       rotationrate: 0
       fwsectors: 0
       fwheads: 0
    
    Geom name: nda1
    Providers:
    1. Name: nda1
       Mediasize: 107374182400 (100G)
       Sectorsize: 512
       Mode: r0w0e0
       descr: bhyve-NVMe
       lunid: 589cfc20d2f40001
       ident: NVME-4-1
       rotationrate: 0
       fwsectors: 0
       fwheads: 0
    
    root@freebsd:~ # zpool create zroot nda1
    ZFS filesystem version: 5
    ZFS storage pool version: features support (5000)
    
    root@freebsd:~ # zfs set mountpoint=none zroot
    
    root@freebsd:~ # zfs list
    NAME    USED  AVAIL  REFER  MOUNTPOINT
    zroot   100K  96.4G    24K  none
    

    Now some basic configuration.

    root@freebsd:~ # cat /etc/rc.conf
    hostname="poudriere-devel-14-stable.lab.org"
    ifconfig_DEFAULT="inet 10.0.0.124/24 up"
    defaultrouter="10.0.0.1"
    zfs_enable="YES"
    sshd_enable="YES"
    nginx_enable="YES"
    
    root@freebsd:~ # cat /etc/hosts
    ::1         localhost  localhost.my.domain
    127.0.0.1   localhost  localhost.my.domain
    10.0.0.124  poudriere-devel-14-stable.lab.org  poudriere-devel-14-stable
    
    root@freebsd:~ # service sshd start
    
    root@freebsd:~ # mkdir -p /usr/local/etc/pkg/repos
    
    root@freebsd:~ # sed -e s/quarterly/latest/g /etc/pkg/FreeBSD.conf \
                       > /usr/local/etc/pkg/repos/FreeBSD.conf
    
    root@freebsd:~ # pkg install -y    \
                       beadm           \
                       lsblk           \
                       poudriere-devel \
                       nginx           \
                       git-lite        \
                       ccache4         \
                       tree
    
    root@freebsd:~ # reboot
    

    Fortunately we do not need to patch ports-mgmt/poudriere-devel anymore as the -u flag for sort(1) is already there.

    root@poudriere-devel-14-stable:~ # grep remote_all_ /usr/local/share/poudriere/common.sh | grep sort
                "${remote_all_options}" | sort -k1.2 -u | paste -s -d ' ' -)
                "${remote_all_dept}" | sort -u | paste -s -d ' ' -)
    

    We will now set up the actual Poudriere server.

    root@poudriere-devel-14-stable:~ # export SSL=/usr/local/etc/ssl
    
    root@poudriere-devel-14-stable:~ # mkdir -p \
                                         /usr/ports/distfiles \
                                         ${SSL}/keys \
                                         ${SSL}/certs
    
    root@poudriere-devel-14-stable:~ # chmod 0600 ${SSL}/keys
    
    root@poudriere-devel-14-stable:~ # openssl genrsa -out ${SSL}/keys/poudriere.key 4096
    
    root@poudriere-devel-14-stable:~ # openssl rsa \
                                         -in  ${SSL}/keys/poudriere.key -pubout \
                                         -out ${SSL}/certs/poudriere.cert
    
    root@poudriere-devel-14-stable:~ # zfs create -p -o mountpoint=/var/ccache zroot/var/ccache
    
    root@poudriere-devel-14-stable:~ # zfs list
    NAME               USED  AVAIL  REFER  MOUNTPOINT
    zroot              213K  96.4G    24K  none
    zroot/var           48K  96.4G    24K  none
    zroot/var/ccache    24K  96.4G    24K  /var/ccache
    
    root@poudriere-devel-14-stable:~ # export IP=10.0.0.124
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/poudriere.conf
    ZPOOL=zroot
    BASEFS=/usr/local/poudriere
    ZROOTFS=/usr/local/poudriere
    FREEBSD_HOST=ftp://ftp.freebsd.org
    POUDRIERE_DATA=/usr/local/poudriere/data
    CHECK_CHANGED_OPTIONS=verbose
    CHECK_CHANGED_DEPS=yes
    PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
    URL_BASE=http://${IP}/
    USE_TMPFS=no
    TMPFS_LIMIT=12
    MAX_MEMORY=12
    PARALLEL_JOBS=8
    PREPARE_PARALLEL_JOBS=8
    MAX_FILES=4096
    DISTFILES_CACHE=/usr/ports/distfiles
    KEEP_OLD_PACKAGES=yes
    KEEP_OLD_PACKAGES_COUNT=3
    CHECK_CHANGED_OPTIONS=verbose
    CHECK_CHANGED_DEPS=yes
    CCACHE_DIR=/var/ccache
    RESTRICT_NETWORKING=no
    EOF
    
    root@poudriere-devel-14-stable:~ # mkdir -p /usr/local/poudriere/data/logs/bulk
    
    root@poudriere-devel-14-stable:~ # ln -s \
                                         /usr/local/etc/ssl/certs/poudriere.cert \
                                         /usr/local/poudriere/data/logs/bulk/poudriere.cert
    
    root@poudriere-devel-14-stable:~ # service nginx enable
    
    root@poudriere-devel-14-stable:~ # sed -i '' -E 's|text/plain[\t\ ]*txt|text/plain txt log|g' /usr/local/etc/nginx/mime.types
    
    root@poudriere-devel-14-stable:~ # export IP=10.0.0.124
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/nginx/nginx.conf
    events {
      worker_connections 1024;
    }
    
    http {
      include      mime.types;
      default_type application/octet-stream;
    
      server {
        listen 80 default;
        server_name ${IP};
        root /usr/local/share/poudriere/html;
    
        location /data {
          alias /usr/local/poudriere/data/logs/bulk;
          autoindex on;
        }
    
        location /packages {
          root /usr/local/poudriere/data;
          autoindex on;
        }
      }
    }
    EOF
    
    root@poudriere-devel-14-stable:~ # service nginx restart
    
    root@poudriere-devel-14-stable:~ # mkdir -p /root/.cache/ccache                                  
    
    root@poudriere-devel-14-stable:~ # ln -sf /var/ccache /root/.cache/ccache
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/poudriere.d/make.conf
    ALLOW_UNSUPPORTED_SYSTEM=yes
    DISABLE_LICENSES=yes
    EOF
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /var/ccache/ccache.conf
    max_size = 0
    cache_dir = /var/ccache
    base_dir = /var/ccache
    hash_dir = false
    EOF
    
    root@poudriere-devel-14-stable:~ # poudriere jail -c -j 14-0-S-amd64 -v 14.0-STABLE
    (...)
    [00:20:45] Jail 14-0-S-amd64 14.0-STABLE amd64 is ready to be used
    
    root@poudriere-devel-14-stable:~ # poudriere jail -l
    JAILNAME     VERSION     ARCH  METHOD TIMESTAMP           PATH
    14-0-S-amd64 14.0-STABLE amd64 http   2024-03-06 09:44:27 /usr/local/poudriere/jails/14-0-S-amd64
    
    root@poudriere-devel-14-stable:~ # poudriere ports -c -p idm
    [00:00:00] Creating idm fs at /usr/local/poudriere/ports/idm... done
    [00:00:00] Cloning the ports tree... done
    
    root@poudriere-devel-14-stable:~ # poudriere ports -l
    PORTSTREE METHOD    TIMESTAMP           PATH
    idm       git+https 2024-03-06 10:10:53 /usr/local/poudriere/ports/idm
    
    
    

    Poudriere Server – Build FreeIPA/IDM Client Packages

    Now we will choose the needed options for our FreeBSD Ports and then start the bulk process of fetching and building them.

    root@poudriere-devel-14-stable:~ # poudriere options -c -n -p idm security/cyrus-sasl2-gssapi
    //   SELECT: (*) GSSAPI_MIT
    
    root@poudriere-devel-14-stable:~ # poudriere options -c -n -p idm net/openldap26-client
    //   SELECT: [x] GSSAPI
    
    root@poudriere-devel-14-stable:~ # poudriere options -c -n -p idm security/sudo
    // DESELECT: [ ] PAM
    //   SELECT: (*) GSSAPI_MIT
    //   SELECT: (*) SSSD2
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/poudriere.d/idm
    security/krb5
    security/sudo
    security/sssd2
    security/cyrus-sasl2
    security/cyrus-sasl2-gssapi
    security/pam_mkhomedir
    net/openldap26-client
    net/samba416
    EOF
    
    root@poudriere-devel-14-stable:~ # poudriere bulk -j 14-0-S-amd64 -b latest -p idm -f /usr/local/etc/poudriere.d/idm
    
    root@poudriere-devel-14-stable:~ # zfs list
    NAME                                           USED  AVAIL  REFER  MOUNTPOINT
    zroot                                         1.51G  94.9G    24K  none
    zroot/usr                                     1.39G  94.9G    24K  none
    zroot/usr/local                               1.39G  94.9G    24K  none
    zroot/usr/local/poudriere                     1.39G  94.9G    24K  none
    zroot/usr/local/poudriere/jails               1.07G  94.9G    24K  none
    zroot/usr/local/poudriere/jails/14-0-S-amd64  1.07G  94.9G  1.07G  /usr/local/poudriere/jails/14-0-S-amd64
    zroot/usr/local/poudriere/ports                328M  94.9G    24K  none
    zroot/usr/local/poudriere/ports/idm            328M  94.9G   328M  /usr/local/poudriere/ports/idm
    zroot/var                                      117M  94.9G    24K  none
    zroot/var/ccache                               117M  94.9G   117M  /var/ccache
    
    
    

    This is how the Poudriere build process looks from the terminal … and a view of the new ZFS datasets that Poudriere created.

    xterm-poudriere

    It was the 2nd or 3rd run, so when You first run the bulk there will be more information about fetching packages etc.

    Below You can see what processes are running in htop(1) during the build.

    xterm-htop

    You can also follow the status of the build process in the browser at https://10.0.0.124 page.

    poudriere-devel-100-latest-builds

    Generally the new Poudriere interface is quite ‘large’ I would say – so I use it at 70% scale/zoom in Firefox and IMHO it's more usable like that.

    poudriere-devel-70-latest-builds

    And below are the details about our build job.

    poudriere-devel-70-build-complete

    Poudriere Server – Update Repo/Packages

    Every time You need to update the packages in that FreeIPA/IDM repo You will need to run these commands.

    root@poudriere-devel-14-stable:~ # poudriere ports -u -p idm
    
    root@poudriere-devel-14-stable:~ # poudriere bulk -j 14-0-S-amd64 -b latest -p idm -f /usr/local/etc/poudriere.d/idm
    

    You may as well update the FreeBSD Jail when needed.

    root@poudriere-devel-14-stable:~ # poudriere jail -u -j 14-0-S-amd64
    

    FreeBSD 14.0-STABLE Client – Setup

    I will not repeat the process – but the same as with the Poudriere server – you need to create a FreeBSD client – for example as a Bhyve VM.

    Now – the needed configuration on the FreeBSD 14.0-STABLE system to connect it to the FreeIPA/IDM server.

    root@idm-client:~ # :> ~/.hushlogin
    
    root@idm-client:~ # mkdir -p              \
                         /usr/local/etc/ipa   \
                         /var/log/sssd        \
                         /var/run/sss/private \
                         /var/db/sss
    
    root@idm-client:~ # echo '10.0.0.233  idm-client.lab.org  idm-client' >> /etc/hosts
    
    root@idm-client:~ # echo '10.0.0.200  idm.lab.org         idm'        >> /etc/hosts
    
    root@idm-client:~ # hostname idm-client.lab.org
    
    root@idm-client:~ # sysrc hostname=idm-client.lab.org
    
    root@idm-client:~ # fetch -o /usr/local/etc/ipa/ca.crt http://idm.lab.org/ipa/config/ca.crt
    
    

    Now we will need to add our FreeBSD client to FreeIPA/IDM. Instructions below.

    [root@idm ~]# kinit admin
    
    [root@idm ~]# ipa dnsrecord-add lab.org idm-client --a-rec=10.0.0.233 --a-create-reverse
      Record name: idm-client
      A record: 10.0.0.233
    
    [root@idm ~]# ipa host-add idm-client.lab.org
    -------------------------------
    Added host "idm-client.lab.org"
    -------------------------------
      Host name: idm-client.lab.org
      Principal name: host/idm-client.lab.org@LAB.ORG
      Principal alias: host/idm-client.lab.org@LAB.ORG
      Password: False
      Keytab: False
      Managed by: idm-client.lab.org
    
    [root@idm ~]# ipa-getkeytab -s idm.lab.org -p host/idm-client.lab.org@LAB.ORG -k /root/idm-client.lab.org.keytab
    Keytab successfully retrieved and stored in: /root/idm-client.lab.org.keytab
    
    [root@idm ~]# cp /root/idm-client.lab.org.keytab /usr/share/ipa/html/
    
    [root@idm ~]# chmod 644 /usr/share/ipa/html/idm-client.lab.org.keytab
    
    

    Now let's get back to our FreeBSD client. Note that the keytab above was made world-readable in the web server's document root and is fetched over plain http – remove it from /usr/share/ipa/html/ as soon as the client has downloaded it, as it is a credential for the host principal.

    root@idm-client:~ # fetch -o /usr/local/etc/ipa/krb5.keytab \
                          http://idm.lab.org/ipa/config/idm-client.lab.org.keytab
    
    root@idm-client:~ # chmod 600 /usr/local/etc/ipa/krb5.keytab
    
    root@idm-client:~ # mkdir -p /usr/local/etc/ssl/certs
    
    root@idm-client:~ # mkdir -p /usr/local/etc/pkg/repos
    
    root@idm-client:~ # sed -e 's|quarterly|latest|g' /etc/pkg/FreeBSD.conf \
                          > /usr/local/etc/pkg/repos/FreeBSD.conf
    
    root@idm-client:~ # pkg install -y beadm
    
    root@idm-client:~ # fetch -o /usr/local/etc/ssl/certs/poudriere.cert \
                          http://idm.lab.org/data/poudriere.cert
    
    root@idm-client:~ # export IP=10.0.0.124
    
    root@idm-client:~ # cat << EOF > /usr/local/etc/pkg/repos/14-0-S-amd64.conf
    14-0-S-amd64-idm: {
      url: "http://${IP}/packages/14-0-S-amd64-idm/",
      mirror_type: "http",
      signature_type: "pubkey",
      pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
      enabled: yes,
      priority: 100
    }
    EOF
    
    root@idm-client:~ # pkg update -f
    
    root@idm-client:~ # pkg install -y      \
                          krb5              \
                          sudo              \
                          sssd2             \
                          cyrus-sasl        \
                          cyrus-sasl-gssapi \
                          openldap26-client \
                          pam_mkhomedir
    
    root@idm-client:~ # cat << EOF >> /etc/ssh/ssh_config
    GSSAPIAuthentication yes
    EOF
    
    root@idm-client:~ # cat << EOF >> /etc/ssh/sshd_config
    GSSAPIAuthentication yes
    UsePAM yes
    EOF
    
    root@idm-client:~ # cat << EOF > /usr/local/etc/sssd/sssd.conf
    [sssd]
      config_file_version      = 2
      services                 = pam, ssh, sudo, ifp, pac, nss
      domains                  = lab.org
      timeout                  = 20
    
    [domain/lab.org]
      ipa_server               = idm.lab.org
      ipa_domain               = lab.org
      pam_gssapi_services      = sudo, sudo-i
      enumerate                = True
      cache_credentials        = True
      override_shell           = /usr/local/bin/bash
      override_homedir         = /home/%u
      default_shell            = /bin/sh
      ldap_group_nesting_level = 10
      default_ccache_template  = FILE:/tmp/krb5cc_:%U
    
      krb5_ccache_template     = FILE:/tmp/krb5cc_:%U
      krb5_server              = idm.lab.org:88
      krb5_realm               = LAB.ORG
      krb5_keytab              = /usr/local/etc/ipa/krb5.keytab
      krb5_auth_timeout        = 20
    
      id_provider              = ipa
      sudo_provider            = ipa
      access_provider          = ipa
      subdomains_provider      = ipa
      auth_provider            = ipa
      chpass_provider          = ipa
      selinux_provider         = none
    EOF
    
    root@idm-client:~ # chmod 600 /usr/local/etc/sssd/sssd.conf
    
    root@idm-client:~ # cat << EOF > /etc/nsswitch.conf
    #
    # nsswitch.conf(5) - name service switch configuration file
    # $FreeBSD$
    #
    group: files sss
    group_compat: nis
    hosts: files dns
    networks: files
    passwd: files sss
    passwd_compat: nis
    shells: files
    services: compat
    services_compat: nis
    protocols: files
    rpc: files
    sudoers: sss files
    netgroup: files
    EOF
    
    root@idm-client:~ # cat /etc/rc.conf
    hostname="idm-client.lab.org"
    ifconfig_vtnet0="inet 10.0.0.233/24"
    defaultrouter="10.0.0.1"
    syslogd_flags="-ss"
    clear_tmp_enable="YES"
    sshd_enable="YES"
    zfs_enable="YES"
    sssd_enable="YES"
    
    root@idm-client:~ # cat << EOF > /usr/local/etc/openldap/ldap.conf
    BASE        dc=org,dc=lab
    URI         ldap://idm.lab.org/
    SASL_MECH   GSSAPI
    SASL_REALM  LAB.ORG
    ssl         start_tls
    TLS_CACERT  /usr/local/etc/ipa/ca.crt
    EOF
    
    root@idm-client:~ # cat << EOF > /etc/krb5.conf
    [libdefaults]
      default_realm        = LAB.ORG
      default_keytab_name  = FILE:/usr/local/etc/ipa/krb5.keytab
      default_tkt_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
      default_tgs_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
      dns_lookup_realm     = false
      dns_lookup_kdc       = false
      rdns                 = false
      ticket_lifetime      = 24h
      forwardable          = yes
    
    [realms]
      LAB.ORG = {
        kdc            = idm.lab.org:88
        master_kdc     = idm.lab.org:88
        admin_server   = idm.lab.org:749
        default_domain = lab.org
        pkinit_anchors = FILE:/usr/local/etc/ipa/ca.crt
      }
    
    [domain_realm]
      .lab.org = LAB.ORG
       lab.org = LAB.ORG
    
    [logging]
      kdc          = FILE:/var/log/krb5/krb5kdc.log
      admin_server = FILE:/var/log/krb5/kadmin.log
      kadmin_local = FILE:/var/log/krb5/kadmin_local.log
      default      = FILE:/var/log/krb5/krb5lib.log
    EOF
    
    root@idm-client:~ # cat << EOF > /etc/pam.d/system
    #
    #
    # System-wide defaults
    #
    
    # AUTH
      auth      sufficient  pam_krb5.so                      no_warn try_first_pass
    # auth      sufficient  pam_ssh.so                       no_warn try_first_pass
      auth      sufficient  /usr/local/lib/pam_sss.so        no_warn use_first_pass
      auth      required    pam_unix.so                      no_warn try_first_pass nullok
    
    # ACCOUNT
    # account   required    pam_krb5.so
      account   required    pam_login_access.so
      account   required    /usr/local/lib/pam_sss.so        ignore_unknown_user ignore_authinfo_unavail
      account   required    pam_unix.so
    
    # SESSION
    # session   optional    pam_ssh.so                       want_agent
      session   required    pam_lastlog.so                   no_fail
      session   required    /usr/local/lib/pam_mkhomedir.so  mode=0700
    
    # PASSWORD
    # password  sufficient  pam_krb5.so                      no_warn try_first_pass
      password  sufficient  /usr/local/lib/pam_sss.so        no_warn use_authtok
      password  required    pam_unix.so                      no_warn try_first_pass
    EOF
    
    root@idm-client:~ # cat << EOF > /etc/pam.d/sshd
    #
    #
    # PAM configuration for the "sshd" service
    #
    
    # AUTH
      auth      sufficient  pam_krb5.so                      no_warn try_first_pass
    # auth      sufficient  pam_ssh.so                       no_warn try_first_pass
      auth      sufficient  /usr/local/lib/pam_sss.so        no_warn use_first_pass
      auth      required    pam_unix.so                      no_warn try_first_pass
    
    # ACCOUNT
      account   required    pam_nologin.so
    # account   required    pam_krb5.so
      account   required    pam_login_access.so
      account   required    pam_unix.so
      account   required    /usr/local/lib/pam_sss.so        ignore_unknown_user ignore_authinfo_unavail
    
    # SESSION
    # session   optional    pam_ssh.so                       want_agent
      session   required    pam_permit.so
      session   required    /usr/local/lib/pam_mkhomedir.so  mode=0700
      session   optional    /usr/local/lib/pam_sss.so
    
    # PASSWORD
    # password  sufficient  pam_krb5.so                      no_warn try_first_pass
      password  sufficient  /usr/local/lib/pam_sss.so        no_warn use_authtok
      password  required    pam_unix.so                      no_warn try_first_pass
    EOF
    
    

    Our idm-client.lab.org host as it appears in the FreeIPA/IDM web UI is shown below.

    idm-hosts

    Now reboot your idm-client.lab.org and you should be able to log in to it with a FreeIPA/IDM account. Before relying on this setup beyond the lab, consider trimming the legacy des-cbc-crc and arcfour-hmac entries from default_tkt_enctypes/default_tgs_enctypes in the krb5.conf above, unless your KDC still requires them.

    host # ssh vermaden@10.0.0.233
    (vermaden@10.0.0.233) Password:
    Last login: Wed Mar  6 07:04:42 2024
    
    vermaden@idm-client:~ $ id
    uid=1374600003(vermaden) gid=1374600000(admins) groups=1374600000(admins)
    
    vermaden@idm-client:~ $ klist
    Credentials cache: FILE:/tmp/krb5cc_1374600003
            Principal: vermaden@LAB.ORG
    
      Issued                Expires               Principal
    Mar  6 07:04:34 2024  Mar  7 06:19:19 2024  krbtgt/LAB.ORG@LAB.ORG
    
    vermaden@idm-client:~ $ sudo -i
    Password for vermaden@LAB.ORG:
    
    root@idm-client:~ # id
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
    

    FreeBSD 14.0-STABLE Client – Debug Commands

    Below are some commands that you may (or may not) find useful. Note that the ldapsearch -x -W -D 'cn=Directory Manager' example performs a simple bind as the directory superuser, so keep it for debugging only and prefer the GSSAPI (-Y GSSAPI) form shown afterwards for day-to-day queries.

    root@idm-client:~ # sssctl user-checks vermaden
    user: vermaden
    action: acct 
    service: system-auth
    
    SSSD nss user lookup result:
     - user name: vermaden
     - user id: 1374600003
     - group id: 1374600000
     - gecos: Vermaden Nedamrev
     - home directory: /home/vermaden
     - shell: /bin/sh
      
    Unable to connect to system bus!
    InfoPipe User lookup with [vermaden] failed.
    testing pam_acct_mgmt   
      
    pam_acct_mgmt: Success  
      
    PAM Environment:
     - no env -
    
      
      
    root@idm-client:~ # ldapsearch -H ldap://idm.lab.org -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: GSS-SPNEGO                      
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: ANONYMOUS
    
    
    
    
    
    
    root@idm-client:~ # ldapsearch -x -v -W -D 'cn=Directory Manager' uid=vermaden
    ldap_initialize(  )
    Enter LDAP Password: 
    filter: uid=vermaden
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base  (default) with scope subtree
    # filter: uid=vermaden
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 32 No such object
    
    # numResponses: 1
    
    
    
    
    
    root@idm-client:~ # ldapsearch -Y GSSAPI -Omaxssf=0 -H ldaps://idm.lab.org -b dc=lab,dc=org CN=vermaden
    SASL/GSSAPI authentication started
    SASL username: vermaden@LAB.ORG
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base  with scope subtree
    # filter: CN=vermaden
    # requesting: ALL
    #
    
    # vermaden, groups, compat, lab.org
    dn: cn=vermaden,cn=groups,cn=compat,dc=lab,dc=org
    objectClass: posixGroup
    objectClass: ipaOverrideTarget
    objectClass: ipaexternalgroup
    objectClass: top
    gidNumber: 1374600003
    ipaAnchorUUID:: OklQQTpsYWIub3JnOjcyN2FlMjM2LTMyMTktMTFlZS04OGMyLTU4OWNmYzA4MW
     QzNQ==
    cn: vermaden
    
    # vermaden, groups, accounts, lab.org
    dn: cn=vermaden,cn=groups,cn=accounts,dc=lab,dc=org
    objectClass: posixgroup
    objectClass: ipaobject
    objectClass: mepManagedEntry
    objectClass: top
    cn: vermaden
    gidNumber: 1374600003
    description: User private group for vermaden
    mepManagedBy: uid=vermaden,cn=users,cn=accounts,dc=lab,dc=org
    ipaUniqueID: 727ae236-3219-11ee-88c2-589cfc081d35
    
    # search result
    search: 4
    result: 0 Success
    
    # numResponses: 3
    # numEntries: 2
    
    
    

    That's it – you have FreeBSD 14.0-STABLE connected to the FreeIPA/IDM server.

    Summary

    Let me know in comments how it went.

    EOF

      Important efibootmgr(8) Command

      Slixfeed · Tuesday, 27 February - 13:31 · 3 minutes

    Almost 5 years ago – at my previous job – I wrote about creating a FreeBSD Enterprise 1 PB Storage solution. I no longer work there, but one of my mates from there contacted me with an interesting problem.

    tyan-fa100

    The FreeBSD system was installed on two Intel DC S3500 240 GB SSD drives in a ZFS mirror – the usual Auto (ZFS) option from the FreeBSD bsdinstall(8) installer. After the reboot the system was not able to boot – we assumed that one of these system SSDs had died … and that only one disk entry was in UEFI (for the broken one) … but why? It was installed on a ZFS mirror, so it should be perfectly fine to boot from the still-working SSD drive.

    This is where some efibootmgr(8) voodoo helped.

    Below is the output of efibootmgr(8) on this broken system. The information about the boot disk had … evaporated … and, more interestingly, the SSD was not broken – both were working perfectly fine.

    root@nas02:~ # efibootmgr -v
    Boot to FW : false
    BootCurrent: 0000
    Timeout    : 15 seconds
    BootOrder  : 0006, 0001, 0003, 0005, 0007
     Boot0006* USB BBS(USB,,0x0)
     Boot0001* Hard Drive BBS(HD,,0x0)
     Boot0003  Network Card BBS(Network,,0x0)
     Boot0005  UEFI: Built-in EFI Shell VenMedia(5023b95c-db26-429b-a648-bd47664c8012)
     Boot0007  UEFI: AMI Virtual CDROM0 1.00 PciRoot(0x0)/Pci(0x14,0x0)/USB(0x1,0x0)/USB(0x0,0x0)/CDROM(0x1,0x14,0x1000)
                          VenHw(2d6447ef-3bc9-41a0-ac19-4d51d01b4ce6,41004100410041004200420042004200430043004300430031000000)
    

    Next – my buddy booted from the FreeBSD ISO and ran zpool import zroot for the ZFS pool – to check which SSD drives were used.

    root@nas02:~ # camcontrol devlist | grep -i intel
    <ATA INTEL SSDSC2KB24 0100> at scbus3 target 75 lun 0 (pass11,da10)
    <ATA INTEL SSDSC2KB24 0100> at scbus4 target 124 lun 0 (pass91,da87)
    
    root@nas02:~ # zpool status zroot | grep da
                da87p4 ONLINE 0 0 0
                da10p4 ONLINE 0 0 0
    

    Then check whether the contents of the UEFI partition are correct – whether the bootx64.efi file is in its place.

    root@nas02:~ # mount -t msdosfs /dev/da10p1 /mnt
    
    root@nas02:~ # ls -l /mnt/efi/boot
    bootx64.efi
    
    root@nas02:~ # umount /mnt
    
    root@nas02:~ # mount -t msdosfs /dev/da87p1 /mnt
    
    root@nas02:~ # ls -l /mnt/efi/boot
    bootx64.efi
    
    root@nas02:~ # umount /mnt
    
    

    Everything seemed to be where it should be. The next step was to add the UEFI boot entry with the efibootmgr(8) command.

    root@nas02:~ # efibootmgr -b 0000 -c -l da10p1:/EFI/BOOT/BOOTX64.efi -L "FreeBSD 1st"
    
    root@nas02:~ # efibootmgr -v
    Boot to FW : false
    BootCurrent: 0000
    Timeout    : 15 seconds
    BootOrder  : 0000, 0006, 0001, 0003, 0005, 0007
    +Boot0000* FreeBSD 1st HD(1,GPT,81d75631-7e16-11e9-beb3-a0423f3b9d64,0x28,0x64000)/File(\EFI\BOOT\BOOTX64.EFI)
                          da10p1:/EFI/BOOT/BOOTX64.EFI (null)
     Boot0006* USB BBS(USB,,0x0)
     Boot0001* Hard Drive BBS(HD,,0x0)
     Boot0003  Network Card BBS(Network,,0x0)
     Boot0005  UEFI: Built-in EFI Shell VenMedia(5023b95c-db26-429b-a648-bd47664c8012)
     Boot0007  UEFI: AMI Virtual CDROM0 1.00 PciRoot(0x0)/Pci(0x14,0x0)/USB(0x1,0x0)/USB(0x0,0x0)/CDROM(0x1,0x14,0x1000)
                          VenHw(2d6447ef-3bc9-41a0-ac19-4d51d01b4ce6,41004100410041004200420042004200430043004300430031000000)
    

    … and that was it. The FreeBSD system booted just fine with both SSDs intact.

    In the next step my buddy also added a second UEFI entry to make sure that the other SSD (da87) would be used in case the first one (da10) dies.

    root@nas02:~ # efibootmgr -b 0008 -c -l da87p1:/EFI/BOOT/BOOTX64.efi -L "FreeBSD 2nd"
    
    root@nas02:~ # efibootmgr -v
    Boot to FW : false
    BootCurrent: 0000
    Timeout    : 15 seconds
    BootOrder  : 0008, 0000, 0006, 0001, 0003, 0005, 0007
     Boot0008  FreeBSD 2nd HD(1,GPT,8186155f-7e16-11e9-beb3-a0423f3b9d64,0x28,0x64000)/File(\EFI\BOOT\BOOTX64.efi)
                          da87p1:/EFI/BOOT/BOOTX64.efi (null)
    +Boot0000* FreeBSD 1st HD(1,GPT,81d75631-7e16-11e9-beb3-a0423f3b9d64,0x28,0x64000)/File(\EFI\BOOT\BOOTX64.EFI)
                          da10p1:/EFI/BOOT/BOOTX64.EFI (null)
     Boot0006* USB BBS(USB,,0x0)
     Boot0001* Hard Drive BBS(HD,,0x0)
     Boot0003  Network Card BBS(Network,,0x0)
     Boot0005  UEFI: Built-in EFI Shell VenMedia(5023b95c-db26-429b-a648-bd47664c8012)
     Boot0007  UEFI: AMI Virtual CDROM0 1.00 PciRoot(0x0)/Pci(0x14,0x0)/USB(0x1,0x0)/USB(0x0,0x0)/CDROM(0x1,0x14,0x1000)
                          VenHw(2d6447ef-3bc9-41a0-ac19-4d51d01b4ce6,41004100410041004200420042004200430043004300430031000000)
    

    Now two SSD entries are configured in UEFI using the efibootmgr(8) tool.

    Not a long article this time – but I believe a very important one.

    Take care.

    EOF

      OPNsense 23.1 is released with the nickname “Quintessential Quail”

      TREND OCEANS · Friday, 27 January, 2023 - 06:04

    Dubbed the “Quintessential Quail,” OPNsense 23.1 is now available for download and is packed with new features and improvements.


    #linux #opensource #ubuntu #debian #freebsd #tools #news #technology #tech


      The W Pattern Forex Trading Guide For Beginner

      Alla Traders · Wednesday, 28 December, 2022 - 15:46 edit · 1 minute

    The double bottom or W pattern is the most prevalent chart pattern used in trading. In fact, this pattern is so common that it may be taken as irrefutable evidence by itself that price action is not as totally random as many say. The double bottom pattern is one of the very few that perfectly depicts the market’s direction changing. At the bottom of a downtrend, the double bottom forms itself, offering potential long entries for buyers.

    What Is A Double Bottom (W Pattern)?

    The double bottom pattern is a technical pattern that can be used to identify a likely reversal in the Forex market. The double bottom emerges after an extended move down and can be utilized to discover purchasing opportunities on the way up. Because of the two-touched low and the change in trend direction from downtrend to uptrend, the pattern resembles the letter “W.”

    see the complete blog here Alla Traders

    #forex #stock #crypto #trading #trader #features #thinkpad #postgresql #fediverse #database #apps #zimbabwe #gaming #profanity #xmpp #pipcu #sdr #wow #discussion #chirurgie #tools #ev #rf #instantmessaging #comics #alternativesto #ubuntu #lu #howto #apple #hololive #députés #ecology #chocolat #ft8 #piquetsyndical #8chan #siri #écologie #endurance #how #discord #platforms #dior #rcs #squat #1 #hydroxychloroquine #election #gif #laptops #omemo #hacking #fedora #ethot #compression #potpourri #kaamelott #meme #jitsi #freebsd #feminisme #gajim #animals #sendgnomemoney #métaverse #wordle #fastned #autopilot #cinéma #evolution #ukraine #jabber #sponsor #dessin #rando #africa #entraineur #google #zooarchaeology #community #technology #reddit #movim #ajax #calendar #moderation #snapchat #formation #review #quake #im #attentat #policy #advertising #prosody #abstention #azure #webserver #france #camping #amazon #openwebrx #maps #sncf #lci #darktable #littérature #keyboards #rendement #twitch #eu #projecteur #vieprivée #jpg #dinosaures #hardware #drawing #tyrannosaure #jappix #tgv #pcb #patents #médaille #poezio #animation


      helloSystem is a FreeBSD Distro Modelled after Mac OS X (Off Topic)

      pubsub.dcentralisedmedia.com / OMG Ubuntu · Tuesday, 9 February, 2021 - 15:39

    Screenshot of Hello FreeBSD Fair warning reader: this post has nothing to do with Ubuntu, or even Linux for that matter. So for the duration of this article I’d appreciate you pretending it’s still 2008 and this site is […]

    This post, helloSystem is a FreeBSD Distro Modelled after Mac OS X (Off Topic), is from OMG! Ubuntu!. Do not reproduce elsewhere without permission.


      helloSystem is a FreeBSD Distro Modelled on Mac OS X (Off Topic)

      pubsub.do.nohost.me / OMG Ubuntu · Tuesday, 9 February, 2021 - 15:39

    Fair warning reader: this post has nothing to do with Ubuntu, or even Linux for that matter. Instead, the following 600 words are about a promising (new to me) FreeBSD distro and why it left […]

    This post, helloSystem is a FreeBSD Distro Modelled on Mac OS X (Off Topic), is from OMG! Ubuntu!. Do not reproduce elsewhere without permission.