Author: Michael Lucas

For those who missed the announcement, FreeBSD 9 has replaced sysinstall with a new installer. It’s based on the PC-BSD installer’s back end and a text-based front end by Nathan Whitehorn. So, what is this new installer we’ve waited sixteen years for? I decided to find out.

As an official snapshot with the BSD installer isn’t yet available, I grabbed one of nwhitehorn’s recent snapshots. The back end is not integrated, but let’s see what the front end looks like. I assume there will be changes between this February snapshot and the next official snapshot. For my testing, I used a VM running Microsoft Virtual PC (for ease of screenshots) with ACPI disabled (so the install would finish).

Booting the image, I saw:

A recovery shell and a live CD are great, but I want to install.

The next screen tells me to select a keyboard. By virtue of alphabetical order, the default is Armenian. When I arrow down to find the US keyboard, there’s several different options. I know exactly what kind of keyboard I have, it’s an Endurapro with the mouse pointer between the G and the H. But that’s not an option. Fortunately, I use a Dvorak layout, and that is an option.

I’m now asked for a hostname, and then allowed to choose optional components.

Of course I want source code!

I will miss the ability to choose “the smallest distribution possible,” but in reality, upgrading added the entire base system anyway.

Now we partition the disk.

Ooooh, a “guided” method. That sounds newbie-friendly. Let’s try that.

We want to use the whole disk.

Wait a minute… where are /var, /tmp, /usr, and all the other partitions? Don’t tell me that one of the last survivors of proper partitioning is stumbling into the one large root filesystem trap? Ick. (I assume that the other partitioning methods will let you create proper partitions.)

Note that these are GPT partitions, not MBR partitions (slices).

Highlighting a partition and pressing ENTER shows details.

We can set a label in the installer, which is a nice feature. And it appears that two ESC takes you out of this submenu into the main menu. That seems odd, but perhaps it’s related to this being in Virtual PC. Arrow over to EXIT and hit ENTER to get the final confirmation screen.

“Are you sure?” Save and Abort aren’t exactly answers to that question – actually “save” is kind of ambiguous in this context. Save your existing data? Yes, we’re sure, choose Save. The filesystem is initialized:

The installer verifies the files on disk and begins installing.

We must watch for a panic in the background, versus a simple lock order reversal. This is -current, either one can happen and both are displayed by default.

While watching this, I wanted to hit ALT-F2 and see just how well the ports were extracting. That’s apparently no longer an option.

After extracting everything, I was prompted for the root password, then for a network interface.

I took the default.

Why yes, I would like DHCP with my host, thank you.

Now I’m asked for the services I want enabled at boot.

Compared to sysinstall there aren’t many choices, but I’m all right with being offered only the lowest common denominators. Far more vexing is how the network configuration gracelessly handled the unplugged network interface. While CTRL-L redrew the screen, a new link down message reappeared every second or so. I’d never tried Virtual PC before, and apparently I need to decipher the network configuration.

Once I choose the essential services, I’m asked if I want to add users. When I say yes, it drops me to text mode for the usual adduser(8) dialog.

All right, the network message is getting pretty annoying now.

After adding my user, I get the final screen.

You can change many of your optional settings, plus set the time zone. You get the usual warnings about removing the CD-ROM from the drive, and then reboot into the new install.

Overall, I like many of the changes. It doesn’t have many of the libdialog annoyances that plague sysinstall. I dislike the guided partitioning system, or more exactly the lack of actual partitioning therein. I do not want /tmp files filling my hard disk!

The good news is, with the separation between the front end and the back end, changing the installer will be much simpler than it ever was with sysinstall. For all the petty annoyances in this installer, it’s a big step in the right direction. I want to commend the creators for actually pushing Sysinstall Replacement Attempt #82,319 to completion.

I installed Apache on a diskless FreeBSD-9/amd64 server. Once I added SSL, the web server wouldn’t start. It died with:

[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:17 2011] [alert] Child 1733 returned a Fatal error... Apache is exiting!

Google says that the fix for this is to define AcceptMutex flock somewhere in httpd.conf. Google shows dozens of mailing list discussions that give this advice, but without explanation. Every so often, someone whinges about it not working, and doesn’t get a response.

This is an example of what I call “Occult IT.” There are certain recipes that people just follow, without understanding why. We stumble around, grasping for invocations and incantations that will fix our problem. I don’t just want the ritual that will solve the problem; I want to know why the problem happened and deepen my understanding of the issue.

Besides, adding AcceptMutex flock didn’t work.

To identify the problem, I set LogLevel to debug in httpd.conf and tried starting httpd again.

[Mon Mar 21 16:03:18 2011] [debug] prefork.c(1018): AcceptMutex: flock (default: flock)

I didn’t have that configuration setting in my httpd.conf, but it’s the Apache default anyway. So, what are my other choices?

Apache documentation says that the AcceptMutex setting determines how Apache serializes incoming requests. The flock setting dictates how Apache locks the LockFile.

My configuration doesn’t have a defined LockFile, so choosing how we lock it isn’t going to help.

I don’t like lock files. Bad stuff happens to them. Let’s try a locking method without a lockfile. The documentation lists two different classes of locking mechanisms. flock and fcntl work on lock files. posixsem, pthread, and sysvsem use the in-memory mechanisms of semaphores and/or mutexes to provide locking.

As I don’t like lock files, I’ll try one of the in-memory mechanisms.

AcceptMutex posixsem


And Apache starts and runs perfectly.

I can’t find any details on the differences between these in-memory mechanisms, from a system administrator’s point of view. I imagine that the System V mechanism wouldn’t work if you’d removed that support from your kernel. But the point is:

Do not rely on occult IT. Read The Fine Manual.

My employer’s current webmail solution is pretty tightly tied to the mail server. We need a webmail solution, but I want to be able to move, change, and upgrade webmail independently of the mail server. I’m testing Roundcube, running on FreeBSD-current/amd64 diskless on KVM.

First install Roundcube. Go to /usr/ports/mail/roundcube and run make config-recursive. You can use MySQL, PostgreSQL, or SQLite. Personally, I’m a Postgres bigot, mainly because Postgres has inflicted less pain than MySQL over the years. (Remember, punishing someone less feels like a reward!) I selected postgres, disabled mysql, then chose other environment-specific options such as LDAP. After configuring all of roundcube’s dependencies, run make all install clean.

No matter the database you prefer, in FreeBSD the client is packaged and built separately from the database server. I built /usr/ports/databases/postgresql84-server. Normally I would enable PAM, to enable database authentication via the operating system authentication, but that’s apparently broken as of this writing.

I want to modify httpd.conf as little as possible, so I do most of my configuration via files in /usr/local/etc/apache/Includes. I create the following files:

vhosts.conf
NameVirtualHost *:80
NameVirtualHost *:443


And of course, we need to acces webmail over SSL. Here’s ssl.conf:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
AcceptMutex posixsem
SSLMutex "file:/var/run/www/ssl_mutex"

I use RCS for minor stuff like this, so I need to block web site visitors from viewing my RCS files. Here’s blockRCS.conf


Order allow,deny
Deny from all
Satisfy All



Finally, here’s the configuration for the webmail virtual server, webmail.conf. The most interesting thing here is that I automatically redirect HTTP connections to HTTPS. (Perhaps interesting is the wrong word. “Least uninteresting?” Yeah, that’s better.)

AddType application/x-httpd-php .php

ServerName webmail.domain.com
Redirect permanent / https://webmail.domain.com/
ServerAdmin webmail@domain.com
ErrorLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_error_log.%Y-%m-%d-%H_%M_%S 86400 -300"
CustomLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_access_log.%Y-%m-%d-%H_%M_%S 86400 -300" combined
DocumentRoot /usr/local/www/webmail/

Options None
AllowOverride All
Allow from all



ServerAdmin webmail@domain.com
ServerName webmail.domain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLOptions +StdEnvVars

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCertificateFile etc/apache22/certs/webmail.domain.com.crt
SSLCertificateKeyFile etc/apache22/certs/webmail.domain.com.key
ErrorLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_ssl_error_log.%Y-%m-%d-%H_%M_%S 86400 -300"
CustomLog "|/usr/local/sbin/rotatelogs /var/log/httpd/webmail_ssl_access_log.%Y-%m-%d-%H_%M_%S 86400 -300" combined
DocumentRoot /usr/local/www/roundcube/

Options Indexes FollowSymLinks
AllowOverride All
Allow from all



Initialize your postgresql database. I got Postgres help from here.

# /usr/local/etc/rc.d/postgresql initdb

Edit your Postgres config file, /usr/local/pgsql/data/postgresql.conf. Be sure that your database is only listening on the loopback address.

listen_addresses = 'localhost'

If you’re a Postgres guru, make any other changes you like. Then configure loggin in /etc/syslog.conf:

!postgres
*.* /var/log/pg.log

The log files must exist before syslogd will write to them.

# touch /var/log/pg.log
# chown pgsql:pgsql /var/log/pg.log

Now run /usr/local/etc/rc.d/postgresql start and check for errors. It should start without trouble, unless you mucked with your configuration too much.

Normally I would edit pg_hba.conf to tie my account password to PAM, and through PAM to LDAP, but as that’s broken right now, I’ll create a local user.

# su pgsql
$ createuser -sdrP mwlucas
Enter password for new role:
Enter it again:

Now create the Roundcube database, as per the instructions.

$ createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb -O roundcube -E UNICODE roundcubemail
$ psql roundcubemail
psql (8.4.7)
Type "help" for help.

roundcubemail=# alter user roundcube with password 'WeHatesWebmail';
ALTER ROLE
roundcubemail=# \c - roundcube
psql (8.4.7)
You are now connected to database "roundcubemail" as user "roundcube".
roundcubemail=> \i SQL/postgres.initial.sql

After a bunch of SQL spammage, we have a database. Log out with:

roundcubemail=> \q

Roundcube needs two configuration files, db.inc.php and main.inc.php. Go to /usr/local/www/roundcube/config and copy the .dist versions of these files.

Tell Roundcube where to find its database by setting a DSN in db.inc.php.

$rcmail_config['db_dsnw'] = 'pgsql://roundcube:WeHatesWebmail@localhost/roundcubemail';

In main.inc.php, set your mail server. (If you don’t set a mail server, Roundcube will let you connect to any mail server you like. This would confuse my users. Confusion leads to phone calls, something I avidly avoid.)

$rcmail_config['default_host'] = 'mail.domain.com';

Verify that pgsql and Apache are running, and browse to your webmail site. You have a webmail server!

Overall, the setup was pretty straightforward. I’m not saying I’ll keep Roundcube, but my test users are basically content, so it’s a strong candidate.