Index: head/en_US.ISO8859-1/books/handbook/config/chapter.xml
===================================================================
--- head/en_US.ISO8859-1/books/handbook/config/chapter.xml (revision 52154)
+++ head/en_US.ISO8859-1/books/handbook/config/chapter.xml (revision 52155)
@@ -1,3524 +1,3524 @@
Configuration and TuningChernLeeWritten by MikeSmithBased on a tutorial written by MattDillonAlso based on tuning(7) written by Synopsissystem configurationsystem optimizationOne of the important aspects of &os; is proper system
configuration. This chapter explains much of the &os;
configuration process, including some of the parameters which
can be set to tune a &os; system.After reading this chapter, you will know:The basics of rc.conf configuration
and /usr/local/etc/rc.d startup
scripts.How to configure and test a network card.How to configure virtual hosts on network
devices.How to use the various configuration files in
/etc.How to tune &os; using &man.sysctl.8; variables.How to tune disk performance and modify kernel
limitations.Before reading this chapter, you should:Understand &unix; and &os; basics
().Be familiar with the basics of kernel configuration and
compilation ().Starting ServicesTomRhodesContributed by servicesMany users install third party software on &os; from the
Ports Collection and require the installed services to be
started upon system initialization. Services, such as
mail/postfix or
www/apache22 are just two of the many
software packages which may be started during system
initialization. This section explains the procedures available
for starting third party software.In &os;, most included services, such as &man.cron.8;, are
started through the system startup scripts.Extended Application ConfigurationNow that &os; includes rc.d,
configuration of application startup is easier and provides
more features. Using the key words discussed in
, applications can be set to
start after certain other services and extra flags can be
passed through /etc/rc.conf in place of
hard coded flags in the startup script. A basic script may
look similar to the following:#!/bin/sh
#
# PROVIDE: utility
# REQUIRE: DAEMON
# KEYWORD: shutdown
. /etc/rc.subr
name=utility
rcvar=utility_enable
command="/usr/local/sbin/utility"
load_rc_config $name
#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
# SET THEM IN THE /etc/rc.conf FILE
#
utility_enable=${utility_enable-"NO"}
pidfile=${utility_pidfile-"/var/run/utility.pid"}
run_rc_command "$1"This script will ensure that the provided
utility will be started after the
DAEMON pseudo-service. It also provides a
method for setting and tracking the process ID
(PID).This application could then have the following line placed
in /etc/rc.conf:utility_enable="YES"This method allows for easier manipulation of command
line arguments, inclusion of the default functions provided
in /etc/rc.subr, compatibility with
&man.rcorder.8;, and provides for easier configuration via
rc.conf.Using Services to Start ServicesOther services can be started using &man.inetd.8;.
Working with &man.inetd.8; and its configuration is
described in depth in
.In some cases, it may make more sense to use
&man.cron.8; to start system services. This approach
has a number of advantages as &man.cron.8; runs these
processes as the owner of the &man.crontab.5;. This allows
regular users to start and maintain their own
applications.The @reboot feature of &man.cron.8;,
may be used in place of the time specification. This causes
the job to run when &man.cron.8; is started, normally during
system initialization.Configuring &man.cron.8;TomRhodesContributed by cronconfigurationOne of the most useful utilities in &os; is
cron. This utility runs in the
background and regularly checks
/etc/crontab for tasks to execute and
searches /var/cron/tabs for custom crontab
files. These files are used to schedule tasks which
cron runs at the specified times.
Each entry in a crontab defines a task to run and is known as a
cron job.Two different types of configuration files are used: the
system crontab, which should not be modified, and user crontabs,
which can be created and edited as needed. The format used by
these files is documented in &man.crontab.5;. The format of the
system crontab, /etc/crontab includes a
who column which does not exist in user
crontabs. In the system crontab,
cron runs the command as the user
specified in this column. In a user crontab, all commands run
as the user who created the crontab.User crontabs allow individual users to schedule their own
tasks. The root user
can also have a user crontab which can be
used to schedule tasks that do not exist in the system
crontab.Here is a sample entry from the system crontab,
/etc/crontab:# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD$
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#
#minute hour mday month wday who command
#
*/5 * * * * root /usr/libexec/atrun Lines that begin with the # character
are comments. A comment can be placed in the file as a
reminder of what and why a desired action is performed.
Comments cannot be on the same line as a command or else
they will be interpreted as part of the command; they must
be on a new line. Blank lines are ignored.The equals (=) character is used to
define any environment settings. In this example, it is
used to define the SHELL and
PATH. If the SHELL is
omitted, cron will use the
default Bourne shell. If the PATH is
omitted, the full path must be given to the command or
script to run.This line defines the seven fields used in a system
crontab: minute, hour,
mday, month,
wday, who, and
command. The minute
field is the time in minutes when the specified command will
be run, the hour is the hour when the
specified command will be run, the mday
is the day of the month, month is the
month, and wday is the day of the week.
These fields must be numeric values, representing the
twenty-four hour clock, or a *,
representing all values for that field. The
who field only exists in the system
crontab and specifies which user the command should be run
as. The last field is the command to be executed.This entry defines the values for this cron job. The
*/5, followed by several more
* characters, specifies that
/usr/libexec/atrun is invoked by
root every five
minutes of every hour, of every day and day of the week, of
every month.Commands can include any number of switches. However,
commands which extend to multiple lines need to be broken
with the backslash \ continuation
character.Creating a User CrontabTo create a user crontab, invoke
crontab in editor mode:&prompt.user; crontab -eThis will open the user's crontab using the default text
editor. The first time a user runs this command, it will open
an empty file. Once a user creates a crontab, this command
will open that file for editing.It is useful to add these lines to the top of the crontab
file in order to set the environment variables and to remember
the meanings of the fields in the crontab:SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
# Order of crontab fields
# minute hour mday month wday commandThen add a line for each command or script to run,
specifying the time to run the command. This example runs the
specified custom Bourne shell script every day at two in the
afternoon. Since the path to the script is not specified in
PATH, the full path to the script is
given:0 14 * * * /usr/home/dru/bin/mycustomscript.shBefore using a custom script, make sure it is executable
and test it with the limited set of environment variables
set by cron. To replicate the environment that would be
used to run the above cron entry, use:env -i SHELL=/bin/sh PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin HOME=/home/dru LOGNAME=dru/usr/home/dru/bin/mycustomscript.shThe environment set by cron is discussed in
&man.crontab.5;. Checking that scripts operate correctly in
a cron environment is especially important if they include
any commands that delete files using wildcards.When finished editing the crontab, save the file. It
will automatically be installed and
cron will read the crontab and run
its cron jobs at their specified times. To list the cron jobs
in a crontab, use this command:&prompt.user; crontab -l
0 14 * * * /usr/home/dru/bin/mycustomscript.shTo remove all of the cron jobs in a user crontab:&prompt.user; crontab -r
remove crontab for dru? yManaging Services in &os;TomRhodesContributed by &os; uses the &man.rc.8; system of startup scripts during
system initialization and for managing services. The scripts
listed in /etc/rc.d provide basic services
which can be controlled with the ,
, and options to
&man.service.8;. For instance, &man.sshd.8; can be restarted
with the following command:&prompt.root; service sshd restartThis procedure can be used to start services on a running
system. Services will be started automatically at boot time
as specified in &man.rc.conf.5;. For example, to enable
&man.natd.8; at system startup, add the following line to
/etc/rc.conf:natd_enable="YES"If a line is already
present, change the NO to
YES. The &man.rc.8; scripts will
automatically load any dependent services during the next boot,
as described below.Since the &man.rc.8; system is primarily intended to start
and stop services at system startup and shutdown time, the
, and
options will only perform their action
if the appropriate /etc/rc.conf variable
is set. For instance, sshd restart will
only work if sshd_enable is set to
in /etc/rc.conf.
To , or
a service regardless of the settings
in /etc/rc.conf, these commands should be
prefixed with one. For instance, to restart
&man.sshd.8; regardless of the current
/etc/rc.conf setting, execute the following
command:&prompt.root; service sshd onerestartTo check if a service is enabled in
/etc/rc.conf, run the appropriate
&man.rc.8; script with . This example
checks to see if &man.sshd.8; is enabled in
/etc/rc.conf:&prompt.root; service sshd rcvar
# sshd
#
sshd_enable="YES"
# (default: "")The # sshd line is output from the
above command, not a
root console.To determine whether or not a service is running, use
. For instance, to verify that
&man.sshd.8; is running:&prompt.root; service sshd status
sshd is running as pid 433.In some cases, it is also possible to
a service. This attempts to send a
signal to an individual service, forcing the service to reload
its configuration files. In most cases, this means sending
the service a SIGHUP signal. Support for
this feature is not included for every service.The &man.rc.8; system is used for network services and it
also contributes to most of the system initialization. For
instance, when the
/etc/rc.d/bgfsck script is executed, it
prints out the following message:Starting background file system checks in 60 seconds.This script is used for background file system checks,
which occur only during system initialization.Many system services depend on other services to function
properly. For example, &man.yp.8; and other
RPC-based services may fail to start until
after the &man.rpcbind.8; service has started. To resolve this
issue, information about dependencies and other meta-data is
included in the comments at the top of each startup script.
The &man.rcorder.8; program is used to parse these comments
during system initialization to determine the order in which
system services should be invoked to satisfy the
dependencies.The following key word must be included in all startup
scripts as it is required by &man.rc.subr.8; to
enable the startup script:PROVIDE: Specifies the services this
file provides.The following key words may be included at the top of each
startup script. They are not strictly necessary, but are
useful as hints to &man.rcorder.8;:REQUIRE: Lists services which are
required for this service. The script containing this key
word will run after the specified
services.BEFORE: Lists services which depend
on this service. The script containing this key word will
run before the specified
services.By carefully setting these keywords for each startup script,
an administrator has a fine-grained level of control of the
startup order of the scripts, without the need for
runlevels used by some &unix; operating
systems.Additional information can be found in &man.rc.8; and
&man.rc.subr.8;. Refer to this article
for instructions on how to create custom &man.rc.8;
scripts.Managing System-Specific Configurationrc filesrc.confThe principal location for system configuration
information is /etc/rc.conf. This file
contains a wide range of configuration information and it is
read at system startup to configure the system. It provides
the configuration information for the
rc* files.The entries in /etc/rc.conf override
the default settings in
/etc/defaults/rc.conf. The file
containing the default settings should not be edited.
Instead, all system-specific changes should be made to
/etc/rc.conf.A number of strategies may be applied in clustered
applications to separate site-wide configuration from
system-specific configuration in order to reduce
administration overhead. The recommended approach is to place
system-specific configuration into
/etc/rc.conf.local. For example, these
entries in /etc/rc.conf apply to all
systems:sshd_enable="YES"
keyrate="fast"
defaultrouter="10.1.1.254"Whereas these entries in
/etc/rc.conf.local apply to this system
only:hostname="node1.example.org"
ifconfig_fxp0="inet 10.1.1.1/8"Distribute /etc/rc.conf to every
system using an application such as
rsync or
puppet, while
/etc/rc.conf.local remains
unique.Upgrading the system will not overwrite
/etc/rc.conf, so system configuration
information will not be lost.Both /etc/rc.conf and
/etc/rc.conf.local
are parsed by &man.sh.1;. This allows system operators to
create complex configuration scenarios. Refer to
&man.rc.conf.5; for further information on this
topic.Setting Up Network Interface CardsMarcFonvieilleContributed by network cardsconfigurationAdding and configuring a network interface card
(NIC) is a common task for any &os;
administrator.Locating the Correct Drivernetwork cardsdriverFirst, determine the model of the NIC
and the chip it uses. &os; supports a wide variety of
NICs. Check the Hardware Compatibility
List for the &os; release to see if the NIC
is supported.If the NIC is supported, determine
the name of the &os; driver for the NIC.
Refer to /usr/src/sys/conf/NOTES and
/usr/src/sys/arch/conf/NOTES
for the list of NIC drivers with some
information about the supported chipsets. When in doubt, read
the manual page of the driver as it will provide more
information about the supported hardware and any known
limitations of the driver.The drivers for common NICs are already
present in the GENERIC kernel, meaning
the NIC should be probed during boot. The
system's boot messages can be viewed by typing
more /var/run/dmesg.boot and using the
spacebar to scroll through the text. In this example, two
Ethernet NICs using the &man.dc.4; driver
are present on the system:dc0: <82c169 PNIC 10/100BaseTX> port 0xa000-0xa0ff mem 0xd3800000-0xd38
000ff irq 15 at device 11.0 on pci0
miibus0: <MII bus> on dc0
bmtphy0: <BCM5201 10/100baseTX PHY> PHY 1 on miibus0
bmtphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: Ethernet address: 00:a0:cc:da:da:da
dc0: [ITHREAD]
dc1: <82c169 PNIC 10/100BaseTX> port 0x9800-0x98ff mem 0xd3000000-0xd30
000ff irq 11 at device 12.0 on pci0
miibus1: <MII bus> on dc1
bmtphy1: <BCM5201 10/100baseTX PHY> PHY 1 on miibus1
bmtphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: Ethernet address: 00:a0:cc:da:da:db
dc1: [ITHREAD]If the driver for the NIC is not
present in GENERIC, but a driver is
available, the driver will need to be loaded before the
NIC can be configured and used. This may
be accomplished in one of two ways:The easiest way is to load a kernel module for the
NIC using &man.kldload.8;. To also
automatically load the driver at boot time, add the
appropriate line to
/boot/loader.conf. Not all
NIC drivers are available as
modules.Alternatively, statically compile support for the
NIC into a custom kernel. Refer to
/usr/src/sys/conf/NOTES,
/usr/src/sys/arch/conf/NOTES
and the manual page of the driver to determine which line
to add to the custom kernel configuration file. For more
information about recompiling the kernel, refer to . If the NIC
was detected at boot, the kernel does not need to be
recompiled.Using &windows; NDIS DriversNDISNDISulator&windows; driversµsoft.windows;device driversKLD (kernel loadable
object)Unfortunately, there are still many vendors that do not
provide schematics for their drivers to the open source
community because they regard such information as trade
secrets. Consequently, the developers of &os; and other
operating systems are left with two choices: develop the
drivers by a long and pain-staking process of reverse
engineering or using the existing driver binaries available
for µsoft.windows; platforms.&os; provides native support for the
Network Driver Interface Specification
(NDIS). It includes &man.ndisgen.8;
which can be used to convert a &windowsxp; driver into a
format that can be used on &os;. Because the &man.ndis.4;
driver uses a &windowsxp; binary, it only runs on &i386;
and amd64 systems. PCI, CardBus,
PCMCIA, and USB
devices are supported.To use &man.ndisgen.8;, three things are needed:&os; kernel sources.A &windowsxp; driver binary with a
.SYS extension.A &windowsxp; driver configuration file with a
.INF extension.Download the .SYS and
.INF files for the specific
NIC. Generally, these can be found on
the driver CD or at the vendor's website. The following
examples use W32DRIVER.SYS and
W32DRIVER.INF.The driver bit width must match the version of &os;.
For &os;/i386, use a &windows; 32-bit driver. For
&os;/amd64, a &windows; 64-bit driver is needed.The next step is to compile the driver binary into a
loadable kernel module. As
root, use
&man.ndisgen.8;:&prompt.root; ndisgen /path/to/W32DRIVER.INF/path/to/W32DRIVER.SYSThis command is interactive and prompts for any extra
information it requires. A new kernel module will be
generated in the current directory. Use &man.kldload.8;
to load the new module:&prompt.root; kldload ./W32DRIVER_SYS.koIn addition to the generated kernel module, the
ndis.ko and
if_ndis.ko modules must be loaded.
This should happen automatically when any module that
depends on &man.ndis.4; is loaded. If not, load them
manually, using the following commands:&prompt.root; kldload ndis
&prompt.root; kldload if_ndisThe first command loads the &man.ndis.4; miniport driver
wrapper and the second loads the generated
NIC driver.Check &man.dmesg.8; to see if there were any load
errors. If all went well, the output should be similar to
the following:ndis0: <Wireless-G PCI Adapter> mem 0xf4100000-0xf4101fff irq 3 at device 8.0 on pci1
ndis0: NDIS API version: 5.0
ndis0: Ethernet address: 0a:b1:2c:d3:4e:f5
ndis0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
ndis0: 11g rates: 6Mbps 9Mbps 12Mbps 18Mbps 36Mbps 48Mbps 54MbpsFrom here, ndis0 can be
configured like any other NIC.To configure the system to load the &man.ndis.4; modules
at boot time, copy the generated module,
W32DRIVER_SYS.ko, to
/boot/modules. Then, add the following
line to /boot/loader.conf:W32DRIVER_SYS_load="YES"Configuring the Network Cardnetwork cardsconfigurationOnce the right driver is loaded for the
NIC, the card needs to be configured. It
may have been configured at installation time by
&man.bsdinstall.8;.To display the NIC configuration,
enter the following command:&prompt.user; ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80008<VLAN_MTU,LINKSTATE>
ether 00:a0:cc:da:da:da
inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
dc1: flags=8802<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80008<VLAN_MTU,LINKSTATE>
ether 00:a0:cc:da:da:db
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
media: Ethernet 10baseT/UTP
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>In this example, the following devices were
displayed:dc0: The first Ethernet
interface.dc1: The second Ethernet
interface.lo0: The loopback
device.&os; uses the driver name followed by the order in which
the card is detected at boot to name the
NIC. For example,
sis2 is the third
NIC on the system using the &man.sis.4;
driver.In this example, dc0 is up and
running. The key indicators are:UP means that the card is
configured and ready.The card has an Internet (inet)
address, 192.168.1.3.It has a valid subnet mask
(netmask), where
0xffffff00 is the
same as 255.255.255.0.It has a valid broadcast address, 192.168.1.255.The MAC address of the card
(ether) is 00:a0:cc:da:da:da.The physical media selection is on autoselection mode
(media: Ethernet autoselect (100baseTX
<full-duplex>)). In this example,
dc1 is configured to run with
10baseT/UTP media. For more
information on available media types for a driver, refer
to its manual page.The status of the link (status) is
active, indicating that the carrier
signal is detected. For dc1, the
status: no carrier status is normal
when an Ethernet cable is not plugged into the
card.If the &man.ifconfig.8; output had shown something similar
to:dc0: flags=8843<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80008<VLAN_MTU,LINKSTATE>
ether 00:a0:cc:da:da:da
media: Ethernet autoselect (100baseTX <full-duplex>)
status: activeit would indicate the card has not been configured.The card must be configured as
root. The
NIC configuration can be performed from the
command line with &man.ifconfig.8; but will not persist after
a reboot unless the configuration is also added to
/etc/rc.conf. If a
DHCP server is present on the LAN,
just add this line:ifconfig_dc0="DHCP"Replace dc0 with the correct value
for the system.The line added, then, follow the instructions given in
.If the network was configured during installation, some
entries for the NIC(s) may be already
present. Double check /etc/rc.conf
before adding any lines.In the case, there is no DHCP server,
the NIC(s) have to be configured manually.
Add a line for each NIC present on the
system, as seen in this example:ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"Replace dc0 and
dc1 and the IP
address information with the correct values for the system.
Refer to the man page for the driver, &man.ifconfig.8;, and
&man.rc.conf.5; for more details about the allowed options and
the syntax of /etc/rc.conf.If the network is not using DNS, edit
/etc/hosts to add the names and
IP addresses of the hosts on the
LAN, if they are not already there. For
more information, refer to &man.hosts.5; and to
/usr/share/examples/etc/hosts.If there is no DHCP server and
access to the Internet is needed, manually configure the
default gateway and the nameserver:&prompt.root; echo 'defaultrouter="your_default_router"' >> /etc/rc.conf
&prompt.root; echo 'nameserver your_DNS_server' >> /etc/resolv.confTesting and TroubleshootingOnce the necessary changes to
/etc/rc.conf are saved, a reboot can be
used to test the network configuration and to verify that the
system restarts without any configuration errors.
Alternatively, apply the settings to the networking system
with this command:&prompt.root; service netif restartIf a default gateway has been set in
/etc/rc.conf, also issue this
command:&prompt.root; service routing restartOnce the networking system has been relaunched, test the
NICs.Testing the Ethernet Cardnetwork cardstestingTo verify that an Ethernet card is configured correctly,
&man.ping.8; the interface itself, and then &man.ping.8;
another machine on the LAN:&prompt.user; ping -c5 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.082 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.074 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.108 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.076 ms
--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.074/0.083/0.108/0.013 ms&prompt.user; ping -c5 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.726 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.700 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.747 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.704 ms
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 msTo test network resolution, use the host name instead
of the IP address. If there is no
DNS server on the network,
/etc/hosts must first be
configured. To this purpose, edit
/etc/hosts to add the names and
IP addresses of the hosts on the
LAN, if they are not already there. For
more information, refer to &man.hosts.5; and to
/usr/share/examples/etc/hosts.Troubleshootingnetwork cardstroubleshootingWhen troubleshooting hardware and software
configurations, check the simple things first. Is the
network cable plugged in? Are the network services properly
configured? Is the firewall configured correctly? Is the
NIC supported by &os;? Before sending
a bug report, always check the Hardware Notes, update the
version of &os; to the latest STABLE version, check the
mailing list archives, and search the Internet.If the card works, yet performance is poor, read
through &man.tuning.7;. Also, check the network
configuration as incorrect network settings can cause slow
connections.Some users experience one or two
device timeout messages, which is
normal for some cards. If they continue, or are bothersome,
determine if the device is conflicting with another device.
Double check the cable connections. Consider trying another
card.To resolve watchdog timeout
errors, first check the network cable. Many cards
require a PCI slot which supports bus
mastering. On some old motherboards, only one
PCI slot allows it, usually slot 0.
Check the NIC and the motherboard
documentation to determine if that may be the
problem.No route to host messages occur
if the system is unable to route a packet to the destination
host. This can happen if no default route is specified or
if a cable is unplugged. Check the output of
netstat -rn and make sure there is a
valid route to the host. If there is not, read
.ping: sendto: Permission denied
error messages are often caused by a misconfigured firewall.
If a firewall is enabled on &os; but no rules have been
defined, the default policy is to deny all traffic, even
&man.ping.8;. Refer to
for more information.Sometimes performance of the card is poor or below
average. In these cases, try setting the media
selection mode from autoselect to the
correct media selection. While this works for most
hardware, it may or may not resolve the issue. Again,
check all the network settings, and refer to
&man.tuning.7;.Virtual Hostsvirtual hostsIP
aliasesA common use of &os; is virtual site hosting, where one
server appears to the network as many servers. This is achieved
by assigning multiple network addresses to a single
interface.A given network interface has one real
address, and may have any number of alias
addresses. These aliases are normally added by placing alias
entries in /etc/rc.conf, as seen in this
example:ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"Alias entries must start with
alias0 using a
sequential number such as
alias0, alias1,
and so on. The configuration process will stop at the first
missing number.The calculation of alias netmasks is important. For a
given interface, there must be one address which correctly
represents the network's netmask. Any other addresses which
fall within this network must have a netmask of all
1s, expressed as either
255.255.255.255 or
0xffffffff.For example, consider the case where the
fxp0 interface is connected to two
networks: 10.1.1.0
with a netmask of
255.255.255.0 and
202.0.75.16 with a
netmask of
255.255.255.240. The
system is to be configured to appear in the ranges
10.1.1.1 through
10.1.1.5 and
202.0.75.17 through
202.0.75.20. Only
the first address in a given network range should have a real
netmask. All the rest
(10.1.1.2 through
10.1.1.5 and
202.0.75.18 through
202.0.75.20) must be
configured with a netmask of
255.255.255.255.The following /etc/rc.conf entries
configure the adapter correctly for this scenario:ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.1.1.3 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 10.1.1.4 netmask 255.255.255.255"
ifconfig_fxp0_alias3="inet 10.1.1.5 netmask 255.255.255.255"
ifconfig_fxp0_alias4="inet 202.0.75.17 netmask 255.255.255.240"
ifconfig_fxp0_alias5="inet 202.0.75.18 netmask 255.255.255.255"
ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255"
ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"A simpler way to express this is with a space-separated list
of IP address ranges. The first address
will be given the
indicated subnet mask and the additional addresses will have a
subnet mask of 255.255.255.255.ifconfig_fxp0_aliases="inet 10.1.1.1-5/24 inet 202.0.75.17-20/28"Configuring System LoggingNiclasZeisingContributed by system loggingsyslog&man.syslogd.8;Generating and reading system logs is an important aspect of
system administration. The information in system logs can be
used to detect hardware and software issues as well as
application and system configuration errors. This information
also plays an important role in security auditing and incident
response. Most system daemons and applications will generate
log entries.&os; provides a system logger,
syslogd, to manage logging. By
default, syslogd is started when the
system boots. This is controlled by the variable
syslogd_enable in
/etc/rc.conf. There are numerous
application arguments that can be set using
syslogd_flags in
/etc/rc.conf. Refer to &man.syslogd.8; for
more information on the available arguments.This section describes how to configure the &os; system
logger for both local and remote logging and how to perform log
rotation and log management.Configuring Local Loggingsyslog.confThe configuration file,
/etc/syslog.conf, controls what
syslogd does with log entries as
they are received. There are several parameters to control
the handling of incoming events. The
facility describes which subsystem
generated the message, such as the kernel or a daemon, and the
level describes the severity of the
event that occurred. This makes it possible to configure if
and where a log message is logged, depending on the facility
and level. It is also possible to take action depending on
the application that sent the message, and in the case of
remote logging, the hostname of the machine generating the
logging event.This configuration file contains one line per action,
where the syntax for each line is a selector field followed by
an action field. The syntax of the selector field is
facility.level which will match log
messages from facility at level
level or higher. It is also
possible to add an optional comparison flag before the level
to specify more precisely what is logged. Multiple selector
fields can be used for the same action, and are separated with
a semicolon (;). Using
* will match everything. The action field
denotes where to send the log message, such as to a file or
remote log host. As an example, here is the default
syslog.conf from &os;:# $&os;$
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
!-devd
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=info
!ppp
*.* /var/log/ppp.log
!*In this example:Line 8 matches all messages with a level of
err or higher, as well as
kern.warning,
auth.notice and
mail.crit, and sends these log messages
to the console
(/dev/console).Line 12 matches all messages from the
mail facility at level
info or above and logs the messages to
/var/log/maillog.Line 17 uses a comparison flag (=)
to only match messages at level debug
and logs them to
/var/log/debug.log.Line 33 is an example usage of a program
specification. This makes the rules following it only
valid for the specified program. In this case, only the
messages generated by ppp are
logged to /var/log/ppp.log.The available levels, in order from most to least
critical are emerg,
alert, crit,
err, warning,
notice, info, and
debug.The facilities, in no particular order, are
auth, authpriv,
console, cron,
daemon, ftp,
kern, lpr,
mail, mark,
news, security,
syslog, user,
uucp, and local0 through
local7. Be aware that other operating
systems might have different facilities.To log everything of level notice and
higher to /var/log/daemon.log, add the
following entry:daemon.notice /var/log/daemon.logFor more information about the different levels and
facilities, refer to &man.syslog.3; and &man.syslogd.8;.
For more information about
/etc/syslog.conf, its syntax, and more
advanced usage examples, see &man.syslog.conf.5;.Log Management and Rotationnewsyslognewsyslog.conflog rotationlog managementLog files can grow quickly, taking up disk space and
making it more difficult to locate useful information. Log
management attempts to mitigate this. In &os;,
newsyslog is used to manage log
files. This built-in program periodically rotates and
compresses log files, and optionally creates missing log files
and signals programs when log files are moved. The log files
may be generated by syslogd or by
any other program which generates log files. While
newsyslog is normally run from
&man.cron.8;, it is not a system daemon. In the default
configuration, it runs every hour.To know which actions to take,
newsyslog reads its configuration
file, /etc/newsyslog.conf. This file
contains one line for each log file that
newsyslog manages. Each line
states the file owner, permissions, when to rotate that file,
optional flags that affect log rotation, such as compression,
and programs to signal when the log is rotated. Here is the
default configuration in &os;:# configuration file for newsyslog
# $FreeBSD$
#
# Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated. This
# action is only appropriate for log files which are written to by the
# syslogd process (ie, files listed in /etc/syslog.conf). If there
# is no process which needs to be signalled when a given log file is
# rotated, then the entry for that file should include the 'N' flag.
#
# The 'flags' field is one or more of the letters: BCDGJNUXZ or a '-'.
#
# Note: some sites will want to select more restrictive protections than the
# defaults. In particular, it may be desirable to switch many of the 644
# entries to 640 or 600. For example, some sites will consider the
# contents of maillog, messages, and lpd-errs to be confidential. In the
# future, these defaults may change to more conservative ones.
#
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/all.log 600 7 * @T00 J
/var/log/amd.log 644 7 100 * J
/var/log/auth.log 600 7 100 @0101T JC
/var/log/console.log 600 5 100 * J
/var/log/cron 600 3 100 * JC
/var/log/daily.log 640 7 * @T00 JN
/var/log/debug.log 600 7 100 * JC
/var/log/kerberos.log 600 7 100 * J
/var/log/lpd-errs 644 7 100 * JC
/var/log/maillog 640 7 * @T00 JC
/var/log/messages 644 5 100 @0101T JC
/var/log/monthly.log 640 12 * $M1D0 JN
/var/log/pflog 600 3 100 * JB /var/run/pflogd.pid
/var/log/ppp.log root:network 640 3 100 * JC
/var/log/devd.log 644 3 100 * JC
/var/log/security 600 10 100 * JC
/var/log/sendmail.st 640 10 * 168 B
/var/log/utx.log 644 3 * @01T05 B
/var/log/weekly.log 640 5 1 $W6D0 JN
/var/log/xferlog 600 7 100 * JCEach line starts with the name of the log to be rotated,
optionally followed by an owner and group for both rotated and
newly created files. The mode field sets
the permissions on the log file and count
denotes how many rotated log files should be kept. The
size and when fields
tell newsyslog when to rotate the
file. A log file is rotated when either its size is larger
than the size field or when the time in the
when field has passed. An asterisk
(*) means that this field is ignored. The
flags field gives further
instructions, such as how to compress the rotated file or to
create the log file if it is missing. The last two fields are
optional and specify the name of the Process ID
(PID) file of a process and a signal number
to send to that process when the file is rotated.For more information on all fields, valid flags, and how
to specify the rotation time, refer to &man.newsyslog.conf.5;.
Since newsyslog is run from
&man.cron.8;, it cannot rotate files more often than it is
scheduled to run from &man.cron.8;.Configuring Remote LoggingTomRhodesContributed by Monitoring the log files of multiple hosts can become
unwieldy as the number of systems increases. Configuring
centralized logging can reduce some of the administrative
burden of log file administration.In &os;, centralized log file aggregation, merging, and
rotation can be configured using
syslogd and
newsyslog. This section
demonstrates an example configuration, where host
A, named logserv.example.com, will
collect logging information for the local network. Host
B, named logclient.example.com,
will be configured to pass logging information to the logging
server.Log Server ConfigurationA log server is a system that has been configured to
accept logging information from other hosts. Before
configuring a log server, check the following:If there is a firewall between the logging server
and any logging clients, ensure that the firewall
ruleset allows UDP port 514 for both
the clients and the server.The logging server and all client machines must
have forward and reverse entries in the local
DNS. If the network does not have a
DNS server, create entries in each
system's /etc/hosts. Proper name
resolution is required so that log entries are not
rejected by the logging server.On the log server, edit
/etc/syslog.conf to specify the name of
the client to receive log entries from, the logging facility
to be used, and the name of the log to store the host's log
entries. This example adds the hostname of
B, logs all facilities, and stores
the log entries in
/var/log/logclient.log.Sample Log Server Configuration+logclient.example.com
*.* /var/log/logclient.logWhen adding multiple log clients, add a similar two-line
entry for each client. More information about the available
facilities may be found in &man.syslog.conf.5;.Next, configure
/etc/rc.conf:syslogd_enable="YES"
syslogd_flags="-a logclient.example.com -v -v"The first entry starts
syslogd at system boot. The
second entry allows log entries from the specified client.
The increases the verbosity of logged
messages. This is useful for tweaking facilities as
administrators are able to see what type of messages are
being logged under each facility.Multiple options may be specified to
allow logging from multiple clients. IP
addresses and whole netblocks may also be specified. Refer
to &man.syslogd.8; for a full list of possible
options.Finally, create the log file:&prompt.root; touch /var/log/logclient.logAt this point, syslogd should
be restarted and verified:&prompt.root; service syslogd restart
&prompt.root; pgrep syslogIf a PID is returned, the server
restarted successfully, and client configuration can begin.
If the server did not restart, consult
/var/log/messages for the error.Log Client ConfigurationA logging client sends log entries to a logging server
on the network. The client also keeps a local copy of its
own logs.Once a logging server has been configured, edit
/etc/rc.conf on the logging
client:syslogd_enable="YES"
syslogd_flags="-s -v -v"The first entry enables
syslogd on boot up. The second
entry prevents logs from being accepted by this client from
other hosts () and increases the
verbosity of logged messages.Next, define the logging server in the client's
/etc/syslog.conf. In this example, all
logged facilities are sent to a remote system, denoted by
the @ symbol, with the specified
hostname:*.* @logserv.example.comAfter saving the edit, restart
syslogd for the changes to take
effect:&prompt.root; service syslogd restartTo test that log messages are being sent across the
network, use &man.logger.1; on the client to send a message
to syslogd:&prompt.root; logger "Test message from logclient"This message should now exist both in
/var/log/messages on the client and
/var/log/logclient.log on the log
server.Debugging Log ServersIf no messages are being received on the log server, the
cause is most likely a network connectivity issue, a
hostname resolution issue, or a typo in a configuration
file. To isolate the cause, ensure that both the logging
server and the logging client are able to
ping each other using the hostname
specified in their /etc/rc.conf. If
this fails, check the network cabling, the firewall ruleset,
and the hostname entries in the DNS
server or /etc/hosts on both the
logging server and clients. Repeat until the
ping is successful from both
hosts.If the ping succeeds on both hosts
but log messages are still not being received, temporarily
increase logging verbosity to narrow down the configuration
issue. In the following example,
/var/log/logclient.log on the logging
server is empty and /var/log/messages
on the logging client does not indicate a reason for the
failure. To increase debugging output, edit the
syslogd_flags entry on the logging server
and issue a restart:syslogd_flags="-d -a logclient.example.com -v -v"&prompt.root; service syslogd restartDebugging data similar to the following will flash on
the console immediately after the restart:logmsg: pri 56, flags 4, from logserv.example.com, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from logserv.example.com, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
cvthname(192.168.1.10)
validate: dgram from IP 192.168.1.10, port 514, name logclient.example.com;
rejected in rule 0 due to name mismatch.In this example, the log messages are being rejected due
to a typo which results in a hostname mismatch. The
client's hostname should be logclient,
not logclien. Fix the typo, issue a
restart, and verify the results:&prompt.root; service syslogd restart
logmsg: pri 56, flags 4, from logserv.example.com, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from logserv.example.com, msg syslogd: kernel boot file is /boot/kernel/kernel
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from logserv.example.com,
msg Dec 10 20:55:02 <syslog.err> logserv.example.com syslogd: exiting on signal 2
cvthname(192.168.1.10)
validate: dgram from IP 192.168.1.10, port 514, name logclient.example.com;
accepted in rule 0.
logmsg: pri 15, flags 0, from logclient.example.com, msg Dec 11 02:01:28 trhodes: Test message 2
Logging to FILE /var/log/logclient.log
Logging to FILE /var/log/messagesAt this point, the messages are being properly received
and placed in the correct file.Security ConsiderationsAs with any network service, security requirements
should be considered before implementing a logging server.
Log files may contain sensitive data about services enabled
on the local host, user accounts, and configuration data.
Network data sent from the client to the server will not be
encrypted or password protected. If a need for encryption
exists, consider using security/stunnel,
which will transmit the logging data over an encrypted
tunnel.Local security is also an issue. Log files are not
encrypted during use or after log rotation. Local users may
access log files to gain additional insight into system
configuration. Setting proper permissions on log files is
critical. The built-in log rotator,
newsyslog, supports setting
permissions on newly created and rotated log files. Setting
log files to mode 600 should prevent
unwanted access by local users. Refer to
&man.newsyslog.conf.5; for additional information.Configuration Files/etc
LayoutThere are a number of directories in which configuration
information is kept. These include:/etcGeneric system-specific configuration
information./etc/defaultsDefault versions of system configuration
files./etc/mailExtra &man.sendmail.8; configuration and other
MTA configuration files./etc/pppConfiguration for both user- and kernel-ppp
programs./usr/local/etcConfiguration files for installed applications.
May contain per-application subdirectories./usr/local/etc/rc.d&man.rc.8; scripts for installed
applications./var/dbAutomatically generated system-specific database
files, such as the package database and the
&man.locate.1; database.HostnameshostnameDNS/etc/resolv.confresolv.confHow a &os; system accesses the Internet Domain Name
System (DNS) is controlled by
&man.resolv.conf.5;.The most common entries to
/etc/resolv.conf are:nameserverThe IP address of a name
server the resolver should query. The servers are
queried in the order listed with a maximum of
three.searchSearch list for hostname lookup. This is
normally determined by the domain of the local
hostname.domainThe local domain name.A typical /etc/resolv.conf looks
like this:search example.com
nameserver 147.11.1.11
nameserver 147.11.100.30Only one of the search and
domain options should be used.When using DHCP, &man.dhclient.8;
usually rewrites /etc/resolv.conf
with information received from the DHCP
server./etc/hostshosts/etc/hosts is a simple text
database which works in conjunction with
DNS and
NIS to provide host name to
IP address mappings. Entries for local
computers connected via a LAN can be
added to this file for simplistic naming purposes instead
of setting up a &man.named.8; server. Additionally,
/etc/hosts can be used to provide a
local record of Internet names, reducing the need to query
external DNS servers for commonly
accessed names.# $&os;$
#
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#The format of /etc/hosts is as
follows:[Internet address] [official hostname] [alias1] [alias2] ...For example:10.0.0.1 myRealHostname.example.com myRealHostname foobar1 foobar2Consult &man.hosts.5; for more information.Tuning with &man.sysctl.8;sysctltuningwith sysctl&man.sysctl.8; is used to make changes to a running &os;
system. This includes many advanced options of the
TCP/IP stack and virtual memory system
that can dramatically improve performance for an experienced
system administrator. Over five hundred system variables can
be read and set using &man.sysctl.8;.At its core, &man.sysctl.8; serves two functions: to read
and to modify system settings.To view all readable variables:&prompt.user; sysctl -aTo read a particular variable, specify its name:&prompt.user; sysctl kern.maxproc
kern.maxproc: 1044To set a particular variable, use the
variable=value
syntax:&prompt.root; sysctl kern.maxfiles=5000
kern.maxfiles: 2088 -> 5000Settings of sysctl variables are usually either strings,
numbers, or booleans, where a boolean is 1
for yes or 0 for no.To automatically set some variables each time the machine
boots, add them to /etc/sysctl.conf. For
more information, refer to &man.sysctl.conf.5; and
.sysctl.confsysctl.confsysctlThe configuration file for &man.sysctl.8;,
/etc/sysctl.conf, looks much like
/etc/rc.conf. Values are set in a
variable=value form. The specified values
are set after the system goes into multi-user mode. Not all
variables are settable in this mode.For example, to turn off logging of fatal signal exits
and prevent users from seeing processes started by other
users, the following tunables can be set in
/etc/sysctl.conf:# Do not log fatal signal exits (e.g., sig 11)
kern.logsigexit=0
# Prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0&man.sysctl.8; Read-onlyTomRhodesContributed by In some cases it may be desirable to modify read-only
&man.sysctl.8; values, which will require a reboot of the
system.For instance, on some laptop models the &man.cardbus.4;
device will not probe memory ranges and will fail with errors
similar to:cbb0: Could not map register memory
device_probe_and_attach: cbb0 attach returned 12The fix requires the modification of a read-only
&man.sysctl.8; setting. Add
to
/boot/loader.conf and reboot. Now
&man.cardbus.4; should work properly.Tuning DisksThe following section will discuss various tuning
mechanisms and options which may be applied to disk
devices. In many cases, disks with mechanical parts,
such as SCSI drives, will be the
bottleneck driving down the overall system performance. While
a solution is to install a drive without mechanical parts,
such as a solid state drive, mechanical drives are not
going away anytime in the near future. When tuning disks,
it is advisable to utilize the features of the &man.iostat.8;
command to test various changes to the system. This
command will allow the user to obtain valuable information
on system IO.Sysctl Variablesvfs.vmiodirenablevfs.vmiodirenableThe vfs.vmiodirenable &man.sysctl.8;
variable
may be set to either 0 (off) or
1 (on). It is set to
1 by default. This variable controls
how directories are cached by the system. Most directories
are small, using just a single fragment (typically 1 K)
in the file system and typically 512 bytes in the
buffer cache. With this variable turned off, the buffer
cache will only cache a fixed number of directories, even
if the system has a huge amount of memory. When turned on,
this &man.sysctl.8; allows the buffer cache to use the
VM page cache to cache the directories,
making all the memory available for caching directories.
However, the minimum in-core memory used to cache a
directory is the physical page size (typically 4 K)
rather than 512 bytes. Keeping this option enabled
is recommended if the system is running any services which
manipulate large numbers of files. Such services can
include web caches, large mail systems, and news systems.
Keeping this option on will generally not reduce
performance, even with the wasted memory, but one should
experiment to find out.vfs.write_behindvfs.write_behindThe vfs.write_behind &man.sysctl.8;
variable
defaults to 1 (on). This tells the file
system to issue media writes as full clusters are collected,
which typically occurs when writing large sequential files.
This avoids saturating the buffer cache with dirty buffers
when it would not benefit I/O performance. However, this
may stall processes and under certain circumstances should
be turned off.vfs.hirunningspacevfs.hirunningspaceThe vfs.hirunningspace &man.sysctl.8;
variable determines how much outstanding write I/O may be
queued to disk controllers system-wide at any given
instance. The default is usually sufficient, but on
machines with many disks, try bumping it up to four or five
megabytes. Setting too high a value
which exceeds the buffer cache's write threshold can lead
to bad clustering performance. Do not set this value
arbitrarily high as higher write values may add latency to
reads occurring at the same time.There are various other buffer cache and
VM page cache related &man.sysctl.8;
values. Modifying these values is not recommended as the
VM system does a good job of
automatically tuning itself.vm.swap_idle_enabledvm.swap_idle_enabledThe vm.swap_idle_enabled
&man.sysctl.8; variable is useful in large multi-user
systems with many active login users and lots of idle
processes. Such systems tend to generate continuous
pressure on free memory reserves. Turning this feature on
and tweaking the swapout hysteresis (in idle seconds) via
vm.swap_idle_threshold1 and
vm.swap_idle_threshold2 depresses the
priority of memory pages associated with idle processes more
quickly then the normal pageout algorithm. This gives a
helping hand to the pageout daemon. Only turn this option
on if needed, because the tradeoff is essentially pre-page
memory sooner rather than later which eats more swap and
disk bandwidth. In a small system this option will have a
determinable effect, but in a large system that is already
doing moderate paging, this option allows the
VM system to stage whole processes into
and out of memory easily.hw.ata.wchw.ata.wcTurning off IDE write caching reduces
write bandwidth to IDE disks, but may
sometimes be necessary due to data consistency issues
introduced by hard drive vendors. The problem is that
some IDE drives lie about when a write
completes. With IDE write caching
turned on, IDE hard drives write data
to disk out of order and will sometimes delay writing some
blocks indefinitely when under heavy disk load. A crash or
power failure may cause serious file system corruption.
Check the default on the system by observing the
hw.ata.wc &man.sysctl.8; variable. If
IDE write caching is turned off, one can
set this read-only variable to
1 in
/boot/loader.conf in order to enable
it at boot time.For more information, refer to &man.ata.4;.SCSI_DELAY
(kern.cam.scsi_delay)kern.cam.scsi_delaykernel optionsSCSI DELAYThe SCSI_DELAY kernel configuration
option may be used to reduce system boot times. The
defaults are fairly high and can be responsible for
15 seconds of delay in the boot process.
Reducing it to 5 seconds usually works
with modern drives. The
kern.cam.scsi_delay boot time tunable
should be used. The tunable and kernel configuration
option accept values in terms of
milliseconds and
notseconds.Soft UpdatesSoft Updates&man.tunefs.8;To fine-tune a file system, use &man.tunefs.8;. This
program has many different options. To toggle Soft Updates
on and off, use:&prompt.root; tunefs -n enable /filesystem
&prompt.root; tunefs -n disable /filesystemA file system cannot be modified with &man.tunefs.8; while
it is mounted. A good time to enable Soft Updates is before
any partitions have been mounted, in single-user mode.Soft Updates is recommended for UFS
file systems as it drastically improves meta-data performance,
mainly file creation and deletion, through the use of a memory
cache. There are two downsides to Soft Updates to be aware
of. First, Soft Updates guarantee file system consistency
in the case of a crash, but could easily be several seconds
or even a minute behind updating the physical disk. If the
system crashes, unwritten data may be lost. Secondly, Soft
Updates delay the freeing of file system blocks. If the
root file system is almost full, performing a major update,
such as make installworld, can cause the
file system to run out of space and the update to fail.More Details About Soft UpdatesSoft UpdatesdetailsMeta-data updates are updates to non-content data like
inodes or directories. There are two traditional approaches
to writing a file system's meta-data back to disk.Historically, the default behavior was to write out
meta-data updates synchronously. If a directory changed,
the system waited until the change was actually written to
disk. The file data buffers (file contents) were passed
through the buffer cache and backed up to disk later on
asynchronously. The advantage of this implementation is
that it operates safely. If there is a failure during an
update, meta-data is always in a consistent state. A
file is either created completely or not at all. If the
data blocks of a file did not find their way out of the
buffer cache onto the disk by the time of the crash,
&man.fsck.8; recognizes this and repairs the file system
by setting the file length to 0.
Additionally, the implementation is clear and simple. The
disadvantage is that meta-data changes are slow. For
example, rm -r touches all the files in a
directory sequentially, but each directory change will be
written synchronously to the disk. This includes updates to
the directory itself, to the inode table, and possibly to
indirect blocks allocated by the file. Similar
considerations apply for unrolling large hierarchies using
tar -x.The second approach is to use asynchronous meta-data
updates. This is the default for a UFS
file system mounted with mount -o async.
Since all meta-data updates are also passed through the
buffer cache, they will be intermixed with the updates of
the file content data. The advantage of this
implementation is there is no need to wait until each
meta-data update has been written to disk, so all operations
which cause huge amounts of meta-data updates work much
faster than in the synchronous case. This implementation
is still clear and simple, so there is a low risk for bugs
creeping into the code. The disadvantage is that there is
no guarantee for a consistent state of the file system.
If there is a failure during an operation that updated
large amounts of meta-data, like a power failure or someone
pressing the reset button, the file system will be left
in an unpredictable state. There is no opportunity to
examine the state of the file system when the system comes
up again as the data blocks of a file could already have
been written to the disk while the updates of the inode
table or the associated directory were not. It is
impossible to implement a &man.fsck.8; which is able to
clean up the resulting chaos because the necessary
information is not available on the disk. If the file
system has been damaged beyond repair, the only choice
is to reformat it and restore from backup.The usual solution for this problem is to implement
dirty region logging, which is also
referred to as journaling.
Meta-data updates are still written synchronously, but only
into a small region of the disk. Later on, they are moved
to their proper location. Because the logging area is a
small, contiguous region on the disk, there are no long
distances for the disk heads to move, even during heavy
operations, so these operations are quicker than synchronous
updates. Additionally, the complexity of the implementation
is limited, so the risk of bugs being present is low. A
disadvantage is that all meta-data is written twice, once
into the logging region and once to the proper location, so
performance pessimization might result. On
the other hand, in case of a crash, all pending meta-data
operations can be either quickly rolled back or completed
from the logging area after the system comes up again,
resulting in a fast file system startup.Kirk McKusick, the developer of Berkeley
FFS, solved this problem with Soft
Updates. All pending meta-data updates are kept in memory
and written out to disk in a sorted sequence
(ordered meta-data updates). This has the
effect that, in case of heavy meta-data operations, later
updates to an item catch the earlier ones
which are still in memory and have not already been written
to disk. All operations are generally performed in memory
before the update is written to disk and the data blocks are
sorted according to their position so that they will not be
on the disk ahead of their meta-data. If the system
crashes, an implicit log rewind causes all
operations which were not written to the disk appear as if
they never happened. A consistent file system state is
maintained that appears to be the one of 30 to 60 seconds
earlier. The algorithm used guarantees that all resources
in use are marked as such in their blocks and inodes.
After a crash, the only resource allocation error that
occurs is that resources are marked as used
which are actually free. &man.fsck.8;
recognizes this situation, and frees the resources that
are no longer used. It is safe to ignore the dirty state
of the file system after a crash by forcibly mounting it
with mount -f. In order to free
resources that may be unused, &man.fsck.8; needs to be run
at a later time. This is the idea behind the
background &man.fsck.8;: at system
startup time, only a snapshot of the
file system is recorded and &man.fsck.8; is run afterwards.
All file systems can then be mounted
dirty, so the system startup proceeds in
multi-user mode. Then, background &man.fsck.8; is
scheduled for all file systems where this is required, to
free resources that may be unused. File systems that do
not use Soft Updates still need the usual foreground
&man.fsck.8;.The advantage is that meta-data operations are nearly
as fast as asynchronous updates and are faster than
logging, which has to write the
meta-data twice. The disadvantages are the complexity of
the code, a higher memory consumption, and some
idiosyncrasies. After a crash, the state of the file
system appears to be somewhat older. In
situations where the standard synchronous approach would
have caused some zero-length files to remain after the
&man.fsck.8;, these files do not exist at all with Soft
Updates because neither the meta-data nor the file contents
have been written to disk. Disk space is not released until
the updates have been written to disk, which may take place
some time after running &man.rm.1;. This may cause problems
when installing large amounts of data on a file system
that does not have enough free space to hold all the files
twice.Tuning Kernel Limitstuningkernel limitsFile/Process Limitskern.maxfileskern.maxfilesThe kern.maxfiles &man.sysctl.8;
variable can be raised or lowered based upon system
requirements. This variable indicates the maximum number
of file descriptors on the system. When the file descriptor
table is full, file: table is full
will show up repeatedly in the system message buffer, which
can be viewed using &man.dmesg.8;.Each open file, socket, or fifo uses one file
descriptor. A large-scale production server may easily
require many thousands of file descriptors, depending on the
kind and number of services running concurrently.In older &os; releases, the default value of
kern.maxfiles is derived from
in the kernel configuration file.
kern.maxfiles grows proportionally to the
value of . When compiling a custom
kernel, consider setting this kernel configuration option
according to the use of the system. From this number, the
kernel is given most of its pre-defined limits. Even though
a production machine may not have 256 concurrent users, the
resources needed may be similar to a high-scale web
server.The read-only &man.sysctl.8; variable
kern.maxusers is automatically sized at
boot based on the amount of memory available in the system,
and may be determined at run-time by inspecting the value
of kern.maxusers. Some systems require
larger or smaller values of
kern.maxusers and values of
64, 128, and
256 are not uncommon. Going above
256 is not recommended unless a huge
number of file descriptors is needed. Many of the tunable
values set to their defaults by
kern.maxusers may be individually
overridden at boot-time or run-time in
/boot/loader.conf. Refer to
&man.loader.conf.5; and
/boot/defaults/loader.conf for more
details and some hints.In older releases, the system will auto-tune
maxusers if it is set to
0.
The auto-tuning algorithm sets
maxusers equal to the amount of
memory in the system, with a minimum of
32, and a maximum of
384.. When
setting this option, set maxusers to
at least 4, especially if the system
runs &xorg; or is used to
compile software. The most important table set by
maxusers is the maximum number of
processes, which is set to
20 + 16 * maxusers. If
maxusers is set to 1,
there can only be
36 simultaneous processes, including
the 18 or so that the system starts up
at boot time and the 15 or so used by
&xorg;. Even a simple task like
reading a manual page will start up nine processes to
filter, decompress, and view it. Setting
maxusers to 64 allows
up to 1044 simultaneous processes, which
should be enough for nearly all uses. If, however, the
proc table full error is displayed
when trying to start another program, or a server is
running with a large number of simultaneous users, increase
the number and rebuild.maxusers does
not limit the number of users which
can log into the machine. It instead sets various table
sizes to reasonable values considering the maximum number
of users on the system and how many processes each user
will be running.kern.ipc.soacceptqueuekern.ipc.soacceptqueueThe kern.ipc.soacceptqueue
&man.sysctl.8; variable limits the size of the listen queue
for accepting new TCP connections. The
default value of 128 is typically too low
for robust handling of new connections on a heavily loaded
web server. For such environments, it is recommended to
increase this value to 1024 or higher. A
service such as &man.sendmail.8;, or
Apache may itself limit the
listen queue size, but will often have a directive in its
configuration file to adjust the queue size. Large listen
queues do a better job of avoiding Denial of Service
(DoS) attacks.Network LimitsThe NMBCLUSTERS kernel configuration
option dictates the amount of network Mbufs available to the
system. A heavily-trafficked server with a low number of
Mbufs will hinder performance. Each cluster represents
approximately 2 K of memory, so a value of
1024 represents 2
megabytes of kernel memory reserved for network buffers. A
simple calculation can be done to figure out how many are
needed. A web server which maxes out at
1000 simultaneous connections where each
connection uses a 6 K receive and 16 K send buffer,
requires approximately 32 MB worth of network buffers
to cover the web server. A good rule of thumb is to multiply
by 2, so
2x32 MB / 2 KB =
64 MB / 2 kB =
32768. Values between
4096 and 32768 are
recommended for machines with greater amounts of memory.
Never specify an arbitrarily high value for this parameter
as it could lead to a boot time crash. To observe network
cluster usage, use with
&man.netstat.1;.The kern.ipc.nmbclusters loader tunable
should be used to tune this at boot time. Only older versions
of &os; will require the use of the
NMBCLUSTERS kernel &man.config.8;
option.For busy servers that make extensive use of the
&man.sendfile.2; system call, it may be necessary to increase
the number of &man.sendfile.2; buffers via the
NSFBUFS kernel configuration option or by
setting its value in /boot/loader.conf
(see &man.loader.8; for details). A common indicator that
this parameter needs to be adjusted is when processes are seen
in the sfbufa state. The &man.sysctl.8;
variable kern.ipc.nsfbufs is read-only.
This parameter nominally scales with
kern.maxusers, however it may be necessary
to tune accordingly.Even though a socket has been marked as non-blocking,
calling &man.sendfile.2; on the non-blocking socket may
result in the &man.sendfile.2; call blocking until enough
struct sf_buf's are made
available.net.inet.ip.portrange.*net.inet.ip.portrange.*The net.inet.ip.portrange.*
&man.sysctl.8; variables control the port number ranges
automatically bound to TCP and
UDP sockets. There are three ranges: a
low range, a default range, and a high range. Most network
programs use the default range which is controlled by
net.inet.ip.portrange.first and
net.inet.ip.portrange.last, which default
to 1024 and 5000,
respectively. Bound port ranges are used for outgoing
connections and it is possible to run the system out of
ports under certain circumstances. This most commonly
occurs when running a heavily loaded web proxy. The port
range is not an issue when running a server which handles
mainly incoming connections, such as a web server, or has
a limited number of outgoing connections, such as a mail
relay. For situations where there is a shortage of ports,
it is recommended to increase
net.inet.ip.portrange.last modestly. A
value of 10000, 20000
or 30000 may be reasonable. Consider
firewall effects when changing the port range. Some
firewalls may block large ranges of ports, usually
low-numbered ports, and expect systems to use higher ranges
of ports for outgoing connections. For this reason, it
is not recommended that the value of
net.inet.ip.portrange.first be
lowered.TCP Bandwidth Delay ProductTCP Bandwidth Delay Product
Limitingnet.inet.tcp.inflight.enableTCP bandwidth delay product limiting
can be enabled by setting the
net.inet.tcp.inflight.enable
&man.sysctl.8; variable to 1. This
instructs the system to attempt to calculate the bandwidth
delay product for each connection and limit the amount of
data queued to the network to just the amount required to
maintain optimum throughput.This feature is useful when serving data over modems,
Gigabit Ethernet, high speed WAN links,
or any other link with a high bandwidth delay product,
especially when also using window scaling or when a large
send window has been configured. When enabling this option,
also set net.inet.tcp.inflight.debug to
0 to disable debugging. For production
use, setting net.inet.tcp.inflight.min
to at least 6144 may be beneficial.
Setting high minimums may effectively disable bandwidth
limiting, depending on the link. The limiting feature
reduces the amount of data built up in intermediate route
and switch packet queues and reduces the amount of data
built up in the local host's interface queue. With fewer
queued packets, interactive connections, especially over
slow modems, will operate with lower
Round Trip Times. This feature only
effects server side data transmission such as uploading.
It has no effect on data reception or downloading.Adjusting net.inet.tcp.inflight.stab
is not recommended. This parameter
defaults to 20, representing 2 maximal
packets added to the bandwidth delay product window
calculation. The additional window is required to stabilize
the algorithm and improve responsiveness to changing
conditions, but it can also result in higher &man.ping.8;
times over slow links, though still much lower than without
the inflight algorithm. In such cases, try reducing this
parameter to 15, 10,
or 5 and reducing
net.inet.tcp.inflight.min to a value such
as 3500 to get the desired effect.
Reducing these parameters should be done as a last resort
only.Virtual Memorykern.maxvnodesA vnode is the internal representation of a file or
directory. Increasing the number of vnodes available to
the operating system reduces disk I/O. Normally, this is
handled by the operating system and does not need to be
changed. In some cases where disk I/O is a bottleneck and
the system is running out of vnodes, this setting needs
to be increased. The amount of inactive and free
RAM will need to be taken into
account.To see the current number of vnodes in use:&prompt.root; sysctl vfs.numvnodes
vfs.numvnodes: 91349To see the maximum vnodes:&prompt.root; sysctl kern.maxvnodes
kern.maxvnodes: 100000If the current vnode usage is near the maximum, try
increasing kern.maxvnodes by a value of
1000. Keep an eye on the number of
vfs.numvnodes. If it climbs up to the
maximum again, kern.maxvnodes will need
to be increased further. Otherwise, a shift in memory
usage as reported by &man.top.1; should be visible and
more memory should be active.Adding Swap SpaceSometimes a system requires more swap space. This section
describes two methods to increase swap space: adding swap to an
existing partition or new hard drive, and creating a swap file
on an existing partition.For information on how to encrypt swap space, which options
exist, and why it should be done, refer to .Swap on a New Hard Drive or Existing PartitionAdding a new hard drive for swap gives better performance
than using a partition on an existing drive. Setting up
partitions and hard drives is explained in while discusses partition layouts
and swap partition size considerations.Use swapon to add a swap partition to
the system. For example:&prompt.root; swapon /dev/ada1s1bIt is possible to use any partition not currently
mounted, even if it already contains data. Using
swapon on a partition that contains data
will overwrite and destroy that data. Make sure that the
partition to be added as swap is really the intended
partition before running swapon.To automatically add this swap partition on boot, add an
entry to /etc/fstab:/dev/ada1s1b none swap sw 0 0See &man.fstab.5; for an explanation of the entries in
/etc/fstab. More information about
swapon can be found in
&man.swapon.8;.Creating a Swap FileThese examples create a 64M swap file called
/usr/swap0 instead of using a
partition.Using swap files requires that the module needed by
&man.md.4; has either been built into the kernel or has been
loaded before swap is enabled. See
for information about building
a custom kernel.Creating a Swap File on
&os; 10.X and LaterCreate the swap file:&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1m count=64Set the proper permissions on the new file:&prompt.root; chmod 0600 /usr/swap0Inform the system about the swap file by adding a
line to /etc/fstab:md99 none swap sw,file=/usr/swap0,late 0 0The &man.md.4; device md99 is
used, leaving lower device numbers available for
interactive use.Swap space will be added on system startup. To add
swap space immediately, use &man.swapon.8;:&prompt.root; swapon -aLCreating a Swap File on
&os; 9.X and EarlierCreate the swap file,
/usr/swap0:&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1m count=64Set the proper permissions on
/usr/swap0:&prompt.root; chmod 0600 /usr/swap0Enable the swap file in
/etc/rc.conf:swapfile="/usr/swap0" # Set to name of swap fileSwap space will be added on system startup. To
enable the swap file immediately, specify a free memory
device. Refer to for
more information about memory devices.&prompt.root; mdconfig -a -t vnode -f /usr/swap0 -u 0 && swapon /dev/md0Power and Resource ManagementHitenPandyaWritten by TomRhodesIt is important to utilize hardware resources in an
efficient manner. Power and resource management allows the
operating system to monitor system limits and to possibly
provide an alert if the system temperature increases
unexpectedly. An early specification for providing power
management was the Advanced Power Management
(APM) facility. APM
controls the power usage of a system based on its activity.
However, it was difficult and inflexible for operating systems
to manage the power usage and thermal properties of a system.
The hardware was managed by the BIOS and the
user had limited configurability and visibility into the power
management settings. The APM
BIOS is supplied by the vendor and is
specific to the hardware platform. An APM
driver in the operating system mediates access to the
APM Software Interface, which allows
management of power levels.There are four major problems in APM.
First, power management is done by the vendor-specific
BIOS, separate from the operating system.
For example, the user can set idle-time values for a hard drive
in the APM BIOS so that,
when exceeded, the BIOS spins down the hard
drive without the consent of the operating system. Second, the
APM logic is embedded in the
BIOS, and it operates outside the scope of
the operating system. This means that users can only fix
problems in the APM
BIOS by flashing a new one into the
ROM, which is a dangerous procedure with the
potential to leave the system in an unrecoverable state if it
fails. Third, APM is a vendor-specific
technology, meaning that there is a lot of duplication of
efforts and bugs found in one vendor's BIOS
may not be solved in others. Lastly, the APM
BIOS did not have enough room to implement a
sophisticated power policy or one that can adapt well to the
purpose of the machine.The Plug and Play BIOS
(PNPBIOS) was unreliable in many situations.
PNPBIOS is 16-bit technology, so the
operating system has to use 16-bit emulation in order to
interface with PNPBIOS methods. &os;
provides an APM driver as
APM should still be used for systems
manufactured at or before the year 2000. The driver is
documented in &man.apm.4;.ACPIAPMThe successor to APM is the Advanced
Configuration and Power Interface (ACPI).
ACPI is a standard written by an alliance of
vendors to provide an interface for hardware resources and power
management. It is a key element in Operating
System-directed configuration and Power Management
as it provides more control and flexibility to the operating
system.This chapter demonstrates how to configure
ACPI on &os;. It then offers some tips on
how to debug ACPI and how to submit a problem
report containing debugging information so that developers can
diagnosis and fix ACPI issues.Configuring ACPIIn &os; the &man.acpi.4; driver is loaded by default at
system boot and should not be compiled
into the kernel. This driver cannot be unloaded after boot
because the system bus uses it for various hardware
interactions. However, if the system is experiencing
problems, ACPI can be disabled altogether
by rebooting after setting
hint.acpi.0.disabled="1" in
/boot/loader.conf or by setting this
variable at the loader prompt, as described in .ACPI and APM
cannot coexist and should be used separately. The last one
to load will terminate if the driver notices the other is
running.ACPI can be used to put the system into
a sleep mode with acpiconf, the
flag, and a number from
1 to 5. Most users only
need 1 (quick suspend to
RAM) or 3 (suspend to
RAM). Option 5 performs
a soft-off which is the same as running
halt -p.Other options are available using
sysctl. Refer to &man.acpi.4; and
&man.acpiconf.8; for more information.Common ProblemsACPIACPI is present in all modern computers
that conform to the ia32 (x86), ia64 (Itanium), and amd64
(AMD) architectures. The full standard has
many features including CPU performance
management, power planes control, thermal zones, various
battery systems, embedded controllers, and bus enumeration.
Most systems implement less than the full standard. For
instance, a desktop system usually only implements bus
enumeration while a laptop might have cooling and battery
management support as well. Laptops also have suspend and
resume, with their own associated complexity.An ACPI-compliant system has various
components. The BIOS and chipset vendors
provide various fixed tables, such as FADT,
in memory that specify things like the APIC
map (used for SMP), config registers, and
simple configuration values. Additionally, a bytecode table,
the Differentiated System Description Table
DSDT, specifies a tree-like name space of
devices and methods.The ACPI driver must parse the fixed
tables, implement an interpreter for the bytecode, and modify
device drivers and the kernel to accept information from the
ACPI subsystem. For &os;, &intel; has
provided an interpreter (ACPI-CA) that is
shared with &linux; and NetBSD. The path to the
ACPI-CA source code is
src/sys/contrib/dev/acpica. The glue
code that allows ACPI-CA to work on &os; is
in src/sys/dev/acpica/Osd. Finally,
drivers that implement various ACPI devices
are found in src/sys/dev/acpica.ACPIproblemsFor ACPI to work correctly, all the
parts have to work correctly. Here are some common problems,
in order of frequency of appearance, and some possible
workarounds or fixes. If a fix does not resolve the issue,
refer to for instructions
on how to submit a bug report.Mouse IssuesIn some cases, resuming from a suspend operation will
cause the mouse to fail. A known work around is to add
hint.psm.0.flags="0x3000" to
/boot/loader.conf.Suspend/ResumeACPI has three suspend to
RAM (STR) states,
S1-S3, and one suspend
to disk state (STD), called
S4. STD can be
implemented in two separate ways. The
S4BIOS is a
BIOS-assisted suspend to disk and
S4OS is implemented
entirely by the operating system. The normal state the
system is in when plugged in but not powered up is
soft off (S5).Use sysctl hw.acpi to check for the
suspend-related items. These example results are from a
Thinkpad:hw.acpi.supported_sleep_state: S3 S4 S5
hw.acpi.s4bios: 0Use acpiconf -s to test
S3, S4, and
S5. An of one
(1) indicates
S4BIOS support instead
of S4 operating system support.When testing suspend/resume, start with
S1, if supported. This state is most
likely to work since it does not require much driver
support. No one has implemented S2,
which is similar to S1. Next, try
S3. This is the deepest
STR state and requires a lot of driver
support to properly reinitialize the hardware.A common problem with suspend/resume is that many device
drivers do not save, restore, or reinitialize their
firmware, registers, or device memory properly. As a first
attempt at debugging the problem, try:&prompt.root; sysctl debug.bootverbose=1
&prompt.root; sysctl debug.acpi.suspend_bounce=1
&prompt.root; acpiconf -s 3This test emulates the suspend/resume cycle of all
device drivers without actually going into
S3 state. In some cases, problems such
as losing firmware state, device watchdog time out, and
retrying forever, can be captured with this method. Note
that the system will not really enter S3
state, which means devices may not lose power, and many
will work fine even if suspend/resume methods are totally
missing, unlike real S3 state.Harder cases require additional hardware, such as a
serial port and cable for debugging through a serial
console, a Firewire port and cable for using &man.dcons.4;,
and kernel debugging skills.To help isolate the problem, unload as many drivers as
possible. If it works, narrow down which driver is the
problem by loading drivers until it fails again. Typically,
binary drivers like nvidia.ko, display
drivers, and USB will have the most
problems while Ethernet interfaces usually work fine. If
drivers can be properly loaded and unloaded, automate this
by putting the appropriate commands in
/etc/rc.suspend and
/etc/rc.resume. Try setting
to 1
if the display is messed up after resume. Try setting
longer or shorter values for
to see if that
helps.Try loading a recent &linux; distribution to see if
suspend/resume works on the same hardware. If it works on
&linux;, it is likely a &os; driver problem. Narrowing down
which driver causes the problem will assist developers in
fixing the problem. Since the ACPI
maintainers rarely maintain other drivers, such as sound
or ATA, any driver problems should also
be posted to the &a.current.name; list and mailed to the
driver maintainer. Advanced users can include debugging
&man.printf.3;s in a problematic driver to track down where
in its resume function it hangs.Finally, try disabling ACPI and
enabling APM instead. If suspend/resume
works with APM, stick with
APM, especially on older hardware
(pre-2000). It took vendors a while to get
ACPI support correct and older hardware
is more likely to have BIOS problems with
ACPI.System HangsMost system hangs are a result of lost interrupts or an
interrupt storm. Chipsets may have problems based on boot,
how the BIOS configures interrupts before
correctness of the APIC
(MADT) table, and routing of the System
Control Interrupt (SCI).interrupt stormsInterrupt storms can be distinguished from lost
interrupts by checking the output of
vmstat -i and looking at the line that
has acpi0. If the counter is increasing
at more than a couple per second, there is an interrupt
storm. If the system appears hung, try breaking to
DDB (CTRLALTESC on console) and type
show interrupts.APICdisablingWhen dealing with interrupt problems, try disabling
APIC support with
hint.apic.0.disabled="1" in
/boot/loader.conf.PanicsPanics are relatively rare for ACPI
and are the top priority to be fixed. The first step is to
isolate the steps to reproduce the panic, if possible, and
get a backtrace. Follow the advice for enabling
options DDB and setting up a serial
console in or setting
up a dump partition. To get a backtrace in
DDB, use tr. When
handwriting the backtrace, get at least the last five and
the top five lines in the trace.Then, try to isolate the problem by booting with
ACPI disabled. If that works, isolate
the ACPI subsystem by using various
values of . See
&man.acpi.4; for some examples.System Powers Up After Suspend or ShutdownFirst, try setting
hw.acpi.disable_on_poweroff="0" in
/boot/loader.conf. This keeps
ACPI from disabling various events during
the shutdown process. Some systems need this value set to
1 (the default) for the same reason.
This usually fixes the problem of a system powering up
spontaneously after a suspend or poweroff.BIOS Contains Buggy BytecodeACPIASLSome BIOS vendors provide incorrect
or buggy bytecode. This is usually manifested by kernel
console messages like this:ACPI-1287: *** Error: Method execution failed [\\_SB_.PCI0.LPC0.FIGD._STA] \\
(Node 0xc3f6d160), AE_NOT_FOUNDOften, these problems may be resolved by updating the
BIOS to the latest revision. Most
console messages are harmless, but if there are other
problems, like the battery status is not working, these
messages are a good place to start looking for
problems.Overriding the Default AMLThe BIOS bytecode, known as
ACPI Machine Language
(AML), is compiled from a source language
called ACPI Source Language
(ASL). The AML is
found in the table known as the Differentiated System
Description Table (DSDT).ACPIASLThe goal of &os; is for everyone to have working
ACPI without any user intervention.
Workarounds are still being developed for common mistakes made
by BIOS vendors. The µsoft;
interpreter (acpi.sys and
acpiec.sys) does not strictly check for
adherence to the standard, and thus many
BIOS vendors who only test
ACPI under &windows; never fix their
ASL. &os; developers continue to identify
and document which non-standard behavior is allowed by
µsoft;'s interpreter and replicate it so that &os; can
work without forcing users to fix the
ASL.To help identify buggy behavior and possibly fix it
manually, a copy can be made of the system's
ASL. To copy the system's
ASL to a specified file name, use
acpidump with , to show
the contents of the fixed tables, and , to
disassemble the AML:&prompt.root; acpidump -td > my.aslSome AML versions assume the user is
running &windows;. To override this, set
hw.acpi.osname="Windows
2009" in
/boot/loader.conf, using the most recent
&windows; version listed in the ASL.Other workarounds may require my.asl
to be customized. If this file is edited, compile the new
ASL using the following command. Warnings
can usually be ignored, but errors are bugs that will usually
prevent ACPI from working correctly.&prompt.root; iasl -f my.aslIncluding forces creation of the
AML, even if there are errors during
compilation. Some errors, such as missing return statements,
are automatically worked around by the &os;
interpreter.The default output filename for iasl is
DSDT.aml. Load this file instead of the
BIOS's buggy copy, which is still present
in flash memory, by editing
/boot/loader.conf as follows:acpi_dsdt_load="YES"
acpi_dsdt_name="/boot/DSDT.aml"Be sure to copy DSDT.aml to
/boot, then reboot the system. If this
fixes the problem, send a &man.diff.1; of the old and new
ASL to &a.acpi.name; so that developers can
work around the buggy behavior in
acpica.Getting and Submitting Debugging InfoNateLawsonWritten by PeterSchultzWith contributions from TomRhodesACPIproblemsACPIdebuggingThe ACPI driver has a flexible
debugging facility. A set of subsystems and the level of
verbosity can be specified. The subsystems to debug are
specified as layers and are broken down into components
(ACPI_ALL_COMPONENTS) and
ACPI hardware support
(ACPI_ALL_DRIVERS). The verbosity of
debugging output is specified as the level and ranges from
just report errors (ACPI_LV_ERROR) to
everything (ACPI_LV_VERBOSE). The level is
a bitmask so multiple options can be set at once, separated by
spaces. In practice, a serial console should be used to log
the output so it is not lost as the console message buffer
flushes. A full list of the individual layers and levels is
found in &man.acpi.4;.Debugging output is not enabled by default. To enable it,
add options ACPI_DEBUG to the custom kernel
configuration file if ACPI is compiled into
the kernel. Add ACPI_DEBUG=1 to
/etc/make.conf to enable it globally. If
a module is used instead of a custom kernel, recompile just
the acpi.ko module as follows:&prompt.root; cd /sys/modules/acpi/acpi && make clean && make ACPI_DEBUG=1Copy the compiled acpi.ko to
/boot/kernel and add the desired level
and layer to /boot/loader.conf. The
entries in this example enable debug messages for all
ACPI components and hardware drivers and
output error messages at the least verbose level:debug.acpi.layer="ACPI_ALL_COMPONENTS ACPI_ALL_DRIVERS"
debug.acpi.level="ACPI_LV_ERROR"If the required information is triggered by a specific
event, such as a suspend and then resume, do not modify
/boot/loader.conf. Instead, use
sysctl to specify the layer and level after
booting and preparing the system for the specific event. The
variables which can be set using sysctl are
named the same as the tunables in
/boot/loader.conf.ACPIproblemsOnce the debugging information is gathered, it can be sent
to &a.acpi.name; so that it can be used by the &os;
ACPI maintainers to identify the root cause
of the problem and to develop a solution.Before submitting debugging information to this mailing
list, ensure the latest BIOS version is
installed and, if available, the embedded controller
firmware version.When submitting a problem report, include the following
information:Description of the buggy behavior, including system
type, model, and anything that causes the bug to appear.
Note as accurately as possible when the bug began
occurring if it is new.The output of dmesg after running
boot -v, including any error messages
generated by the bug.The dmesg output from boot
-v with ACPI disabled,
if disabling ACPI helps to fix the
problem.Output from sysctl hw.acpi. This
lists which features the system offers.The URL to a pasted version of the
system's ASL. Do
not send the ASL
directly to the list as it can be very large. Generate a
copy of the ASL by running this
command:&prompt.root; acpidump -dt > name-system.aslSubstitute the login name for
name and manufacturer/model for
system. For example, use
njl-FooCo6000.asl.Most &os; developers watch the &a.current;, but one should
submit problems to &a.acpi.name; to be sure it is seen. Be
patient when waiting for a response. If the bug is not
- immediately apparent, submit a PR using
- &man.send-pr.1;. When entering a PR,
+ immediately apparent, submit a bug report.
+ When entering a PR,
include the same information as requested above. This helps
developers to track the problem and resolve it. Do not send a
PR without emailing &a.acpi.name; first as
it is likely that the problem has been reported before.ReferencesMore information about ACPI may be
found in the following locations:The &os; ACPI Mailing List Archives
(https://lists.freebsd.org/pipermail/freebsd-acpi/)The ACPI 2.0 Specification (http://acpi.info/spec.htm)&man.acpi.4;, &man.acpi.thermal.4;, &man.acpidump.8;,
&man.iasl.8;, and &man.acpidb.8;
Index: head/en_US.ISO8859-1/books/handbook/mail/chapter.xml
===================================================================
--- head/en_US.ISO8859-1/books/handbook/mail/chapter.xml (revision 52154)
+++ head/en_US.ISO8859-1/books/handbook/mail/chapter.xml (revision 52155)
@@ -1,1951 +1,1951 @@
Electronic MailBillLloydOriginal
work by JimMockRewritten
by SynopsisemailElectronic Mail, better known as email, is
one of the most widely used forms of communication today. This
chapter provides a basic introduction to running a mail server
on &os;, as well as an introduction to sending and receiving
email using &os;. For more complete coverage of this subject,
refer to the books listed in .After reading this chapter, you will know:Which software components are involved in sending and
receiving electronic mail.Where basic Sendmail
configuration files are located in &os;.The difference between remote and local
mailboxes.How to block spammers from illegally using a mail server
as a relay.How to install and configure an alternate Mail Transfer
Agent, replacing
Sendmail.How to troubleshoot common mail server problems.How to set up the system to send mail only.How to use mail with a dialup connection.How to configure SMTP authentication for added
security.How to install and use a Mail User Agent, such as
mutt, to send and receive
email.How to download mail from a remote
POP or IMAP
server.How to automatically apply filters and rules to incoming
email.Before reading this chapter, you should:Properly set up a network connection ().Properly set up the DNS information
for a mail host ().Know how to install additional third-party software
().Mail ComponentsPOPIMAPDNSmail server daemonsSendmailmail server daemonsPostfixmail server daemonsqmailmail server daemonsEximemailreceivingMX recordmail hostThere are five major parts involved in an email exchange:
the Mail User Agent (MUA), the Mail Transfer
Agent (MTA), a mail host, a remote or local
mailbox, and DNS. This section provides an
overview of these components.Mail User Agent (MUA)The Mail User Agent (MUA) is an
application which is used to compose, send, and receive
emails. This application can be a command line program,
such as the built-in mail utility or a
third-party application from the Ports Collection, such as
mutt,
alpine, or
elm. Dozens of graphical
programs are also available in the Ports Collection,
including Claws Mail,
Evolution, and
Thunderbird. Some
organizations provide a web mail program which can be
accessed through a web browser. More information about
installing and using a MUA on &os; can
be found in .Mail Transfer Agent (MTA)The Mail Transfer Agent (MTA) is
responsible for receiving incoming mail and delivering
outgoing mail. &os; ships with
Sendmail as the default
MTA, but it also supports numerous
other mail server daemons, including
Exim,
Postfix, and
qmail.
Sendmail configuration is
described in . If another
MTA is installed using the Ports
Collection, refer to its post-installation message for
&os;-specific configuration details and the application's
website for more general configuration
instructions.Mail Host and MailboxesThe mail host is a server that is responsible for
delivering and receiving mail for a host or a network.
The mail host collects all mail sent to the domain and
stores it either in the default mbox
or the alternative Maildir format, depending on the
configuration. Once mail has been stored, it may either
be read locally using a MUA or remotely
accessed and collected using protocols such as
POP or IMAP. If
mail is read locally, a POP or
IMAP server does not need to be
installed.To access mailboxes remotely, a POP
or IMAP server is required as these
protocols allow users to connect to their mailboxes from
remote locations. IMAP offers several
advantages over POP. These include the
ability to store a copy of messages on a remote server
after they are downloaded and concurrent updates.
IMAP can be useful over low-speed links
as it allows users to fetch the structure of messages
without downloading them. It can also perform tasks such
as searching on the server in order to minimize data
transfer between clients and servers.Several POP and
IMAP servers are available in the Ports
Collection. These include
mail/qpopper,
mail/imap-uw,
mail/courier-imap, and
mail/dovecot2.It should be noted that both POP
and IMAP transmit information,
including username and password credentials, in
clear-text. To secure the transmission of information
across these protocols, consider tunneling sessions over
&man.ssh.1; ()
or using SSL ().Domain Name System (DNS)The Domain Name System (DNS) and
its daemon named play a large role in
the delivery of email. In order to deliver mail from one
site to another, the MTA will look up
the remote site in DNS to determine
which host will receive mail for the destination. This
process also occurs when mail is sent from a remote host
to the MTA.In addition to mapping hostnames to
IP addresses, DNS is
responsible for storing information specific to mail
delivery, known as Mail eXchanger
MX records. The MX
record specifies which hosts will receive mail for a
particular domain.To view the MX records for a
domain, specify the type of record. Refer to
&man.host.1;, for more details about this command:&prompt.user; host -t mx FreeBSD.org
FreeBSD.org mail is handled by 10 mx1.FreeBSD.orgRefer to for more
information about DNS and its
configuration.Sendmail Configuration
FilesChristopherShumwayContributed by SendmailSendmail is the default
MTA installed with &os;. It accepts mail
from MUAs and delivers it to the appropriate
mail host, as defined by its configuration.
Sendmail can also accept network
connections and deliver mail to local mailboxes or to another
program.The configuration files for
Sendmail are located in
/etc/mail. This section describes these
files in more detail./etc/mail/access/etc/mail/aliases/etc/mail/local-host-names/etc/mail/mailer.conf/etc/mail/mailertable/etc/mail/sendmail.cf/etc/mail/virtusertable/etc/mail/accessThis access database file defines which hosts or
IP addresses have access to the local
mail server and what kind of access they have. Hosts
listed as , which is the default
option, are allowed to send mail to this host as long as
the mail's final destination is the local machine. Hosts
listed as are rejected for all
mail connections. Hosts listed as
are allowed to send mail for any destination using this
mail server. Hosts listed as will
have their mail returned with the specified mail error.
If a host is listed as ,
Sendmail will abort the current
search for this entry without accepting or rejecting the
mail. Hosts listed as will
have their messages held and will receive the specified
text as the reason for the hold.Examples of using these options for both
IPv4 and IPv6
addresses can be found in the &os; sample configuration,
/etc/mail/access.sample:# $FreeBSD$
#
# Mail relay access control list. Default is to reject mail unless the
# destination is local, or listed in /etc/mail/local-host-names
#
## Examples (commented out for safety)
#From:cyberspammer.com ERROR:"550 We don't accept mail from spammers"
#From:okay.cyberspammer.com OK
#Connect:sendmail.org RELAY
#To:sendmail.org RELAY
#Connect:128.32 RELAY
#Connect:128.32.2 SKIP
#Connect:IPv6:1:2:3:4:5:6:7 RELAY
#Connect:suspicious.example.com QUARANTINE:Mail from suspicious host
#Connect:[127.0.0.3] OK
#Connect:[IPv6:1:2:3:4:5:6:7:8] OKTo configure the access database, use the format shown
in the sample to make entries in
/etc/mail/access, but do not put a
comment symbol (#) in front of the
entries. Create an entry for each host or network whose
access should be configured. Mail senders that match the
left side of the table are affected by the action on the
right side of the table.Whenever this file is updated, update its database and
restart Sendmail:&prompt.root; makemap hash /etc/mail/access < /etc/mail/access
&prompt.root; service sendmail restart/etc/mail/aliasesThis database file contains a list of virtual
mailboxes that are expanded to users, files, programs, or
other aliases. Here are a few entries to illustrate the
file format:root: localuser
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
procmail: "|/usr/local/bin/procmail"The mailbox name on the left side of the colon is
expanded to the target(s) on the right. The first entry
expands the root
mailbox to the localuser mailbox, which
is then looked up in the
/etc/mail/aliases database. If no
match is found, the message is delivered to localuser. The second
entry shows a mail list. Mail to ftp-bugs is expanded to
the three local mailboxes joe, eric, and paul. A remote mailbox
could be specified as
user@example.com. The third
entry shows how to write mail to a file, in this case
/dev/null. The last entry
demonstrates how to send mail to a program,
/usr/local/bin/procmail, through a
&unix; pipe. Refer to &man.aliases.5; for more
information about the format of this file.Whenever this file is updated, run
newaliases to update and initialize the
aliases database./etc/mail/sendmail.cfThis is the master configuration file for
Sendmail. It controls the
overall behavior of Sendmail,
including everything from rewriting email addresses to
printing rejection messages to remote mail servers.
Accordingly, this configuration file is quite complex.
Fortunately, this file rarely needs to be changed for
standard mail servers.The master Sendmail
configuration file can be built from &man.m4.1; macros
that define the features and behavior of
Sendmail. Refer to
/usr/src/contrib/sendmail/cf/README
for some of the details.Whenever changes to this file are made,
Sendmail needs to be restarted
for the changes to take effect./etc/mail/virtusertableThis database file maps mail addresses for virtual
domains and users to real mailboxes. These mailboxes can
be local, remote, aliases defined in
/etc/mail/aliases, or files. This
allows multiple virtual domains to be hosted on one
machine.&os; provides a sample configuration file in
/etc/mail/virtusertable.sample to
further demonstrate its format. The following example
demonstrates how to create custom entries using that
format:root@example.com root
postmaster@example.com postmaster@noc.example.net
@example.com joeThis file is processed in a first match order. When
an email address matches the address on the left, it is
mapped to the local mailbox listed on the right. The
format of the first entry in this example maps a specific
email address to a local mailbox, whereas the format of
the second entry maps a specific email address to a remote
mailbox. Finally, any email address from
example.com which has not matched any
of the previous entries will match the last mapping and be
sent to the local mailbox joe. When
creating custom entries, use this format and add them to
/etc/mail/virtusertable. Whenever
this file is edited, update its database and restart
Sendmail:&prompt.root; makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
&prompt.root; service sendmail restart/etc/mail/relay-domainsIn a default &os; installation,
Sendmail is configured to only
send mail from the host it is running on. For example, if
a POP server is available, users will
be able to check mail from remote locations but they will
not be able to send outgoing emails from outside
locations. Typically, a few moments after the attempt, an
email will be sent from MAILER-DAEMON
with a 5.7 Relaying Denied
message.The most straightforward solution is to add the
ISP's FQDN to
/etc/mail/relay-domains. If multiple
addresses are needed, add them one per
line:your.isp.example.com
other.isp.example.net
users-isp.example.org
www.example.orgAfter creating or editing this file, restart
Sendmail with
service sendmail restart.Now any mail sent through the system by any host in
this list, provided the user has an account on the system,
will succeed. This allows users to send mail from the
system remotely without opening the system up to relaying
SPAM from the Internet.Changing the Mail Transfer AgentAndrewBoothmanWritten by GregoryNeil ShapiroInformation taken from emails written by emailchange mta&os; comes with Sendmail already
installed as the MTA which is in charge of
outgoing and incoming mail. However, the system administrator
can change the system's MTA. A wide choice
of alternative MTAs is available from the
mail category of the &os; Ports
Collection.Once a new MTA is installed, configure
and test the new software before replacing
Sendmail. Refer to the documentation
of the new MTA for information on how to
configure the software.Once the new MTA is working, use the
instructions in this section to disable
Sendmail and configure &os; to use
the replacement MTA.Disable SendmailIf Sendmail's outgoing mail
service is disabled, it is important that it is replaced
with an alternative mail delivery system. Otherwise, system
functions such as &man.periodic.8; will be unable to deliver
their results by email. Many parts of the system expect a
functional MTA. If applications continue
to use Sendmail's binaries to try
to send email after they are disabled, mail could go into an
inactive Sendmail queue and
never be delivered.In order to completely disable
Sendmail, add or edit the following
lines in /etc/rc.conf:sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"To only disable Sendmail's
incoming mail service, use only this entry in
/etc/rc.conf:sendmail_enable="NO"More information on Sendmail's
startup options is available in &man.rc.sendmail.8;.Replace the Default MTAWhen a new MTA is installed using the
Ports Collection, its startup script is also installed and
startup instructions are mentioned in its package message.
Before starting the new MTA, stop the
running Sendmail processes. This
example stops all of these services, then starts the
Postfix service:&prompt.root; service sendmail stop
&prompt.root; service postfix startTo start the replacement MTA at system
boot, add its configuration line to
/etc/rc.conf. This entry enables the
Postfix MTA:postfix_enable="YES"Some extra configuration is needed as
Sendmail is so ubiquitous that some
software assumes it is already installed and configured.
Check /etc/periodic.conf and make sure
that these values are set to NO. If this
file does not exist, create it with these entries:daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"Some alternative MTAs provide their own
compatible implementations of the
Sendmail command-line interface in
order to facilitate using them as drop-in replacements for
Sendmail. However, some
MUAs may try to execute standard
Sendmail binaries instead of the
new MTA's binaries. &os; uses
/etc/mail/mailer.conf to map the expected
Sendmail binaries to the location
of the new binaries. More information about this mapping can
be found in &man.mailwrapper.8;.The default /etc/mail/mailer.conf
looks like this:# $FreeBSD$
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmailWhen any of the commands listed on the left are run, the
system actually executes the associated command shown on the
right. This system makes it easy to change what binaries are
executed when these default binaries are invoked.Some MTAs, when installed using the
Ports Collection, will prompt to update this file for the new
binaries. For example, Postfix
will update the file like this:#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmailIf the installation of the MTA does
not automatically update
/etc/mail/mailer.conf, edit this file in
a text editor so that it points to the new binaries. This
example points to the binaries installed by
mail/ssmtp:sendmail /usr/local/sbin/ssmtp
send-mail /usr/local/sbin/ssmtp
mailq /usr/local/sbin/ssmtp
newaliases /usr/local/sbin/ssmtp
hoststat /usr/bin/true
purgestat /usr/bin/trueOnce everything is configured, it is recommended to reboot
the system. Rebooting provides the opportunity to ensure that
the system is correctly configured to start the new
MTA automatically on boot.TroubleshootingemailtroubleshootingWhy do I have to use the FQDN for hosts on my
site?The host may actually be in a different domain. For
example, in order for a host in foo.bar.edu to reach a
host called mumble in the
bar.edu
domain, refer to it by the Fully-Qualified Domain Name
FQDN, mumble.bar.edu,
instead of just mumble.This is because the version of
BINDBIND which ships with &os;
no longer provides default abbreviations for non-FQDNs
other than the local domain. An unqualified host such as
mumble must either be found as
mumble.foo.bar.edu, or
it will be searched for in the root domain.In older versions of BIND,
the search continued across mumble.bar.edu, and
mumble.edu.
RFC 1535 details why this is considered bad practice or
even a security hole.As a good workaround, place the line:search foo.bar.edu bar.eduinstead of the previous:domain foo.bar.eduinto /etc/resolv.conf. However,
make sure that the search order does not go beyond the
boundary between local and public
administration, as RFC 1535 calls it.How can I run a mail server on a dial-up PPP
host?Connect to a &os; mail gateway on the LAN. The PPP
connection is non-dedicated.One way to do this is to get a full-time Internet
server to provide secondary
MX
MX record
services for the domain. In this example, the domain is
example.com
and the ISP has configured
example.net
to provide secondary MX services to the
domain:example.com. MX 10 example.com.
MX 20 example.net.Only one host should be specified as the final
recipient. For Sendmail, add
Cw example.com in
/etc/mail/sendmail.cf on example.com.When the sending MTA attempts
to deliver mail, it will try to connect to the system,
example.com,
over the PPP link. This will time out if the destination
is offline. The MTA will automatically
deliver it to the secondary MX site at
the Internet Service Provider (ISP),
example.net.
The secondary MX site will periodically
try to connect to the primary MX host,
example.com.Use something like this as a login script:#!/bin/sh
# Put me in /usr/local/bin/pppmyisp
( sleep 60 ; /usr/sbin/sendmail -q ) &
/usr/sbin/ppp -direct pppmyispWhen creating a separate login script for users,
instead use sendmail -qRexample.com in
the script above. This will force all mail in the queue
for
example.com
to be processed immediately.A further refinement of the situation can be seen from
this example from the &a.isp;:> we provide the secondary MX for a customer. The customer connects to
> our services several times a day automatically to get the mails to
> his primary MX (We do not call his site when a mail for his domains
> arrived). Our sendmail sends the mailqueue every 30 minutes. At the
> moment he has to stay 30 minutes online to be sure that all mail is
> gone to the primary MX.
>
> Is there a command that would initiate sendmail to send all the mails
> now? The user has not root-privileges on our machine of course.
In the privacy flags section of sendmail.cf, there is a
definition Opgoaway,restrictqrun
Remove restrictqrun to allow non-root users to start the queue processing.
You might also like to rearrange the MXs. We are the 1st MX for our
customers like this, and we have defined:
# If we are the best MX for a host, try directly instead of generating
# local config error.
OwTrue
That way a remote site will deliver straight to you, without trying
the customer connection. You then send to your customer. Only works for
hosts, so you need to get your customer to name their mail
machine customer.com as well as
hostname.customer.com in the DNS. Just put an A record in
the DNS for customer.com.Advanced TopicsThis section covers more involved topics such as mail
configuration and setting up mail for an entire domain.Basic ConfigurationemailconfigurationOut of the box, one can send email to external hosts as
long as /etc/resolv.conf is configured or
the network has access to a configured DNS
server. To have email delivered to the MTA
on the &os; host, do one of the following:Run a DNS server for the
domain.Get mail delivered directly to the
FQDN for the machine.SMTPIn order to have mail delivered directly to a host, it
must have a permanent static IP address, not a dynamic IP
address. If the system is behind a firewall, it must be
configured to allow SMTP traffic. To receive mail directly at
a host, one of these two must be configured:Make sure that the lowest-numbered
MXMX
record record in
DNS points to the host's static IP
address.Make sure there is no MX entry in
the DNS for the host.Either of the above will allow mail to be received
directly at the host.Try this:&prompt.root; hostname
example.FreeBSD.org
&prompt.root; host example.FreeBSD.org
example.FreeBSD.org has address 204.216.27.XXIn this example, mail sent directly to
yourlogin@example.FreeBSD.org
should work without problems, assuming
Sendmail is running correctly on
example.FreeBSD.org.For this example:&prompt.root; host example.FreeBSD.org
example.FreeBSD.org has address 204.216.27.XX
example.FreeBSD.org mail is handled (pri=10) by nevdull.FreeBSD.orgAll mail sent to example.FreeBSD.org will
be collected on hub under the same
username instead of being sent directly to your host.The above information is handled by the
DNS server. The DNS
record that carries mail routing information is the
MX entry. If no MX
record exists, mail will be delivered directly to the host by
way of its IP address.The MX entry for freefall.FreeBSD.org at
one time looked like this:freefall MX 30 mail.crl.net
freefall MX 40 agora.rdrop.com
freefall MX 10 freefall.FreeBSD.org
freefall MX 20 who.cdrom.comfreefall had many
MX entries. The lowest
MX number is the host that receives mail
directly, if available. If it is not accessible for some
reason, the next lower-numbered host will accept messages
temporarily, and pass it along when a lower-numbered host
becomes available.Alternate MX sites should have separate
Internet connections in order to be most useful. Your
ISP can provide this service.Mail for a DomainWhen configuring a MTA for a network,
any mail sent to hosts in its domain should be diverted to the
MTA so that users can receive their mail on
the master mail server.DNSTo make life easiest, a user account with the same
username should exist on both the
MTA and the system with the
MUA. Use &man.adduser.8; to create the
user accounts.The MTA must be the designated mail
exchanger for each workstation on the network. This is done
in theDNS configuration with an
MX record:example.FreeBSD.org A 204.216.27.XX ; Workstation
MX 10 nevdull.FreeBSD.org ; MailhostThis will redirect mail for the workstation to the
MTA no matter where the A record points.
The mail is sent to the MX host.This must be configured on a DNS
server. If the network does not run its own
DNS server, talk to the
ISP or DNS
provider.The following is an example of virtual email hosting.
Consider a customer with the domain customer1.org, where all
the mail for customer1.org should be
sent to mail.myhost.com. The
DNS entry should look like this:customer1.org MX 10 mail.myhost.comAn A> record is
not needed for customer1.org in order to
only handle email for that domain. However, running
ping against customer1.org will not
work unless an A record exists for
it.Tell the MTA which domains and/or
hostnames it should accept mail for. Either of the following
will work for Sendmail:Add the hosts to
/etc/mail/local-host-names when
using the FEATURE(use_cw_file).Add a Cwyour.host.com line to
/etc/sendmail.cf.Setting Up to Send OnlyBillMoranContributed by There are many instances where one may only want to send
mail through a relay. Some examples are:The computer is a desktop machine that needs to use
- programs such as &man.send-pr.1;, using the
+ programs such as &man.mail.1;, using the
ISP's mail relay.The computer is a server that does not handle mail
locally, but needs to pass off all mail to a relay for
processing.While any MTA is capable of filling
this particular niche, it can be difficult to properly configure
a full-featured MTA just to handle offloading
mail. Programs such as Sendmail and
Postfix are overkill for this
use.Additionally, a typical Internet access service agreement
may forbid one from running a mail server.The easiest way to fulfill those needs is to install the
mail/ssmtp port:&prompt.root; cd /usr/ports/mail/ssmtp
&prompt.root; make install replace cleanOnce installed, mail/ssmtp can be
configured with
/usr/local/etc/ssmtp/ssmtp.conf:root=yourrealemail@example.com
mailhub=mail.example.com
rewriteDomain=example.com
hostname=_HOSTNAME_Use the real email address for root. Enter the
ISP's outgoing mail relay in place of
mail.example.com.
Some ISPs call this the outgoing mail
server or SMTP server.Make sure to disable Sendmail,
including the outgoing mail service. See for details.mail/ssmtp has some other options
available. Refer to the examples in
/usr/local/etc/ssmtp or the manual page
of ssmtp for more information.Setting up ssmtp in this manner
allows any software on the computer that needs to send mail to
function properly, while not violating the
ISP's usage policy or allowing the computer
to be hijacked for spamming.Using Mail with a Dialup ConnectionWhen using a static IP address, one should not need to
adjust the default configuration. Set the hostname to the
assigned Internet name and Sendmail
will do the rest.When using a dynamically assigned IP address and a dialup
PPP connection to the Internet, one usually has a mailbox on the
ISP's mail server. In this example, the
ISP's domain is example.net, the user name
is user, the hostname
is bsd.home, and
the ISP has allowed relay.example.net as a mail
relay.In order to retrieve mail from the ISP's
mailbox, install a retrieval agent from the Ports Collection.
mail/fetchmail is a good choice as it
supports many different protocols. Usually, the
ISP will provide POP.
When using user PPP, email can be
automatically fetched when an Internet connection is established
with the following entry in
/etc/ppp/ppp.linkup:MYADDR:
!bg su user -c fetchmailWhen using Sendmail to deliver
mail to non-local accounts, configure
Sendmail to process the mail queue as
soon as the Internet connection is established. To do this, add
this line after the above fetchmail entry in
/etc/ppp/ppp.linkup: !bg su user -c "sendmail -q"In this example, there is an account for
user on bsd.home. In the home
directory of user on
bsd.home, create a
.fetchmailrc which contains this
line:poll example.net protocol pop3 fetchall pass MySecretThis file should not be readable by anyone except
user as it contains
the password MySecret.In order to send mail with the correct
from: header, configure
Sendmail to use
user@example.net rather than user@bsd.home and to send all mail via
relay.example.net,
allowing quicker mail transmission.The following .mc should
suffice:VERSIONID(`bsd.home.mc version 1.0')
OSTYPE(bsd4.4)dnl
FEATURE(nouucp)dnl
MAILER(local)dnl
MAILER(smtp)dnl
Cwlocalhost
Cwbsd.home
MASQUERADE_AS(`example.net')dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(nocanonify)dnl
FEATURE(nodns)dnl
define(`SMART_HOST', `relay.example.net')
Dmbsd.home
define(`confDOMAIN_NAME',`bsd.home')dnl
define(`confDELIVERY_MODE',`deferred')dnlRefer to the previous section for details of how to convert
this file into the sendmail.cf format. Do
not forget to restart Sendmail after
updating sendmail.cf.SMTP AuthenticationJamesGorhamWritten by Configuring SMTP authentication on the
MTA provides a number of benefits.
SMTP authentication adds a layer
of security to Sendmail, and provides
mobile users who switch hosts the ability to use the same
MTA without the need to reconfigure their
mail client's settings each time.Install security/cyrus-sasl2
from the Ports Collection. This port supports a number of
compile-time options. For the SMTP authentication method
demonstrated in this example, make sure that
is not disabled.After installing
security/cyrus-sasl2, edit
/usr/local/lib/sasl2/Sendmail.conf,
or create it if it does not exist, and add the following
line:pwcheck_method: saslauthdNext, install
security/cyrus-sasl2-saslauthd and add
the following line to
/etc/rc.conf:saslauthd_enable="YES"Finally, start the saslauthd daemon:&prompt.root; service saslauthd startThis daemon serves as a broker for
Sendmail to authenticate against
the &os; &man.passwd.5; database. This saves the trouble of
creating a new set of usernames and passwords for each user
that needs to use SMTP authentication,
and keeps the login and mail password the same.Next, edit /etc/make.conf and add
the following lines:SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2These lines provide Sendmail
the proper configuration options for linking to
cyrus-sasl2 at compile time. Make sure
that cyrus-sasl2 has been installed
before recompiling
Sendmail.Recompile Sendmail by
executing the following commands:&prompt.root; cd /usr/src/lib/libsmutil
&prompt.root; make cleandir && make obj && make
&prompt.root; cd /usr/src/lib/libsm
&prompt.root; make cleandir && make obj && make
&prompt.root; cd /usr/src/usr.sbin/sendmail
&prompt.root; make cleandir && make obj && make && make installThis compile should not have any problems if
/usr/src has not changed extensively
and the shared libraries it needs are available.After Sendmail has been
compiled and reinstalled, edit
/etc/mail/freebsd.mc or the local
.mc. Many administrators choose
to use the output from &man.hostname.1; as the name of
.mc for uniqueness. Add these
lines:dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnlThese options configure the different methods available
to Sendmail for authenticating
users. To use a method other than
pwcheck, refer to the
Sendmail documentation.Finally, run &man.make.1; while in
/etc/mail. That will run the new
.mc and create a
.cf named either
freebsd.cf or the name used for the
local .mc. Then, run make
install restart, which will copy the file to
sendmail.cf, and properly restart
Sendmail. For more information
about this process, refer to
/etc/mail/Makefile.To test the configuration, use a MUA to
send a test message. For further investigation, set the
of Sendmail
to 13 and watch
/var/log/maillog for any errors.For more information, refer to
SMTP authentication.Mail User AgentsMarcSilverContributed by Mail User AgentsA MUA is an application that is used to
send and receive email. As email evolves and
becomes more complex, MUAs are becoming
increasingly powerful and provide users increased functionality
and flexibility. The mail category of the
&os; Ports Collection contains numerous MUAs.
These include graphical email clients such as
Evolution or
Balsa and console based clients such
as mutt or
alpine.mail&man.mail.1; is the default
MUA installed with &os;. It is a console
based MUA that offers the basic
functionality required to send and receive text-based email.
It provides limited attachment support and can only access
local mailboxes.Although mail does not natively support
interaction with POP or
IMAP servers, these mailboxes may be
downloaded to a local mbox using an
application such as
fetchmail.In order to send and receive email, run
mail:&prompt.user; mailThe contents of the user's mailbox in
/var/mail are automatically read by
mail. Should the mailbox be empty, the
utility exits with a message indicating that no mail could
be found. If mail exists, the application interface starts,
and a list of messages will be displayed. Messages are
automatically numbered, as can be seen in the following
example:Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/marcs": 3 messages 3 new
>N 1 root@localhost Mon Mar 8 14:05 14/510 "test"
N 2 root@localhost Mon Mar 8 14:05 14/509 "user account"
N 3 root@localhost Mon Mar 8 14:05 14/509 "sample"Messages can now be read by typing t
followed by the message number. This example reads the first
email:& t 1
Message 1:
From root@localhost Mon Mar 8 14:05:52 2004
X-Original-To: marcs@localhost
Delivered-To: marcs@localhost
To: marcs@localhost
Subject: test
Date: Mon, 8 Mar 2004 14:05:52 +0200 (SAST)
From: root@localhost (Charlie Root)
This is a test message, please reply if you receive it.As seen in this example, the message will be displayed
with full headers. To display the list of messages again,
press h.If the email requires a reply, press either
R or rmail keys. R instructs
mail to reply only to the sender of the
email, while r replies to all other
recipients of the message. These commands can be suffixed
with the mail number of the message to reply to. After typing
the response, the end of the message should be marked by a
single . on its own line. An example can be
seen below:& R 1
To: root@localhost
Subject: Re: test
Thank you, I did get your email.
.
EOTIn order to send a new email, press m,
followed by the recipient email address. Multiple recipients
may be specified by separating each address with the
, delimiter. The subject of the message may
then be entered, followed by the message contents. The end of
the message should be specified by putting a single
. on its own line.& mail root@localhost
Subject: I mastered mail
Now I can send and receive email using mail ... :)
.
EOTWhile using mail, press
? to display help at any time. Refer to
&man.mail.1; for more help on how to use
mail.&man.mail.1; was not designed to handle attachments and
thus deals with them poorly. Newer MUAs
handle attachments in a more intelligent way. Users who
prefer to use mail may find the
converters/mpack port to be of
considerable use.muttmutt is a powerful
MUA, with many features, including:The ability to thread messages.PGP support for digital signing and encryption of
email.MIME support.Maildir support.Highly customizable.Refer to http://www.mutt.org
for more information on
mutt.mutt may be installed using the
mail/mutt port. After the port has been
installed, mutt can be started by
issuing the following command:&prompt.user; muttmutt will automatically read
and display the contents of the user mailbox in
/var/mail. If no mails are found,
mutt will wait for commands from
the user. The example below shows
mutt displaying a list of
messages:To read an email, select it using the cursor keys and
press Enter. An example of
mutt displaying email can be seen
below:Similar to &man.mail.1;, mutt
can be used to reply only to the sender of the message as well
as to all recipients. To reply only to the sender of the
email, press r. To send a group reply
to the original sender as well as all the message recipients,
press g.By default, mutt uses the
&man.vi.1; editor for creating and replying to emails. Each
user can customize this by creating or editing the
.muttrc in their home directory and
setting the editor variable or by setting
the EDITOR environment variable. Refer to
http://www.mutt.org/
for more information about configuring
mutt.To compose a new mail message, press
m. After a valid subject has been given,
mutt will start &man.vi.1; so the
email can be written. Once the contents of the email are
complete, save and quit from vi.
mutt will resume, displaying a
summary screen of the mail that is to be delivered. In
order to send the mail, press y. An example
of the summary screen can be seen below:mutt contains extensive help
which can be accessed from most of the menus by pressing
?. The top line also displays the keyboard
shortcuts where appropriate.alpinealpine is aimed at a beginner
user, but also includes some advanced features.alpine has had several remote
vulnerabilities discovered in the past, which allowed remote
attackers to execute arbitrary code as users on the local
system, by the action of sending a specially-prepared email.
While known problems have been fixed,
alpine code is written in an
insecure style and the &os; Security Officer believes there
are likely to be other undiscovered vulnerabilities. Users
install alpine at their own
risk.The current version of alpine
may be installed using the mail/alpine
port. Once the port has installed,
alpine can be started by issuing
the following command:&prompt.user; alpineThe first time alpine
runs, it displays a greeting page with a brief introduction,
as well as a request from the
alpine development team to send
an anonymous email message allowing them to judge how many
users are using their client. To send this anonymous message,
press Enter. Alternatively, press
E to exit the greeting without sending an
anonymous message. An example of the greeting page is
shown below:The main menu is then presented, which can be navigated
using the cursor keys. This main menu provides shortcuts for
the composing new mails, browsing mail directories, and
administering address book entries. Below the main menu,
relevant keyboard shortcuts to perform functions specific to
the task at hand are shown.The default directory opened by
alpine is
inbox. To view the message index, press
I, or select the
MESSAGE INDEX option shown
below:The message index shows messages in the current directory
and can be navigated by using the cursor keys. Highlighted
messages can be read by pressing
Enter.In the screenshot below, a sample message is displayed by
alpine. Contextual keyboard
shortcuts are displayed at the bottom of the screen. An
example of one of a shortcut is r, which
tells the MUA to reply to the current
message being displayed.Replying to an email in alpine
is done using the pico editor,
which is installed by default with
alpine.
pico makes it easy to navigate the
message and is easier for novice users to use than &man.vi.1;
or &man.mail.1;. Once the reply is complete, the message can
be sent by pressing CtrlX. alpine will ask for
confirmation before sending the message.alpine can be customized using
the SETUP option from the main
menu. Consult http://www.washington.edu/alpine/
for more information.Using fetchmailMarcSilverContributed by fetchmailfetchmail is a full-featured
IMAP and POP client. It
allows users to automatically download mail from remote
IMAP and POP servers and
save it into local mailboxes where it can be accessed more
easily. fetchmail can be installed
using the mail/fetchmail port, and offers
various features, including:Support for the POP3,
APOP, KPOP,
IMAP, ETRN and
ODMR protocols.Ability to forward mail using SMTP,
which allows filtering, forwarding, and aliasing to function
normally.May be run in daemon mode to check periodically for new
messages.Can retrieve multiple mailboxes and forward them, based
on configuration, to different local users.This section explains some of the basic features of
fetchmail. This utility requires a
.fetchmailrc configuration in the user's
home directory in order to run correctly. This file includes
server information as well as login credentials. Due to the
sensitive nature of the contents of this file, it is advisable
to make it readable only by the user, with the following
command:&prompt.user; chmod 600 .fetchmailrcThe following .fetchmailrc serves as an
example for downloading a single user mailbox using
POP. It tells
fetchmail to connect to
example.com using
a username of joesoap
and a password of XXX. This example assumes
that the user joesoap
exists on the local system.poll example.com protocol pop3 username "joesoap" password "XXX"The next example connects to multiple POP
and IMAP servers and redirects to different
local usernames where applicable:poll example.com proto pop3:
user "joesoap", with password "XXX", is "jsoap" here;
user "andrea", with password "XXXX";
poll example2.net proto imap:
user "john", with password "XXXXX", is "myth" here;fetchmail can be run in daemon
mode by running it with , followed by the
interval (in seconds) that fetchmail
should poll servers listed in .fetchmailrc.
The following example configures
fetchmail to poll every 600
seconds:&prompt.user; fetchmail -d 600More information on fetchmail can
be found at http://www.fetchmail.info/.Using procmailMarcSilverContributed by procmailprocmail is a powerful
application used to filter incoming mail. It allows users to
define rules which can be matched to incoming
mails to perform specific functions or to reroute mail to
alternative mailboxes or email addresses.
procmail can be installed using the
mail/procmail port. Once installed, it can
be directly integrated into most MTAs.
Consult the MTA documentation for more
information. Alternatively, procmail
can be integrated by adding the following line to a
.forward in the home directory of the
user:"|exec /usr/local/bin/procmail || exit 75"The following section displays some basic
procmail rules, as well as brief
descriptions of what they do. Rules must be inserted into a
.procmailrc, which must reside in the
user's home directory.The majority of these rules can be found in
&man.procmailex.5;.To forward all mail from user@example.com to
an external address of goodmail@example2.com::0
* ^From.*user@example.com
! goodmail@example2.comTo forward all mails shorter than 1000 bytes to an external
address of goodmail@example2.com::0
* < 1000
! goodmail@example2.comTo send all mail sent to
alternate@example.com to a mailbox called
alternate::0
* ^TOalternate@example.com
alternateTo send all mail with a subject of Spam to
/dev/null::0
^Subject:.*Spam
/dev/nullA useful recipe that parses incoming &os;.org mailing lists and
places each list in its own mailbox::0
* ^Sender:.owner-freebsd-\/[^@]+@FreeBSD.ORG
{
LISTNAME=${MATCH}
:0
* LISTNAME??^\/[^@]+
FreeBSD-${MATCH}
}