SOLVED Where to put pre-init script? (or attempts to make FreeNAS safe; ipfw)

Status
Not open for further replies.

askomar

Dabbler
Joined
Jun 14, 2018
Messages
13
From the official doc: "select when the command/script will run; choices are Pre Init (very early in boot process before filesystems are mounted)"

So, if pre-init script runs before filesystems are mounted, then where should I place it?!

I'm trying to make FreeNAS at least somewhat protected (I see it's designed without thinking much about security). One part of this protection is to configure ipfw, which I first want to be deny by default. Since the FreeNAS kernel is built with a default accept policy, I have to set net.inet.ip.fw.default_to_accept=0, and the only way to do it is by setting loader Tunables. Once that's done, nothing will work (e.g. some services that FreeNAS loads on boot will not run) until ipfw allow rules are set (by the script).

So, where to put that script that will be executed "very early in boot process before filesystems are mounted"?
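
An added example, not part of the original thread and not FreeNAS's own code: a minimal allow-list of the kind the post describes, to be loaded once `net.inet.ip.fw.default_to_accept=0` has turned the final ipfw rule into a deny. The management subnet, the port list and the `IPFW_APPLY` switch are assumptions made for illustration.

```shell
#!/bin/sh
# With default_to_accept=0 the built-in rule 65535 is "deny ip from any to any",
# so everything the box needs must be allowed explicitly below.
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # constructed management subnet (assumption)
TCP_PORTS="${TCP_PORTS:-22 443}"          # assumed services: SSH and the HTTPS web GUI

# Print one ipfw rule body per line (without the "ipfw" prefix).
build_rules() {
    echo "add 100 allow ip from any to any via lo0"       # local services talk over loopback
    echo "add 200 check-state"                             # match established dynamic state first
    echo "add 300 allow tcp from me to any setup keep-state"
    echo "add 310 allow udp from me to any keep-state"     # DNS, NTP and similar outbound traffic
    echo "add 320 allow icmp from any to any icmptypes 0,3,8,11"
    n=400
    for port in $TCP_PORTS; do
        case "$port" in
            ''|*[!0-9]*) echo "skipping invalid port: $port" >&2; continue ;;
        esac
        echo "add $n allow tcp from $MGMT_NET to me $port setup keep-state"
        n=$((n + 10))
    done
}

# Feed each rule to ipfw; $rule is left unquoted on purpose so it splits into arguments.
apply_rules() {
    build_rules | while read -r rule; do
        ipfw -q $rule || exit 1
    done
}

# Dry run by default: print the rules. Set IPFW_APPLY=1 on the NAS to load them.
if [ "${IPFW_APPLY:-0}" = "1" ]; then
    ipfw -q -f flush && apply_rules
else
    build_rules
fi
```

Run it without `IPFW_APPLY` first and review the printed rules; after loading, `ipfw list` should show them ahead of the final `65535 deny ip from any to any`.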
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I think you are making a mistake to do this, but good luck. Click the button and it will pop a menu to point to your script.

 

Chris Moore

Mistake in what?
My question was not about how to use web interface.
Mistake in modifying the function of FreeNAS. Why do you want to do that?

Then what is your question? That is how you tell the system to run a pre-init script.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
You put the script in a pool for storage and copy it to /root for execution.
 

askomar

Guys, try once again. I quote the doc: "select when the command/script will run; choices are Pre Init (very early in boot process before filesystems are mounted)"

Is anyone from FreeNAS here to comment on this doc?
 

MrToddsFriends

Documentation Browser
Joined
Jan 12, 2015
Messages
1,338
Guys, try once again.

@garm already said what's needed to know. /root or a subfolder thereof is independent of mounted file systems as it resides on the freenas-boot pool. Furthermore the contents of /root survive reboots and updates (even in FreeNAS, which should be viewed as an appliance).

Putting a copy of your script somewhere in a data pool usually is a good idea as in many installations freenas-boot is less robust than data pools (for instance due to usage of USB flash drives).
 

askomar

@garm already said what's needed to know.

He said "put the script in a pool for storage" ;)

the contents of /root survive reboots and updates

Your explanation is good. Thank you. I'll give it a try.

Putting a copy of your script somewhere in a data pool usually is a good idea as in many installations freenas-boot is less robust than data pools (for instance due to usage of USB flash drives).

To make it really robust I installed freenas-boot on the same RAIDed zpool as the storage, so excluded USB flash and/or an additional drive.
 

Chris Moore

The guy is making changes to the way FreeNAS is designed. It is like the guy who was downloading the source code and making his own tweaks and had questions.

Once you make changes from the baseline, we are not necessarily going to be able to answer.

 

Chris Moore

Who decided that it is a point of failure? How many years have you been doing FreeNAS?

 

garm

I’m signing off this thread, best of luck to whoever gets to maintain this.
 

askomar

Who decided that it is a point of failure?
Who decided that it is not?

I decided, who else could decide about security and reliability if not a person who is going to ship a solution to clients and will be responsible for all consequences?

I decided based on:

Experience;
Statistics;
Common sense;
Experience;
Logical thinking;
Experience.

How many years have you been doing FreeNAS?
I've been doing FreeBSD since 4.x

Offtopic:

For 15+ years I have visited forums only a few times. Usually it happens either when 1) I have found some contradictions in docs that I can't figure out how to overcome or 2) it's the only source of support promoted by a developer. Because pretty much all forums are usually full of "experts" who are good for beginners only. More or less serious subjects always turn out to be a kind of flood. I do not want to turn this topic into a debate. People must learn to stop believing in the infallibility of something created by other people and think with their own mind before applying this or that application. I don't know what makes you think that tweaks are something wrong. If they were discouraged by iXsystems then they would never have offered Tunables or Pre/post init commands/scripts.


For the subject:

The documentation clearly says that I can run a script before filesystems are mounted. The reasonable question is where to put this script if filesystems are not mounted. That's all I need to know.
 

askomar

/root or a subfolder thereof is independent of mounted file systems as it resides on the freenas-boot pool.

FreeNAS will not allow linking any script to a location in /root; it fails with the error "The path must reside within a volume mount point". The question is still there: what did the guys from iXsystems mean when they wrote in the doc
"select when the command/script will run; choices are Pre Init (very early in boot process before filesystems are mounted)", or where do they suppose those scripts go?
 

Chris Moore

I decided, who else could decide about security and reliability if not a person who is going to ship a solution to clients and will be responsible for all consequences?

I decided based on:

Experience;
Statistics;
Common sense;
Experience;
Logical thinking;
Experience.
So, you decided that you are smarter than the entire development team. A development team that also makes the TrueNAS solution that iXsystems sells...
I've been doing FreeBSD since 4.x
FreeNAS is an appliance that is based on FreeBSD, but it is heavily modified and it is not the same thing.
 

MrToddsFriends

FreeNAS will not allow linking any script to a location in /root; it fails with the error "The path must reside within a volume mount point". The question is still there: what did the guys from iXsystems mean when they wrote in the doc [...]

Indeed a problem I did not expect to occur at this place.
 

askomar

So, you decided that you are smarter than the entire development team.

As for the building of safe systems - for sure! I'll tell you more: some day this team will come to the conclusion that it is much, much more reliable to have freenas-boot on RAIDZ (or even just on a mirror) together with the storage volume than on those sticks that are not intended for such applications at all! When they do what I did with my setup and open this to the community, come here for a thanks ;). You will be lucky if they realize this soon, otherwise I'm really sorry for those of you who spend an extra SSD and are still without RAID protection (!) or worse - USB flash! The worst scenario for the community is if they have already realized this, but keep this door for sales. It's OK, because they are a commercial organization after all, and the open source you get is just because of the licence that won't allow the opposite way. Otherwise they would probably like to build another closed system too.

I hope also that some day they will understand that at least some minimum firewall configuration should be there for users like you. Let it be pf, if they can't afford ipfw. :) Finally, I hope they will understand that a root password via web GUI is criminal! I'm ripped apart from the inside entering the root password into the web GUI. It ruins all canons of safety.

I do understand the background of this. Many programmers do not care about security at all and they don't understand the issue. I have met plenty of talented programmers (FreeNAS's guys can be on that list too... probably... not enough time to judge)... who just don't know how to make the systems they are programming safe. And if there is no leader in the team who takes it seriously, then we have what I see now...

I could continue the list, but I signed off since I found how to overcome most of the above reliability/safety flaws, including the one I started with.

A development team that also makes the TrueNAS solution that iXsystems sells...

I'll keep in mind that sales is a new measurement of smartness the next time I recall the beginning of this century with its Bitrix boom and their chmod 777.

I did not aim to show off, I just wanted to find out what they meant in the documentation. But you enticed me into a small tease. It was fun. Thanks!
 