New User, new server

Matthew Seaman matthew at
Tue Jun 20 15:34:30 UTC 2017

On 2017/06/20 15:33, Peter Ludikovsky wrote:
> Hello,
> I recently acquired a former office tower to replace my old home server
> (Debian 8), itself an even older office tower. As it's my primary
> storage location for images and documents I want something stable, and I
> want to try something besides Linux, so I'm going for FreeBSD
> 11-RELEASE. Which brings a few questions:
> 1) The new machine comes with a 128G SSD, in addition to the 2 4T HDDs
> from the older server. I'd like to set up ZFS root, with a slice of the
> SSD as ZIL and L2ARC, and the root mirrored across the SSD and the 2
> HDDs. Does this make sense, and if so what would be the ideal slice
> layout? Or should I just use the whole SSD as ZIL/L2ARC?

Use the 2 4T HDDs for your main zdev, and keep the SSD for ZIL/ARC
separately.  zpools work better if all of the storage devices are about
the same size and performance level.

Given you're going to mirror the two 4T HDDs, be aware that having just
one physical device for your separate logs will reintroduce a single
point of failure.  Even though a separate log device is not /required/,
and you can add and remove log devices on the fly, your system will
still crash'n'burn if the log device dies unexpectedly on you.  Better
to have mirrored logs if you can swing another SSD.

Oh, and with a SLOG device you generally don't need to allocate a huge
amount of space for all the different types of log.  Given the
throughput on the SSD, it's a good idea to run it 'undercommitted' (with
plenty of unallocated space) as this will give you extended life on the
device. Because of the wear-leveling, all of the memory cells on the
device will eventually be used, so by restricting the size of the
allocated areas, you effectively give yourself access to a lot more
"spare" memory cells than the device would give you as standard.

> 1.1) Can I start this setup with just the SSD an one HDD, as to keep the
> old server alive until everything is migrated?


> 2) Moving data from the old machine. Can I run zfs send/receive to get
> the ZFS on Linux datasets onto FreeBSD, or do I need to (r)sync?

That depends on the relative capabilities of the ZFS setup on each end
of the zfs send/receive chain.  Generally you can send from an older ZFS
to a newer one, but not vice versa.

It's easy to test though -- just create a very small ZFS and try sending
that to the other server.

> 3) Firewalling: PF, IPFW, or IPFilter? The machine will be behind an ISP
> provided router, but I'm paranoid enough to want an additional firewall
> on that machine, and one that plays nice with fail2ban at that.

PF has a much nicer (IMHO) configuration interface, but IPFW is higher
performance (although I doubt you're going to notice any difference
unless you'll be generating traffic at 1Gb/s or above for extended
periods.)  ipfilter is there for compatibility with other machines that
are running legacy ipfilter setups.  Not recommended for a new install.

> 4) As far as I understand it the host plays gateway for jails. Does that
> mean that any firewalling is done there too? If so, is any special
> configuration required besides enabling IP forwarding? (NAT, …)

This depends on the type of jail.  The traditional way, host and jails
share a single IP stack, and the host provides firewall services for all
of the jails.

There is a newer way of running jails -- keyword here is 'VIMAGE' (see: -- where each jail gets a separate
network stack and can run its own firewall.  This entails use of
something like an epair(4) interface, where one end gets passed to the
jail, and the other gets bridged together with the spare epairs from
other jails etc. to make a virtual switch inside the host machine.

VIMAGE is cool, and it has had a lot of work into making it run much
more smoothly nowadays, but if you've never used jails at all before
now, I'd advise you to start with just the regular style of jail.

I'd also suggest looking into a jail management system like iocage.

> 5) Currently all services on the machine run together. With FreeBSD I'd
> like to jail them. Is there an easy way to convert, or will I be
> creating jails for the services & shovel the data over as if it's a
> fresh install?

You can probably copy over config files, data etc. as the basis of the
config in your new jails, but they will need manual editing to set the
correct IP numbers and so forth.  As far as I know, there isn't a
generic and automated way to do that.

On the other hand, a host with a bunch of jails can be managed very
sweetly using something like ansible(1) -- everyone wants onto the
devops bandwagon, eh?

> Any pointers are appreciated. I'm in no hurry (old machine ain't dying
> yet), and I'd rather do it slow & clean than fast & dirty.

In that case, experiment.  Try out a number of different scenarios on
some throwaway test environments, then blow all that away and implement
a 'for real' setup with the benefit of what you've learned in testing.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list