Deployment of WebObjects applications on FreeBSD

WO on FreeBSD
Miguel Arroz
Global Village Consulting, Inc.
WOWODC 2011

FreeBSD overview
• UNIX System

• BSD License (of course!)

• Supports x86, amd64, pc98 as Tier 1

• Distributed and installed via FTP, HTTP, CD/DVD, etc.

FreeBSD overview
• Integration and consistency

• The same team handles the Kernel and user-land tools

• Release engineering team

Installation
• Pseudo-graphical installation

• Very fast, low footprint

• Installs only the essential, the rest is up to you

Networking
• Everything you would expect from an UNIX system

• Reference (KAME) IPv6 implementation

Documentation

• FreeBSD Handbook (free, on freebsd.org)

• Mail-lists

Security
• Most software installs with safe default
conﬁguration

• Installing a port prints a message with
security information if appropriate

• Easy to conﬁgure daily scan for security
advisors on OS and installed ports

• http://security.freebsd.org/

Security
The following files will be updated as part of
updating to 7.1-RELEASE-p16:
/usr/lib/libssl.a
/usr/lib/libssl.so.5
/usr/lib/libssl_p.a
/usr/src/crypto/openssl/ssl/s3_clnt.c
/usr/src/sys/conf/newvers.sh

WARNING: FreeBSD 7.1-RELEASE-p15 HAS PASSED ITS
END-OF-LIFE DATE.
Any security issues discovered after Tue Feb 1
00:00:00 WET 2011
will not have been corrected.

FreeBSD versions
• Major versions

• May break binary and source compatibility.

• Used to introduce new features, deprecate or remove unused
stuff.

FreeBSD versions
• Minor versions:

• Maintain binary and source compatibility (main goal)

• Bug ﬁxes, mostly

• New features (usually, small ones) if baked enough

FreeBSD versions
• Security advisors and erratas:

• Released for all the currently supported versions

• Very easy to install, specially if you use GENERIC kernel

• Fix security vulnerabilities and show-stopper bugs

• Don’t break binary or source compatibility

• Never introduce new features

• Kernel and OS source is updated too if installed

Release cycles
• Security advisors and erratas are only made available for
currently supported FreeBSD releases

• The life-time of each release depends on a few factors

Minor versions

.0 .1 .2 .3 .4
Major versions

8 8.0 8.1 8.2

7 7.0 7.1 7.2 7.3 7.4

6 6.0 6.1 6.2 6.3 …

Minor versions

.0 .1 .2 .3 .4
Major versions

8 8.0 8.1-P1 8.2-P1
8.1
8.1-P2 8.2

7 7.0 7.1 7.2 7.3-P1 7.4-P2
7.3
7.3-P2 7.4-P1
7.4
7.3-P3

6 6.0 6.1 6.2 6.3 …

Minor versions
New security advisor
New minor version
.0 .1 .2 .3 .4
New security advisor
Major versions

8 8.0 8.3
8.1 8.2-P1 8.3-P1
8.2
8.1-P1 8.2-P2
8.1-P2 8.2-P3
8.1-P3
8.1-P4
7 7.0 7.1 7.2 7.3 7.4-P1
7.4
7.3-P1 7.4-P2
7.3-P2 7.4-P3
7.3-P3 7.4-P4
7.3-P4
7.3-P5
6 6.0 6.1 6.2 6.3 …

Updating
• If using GENERIC kernel, errata or security advisor is trivial:

• freebsd-update fetch

• freebsd-update install

• reboot

• If stuff happens:

• freebsd-update rollback

Updating
• Put this on cron to be warned when there’s a patch to install:

• @daily root freebsd-update cron

• Minor and major version updates can be done remotely, but are
more complex

• Check FreeBSD Handbook (24.2 - FreeBSD Update)

• May need to recompile installed software

• May need console access

Installing software
• Packages

• Ports

• Traditional UNIX way (conﬁgure, make, make install)

Packages
• Binary distributions

• Usually smaller than source archives

• No compilation required

• Much faster, specially when there are many dependencies

• pkg_add -r <package>

Ports
• Packages are compiled with conservative options (must run on
all hardware). Ports can be tuned.

• Ports allow compile-time options conﬁguration.

• Some software licenses force source-only distribution.

• May apply local patches.

• The source is with you.

Port Tree
• The port tree stays in /usr/ports

• Installation using portsnap:

• portsnap fetch

• portsnap extract

• Updating:

• portsnap fetch

• portsnap update

Installing a Port
• Browser for ports: http://www.freebsd.org/ports/

• Install port (typical):

• cd /usr/ports/<path to port>

• make install clean

• make conﬁg to see conﬁguration menu

Updating ports
• The easiest way to upgrade a port and it’s dependencies is using
one of these utilities:

• portupgrade

• portmanager

• portmaster

• See Handbook (4.5.4 - Upgrading Ports)

Port security scan
• Install ports-mgmt/portaudit

• After installing, FreeBSD makes daily security scans on installed
ports and notiﬁes you of any released security advisors.

Checking for a current audit database:

Database created: Wed Apr 21 03:10:01 WEST 2010

Checking for packages with security vulnerabilities:

Affected package: sudo-1.7.2.5
Type of problem: sudo -- Privilege escalation with sudoedit.
Reference: <http://portaudit.FreeBSD.org/1a9f678d-48ca-11df-85f8-000c29a67389.html>

Affected package: gtar-1.22
Type of problem: gtar -- buffer overflow in rmt client.
Reference: <http://portaudit.FreeBSD.org/c175d72f-3773-11df-8bb8-0211d880e350.html>

2 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

Jails
• OS-level virtualization system

• More isolation than chroot, less isolation than VM

• Jail has its own kernel structures, binded IPs and superuser

• Can be used to test software or isolate deployed services

• Can’t use a different kernel

• No live-migration

BSD Hypervisor
• http://wiki.freebsd.org/201105DevSummit?
action=AttachFile&do=get&target=BHyVe.pdf

Status
!  Guest
–  FreeBSD/amd64 releases 7.2 and 8.1
–  SMP - up to 8 virtual cpus
–  I/O - virtio or pci passthru
–  Minor kernel patches required

!  Host
–  FreeBSD/amd64 release 8.1
–  Unmodified GENERIC kernel

!  Hardware
–  Requires hardware virtualization assist with Nested Page Tables
–  Intel VT-x is supported
–  AMD-V support in progress

3

Init scripts
• Shares a lot with Mac OS X startup items

• /etc/rc.conf - switches and conﬁgurations

• /etc/rc.d/<servicename> <action>

• /etc/rc.d/sshd restart

• /usr/local/etc/rc.d/<servicename> <action>

• Scripts can specify provided and required services

hostname="andromeda.example.com"
defaultrouter="XXX.XXX.XXX.XXX"

ifconfig_em0="inet X.X.X.X netmask X.X.X.X"
ifconfig_em0_alias0="inet X.X.X.X netmask 255.255.255.255"

ifconfig_em1="inet X.X.X.X netmask X.X.X.X"
ifconfig_em1_alias0="inet X.X.X.X netmask 255.255.255.0"

static_routes="service multicast"
route_service="-net X.X.X.X/8 X.X.X.X"
route_multicast="-net X.X.X.X X.X.X.X"

sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="time.service.example.com"
syslogd_enable="YES"
syslogd_flags="-ss"
ntpd_enable="NO"

Kernel Tuning
• File /etc/sysctl.conf:

# Increase the number of maximum open file descriptors
kern.maxfiles=65535

# Enough space to cache the full java launch command line,
# so that we can see it in "ps" output instead of [java]
kern.ps_arg_cache_limit=1024

# Limits the number of logging lines per logging rule
net.inet.ip.fw.verbose_limit=5

Java
• Diablo distribution (Sun JVM)

• Port java/diablo-jdk16

• Installation may include time-zone updaters and JCE Policy ﬁles

• All ﬁles must be downloaded manually due to licensing

• The port will guide you

Apache
• Port www/apache22

WebObjects
• Two ways to install the WO frameworks on FreeBSD:

• Using the WOPort

• Manually

• http://wiki.objectstyle.org/conﬂuence/display/WO/Deploying
+on+FreeBSD+8.2+and+WebObjects+5.4.3

DB Server

DB Server

DNS
WWW Server
Updates

Private

Public
WWW Server The Internets!
App Server
WWW Server
App Server

App Server

App Server

Why?
• Security

• Data between wotaskd and other components

• Data (RR) between adaptors and apps

• Broadcasted and other custom data between apps

• Hide database and other services from the public network

• Save public IPs

Why?
• Ideally, you should only expose ports 80 and 443

Network conﬁguration
• em0 with private IP

• em1 with public IP

• Add as much services as you can to private network

Software conﬁguration
• On ﬁle /usr/local/etc/rc.d/wotaskd:

• command_args="${log_args} -WOHost 10.1.2.3"

• On JavaMonitor:

• Add hosts using their private IPs

• Add -WOHost argument with private IP to apps

WOHostUtilities
• WO Apps need to make sure requests for stats, shutdown,
refuse new sessions, etc, are legit

• Those requests must not came from web server, and their source
must be localhost.

• Problem is… private IPs are not considered localhost IPs by Java.

WOHostUtilities
• Use Wonder, set er.extensions.WOHostUtilities.localhostips

er.extensions.WOHostUtilities.localhostips=(10.1.2.1,10.1.2.2,10.1.2.3)

SoftLayer
• Dual network conﬁguration by default

• VPN access to the private network

• Free IPv6 for every server

• Amazing support staff

One small detail…
• FreeBSD + Adaptec 5405 RAID card = pain

• Must use ﬁrmware 17574 or newer.

• SoftLayer use this cards, request updated ﬁrmware or older
card.

MONTREAL 1/3 JULY 2011

Q&A

Deployment of WebObjects applications on FreeBSD

More Related Content

What's hot (20)

Similar to Deployment of WebObjects applications on FreeBSD (20)

More from WO Community (20)

Recently uploaded (20)

Deployment of WebObjects applications on FreeBSD