Showing posts with label freebsd.

Sunday, February 26, 2017

How to install VMware tools on FreeBSD server

FreeBSD is my favorite operating system. All my FreeBSD servers (except embedded systems on physical microcomputers) run as virtual machines. VMware officially supports FreeBSD as a guest OS, so nothing stops you from virtualizing FreeBSD, even for production use.

VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. The guest operating system runs without VMware Tools, but you lose important functionality and convenience. In other words, VMware Tools are not required, but they are highly recommended for virtual machines running on VMware ESXi hosts.

There are multiple ways to install VMware Tools on FreeBSD, but I personally use the native FreeBSD package of Open VM Tools, since Open VM Tools is VMware's current recommendation for Unix-like guests, which includes FreeBSD. The reason I use Open VM Tools instead of the VMware Tools shipped on ESXi hosts or on VMware's download site is that I can deploy them with the standard FreeBSD package manager (pkg). It is fast, convenient, and fully integrated with the normal operating system update and upgrade procedures.

As you can see below, the installation on FreeBSD 10.x and later is very straightforward: one command to install the open-vm-tools package and five settings in /etc/rc.conf.

# You have to switch to the administrator account (root)
su -l root

# unattended install of Open VM Tools on a server without X11, using the FreeBSD package manager
pkg install -y open-vm-tools-nox11

# unattended install of Open VM Tools on a workstation with X11
pkg install -y open-vm-tools

To start Open VM Tools at boot, add the following settings to /etc/rc.conf (sysrc writes them there for you):

sysrc vmware_guest_vmblock_enable="NO"   # drag-and-drop; only useful on VMware Workstation or Fusion
sysrc vmware_guest_vmhgfs_enable="NO"    # shared folders; only useful on VMware Workstation or Fusion
sysrc vmware_guest_vmmemctl_enable="YES" # memory ballooning for VMware vSphere
sysrc vmware_guest_vmxnet_enable="YES"   # vmxnet is enabled by default anyway
sysrc vmware_guestd_enable="YES"         # guest daemon, e.g. reports the IP address to the vSphere Client

... and reboot the server.

Easy, right?
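A check I like to run after the reboot, added here as an example (it is not part of the original post or of the open-vm-tools port): it verifies that an rc.conf-style file carries the five settings configured above with the expected values, and that the kernel modules those settings load show up in kldstat output. Both inputs are files, so the functions run against the constructed samples below; on a real guest call them with /etc/rc.conf and a saved `kldstat` listing. The sample rc.conf and kldstat contents are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example: post-install sanity check for Open VM Tools on a FreeBSD guest.

# variable=expected-value pairs from the post (vmblock/vmhgfs stay off on a server)
REQUIRED_RC='vmware_guest_vmblock_enable=NO
vmware_guest_vmhgfs_enable=NO
vmware_guest_vmmemctl_enable=YES
vmware_guest_vmxnet_enable=YES
vmware_guestd_enable=YES'

# rc_value FILE VAR: effective value of VAR (last assignment wins, as in sh),
# with a trailing comment and surrounding double quotes removed
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# check_rc_conf FILE: print one line per missing or wrong setting; return 0
# only when all required settings are present with the expected value
check_rc_conf() {
    rc_status=0
    for entry in $REQUIRED_RC; do
        var=${entry%%=*}
        want=${entry#*=}
        have=$(rc_value "$1" "$var")
        if [ -z "$have" ]; then
            echo "MISSING: $var (expected \"$want\")"
            rc_status=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG:   $var=\"$have\" (expected \"$want\")"
            rc_status=1
        fi
    done
    return $rc_status
}

# check_kmods FILE: FILE holds kldstat(8) output; the module name is the last
# field. Only the modules the enabled settings load are required.
check_kmods() {
    km_status=0
    for mod in vmmemctl.ko vmxnet.ko; do
        if ! awk -v m="$mod" '$NF == m { found = 1 } END { exit !found }' "$1"; then
            echo "NOT LOADED: $mod"
            km_status=1
        fi
    done
    return $km_status
}

# write_samples DIR: constructed samples (not from a real host). good.conf
# follows the post; bad.conf leaves vmhgfs on and forgets vmware_guestd.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
hostname="fbsd-guest"
vmware_guest_vmblock_enable="NO"   # Workstation/Fusion only
vmware_guest_vmhgfs_enable="NO"    # Workstation/Fusion only
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"   # vmxnet is enabled by default anyway
vmware_guestd_enable="YES"
EOF
    cat > "$1/bad.conf" <<'EOF'
hostname="fbsd-guest"
vmware_guest_vmblock_enable="NO"
vmware_guest_vmhgfs_enable="YES"
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"
EOF
    cat > "$1/kldstat.txt" <<'EOF'
Id Refs Address            Size     Name
 1   17 0xffffffff80200000 1f5ba68  kernel
 2    1 0xffffffff82221000 3a40     vmmemctl.ko
 3    1 0xffffffff82225000 7c38     vmxnet.ko
EOF
}

# demo on the constructed samples
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== rc.conf as configured by the post =="
check_rc_conf "$demo_dir/good.conf" && echo "rc.conf OK"
echo "== rc.conf with vmhgfs left enabled and vmware_guestd missing =="
check_rc_conf "$demo_dir/bad.conf" || echo "rc.conf needs fixing"
echo "== kernel modules =="
check_kmods "$demo_dir/kldstat.txt" && echo "modules OK"
rm -rf "$demo_dir"
```

The value parser honours the sh rule that the last assignment wins, so a forgotten duplicate line further down in /etc/rc.conf is reported with the value that actually takes effect.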
 
And just for your information, Open VM Tools consists of four kernel modules (vmmemctl, vmxnet, vmblock, vmhgfs) and one daemon (guestd).

vmmemctl is the memory ballooning driver.
vmxnet is the paravirtualized network driver.
vmhgfs is the driver behind the shared folders feature of VMware Workstation and other products that use it. It is of no use on a server, therefore we do not enable it.
vmblock is a block filesystem driver that provides drag-and-drop functionality from the remote console.

The VMware guest daemon (guestd) handles communication between the guest and the host, including time synchronization.

On Windows and on supported Linux distributions there are further VMware Tools modules/drivers, but those are not supported on FreeBSD. For further information about all VMware Tools components look at

Monday, October 27, 2014

FreeBSD with multiple Serial Adapters acting as Access Console Server

I play a lot with network equipment like switches, routers and firewalls. It is very useful to have local serial access to the consoles of such devices. When I say local, I mean remote access to the local serial console. I could use a commercial access console server from a company like Avocent, but these devices are usually very expensive and do nothing more than a Linux box with multiple serial ports reachable remotely via ssh or telnet.

So my idea was to use my favorite Unix-like system (FreeBSD) with multiple serial ports. For such appliances I usually use Soekris or ALIX boards with FreeBSD on flash. The question is how to get multiple serial (RS-232) ports. The simplest method nowadays is USB serial adapters. I know these USB serial converters have some issues, but they really are the simplest piece of hardware to buy, plug in and use.

When you plug in some of these USB converters you should see new devices. In my case, dmesg shows the following:
uftdi0: on usbus1
uftdi1: on usbus1
uftdi2: on usbus1
uftdi3: on usbus1
To get the serial consoles working you have to load the uftdi kernel module. From uftdi(4): USB support for serial adapters based on the FTDI family of USB serial adapter chips.

The easiest way is to load the module at boot. Just add the following line to /boot/loader.conf:
uftdi_load="yes"
After the next boot you will have the following new devices in /dev:
/dev/cuaU0
/dev/cuaU1
/dev/cuaU2
/dev/cuaU3
... and you can use the cu program to connect to a particular serial console. For example
cu -l /dev/cuaU0 -s 9600
connects to the console at 9600 baud. The /dev/cuaU* nodes are group-owned by dialer with mode 0660 by default, so the account you let in over ssh to reach the consoles has to be a member of that group; it does not need to be root.
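To turn this box into an access console server in the least-privilege way, I would not hand out a shell at all but a forced command. The wrapper below is an added example, not code from the original post: a dedicated account (say `console`, member of group dialer) gets an authorized_keys entry such as `command="/usr/local/bin/console-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... ops@laptop`, and `ssh console@cs switch1` lands the user in `cu` on that port and nowhere else. The port names, device nodes and speeds in the table are placeholders to be edited for the real wiring.

```sh
#!/bin/sh
# Added example: sshd forced-command wrapper for a FreeBSD serial console server.

# name:device:speed - one line per console port (placeholders)
PORTS='switch1:/dev/cuaU0:9600
router1:/dev/cuaU1:9600
fw1:/dev/cuaU2:115200
switch2:/dev/cuaU3:9600'

# resolve_port NAME: print "device speed" for a known port name, fail otherwise.
# Only exact names from PORTS are accepted, so anything resembling a path
# ("../dev/da0", "/dev/cuaU9") or an option ("-l") never reaches cu.
resolve_port() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;      # allowlisted characters only
    esac
    printf '%s\n' "$PORTS" |
        awk -F: -v n="$1" '$1 == n { print $2, $3; found = 1 } END { exit !found }'
}

# list_ports: what the user may ask for
list_ports() {
    printf '%s\n' "$PORTS" | awk -F: '{ printf "  %-10s %s @ %s\n", $1, $2, $3 }'
}

# console_main REQUEST: REQUEST is the word the client passed. Exec cu on a
# known name; explain and fail otherwise.
console_main() {
    target=$(resolve_port "$1") || {
        echo "unknown console '$1'. Available:" >&2
        list_ports >&2
        return 1
    }
    dev=${target% *}
    speed=${target#* }
    echo "Connecting to $1 ($dev, $speed baud); type ~. to disconnect" >&2
    exec cu -l "$dev" -s "$speed"
}

# Under sshd the requested name arrives in SSH_ORIGINAL_COMMAND; when run by
# hand it is the first argument. Extra words after the name are ignored.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    console_main "${SSH_ORIGINAL_COMMAND%% *}"
elif [ $# -gt 0 ]; then
    console_main "$1"
fi
```

One caveat that decides how much this buys you: cu(1) has tilde escapes, and `~!` drops the user into a local shell as the console account. The wrapper therefore limits which device nodes are opened, not what the account can do on the box, so keep that account unprivileged (dialer group only, no sudo, nothing else on the host it should not see).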

Soekris NET4801-48 with USB reduction to 4xRS232

Tuesday, April 08, 2014

PRTG alerts phone call notifications

Someone asked me how to do phone call notification of critical alerts in the PRTG monitoring system. The advantage of a phone call over e-mail or SMS is that it can wake up a sleeping administrator at night when he is on call and a critical alert appears in the central monitoring system.

My conceptual answer was: use the PRTG API to monitor alerts and make a phone call when critical alerts exist.

The new generation of admins has no problem with APIs, but does not know how to dial a voice call. That is because they are the IP-based generation and have no experience with the modems we played with extensively back in the 80's and 90's ;-)

In the end I promised them to prepare an embedded system integrated with PRTG over the API, dialing a configured phone number in case of critical alerts.

Here is a picture of the hardware prototype, leveraging the Soekris computing platform running FreeBSD from a RAM disk and making phone calls via an RS-232 GSM modem.
Soekris computing platform and RS-232 GSM modem.
Here are related blog posts describing some of the technical details a little deeper:

Thursday, January 02, 2014

GSM/GPRS Modem Siemens ES75 - usefull AT commands

One customer asked me to prepare an automated system that can dial the admin's cellular phone in case of trouble. They use PRTG to monitor their environment. PRTG is IMHO a very good monitoring system. It can send an e-mail notification when a sensor is down or a threshold is exceeded. E-mail is OK, but with 24/7/365 SLAs it is important to learn about critical events as soon as possible. My idea was to prepare a simple system that periodically checks the PRTG sensors over the API and dials a cellular phone in case of any critical sensor downtime.

So here is the system description. The hardware is a SOEKRIS or ALIX system with FreeBSD installed on read-only CompactFlash. I use a Siemens ES75 GSM modem connected via an RS-232 serial cable to dial the GSM phone number.

This blog post is not about the hardware, FreeBSD or the PRTG API integration but about using the Siemens ES75; still, I believe the overview above is important to show the full context.

So, first of all we have to connect to the modem. We need a terminal emulator like Windows HyperTerminal, PuTTY, Minicom, etc. I use the default Unix terminal program, cu.

The default terminal speed of the Siemens ES75 is 115200 baud.

So here is the cu command to connect to the modem over my USB<->RS-232 adapter on a Mac:
cu -s 115200 -l /dev/tty.usbserial-00007324
On FreeBSD the cu syntax is the same; only the COM port device differs. Below is the connection over COM2 (/dev/cuau1):
cu -s 115200 -l /dev/cuau1
or, for a USB adapter,

cu -s 115200 -l /dev/ttyU0
Once connected to the modem we can work with it using AT commands. Useful AT commands follow.

Set the modem into factory defaults
at&f
If you want disable echo use
ate0
to enable echo use
ate1
Write running configuration to EEPROM
at&w
To slow down modem terminal speed to 38400 bauds
at+ipr=38400
Get modem vendor
at+cgmi 
Get modem model
at+cgmm
On my modem the vendor and model strings look like this (the ES75 reports itself as a Cinterion MC75i module):
at+cgmi
Cinterion
 
OK
at+cgmm
MC75i
OK 
To display the signal strength of the device:
at+csq
The returned value can be compared with the table here.

Display the SIM card identification number
at^scid
Extended event indicator control
at^sind
Here is an example of how to list all available indicators:
at^sind?
^SIND: battchg,1,5
^SIND: signal,1,99
^SIND: service,1,0
^SIND: sounder,1,0
^SIND: message,1,1
^SIND: call,1,0
^SIND: roam,1,0
^SIND: smsfull,1,0
^SIND: rssi,1,4
^SIND: audio,0,0
^SIND: simstatus,0,5
^SIND: vmwait1,0,0
^SIND: vmwait2,0,0
^SIND: ciphcall,0,1
^SIND: adnread,0,1
^SIND: eons,0,0,"","T-Mobile CZ"
^SIND: nitz,0,,,
^SIND: lsta,0,0
^SIND: band,0,3
^SIND: simlocal,0,1
OK
Before you can use the GSM network you usually have to register, authenticating with your PIN. Here is the AT+CPIN read command, which reports whether SIM PIN authentication is required.

at+cpin?
+CPIN: SIM PIN
OK

The answer is SIM PIN, which means we have to enter the PIN to register in the GSM network. Here is how to authenticate with PIN 3303:

at+cpin=3303
OK


Right now we are registered in the GSM network. You can verify it by running the AT+CPIN read command again:
at+cpin=?
OK 

No other authentication is required, so this is the proof that we are registered in the GSM network and can use it. If you want to disable PIN authentication completely you can use the command below. Keep in mind that a SIM without a PIN can be pulled out of the appliance and used by anybody who gets hold of it, so only do this on hardware you physically control:

at+clck="SC",0,"3303"
So now let's call a mobile number.

atd602123456;
BUSY
Here I dialed the number 602123456 of my mobile and, because I dropped the call, the status returned was BUSY.

When a call comes in, the terminal shows

RING

RING

RING

for every ring.

If you want to see the caller's phone number (aka calling line identification presentation) you have to instruct the modem with the following command:

at+clip=1 
OK
and during ringing you will also see the caller identification:

RING

+CLIP: "+420602123456",145,,,,0

RING

+CLIP: "+420602123456",145,,,,0

RING

+CLIP: "+420602123456",145,,,,0

or you can ask for the caller's phone number during ringing with the command
at+clcc
and the response is

RING

RING

RING
at+clcc
+CLCC: 1,1,4,0,0,"+420602525736",145

OK

RING

RING

And if you want to hang up an incoming call, use the following command:
ath
OK 
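For the watchdog that is the point of this exercise, the dialogue above has to be driven by a script rather than by somebody typing into cu. The functions below are an added example (not code from the original post or from the modem vendor): at_send talks to a real serial device, and the small parsers work on captured reply text, so they can be exercised offline with the replies quoted in this post. The device path, PIN and phone numbers are placeholders, and the +CSQ reply in the demo is constructed (the post does not show one); the dBm conversion follows 3GPP TS 27.007.

```sh
#!/bin/sh
# Added example: driving the ES75/MC75 AT dialogue from sh.

# at_send DEV CMD: send one CR-terminated AT command and print the reply up to
# and including the final result code. Configure the line first, e.g.
#   stty -f /dev/cuau1 115200 raw -echo      (FreeBSD uses -f, Linux -F)
# There is no read timeout: a dead modem blocks, so wrap calls in timeout(1).
at_send() {
    {
        printf '%s\r' "$2" >&3
        while IFS= read -r line <&3; do
            line=${line%"$(printf '\r')"}          # modems end lines with CR LF
            [ -n "$line" ] && printf '%s\n' "$line"
            case $line in
                OK|ERROR|BUSY|'NO CARRIER'|'NO ANSWER'|'NO DIALTONE'|'+CME ERROR'*|'+CMS ERROR'*) break ;;
            esac
        done
    } 3<>"$1"
}

# at_result REPLY: the final result code, i.e. the last non-empty line
at_result() {
    printf '%s\n' "$1" | tr -d '\r' | sed '/^[[:space:]]*$/d' | tail -n 1
}

# cpin_state REPLY: text after "+CPIN: " (READY, SIM PIN, SIM PUK, ...);
# fails when the reply carries no +CPIN line
cpin_state() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^+CPIN: *//p' | grep .
}

# csq_dbm REPLY: rssi index from "+CSQ: <rssi>,<ber>" converted to dBm
# (3GPP TS 27.007: 0 = -113 dBm, 31 = -51 dBm or better, 99 = not known)
csq_dbm() {
    rssi=$(printf '%s\n' "$1" | sed -n 's/^+CSQ: *\([0-9]*\),.*/\1/p')
    case $rssi in
        '') return 1 ;;
        99) echo unknown ;;
        *)  echo $((-113 + 2 * rssi)) ;;
    esac
}

# clip_number REPLY: calling number from the first unsolicited +CLIP line
clip_number() {
    printf '%s\n' "$1" | sed -n 's/^+CLIP: *"\([^"]*\)".*/\1/p' | head -n 1 | grep .
}

# sim_unlock DEV PIN: enter the PIN only if the modem reports "SIM PIN".
# Sending AT+CPIN=<pin> blindly on every cron run would, after a PIN change,
# burn the three attempts the SIM allows and leave it PUK-locked.
sim_unlock() {
    state=$(cpin_state "$(at_send "$1" 'AT+CPIN?')") || return 1
    case $state in
        READY)     return 0 ;;
        'SIM PIN') [ "$(at_result "$(at_send "$1" "AT+CPIN=$2")")" = OK ] ;;
        *)         echo "SIM needs attention: $state" >&2; return 1 ;;
    esac
}

# dial DEV NUMBER: voice call (the trailing ';' makes it voice, not data);
# prints what the modem answered: OK, BUSY, NO CARRIER, ...
dial() {
    at_result "$(at_send "$1" "ATD$2;")"
}

# --- offline demo on reply text as it appears in the post ---------------------
reply_pin='at+cpin?
+CPIN: SIM PIN
OK'
reply_csq='+CSQ: 18,99
OK'
reply_ring='RING
+CLIP: "+420602123456",145,,,,0
RING'
reply_dial='atd602123456;
BUSY'

echo "SIM state:   $(cpin_state "$reply_pin")"
echo "Signal:      $(csq_dbm "$reply_csq") dBm"
echo "Caller:      $(clip_number "$reply_ring")"
echo "Dial result: $(at_result "$reply_dial")"
# on the appliance: sim_unlock /dev/cuau1 3303 && dial /dev/cuau1 602123456
```

The only state the script keeps is what the modem tells it, which is why sim_unlock asks before it answers: a PIN retry loop is the easiest way to turn a monitoring appliance into a PUK-locked brick.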
That's it for now. If you need more AT commands for the Siemens ES75 GSM modem, ask Google for the document "mc75_atc_01001_eng.pdf". I found one copy here


Monday, December 23, 2013

FreeBSD running from read-only compact flash disk and accessible over serial console (COM1)

I very often use FreeBSD for automation tasks or as a network appliance. I like hardware like SOEKRIS, ALIX and similar low-power platforms without moving parts. On such platforms I run FreeBSD from a CompactFlash card, and we all know about the limited number of writes a CF card survives, don't we? So let's prepare the FreeBSD system to run on top of a read-only disk and prolong the life of the CompactFlash.

After a normal FreeBSD installation, edit /etc/rc.conf and add the following lines:
tmpmfs="yes"
tmpsize="20m"
varmfs="yes"
varsize="32m"
This instructs FreeBSD to keep /tmp and /var in memory file systems (RAM disks) instead of on the normal disk mount points. Together with a read-only disk this saves nearly all writes to the flash, while /tmp and /var stay writable, which a lot of applications need. Keep in mind that a RAM-backed /var is lost at reboot, logs included, so forward syslog to a remote host if you need the history.

Now we can set the boot disk read-only. I simply edit /etc/fstab and change Options from rw to ro for the boot disk. I also change Dump from 1 to 0.
The Dump parameter (dump-freq) sets the backup schedule for the partition (used by dump).
/etc/fstab should look like the example below:
# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada0p2     /               ufs     ro      0       1
So now my FreeBSD system is ready to run from a CompactFlash card in read-only mode, which eliminates the flash write problem; the system can run significantly longer than on a read-write disk. Read-only mode has its limitations, of course, but that's OK for a lot of automation and network appliances. When I need a data disk I usually use another disk (or CF) just for data.

After the FreeBSD reboot your mount points should look like the output below:
root@example:~ # mount
/dev/ada0p2 on / (ufs, local, read-only)
devfs on /dev (devfs, local, multilabel)
/dev/md0 on /var (ufs, local)
/dev/md1 on /tmp (ufs, local)

Because I am configuring a hardware appliance, I want to be able to control the system without a monitor and keyboard. Unix systems have always been ready for serial terminals, so we can simply redirect the console to the RS-232 port and use it for system administration.

Here is how to do it.
Add the following setting to /boot/loader.conf. You can do it simply by running
echo 'console="comconsole"' >> /boot/loader.conf
which redirects all boot messages to the serial console.

Edit /etc/ttys and change off to on and dialup to xterm for the ttyu0 entry. Otherwise a password will not be required to connect via the serial console, resulting in a potential security hole.

The line in /etc/ttys should look like this:
ttyu0   "/usr/libexec/getty std.9600"   xterm   on secure
The secure flag at the end lets root log in directly on that line. If the serial port is wired to a console server that people without root privileges on this box can reach, use insecure instead; marking the console entry in /etc/ttys insecure additionally makes init ask for the root password before dropping into single-user mode, which otherwise hands anybody at the serial port an unauthenticated root shell.
Update 2016-06-26: This is no longer needed on FreeBSD 9.3 and later, because a new flag, "onifconsole", was added to /etc/ttys. It makes the system provide a login prompt on the serial line if that device is an active kernel console; otherwise it is equivalent to off.

Before editing the file I have to switch my disk from read-only to read-write mode, otherwise I will not be able to save the file. I switch from read-only to read-write mode with the command below:
mount -u /
If I want to change back to read-only mode, here is how I do it:
mount -a
This command remounts all mounts with the options from /etc/fstab, so my disk is read-only again.
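The step that goes wrong on a flash appliance is not the remount itself but forgetting the second one, or being interrupted between the two, which leaves the card read-write indefinitely. The wrapper below is an added example, not part of the original post: it runs a single command with / writable and restores read-only mode on every exit path, including a failing command and a signal. The remount commands live in variables so the logic can be exercised without touching a real root filesystem; the defaults are the explicit mount(8) forms `mount -uw /` and `mount -ur /`.

```sh
#!/bin/sh
# Added example: run one command with / remounted read-write, then go back to
# read-only no matter how the command ends. Defaults are the explicit mount(8)
# forms for FreeBSD; override REMOUNT_RW/REMOUNT_RO to test or to adapt.

REMOUNT_RW=${REMOUNT_RW:-'mount -uw /'}
REMOUNT_RO=${REMOUNT_RO:-'mount -ur /'}

# with_rw CMD [ARGS...]: remount read-write, run CMD, remount read-only, and
# return CMD's exit status. The trap restores read-only mode if the shell is
# interrupted or exits while CMD runs; it is cleared afterwards so a later
# non-zero exit of the calling script does not trigger a stray remount.
with_rw() {
    $REMOUNT_RW || { echo "with_rw: cannot remount / read-write" >&2; return 1; }
    trap '$REMOUNT_RO' EXIT INT TERM HUP
    "$@"
    rc=$?
    $REMOUNT_RO || echo "with_rw: WARNING / is still read-write" >&2
    trap - EXIT INT TERM HUP
    return $rc
}

# Usage on the appliance (as root):  with_rw.sh vi /etc/ttys
if [ $# -gt 0 ]; then
    with_rw "$@"
else
    echo "usage: $0 command [args...]  (runs command with / remounted read-write)" >&2
fi
```

Interactively, `mount -uw /; vi /etc/ttys; mount -ur /` is fine; the wrapper earns its keep in cron jobs and update scripts, where nobody is watching whether the second remount happened.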

I leave the disk in read-write mode for now because I have to make one last configuration change: instruct the system to use the COM port for the console.

I run
echo '-P'  >> /boot.config
to add the -P option to /boot.config. The advantage of -P is flexibility. If no keyboard is present, console messages are written to

  • serial and internal during boot phase
  • serial during boot loader phase
  • serial when system is running (in kernel phase)

If the keyboard is present in the system then monitor and keyboard is used as usual.
If the keyboard is absent the console is accessible over COM port.

Important note for systems without a graphics card like SOEKRIS: the other virtual terminal entries in /etc/ttys should be commented out, otherwise you will see errors like

Dec 22 20:25:38 PRTG-watchdog getty[1469]: open /dev/ttyv0: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1470]: open /dev/ttyv1: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1471]: open /dev/ttyv2: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1472]: open /dev/ttyv3: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1473]: open /dev/ttyv4: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1474]: open /dev/ttyv5: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1475]: open /dev/ttyv6: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1476]: open /dev/ttyv7: No such file or directory
Dec 22 20:25:38 PRTG-watchdog getty[1477]: open /dev/ttyu0: Interrupted system call

I usually leave ttyv0 enabled, otherwise you will not be able to use the normal console (monitor + keyboard) on systems that do have VGA and a keyboard.

So here is a typical /etc/ttys:
#
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
# Virtual terminals
#ttyv1  "/usr/libexec/getty Pc"         xterm   on  secure
#ttyv2  "/usr/libexec/getty Pc"         xterm   on  secure
#ttyv3  "/usr/libexec/getty Pc"         xterm   on  secure
#ttyv4  "/usr/libexec/getty Pc"         xterm   on  secure  
#ttyv5  "/usr/libexec/getty Pc"         xterm   on  secure
#ttyv6  "/usr/libexec/getty Pc"         xterm   on  secure    
#ttyv7  "/usr/libexec/getty Pc"         xterm   on  secure
#ttyv8  "/usr/local/bin/xdm -nodaemon"  xterm   off secure  
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
ttyu0   "/usr/libexec/getty std.9600"   xterm   on  secure

At the end don't forget to reboot the system to see whether the changes took effect and everything works.

I'm writing this blog post primarily for myself as a personal run-book, but I believe it can be useful for some other FreeBSD hackers ;-)

Monday, April 08, 2013

How to create FreeBSD memstick in running FreeBSD system

# make 2GB image file:
dd if=/dev/zero of=./memstick.img bs=1m count=2000
# load image as virtual disk device:
mdconfig -a -t vnode -f ./memstick.img -u 0
fdisk -iI /dev/md0
bsdlabel -wB /dev/md0s1
newfs /dev/md0s1a
mount /dev/md0s1a /mnt
cd /usr/src
make installkernel installworld DESTDIR=/mnt
umount /mnt
# insert memstick now, assuming it will be /dev/da0...
# raw copy virtual disk content to memstick.
dd if=/dev/md0 of=/dev/da0 bs=1m

Two things to keep in mind: installworld does not populate /etc, so run make distribution DESTDIR=/mnt and create an /mnt/etc/fstab with the root on the stick's partition before unmounting, or the stick will not boot into multi-user mode; and check with dmesg or camcontrol devlist that da0 really is the memstick before the final dd, because it overwrites whatever sits at that device.

Thursday, January 06, 2011

PPTP VPN in FreeBSD

This post is based on article at
https://www.dan.me.uk/blog/2010/02/07/pptp-vpn-in-freebsd-for-windows-xpvista7-clients/

Here's a simple guide to setting up a VPN server on FreeBSD so that Windows clients can connect using their built-in VPN clients. Be clear about what this protocol buys you today: the MS-CHAPv2 handshake PPTP relies on can be broken offline (it reduces to a single 56-bit DES key search), and MPPE is RC4 keyed from that same exchange, so treat this as a compatibility setup for legacy clients rather than a confidentiality boundary.

First, make sure your ports collection is up-to-date, then build poptop in /usr/ports/net/poptop:

# cd /usr/ports/net/poptop/
# make
# make install

Next we need to create a config file for poptop… create the file /usr/local/etc/pptpd.conf as follows:

nobsdcomp
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless

Next we need to create a PPP configuration file called /etc/ppp/ppp.conf (overwrite the existing file) as follows (edit the IPs to suit your network requirements):

loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 # Server (local) IP address, Range for Clients, and Netmask
 set ifaddr 192.168.31.254 192.168.31.120-192.168.31.128 255.255.255.255
 set server /tmp/vpn-in-%d "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 load loop
 disable pap
 disable passwdauth
 disable ipv6cp
 accept dns
 enable MSChapV2
 enable mppe
 disable deflate pred1
 deny deflate pred1
 set device !/etc/ppp/secure

Every line above except those ending with a colon(:) should be indented or ppp.conf will not work.

Next we need to create a file called /etc/ppp/secure with the following contents:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

And set it to be executable with chmod 0755 /etc/ppp/secure – this script will be run automatically during the VPN setup process.

Now we need to add logins for the VPN (you can have multiple username/password pairs in this file) in /etc/ppp/ppp.secret, like so. The passwords are stored in cleartext, because MS-CHAPv2 needs them, so keep the file readable by root only (chmod 0600 /etc/ppp/ppp.secret):

user1 pass1
user2 pass2
user3 pass3

And finally set the VPN server to start on bootup automatically by adding the following into /etc/rc.conf:

pptpd_enable="YES"

Now startup the VPN server by running:

/usr/local/etc/rc.d/pptpd start

Your VPN server is now ready on your FreeBSD server and you’re ready to configure your Windows clients to connect to it.

Monday, October 19, 2009

FreeBSD and multiple gateways

Question: How do I add multiple gateways to FreeBSD?
Answer: Not directly. FreeBSD has a single default route per routing table (newer releases offer several routing tables via the ROUTETABLES kernel option and setfib(1), but that is beyond this note).
Workaround: if you have a server with two sets of IP addresses, each set with its own gateway, do this.

  • First, you must select one of the gateways to be the default gateway.
  • Then you need ipfw (or any other FreeBSD firewall solution).
    Check that your kernel supports ipfw; if not, recompile the kernel with the following options (IPDIVERT and DUMMYNET are not required, but if you add IPFW/IPFW2 it is better to add these two as well; on releases before 9.0 the fwd action also needs options IPFIREWALL_FORWARD):
    #Firewall & NAT & DummyNet 
    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options DUMMYNET
    options IPFW2
    Add the following rule to your ipfw ruleset for every address that belongs to the non-default gateway. It matches packets sourced from that address and not destined to the host itself, and hands them to the second gateway instead of the default route:
     ipfw add rule_no fwd second_gateway_ip ip from ip_of_this_gateway to not me
    For example, I have two IP sets (10.0.0.100, 10.0.0.101, 10.0.0.102 for gateway 10.0.0.254) and (192.168.0.77, 192.168.0.78 for gateway 192.168.0.254). I chose 10.0.0.254 as the default gateway, so my ipfw rules are
     ipfw add 100 fwd 192.168.0.254 ip from 192.168.0.77 to not me
     ipfw add 110 fwd 192.168.0.254 ip from 192.168.0.78 to not me
Source: http://freebie.miraclenet.co.th/server/
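With more than two addresses the rules are easy to get wrong by hand, so here is an added example (not part of the original answer or its source) that generates them from a list of addresses and refuses to emit a rule for an address the host does not actually own, which in practice means a typo. The address sets are the ones from the answer; the ifconfig output it is checked against is constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example: generate the ipfw fwd rules for the policy-routing workaround.

# inet_addrs IFCONFIG_TEXT: print the IPv4 addresses found in ifconfig output
inet_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# is_ipv4 STRING: dotted quad with four numeric octets in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# fwd_rules START GATEWAY DEFAULT_GW IFCONFIG_TEXT ADDR...: print one
# "ipfw add N fwd GATEWAY ip from ADDR to not me" per address, numbered from
# START in steps of 10. Fails on a malformed address, on an address that is not
# configured on this host, and when GATEWAY is the default gateway (those
# addresses need no rule; the default route already covers them).
fwd_rules() {
    [ $# -ge 5 ] || { echo "fwd_rules: need START GATEWAY DEFAULT_GW IFCONFIG ADDR..." >&2; return 1; }
    start=$1; gw=$2; default_gw=$3; ifcfg=$4
    shift 4
    [ "$gw" != "$default_gw" ] || { echo "fwd_rules: $gw is the default gateway, no rules needed" >&2; return 1; }
    is_ipv4 "$gw" || { echo "fwd_rules: bad gateway $gw" >&2; return 1; }
    have=$(inet_addrs "$ifcfg")
    n=$start
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "fwd_rules: bad address $addr" >&2; return 1; }
        printf '%s\n' "$have" | grep -qxF "$addr" ||
            { echo "fwd_rules: $addr is not configured on this host" >&2; return 1; }
        echo "ipfw add $n fwd $gw ip from $addr to not me"
        n=$((n + 10))
    done
}

# constructed ifconfig output matching the two address sets from the answer
IFCONFIG_SAMPLE='sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.100 netmask 0xffffff00 broadcast 10.0.0.255
	inet 10.0.0.101 netmask 0xffffffff broadcast 10.0.0.101
	inet 10.0.0.102 netmask 0xffffffff broadcast 10.0.0.102
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.0.77 netmask 0xffffff00 broadcast 192.168.0.255
	inet 192.168.0.78 netmask 0xffffffff broadcast 192.168.0.78'

# demo: 10.0.0.254 is the default gateway, so only the 192.168.0.x set needs rules
fwd_rules 100 192.168.0.254 10.0.0.254 "$IFCONFIG_SAMPLE" 192.168.0.77 192.168.0.78
# on the real box: fwd_rules 100 192.168.0.254 10.0.0.254 "$(ifconfig)" 192.168.0.77 192.168.0.78 | sh
```

Piping the output through sh is deliberate: review the generated rules first, since a fwd rule with the wrong source address silently black-holes that address's traffic.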

Wednesday, November 28, 2007

Internet FailOver script for FreeBSD written in Perl

I wrote a Perl script that automatically detects an Internet uplink failure and switches over to the backup link. When the primary link is up again, the script switches back. Run it from crontab as often as you wish.

#!/usr/bin/perl
# Internet uplink failover for a FreeBSD router with two uplinks (sis0, sis1)
# and one LAN interface (sis2). Pings the primary gateway; if it is down and
# the secondary answers, moves the default route and the natd interface to the
# backup uplink, and moves them back once the primary is reachable again.
# Run from root's crontab.
use strict;
use warnings;
use Net::Frame::Device;
use Net::Ping;

my $uplink1_interface = "sis0";
my $uplink2_interface = "sis1";
my $lan_interface     = "sis2";
my $primary_gateway   = "10.0.3.1";
my $secondary_gateway = "10.10.1.1";

# print current date and time (gmtime returns a 0-based month and years since 1900)
my ($sec, $min, $hour, $mday, $mon, $year) = gmtime(time);
printf "GMT Time: %04d-%02d-%02d %02d:%02d:%02d\n",
    $year + 1900, $mon + 1, $mday, $hour, $min, $sec;

my $device_uplink1 = Net::Frame::Device->new(dev => $uplink1_interface);
my $device_uplink2 = Net::Frame::Device->new(dev => $uplink2_interface);
my $device_lan     = Net::Frame::Device->new(dev => $lan_interface);

# gatewayIp is undef when there is no default route at all
my $current_gateway = $device_lan->gatewayIp;
$current_gateway = '' unless defined $current_gateway;

print "Current default gateway: $current_gateway\n";
print "Primary default gateway: $primary_gateway\n";
print "Secondary gateway:       $secondary_gateway\n";

print "Checking primary internet uplink ...\n";
if (check_uplink($primary_gateway)) {
    if ($current_gateway ne $primary_gateway) {
        switch_gateway($primary_gateway, $uplink1_interface);
    } else {
        print "Current default gateway is set to primary gateway and is ok\n";
    }
} elsif (check_uplink($secondary_gateway)) {
    if ($current_gateway ne $secondary_gateway) {
        switch_gateway($secondary_gateway, $uplink2_interface);
    } else {
        print "Current default gateway is set to secondary gateway and is ok\n";
    }
} else {
    print "No uplink is up and working\n";
}

print "----\n";

######################################################
# Ping IP address and decide if it's reachable or not
# 1.parameter: IP
######################################################
sub check_uplink {
    my ($ip) = @_;

    # ICMP ping needs root, which the cron job on the router runs as anyway
    my $p  = Net::Ping->new("icmp");
    my $ok = $p->ping($ip);
    $p->close();

    return $ok; # 0 - false; 1 - true
}

######################################################
# Point the default route at a gateway, record the
# matching NATD interface and restart ipfw/natd
# 1.parameter: gateway IP, 2.parameter: uplink interface
######################################################
sub switch_gateway {
    my ($gateway, $uplink_if) = @_;

    # set default route to $gateway
    system("route", "delete", "default");
    system("route", "add", "default", $gateway) == 0
        or warn "route add default $gateway failed: $?\n";

    # Change NATD interface to $uplink_if
    change_nat_interface($uplink_if);

    # restart IPFW and NATD daemon
    system("/etc/rc.d/ipfw", "restart") == 0
        or warn "ipfw restart failed: $?\n";

    print "Default gateway has been changed to $gateway via interface $uplink_if\n";
}

######################################################
# Change NATD interface file
# 1.parameter: network interface
######################################################
sub change_nat_interface {
    my ($nat_if) = @_;

    # The ipfw/natd startup reads the uplink name from this file. It is written
    # as root, so a root-owned directory such as /var/run is a safer home than
    # the world-writable /tmp; the path is kept here to match the rc script.
    my $filename = "/tmp/natd_iface";
    if (open(my $fh, '>', $filename)) {
        print "change_nat_iface: writing $nat_if to $filename\n";
        print $fh $nat_if;
        close $fh;
    } else {
        print "change_nat_iface: Cannot write to $filename: $!\n";
        return 0;
    }

    return 1; # 0 - false; 1 - true
}