
Question: From FreeBSD to Debian, in four days?

Posted by chuffykow on Fri 2 Sep 2005 at 13:36

I've been an active FreeBSD admin/user for the past five years, running it mainly on Intel hardware, and recently, sparc64 hardware. I've come to really enjoy how the OS is built, and the precision in which it is presented to the administrator. I decided to take my experiences to a more professional setting, and applied/interviewed for a FreeBSD admin position. After a bit of a wait, they informed me that the position was actually not going to be available, but they would like me to interview for a Debian admin position. I said I would be glad to come in. Whoops.

The position would be maintaining high-end servers, primarily focused on serving dynamic web content, with lots of large downloads/streaming content. I imagine the machines will have solid and proper raid hardware, and every other toy that is part of more expensive datacenter grade hardware. The hardware platform was not specified, but I imagine it is x86. I have a solid background in Apache(1,2,mod_ssl), BIND9, NIS/NFS, Samba, etc, but it's all geared toward FreeBSD. What words of wisdom and other bits of advice do the regular readers here have? I'm interested in common caveats, and other tidbits that can generally only be gleaned from having used the system for a while. I'm of course going over the Debian Manuals (apt, securing, etc), but any advice long time users have tends to be worth a lot more in the long run.

Thanks in advance for the suggestions!

 

 


Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (213.164.xx.xx) on Fri 2 Sep 2005 at 14:53
Get a spare box, and install Debian on it. Install everything you need to get a fully functional setup that matches the setup they have told you about.

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (70.112.xx.xx) on Fri 2 Sep 2005 at 15:10
Read/learn FHS. Realize that Debian *strictly* adheres to it, so you know where to find things.

Most useful debian-specific commands:
dpkg --list : shows installed packages
dpkg -S /bin/foo : shows which installed package /bin/foo belongs to
apt-cache search foo : show me packages about 'foo'
apt-get install foo : download and install package foo
apt-get -s upgrade : simulate an upgrade - tell me what would be done if I were to do an actual upgrade. Useful to see what's going to be done without worrying about it actually happening.

That's my set of 'most-used' Debian-specific commands. Learning about each of the base programs (dpkg, apt-cache, apt-get) will help you get an idea of how the Debian package system works.

Enjoy, and best of luck.

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by DaveV (24.8.xx.xx) on Fri 2 Sep 2005 at 15:30

I would add the following command(s):

  1. apt-file: search packages from the apt databases.
  2. apt-spy: for finding fast apt repositories in your area.
  3. apt-src: download, build and install source packages.
  4. dpkg-reconfigure: to rerun package configuration.
Also, check out the Debian specific documentation at: http://www.debian.org/doc/

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (65.78.xx.xx) on Fri 2 Sep 2005 at 17:06

Useful tool: http://people.debian.org/~debacle/refcard/

Debian GNU/Linux Reference Card
The 101 most important things when using Debian GNU/Linux

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Steve (82.41.xx.xx) on Sat 3 Sep 2005 at 04:00

apt-spy has never done anything but segfault for me ...

Although it seems like a useful package I've resigned myself to not using it.

Steve
-- Steve.org.uk

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by hardik (61.95.xx.xx) on Sat 3 Sep 2005 at 07:17
How can you forget apt-move, to make a Debian repository from the Debian cache, which is in /var/cache/apt/archives.....
This is the most basic tool when you are doing Debian administration. Also apt-cacher, which is a most useful tool when you want to use your server as a proxy between the Debian mirror and your local users. The worst thing is that apt-cacher is not an official Debian apt utility. Check below site...



For apt-move



With Cheers,
Hardik Dalwadi.

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by simonw (212.24.xx.xx) on Fri 2 Sep 2005 at 15:38
There really aren't that many gotchas.

Learn "apt" thoroughly, the Debian reference is a good read, if rather dry.

Features like "apt-get remove --purge", "apticron", "cron-apt" are worth their weight in gold. If you find yourself struggling with the packaging system you've probably missed a command that does it for you, ask someone ;)

But also understand the releases properly, and why they exist, it isn't difficult, but there are a lot of people with funny ideas about them, and it took me a remarkably long time to get to grips with the basics of them (mostly for not reading the Debian reference material on them carefully enough).

I've built fairly complex systems on top of Debian Sarge, for email and web, without having to step outside of the prepared packages in Sarge once. Which is a tribute to the maturity of the packaging system. But I'd never managed anything as complex with other Unix-like systems without reverting to source far more frequently (even if in some cases I built my own packages). Stepping outside of the packaging system really is evil, that isn't just lip service.

Hardening is an interesting question. I tend not to explicitly harden Debian, apart from the trivial things like "apt-get remove portmap" after vanilla installs, so that the only listening processes are the ones I want listening.

There is a lot of hardening advice, much of which will I suspect appeal to anyone coming from FreeBSD, but I suspect a lot of it will break the existing packaging assumptions, and thus make the boxes harder to maintain.

None of the caching tools for packages are any good; either build your own Debian mirror (how to stress test rsync in one easy lesson), or tell squid that hanging onto a lot of huge .deb files is good karma, if you need to build or maintain a lot of boxes (or you are experimenting a lot and impatient).

We did a special Debian LUG meet, and made our own mirror for it (2 minute job, plus 4 days of rsync on a 2Mbps connection to get x86 packages for stable/testing/unstable and install media), and it is just great if you are experimenting or trying a lot of stuff. Really 100Mbps full duplex to the mirror saves a lot of time... Oh and we have a gigabit switch now ;)

As regards the Linux Kernel, Debian has tools for building bespoke kernel packages ("apt-get install kernel-package", docs are always in /usr/share/doc/kernel-package). Use them, don't even think of not using them, don't even read "non Debian" kernel HOW-TOs.

Indeed there is one right way to build a Linux kernel, and non-Debian people are all doing it wrong ;).

I'm guessing with fancy hardware you may have to build bespoke kernels, or at least bespoke kernel modules.

Although these days all my servers run stock kernels (again staying inside the packaging system means getting the latest kernel upgrades automatically). My Desktop box has a hideously bespoke kernel, with bespoke modules, it almost certainly could run a stock kernel if I'd known as much then as I do now.

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (64.160.xx.xx) on Fri 9 Sep 2005 at 07:45
("apt-get install kernel-package", docs are always in /usr/share/doc/kernel-package). Use them, don't even think of not using them, don't even read "non Debian" kernel HOW-TOs.

-heed this advice.. kernel-package makes life SO easy...

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by drdebian (194.208.xx.xx) on Thu 30 Aug 2007 at 19:13
Hardening is an interesting question. I tend not to explicitly harden Debian, apart from the trivial things like "apt-get remove portmap" after vanilla installs, so that the only listening processes are the ones I want listening.
I usually install the "harden" and "bastille" packages, which take care of the most important security issues.

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (131.251.xx.xx) on Fri 2 Sep 2005 at 16:40
'Me too' - about 6 weeks ago I went over to Ubuntu
(write up at http://number9.hellooperator.net/articles/2005/07/22/dances-with-penguins )
and last week I finally switched my last freebsd box to debian sarge.
As Linuxes go, it's a pretty good freebsd :)

Start with the 'debian reference' docs at:

http://www.us.debian.org/doc/manuals/reference/reference.en.html

Other than that, the only gotchas are:

* some kind of political license issue with openssl means that some packages aren't as SSLed-up as I'd like
* servers tend to be enabled by default once installed
* iptables is horrible compared to (i)pf

Other than that it's been a blast.
Once you get your head round dpkg-buildpackage, you'll find you can build from source when you have to and still keep track of installed software.



[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (81.57.xx.xx) on Mon 5 Sep 2005 at 08:19
iptables is horrible compared to (i)pf

I've been configuring firewalls for Linux for a long time (from ipfwadm to ipchains to iptables) and am not new to routing or advanced network concepts, but agree with you.

When I discovered OpenBSD and its firewall pf, I was, within 2 months, more confident and familiar with it than with several years of netfilter. IMHO iptables is a very bad UI for netfilter. And, clearly, netfilter has many weaknesses: IPv6 tracking is not stateful, no good state-level (connections, fragments, ...) redundancy / high availability mechanisms, the excellent "modulate state" and "synproxy state" functionalities are lacking, weak state & fragment tracking, ugly & useless "iptables -L" output, many fundamental functions relegated to the patch-o-matic "extra" section ...

So my advice for your fast Debian GNU/Linux learning race would be to quickly learn the Debian specifics (apt-get, apt-cache, aptitude, dpkg, dpkg-reconfigure, update-*, make-kpkg, ...), which are easy, coherent and well designed, and not to forget to keep enough time to learn netfilter/iptables basics.

(ps: on a more positive note, most of those netfilter weaknesses (except syntax) will be worked on next month at the 4th Netfilter Developers workshop. See http://workshop.netfilter.org/devel.html)

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by wouter (195.162.xx.xx) on Fri 2 Sep 2005 at 18:49

I admin Debian and FreeBSD servers mostly.

One difference between *BSD (and Slackware) and DEB/RPM package based distros is that you are better off not trying to install anything in between manually. Use /opt or make a package yourself. I consider this an annoying problem with package managers, I prefer source for servers -- but package systems have some clear advantages too, of course.

So you will have to do some things the 'Debian' way.

Some basic things I had to learn after using Slackware and FreeBSD are:

apt-get update
get the list of packages for your version and branch

apt-get upgrade
update the packages on the system themselves according to list without installing newer versions

apt-get dselect-upgrade
update the packages, but install newer versions
(probably most useful with Testing/Unstable branches, not with Stable since the versions are constant)

apt-get install
install a package (will prompt for dep's)

apt-get --purge remove
will remove a package (purge option removes the config files)

dpkg-reconfigure
reconfigures packages by rerunning their install script

apt-cache search
search for a word in the full list of packages, installed or not
(e.g. sniffer, mta, encrypt, etc)

apt-cache show
show the package description

aptitude
new console interface which should do all that in a more graphical way, try it!

Some quick crappily worded distinctions: dpkg is the package manager itself, i.e. the files and their layout, apt is the system with lists and branches, apt-cache is the cache of the list of current packages.

Install a new kernel (I always compile everything in the kernel on servers, no modules):
apt-get install kernel-package libncurses-dev libncurses5
apt-cache search kernel-source
apt-get install kernel-source-2.6.11
# -or- get the newest kernel from kernel.org
dmesg > dmesg_old.txt
cd /usr/src
ls -l kernel*
tar (xzvvf|xjvvf) kernel-source*.(gz|bz2) # you get the point
cd kernel-source-2.6.11
make menuconfig
# configure kernel
make-kpkg --revision MyBeautifulNewKernel.1 --bzImage kernel_image
# wait a too long time while the kernel is being built
cd ..
# use dpkg to install a local package
dpkg -i kernel-image-2.6.11_MyBeautifulNewKernel.1_i386.deb
# answer some questions about boot-floppy [no]
# answer the question about running lilo/grub to install the new kernel [yes]
# you're done, reboot

dmesg > dmesg_new.txt
# check if you didn't forget to compile something important

apt-get install sysv-rc-conf (or sysvconfig)
sysv-rc-conf
# configure your runlevel symlinks, what you want started at boot

apt-get install ntpdate
(nano|vi|emacs|other_holy_war) /etc/default/ntpdate
# set some ntp servers, or use pool.ntp.org, or europe.pool.ntp.org if you live in the EU

# check some settings
ls -l /etc/default/
ls -l /etc/network/
ls -l /etc/ssh/

As already mentioned in this page by someone else, iptables is pure horror compared to ipf/pf or ipfw. You need to find a good tutorial (luckily, there are many).

Apache default DocRoot is /var/www, cgi-bin is probably /usr/lib/cgi-bin, but I always change the whole configuration. Btw, apache2 has a nice configuration system with chopped up files for each vhost and module separate. Spend some time on it, it really pays off if you have to do a lot of complex apache configurations with many vhosts.

If you want to do advanced routing and other trickery:
apt-get install iproute

Don't forget to do a 'netstat -natu' or 'netstat -natup' as root to check if you're not running anything you don't want to be running.

Gotta run, more if/when I remember. Success!

[ Parent ]
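The `netstat -natup` check from the post above, together with the "servers tend to be enabled by default" and `apt-get remove portmap` remarks earlier in the thread, can be turned into a repeatable audit. This is an added example, not part of any poster's comment; the function names, the allowlist and the sample output are constructed for illustration, and the column layout assumed is that of net-tools `netstat`.

```shell
#!/bin/sh
# Added example: report listening sockets that are not on an allowlist.

# Constructed sample of `netstat -natup` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:111       0.0.0.0:*            LISTEN      1201/portmap
tcp        0      0 0.0.0.0:80        0.0.0.0:*            LISTEN      1522/apache
tcp        0      0 0.0.0.0:22        0.0.0.0:*            LISTEN      1480/sshd
tcp6       0      0 :::22             :::*                 LISTEN      1480/sshd
tcp        0      0 127.0.0.1:25      0.0.0.0:*            LISTEN      1410/exim4
tcp        0     48 192.0.2.10:22     198.51.100.7:51514   ESTABLISHED 2290/sshd
udp        0      0 0.0.0.0:111       0.0.0.0:*                        1201/portmap
udp        0      0 0.0.0.0:68        0.0.0.0:*                        1333/dhclient
EOF
}

# Read netstat output on stdin; print "proto/port bind-address program"
# for every listening TCP socket and every unconnected UDP socket.
listeners() {
  awk '
    # TCP rows carry a State column; UDP rows do not, so the program
    # name sits one field earlier there.
    $1 ~ /^tcp/ && $6 == "LISTEN" { emit($1, $4, $7) }
    $1 ~ /^udp/ && $5 ~ /:\*$/    { emit($1, $4, $6) }
    function emit(proto, addr_port, prog,   port, addr) {
      port = addr_port; sub(/.*:/, "", port)       # text after the last colon
      addr = addr_port; sub(/:[^:]*$/, "", addr)   # text before the last colon
      sub(/6$/, "", proto)                         # fold tcp6/udp6 into tcp/udp
      sub(/^[0-9]+\//, "", prog)                   # drop the PID
      if (prog == "") prog = "-"                   # netstat run without -p
      print proto "/" port, addr, prog
    }'
}

# $1: space-separated allowlist such as "tcp/22 tcp/80".
# Prints each listener that is not allowlisted, tagged "exposed" or
# "local-only" (bound to loopback). Returns 1 if any exposed one is found.
audit_listeners() {
  listeners | sort -u | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) {
      scope = ($2 == "127.0.0.1" || $2 == "::1") ? "local-only" : "exposed"
      print scope, $1, $2, $3
      if (scope == "exposed") bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# Offline demonstration on the constructed sample. On a live box, as root:
#   netstat -natup | audit_listeners "tcp/22 tcp/80"
sample_netstat | audit_listeners "tcp/22 tcp/80" \
  || echo "unexpected exposed listeners found (see lines above)"
```

On the sample, portmap (tcp and udp 111) and dhclient are reported as exposed, while the loopback-only exim4 is listed without failing the audit.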

Re: Question: From FreeBSD to Debian, in four days?
Posted by Steve (82.41.xx.xx) on Sat 3 Sep 2005 at 03:59

Use /opt or make a package yourself.

I'd definitely second that.

Whilst making a "real" Debian package, conforming to our policies, seems challenging initially, it is surprisingly simple once you get the hang of it.

Failing that you can cheat and create Debian packages from source code with checkinstall in a few minutes if you have all the required dependencies available.

Steve
-- Steve.org.uk

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (84.45.xx.xx) on Sat 3 Sep 2005 at 11:37
"As already mentioned in this page by someone else, iptables is pure horror compared to ipf/pf or ipfw"

I'm intrigued.

I'm no iptables rule syntax fan (I have a huge firewall table at work, that needs dragging up to date, it is largely doing packet filtering, and I need to make more rules stateful (actually I mostly need to remove the rules for replies since the rules are stateful, but there are no prizes for getting firewall changes right - just pain when it is wrong)).

But a quick glance at the IPF documentation, suggests the syntax and layout looks pretty similar. Indeed I'd say practically identical. Thinking I could do a sed script to convert from one to other, and my sed is lousy.

iptables cries out for a greater level of abstraction (although of course a lot of the devil is in the detail which makes this hard).

Rusty, the guilty party in most of this, worked for Watchguard, and they had their own internal config file format (you used to have to hand edit it to get their firewalls to log to a syslog host).

From what I recall it abstracted to the level of grouping addresses nicely, grouping port ranges sensibly. Really nothing too clever. Alas with iptables this sort of thing is all too often left to scripts, but I haven't found a set of scripts that I feel confident to put the effort into.

I did for a while use guarddog, and guard(mumble) to configure my home desktop firewall. Which was adequate, but not brilliant GUI.


[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by wouter (195.162.xx.xx) on Sun 11 Sep 2005 at 02:44

I've written several firewalls for iptables and ipf, although I don't consider myself an expert on this subject. Of course, if all you want to do is block some ports, the syntax is very similar. But it's the routing and forwarding stuff that always confuses me in iptables, where the kernel sends what to, while ipf's syntax comes pretty easily. I can write an ipf script without documentation even if it has been a while; but not so for iptables. As far as I remember, ipchains was more straight-forward and transparent, too, although probably less featureful.

This is of course not a statement about the quality of the code in and of itself. I presume all mainstream firewall code to be secure, stable and fairly optimised.

Perhaps it's the mileage, I never understood why every kernel must have its own firewall language. FreeBSD has ipfw 1/2 (and pf, and perhaps ipf too, don't know); OpenBSD has pf now after a rather minor difference of opinion with the ipf author, NetBSD probably still uses ipf, and Linux has had ipchains which they replaced by iptables.

Yet it's still pretty much the same tcp/ip...

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Steve (82.41.xx.xx) on Sat 3 Sep 2005 at 03:53

I think you've had enough comments about the Debian-specific tools such as apt-get, and the lower levelled dpkg command which apt-get is built upon.

So instead I'll say that you'll likely not be surprised too much if you're already familiar with the FreeBSD way of doing things. Most packages such as apache, openssh, etc, are going to behave in ways that you'd expect. You'll find that Debian systems have more software installed upon them by default - for example Perl is part of the base install which I think is different from *BSDs.

I guess some of the less obvious differences are the way that services are setup via the /etc/init.d/ scripts - you can read about adding new init scripts if you need to see how that works.

Rather than having a global /etc/rc.conf file, or similar, most daemons will take their own settings from files stored beneath the /etc/default directory - that might be a surprise, but it becomes obvious once you explore the init scripts themselves.

You can find documentation included in most packages in the directory /usr/share/doc/NameOfPackage - often this directory will include examples. That's useful for a lot of the more complex packages.

If you have specific questions then you're likely to want to explore different ways of getting Debian support, that should get you answers fast, so long as your question is not too obscure, or badly phrased ;)

All in all Debian shouldn't contain too many surprises.

After you've played for a while it'd be interesting to hear your thoughts and comments on the switch. That might help other users in your position in the future.

Steve
-- Steve.org.uk

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by suspended user chuffykow (12.1.xx.xx) on Sat 3 Sep 2005 at 08:02
Thanks for all the comments. I've built a few different Debian machines on hardware I have floating around the house -- though none of it matches the class I expect to be working on.

I've felt very comfortable working with the apt-get/dpkg system. In many ways, it is similar to the ports tree on FreeBSD (and dports on Darwin/OS X). The learning curve was fairly short, most of the time, I was having to search for the particular apt-* command to actually get the information I needed. I was sort of hoping there would be one master binary to control everything, and it would just take flags as needed. But, once I learned apt-get, apt-cache, etc, I was through the tough spots.

I installed apache1 mod_ssl on a machine, and got it up and running. I was a bit disappointed to find the config files in /etc. I've really come to like /usr/local/ on FreeBSD, and I feel it provides a solid degree of separation between OS and non-OS software. Though I do like the fact that the package system installs non-OS software in a segregated location.

The only area I'm honestly worried about is questions specific to Linux/Debian -- fixing a broken kernel/module install, grub/lilo hacking, and modifying hardware parameters (raid, advanced network interfaces, serial setup, etc). Are there any solid resources for that area of Debian? I feel generally comfortable around the other aspects of the OS, but I would really like to get my hands dirty with that sort of problem.

Thanks again for the information everybody, I've started poring over the links people have posted, and I've created my own cheat sheet based on what people have talked about here.

[ Parent ]

Re: Question: From FreeBSD to Debian, in four days?
Posted by Anonymous (201.242.xx.xx) on Fri 30 Mar 2007 at 07:22
So, it's 2007, how was it?

[ Parent ]