This section is not ready, but the Virtualization with bhyve chapter of the FreeBSD Handbook is a starting point. QEMU cannot use bhyve as an accelerator; on NetBSD, QEMU should work with the nvmm accelerator.
as host OS
as guest OS
Test a ready made image
- Get a machine
- Get a ready made virtual machine image
- Run the machine
- run the following, changing the BIOS/firmware part if your image needs it
qemu-system-x86_64 -m 4096 -smp 4 -serial mon:stdio -nographic -drive file=FreeBSD-14.0-RELEASE-amd64.qcow2 -enable-kvm
- Close the machine from within FreeBSD with
poweroff
Prepare a ready made image
- Download, say, FreeBSD-15.0-RELEASE-amd64-BASIC-CLOUDINIT-ufs.qcow2.xz
- Get a machine
cp FreeBSD-15.0-RELEASE-amd64-BASIC-CLOUDINIT-ufs.qcow2.xz vm00.qcow2.xz - Make a copy of the file to avoid future downloads
unxz vm00.qcow2.xz - Expand the image (this leaves vm00.qcow2)
qemu-img resize vm00.qcow2 +4G - Resize the hard disk of the work copy to the desired size; in our case increase it by 4G
/usr/bin/qemu-system-x86_64 \
  -enable-kvm -m 8192 -cpu host -smp 4 \
  -drive file=./vm00.qcow2 \
  -monitor unix:/run/vm00.sock,server,nowait \
  -nic tap,mac=b4:e1:ad:2b:d3:00 \
  -serial mon:stdio -nographic \
  -pidfile /run/user/1001/vm00.pid \
  -name vm00,process=vm00
- run the machine with access to the serial console. For this FreeBSD image the cloud-init scripts are run for you on the first boot. Subsequently the virtual machine reboots and you are greeted with a login prompt. Just type
root
to access FreeBSD as root. From within the root console of the virtual machine get some things ready, such as remote access:
passwd - set a root password
vi /etc/rc.conf - set the hostname to a meaningful name
vi /etc/ssh/sshd_config - modify sshd to allow root login (PermitRootLogin yes), temporarily, so that the key can be copied over
reboot - after setting the root password reboot the machine. Send your public key file to the guest with
ssh-copy-id root@192.168.1.XXX or ssh-copy-id root@guest_hostname
where guest_hostname resolves to the IP address of the guest. You should be able to log in to the guest with ssh root@192.168.1.XXX or ssh root@guest_hostname. Log in with your new root password either from the serial console or remotely.
vi /etc/ssh/sshd_config - modify sshd to allow root login only with public key authentication (PermitRootLogin prohibit-password) and set PasswordAuthentication no
service sshd restart - make sure the sshd daemon uses the new configuration; there are alternative ways to do it of course
- perform any tasks you want on your virtual machine that runs FreeBSD. One good idea is to add a new user in the wheel group instead of logging in as root. Install any software that you need
pkg update - It is a good idea to set up the package repository for easier installation of software. Be aware of the pkg update issue
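The host-side steps above (copy, unpack, resize, run with a monitor socket, shut down) collected into one wrapper, as an added example that is not part of this page. The names vm00, /run/vm00.sock and the pid file path are the ones used in the command line above; everything else (the dry-run mode, the graceful-stop timeout, the fallback to the monitor's quit command) is an assumption of the example. It needs qemu-img, qemu-system-x86_64, unxz and socat on the host.

```shell
#!/bin/sh
# Host-side helper for the qemu/KVM guest prepared above (added example).
# Paths and names default to the ones on this page; override via environment.
set -u

VM_NAME="${VM_NAME:-vm00}"
VM_IMAGE="${VM_IMAGE:-./$VM_NAME.qcow2}"
VM_SOCK="${VM_SOCK:-/run/$VM_NAME.sock}"
VM_PIDFILE="${VM_PIDFILE:-/run/user/$(id -u)/$VM_NAME.pid}"
VM_MAC="${VM_MAC:-b4:e1:ad:2b:d3:00}"

# Copy the downloaded image, unpack it and grow its virtual disk.
vm_prepare() {  # vm_prepare <image.qcow2.xz> [+size]
    cp "$1" "$VM_NAME.qcow2.xz" &&
    unxz -f "$VM_NAME.qcow2.xz" &&                  # leaves $VM_NAME.qcow2
    qemu-img resize "$VM_NAME.qcow2" "${2:-+4G}"
}

# One place for the qemu command line: "vm_run dry-run" prints it, one
# argument per line, for review; "vm_run" executes it with the serial
# console on the current terminal.
vm_run() {  # vm_run [dry-run]
    mode=${1:-run}
    set -- qemu-system-x86_64 \
        -enable-kvm -m 8192 -cpu host -smp 4 \
        -drive "file=$VM_IMAGE,format=qcow2" \
        -monitor "unix:$VM_SOCK,server,nowait" \
        -nic "tap,mac=$VM_MAC" \
        -serial mon:stdio -nographic \
        -pidfile "$VM_PIDFILE" \
        -name "$VM_NAME,process=$VM_NAME"
    if [ "$mode" = dry-run ]; then printf '%s\n' "$@"; else exec "$@"; fi
}

# Send one command to the QEMU monitor over its unix socket.
vm_monitor() {  # vm_monitor <monitor command>
    printf '%s\n' "$1" | socat - "unix-connect:$VM_SOCK"
}

# True when the pid file names a live process.
vm_running() {
    [ -f "$VM_PIDFILE" ] && kill -0 "$(cat "$VM_PIDFILE")" 2>/dev/null
}

# Graceful stop: ACPI power button first, monitor "quit" only if the guest
# ignores it (that is a hard power-off and leaves the filesystems unclean).
vm_stop() {  # vm_stop [seconds to wait, default 60]
    vm_running || { echo "$VM_NAME is not running" >&2; return 0; }
    vm_monitor system_powerdown >/dev/null
    n=${1:-60}
    while [ "$n" -gt 0 ] && vm_running; do sleep 1; n=$((n - 1)); done
    if vm_running; then
        echo "$VM_NAME did not power down in time, forcing quit" >&2
        vm_monitor quit >/dev/null
    fi
}

case "${1:-}" in
    prepare) vm_prepare "$2" "${3:-+4G}" ;;
    start)   vm_run ;;
    show)    vm_run dry-run ;;
    stop)    vm_stop "${2:-60}" ;;
    status)  vm_running && echo running || echo stopped ;;
esac
```

Usage: ./vm.sh prepare FreeBSD-15.0-RELEASE-amd64-BASIC-CLOUDINIT-ufs.qcow2.xz, then ./vm.sh start; from another terminal ./vm.sh stop sends system_powerdown exactly as the socat line further down does, and waits for the pid to disappear before the disk image is touched again.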
poweroff - shut the guest down when you are done
Expand disk after installation
After creating the guest virtual machine, at some point your drive may be full, in which case you need to increase the disk space (RAM and the like are changed through the qemu-system-x86_64 options). From the host do
echo system_powerdown | socat - unix-connect:/path/to/work.sock - stop the virtual machine cleanly (this presses the ACPI power button through the QEMU monitor socket); wait for the qemu process to exit before touching the image
qemu-img resize work.qcow2 +4G - expand the drive by the desired amount
qemu-system-x86_64 -drive file=work.qcow2 - start the virtual machine. Include all options that you regularly use
ssh root@work - access the root console in the guest
gpart show - see the names of the disks as viewed by gpart. In my case the disk is ada0
gpart recover ada0 - if there is corruption fix it. This is expected after expanding the disk with qemu-img: the backup GPT header is no longer at the end of the disk, and gpart show marks the table as CORRUPT until it is recovered
gpart resize -i 5 ada0 - here -i 5 points to the (last) partition of the disk, where the root filesystem is stored. Take the index from the gpart show output; it has to be the last partition, otherwise there is no free space behind it to grow into
df -h - check which device the root filesystem is mounted from. Mine was not /dev/ada0p5 but /dev/gpt/rootfs, the GPT label of the same partition
growfs /dev/gpt/rootfs - grow the filesystem (this assumes you used a UFS filesystem)
reboot - reboot and log in again to verify the changes
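The guest-side part of the procedure, with the checks a practitioner wants before running gpart resize, as an added example that is not from the page: it reads the partition index from gpart show instead of hard-coding -i 5, maps the mounted root device (a /dev/gpt/ label or a /dev/ada0pN name) back to its index, and refuses to proceed when the root partition is not the last one, since growing it would then not help. The disk name ada0 and the label rootfs are the ones from the page; the sample gpart and df outputs embedded below are constructed for the demo.

```shell
#!/bin/sh
# Grow the root filesystem of a FreeBSD guest after the host enlarged its
# disk (added example, not from the page). Run plan first, then grow_root.
set -eu

# Index of the last partition in "gpart show <disk>" output: the only one
# with free space behind it after the disk grew.
last_partition_index() {  # last_partition_index "<gpart show output>"
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ { idx = $3 } END { print idx }'
}

# Index of the partition carrying a GPT label in "gpart show -l" output.
label_index() {  # label_index "<gpart show -l output>" <label>
    printf '%s\n' "$1" | awk -v l="$2" '$3 ~ /^[0-9]+$/ && $4 == l { print $3 }'
}

# gpart flags the table when the backup header is not at the end of the disk.
table_corrupt() { printf '%s\n' "$1" | grep -q 'CORRUPT'; }

# Device the root filesystem is mounted from (second line of "df /").
root_device() { printf '%s\n' "$1" | awk 'NR == 2 { print $1 }'; }

# Print the commands to run, or fail with a reason. Takes the tool outputs
# as arguments so the logic can be checked without touching a real disk.
plan_grow() {  # plan_grow <disk> "<gpart show>" "<gpart show -l>" "<df />"
    disk=$1; last=$(last_partition_index "$2"); dev=$(root_device "$4")
    [ -n "$last" ] || { echo "no partitions on $disk" >&2; return 1; }
    case $dev in
        /dev/gpt/*)       rootidx=$(label_index "$3" "${dev#/dev/gpt/}") ;;
        "/dev/${disk}p"*) rootidx=${dev#/dev/${disk}p} ;;
        *) echo "cannot map $dev to a partition of $disk" >&2; return 1 ;;
    esac
    if [ "$rootidx" != "$last" ]; then
        echo "root is partition ${rootidx:-?} but the free space is behind partition $last" >&2
        return 1
    fi
    if table_corrupt "$2"; then echo "gpart recover $disk"; fi
    echo "gpart resize -i $last $disk"
    echo "growfs -y $dev"          # -y: no confirmation prompt; UFS only
}

# Live run on the guest, as root: print the plan and execute it.
grow_root() {  # grow_root <disk>
    plan_grow "$1" "$(gpart show "$1")" "$(gpart show -l "$1")" "$(df /)" | sh -ex
}

# Constructed sample outputs for a demo run (not a real machine).
SAMPLE_SHOW='=>      40  20971440  ada0  GPT  (10G) [CORRUPT]
        40      1024     1  freebsd-boot  (512K)
      1064   1048576     2  efi  (512M)
   1049640   2097152     3  freebsd-swap  (1.0G)
   3146792   2097152     4  freebsd-ufs  (1.0G)
   5243944   6000000     5  freebsd-ufs  (2.9G)
  11243944   9727536        - free -  (4.6G)'
SAMPLE_SHOW_L='=>      40  20971440  ada0  GPT  (10G) [CORRUPT]
        40      1024     1  bootfs  (512K)
      1064   1048576     2  efiesp  (512M)
   1049640   2097152     3  swapfs  (1.0G)
   3146792   2097152     4  varfs  (1.0G)
   5243944   6000000     5  rootfs  (2.9G)
  11243944   9727536        - free -  (4.6G)'
SAMPLE_DF='Filesystem        Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs   2.8G    1.9G    656M    75%    /'

if [ "${1:-}" = demo ]; then
    plan_grow ada0 "$SAMPLE_SHOW" "$SAMPLE_SHOW_L" "$SAMPLE_DF"
fi
```

Running it with demo prints the three commands for the sample layout; on the guest, grow_root ada0 does the same against the real gpart and df output and executes them.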
Apache on FreeBSD
Install and configure Apache
pkg install apache24 - installs Apache
apachectl -M - list loaded modules
vi /etc/rc.conf - add
apache24_enable="yes"
to run apache at start up
cd /usr/local/etc/apache24/ - go to the apache24 config directory and create the necessary key and certificate. To use https with a self signed certificate start by creating the curve parameters
openssl ecparam -name prime256v1 -out p256-apache24.pem
openssl req -x509 -newkey ec:p256-apache24.pem -keyout apache24.key -out apache24.crt -days 365 -nodes - create the certificate and the corresponding key. The files apache24.key and apache24.crt are the needed files; keep apache24.key readable by root only.
vi /usr/local/etc/apache24/httpd.conf - and uncomment, to enable,
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule include_module libexec/apache24/mod_include.so
- allow https connections and server side includes (mod_ssl needs the shmcb session cache module)
Include etc/apache24/extra/httpd-ssl.conf - within this file the SSL certificate and key files are referenced. Those files must be present; they do not come with the package. Create your own if necessary.
Include etc/apache24/sites-enabled/*.conf - create the directory /usr/local/etc/apache24/sites-enabled and, with the above line, place all virtual hosts in that directory. All files ending with .conf will be read by apache.
- For basic authentication the password file (created with htpasswd) must live outside the document root, e.g. directly in /usr/local/www; the package's document root is /usr/local/www/apache24/data, and a password file below it could be served to clients
vi /usr/local/etc/apache24/extra/httpd-ssl.conf - Verify the correct place of the certificates that were created
SSLCertificateFile "/usr/local/etc/apache24/apache24.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/apache24.key"
service apache24 start - Start apache24
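The certificate steps and the sites-enabled layout above, as an added example that is not from the page: it generates the same prime256v1 key and self-signed certificate non-interactively (with a subjectAltName, which browsers require), checks that the certificate really matches the key, and writes a virtual host that redirects plain http to https and protects one directory with basic authentication whose password file sits outside the document root. The FreeBSD package paths are real; the host name www.example.test, the private/ directory and the /usr/local/www/.htpasswd location are assumptions of the example.

```shell
#!/bin/sh
# Self-signed EC certificate plus an https-only vhost for the apache24
# package on FreeBSD (added example, not the page's own commands).
set -eu

APACHE_ETC="${APACHE_ETC:-/usr/local/etc/apache24}"
DOCROOT="${DOCROOT:-/usr/local/www/apache24/data}"
HTPASSWD_FILE="${HTPASSWD_FILE:-/usr/local/www/.htpasswd}"   # assumed; outside DOCROOT

# Same key/cert as on the page, but non-interactive and with a SAN.
# -addext needs OpenSSL 1.1.1 or later. The key is created with umask 077.
make_selfsigned_ec() {  # make_selfsigned_ec <outdir> <basename> <hostname> [days]
    ( umask 077
      openssl ecparam -name prime256v1 -out "$1/p256-$2.pem"
      openssl req -x509 -newkey "ec:$1/p256-$2.pem" -keyout "$1/$2.key" \
          -out "$1/$2.crt" -days "${4:-365}" -nodes \
          -subj "/CN=$3" -addext "subjectAltName=DNS:$3" 2>/dev/null )
    chmod 644 "$1/$2.crt"                       # the certificate is public
}

# Check that a certificate and a private key belong together (a mismatch
# makes apache refuse to start, so catch it before service apache24 start).
cert_matches_key() {  # cert_matches_key <cert> <key>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# SHA-256 fingerprint, to compare with what clients see (openssl s_client).
cert_sha256() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# A password file inside the document root can be downloaded; refuse that.
htpasswd_outside_docroot() {
    case "$HTPASSWD_FILE" in "$DOCROOT"/*) return 1 ;; esac
    return 0
}

# Virtual host for sites-enabled: http redirects to https, https serves
# DOCROOT and asks for a password under /private.
write_vhost() {  # write_vhost <hostname> <cert basename>  -> stdout
    htpasswd_outside_docroot || { echo "refusing: $HTPASSWD_FILE is under $DOCROOT" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot "$DOCROOT"
    SSLEngine on
    SSLCertificateFile "$APACHE_ETC/$2.crt"
    SSLCertificateKeyFile "$APACHE_ETC/$2.key"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    <Directory "$DOCROOT/private">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile "$HTPASSWD_FILE"
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}

# Put everything in place and let apache check its own config.
install_site() {  # install_site <hostname> <cert basename>
    make_selfsigned_ec "$APACHE_ETC" "$2" "$1"
    cert_matches_key "$APACHE_ETC/$2.crt" "$APACHE_ETC/$2.key"
    mkdir -p "$APACHE_ETC/sites-enabled" "$DOCROOT/private"
    write_vhost "$1" "$2" > "$APACHE_ETC/sites-enabled/$1.conf"
    apachectl configtest
}
```

After install_site www.example.test apache24 create the first user with htpasswd -c /usr/local/www/.htpasswd username (htpasswd ships with the apache24 package) and then service apache24 start; mod_ssl and the socache_shmcb module still have to be enabled in httpd.conf as described above.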
Php82 on FreeBSD
install and configure
pkg install php82 - or with the script
./bsd_php82_mods.sh
which in addition installs apache24 and a bunch of useful extensions and reports
php -m - check the available modules; it appears json, openssl, pcre and spl (SPL) are installed by default
cp /usr/local/etc/php.ini-development /usr/local/etc/php.ini - create a php.ini file (on a server that faces the network use php.ini-production instead, which keeps display_errors off)
PostgreSQL on FreeBSD
Here the operating system runs on a virtual machine. Access its terminal as root
Installation
pkg update - update to the latest package catalogue in FreeBSD
pkg search postgresql - find the latest versions of PostgreSQL available to you
pkg install postgresql18-server postgresql18-client - make sure you have enough space and install the software. postgresql18-client gives you the psql command that lets you manage the databases from within the virtual machine.
vi /etc/rc.conf - add
postgresql_enable="yes"
to start the database on boot
service postgresql initdb - create the database cluster once, before the first start; for PostgreSQL 18 the data directory is /var/db/postgres/data18
Configuration for local access
Edit /var/db/postgres/data18/postgresql.conf (this is for PostgreSQL v18) and set
listen_addresses = 'localhost,192.168.1.88'
password_encryption = scram-sha-256
where 192.168.1.88 is the IP address of the machine that hosts PostgreSQL. Make sure the passwords are stored in the specified format before setting passwords of any users: a password set while password_encryption was md5 stays an md5 hash and will not work with a scram-sha-256 rule.
Next edit /var/db/postgres/data18/pg_hba.conf and set
host all all 127.0.0.1/32 trust
host all all 192.168.68.0/24 scram-sha-256
The first line lets any process on the machine connect as any database user, the postgres superuser included, without a password; unless you are the only user on the machine, use scram-sha-256 there too. The second line accepts password logins from the network your clients are on (192.168.68.0/24 here; adjust it to your LAN). Rules are matched in order, first match wins. Reload the server after editing with service postgresql reload.
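The two configuration edits above as a script, added here as an example that is not from the page: it sets listen_addresses and password_encryption in place (uncommenting the package defaults rather than appending duplicates), rewrites every trust rule in pg_hba.conf to scram-sha-256, adds the LAN rule only if it is missing, and fails if any rule still allows passwordless or cleartext-password logins. The data directory is the FreeBSD postgresql18-server default from this page; the sample configuration files embedded for the demo are constructed.

```shell
#!/bin/sh
# Harden the PostgreSQL access configuration described above (added example).
# Run as root, then: service postgresql reload
set -eu

PGDATA="${PGDATA:-/var/db/postgres/data18}"

# key = value in postgresql.conf: rewrite an existing, possibly commented-out,
# setting in place; append if there is none. Running it twice changes nothing.
pg_set() {  # pg_set <postgresql.conf> <key> <value>
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Every non-comment rule ending in "trust" becomes scram-sha-256.
pg_hba_no_trust() {  # pg_hba_no_trust <pg_hba.conf>
    sed -i.bak -E '/^[[:space:]]*#/!s/[[:space:]]+trust[[:space:]]*$/ scram-sha-256/' "$1"
}

# Password rule for one network, added once.
pg_hba_allow_lan() {  # pg_hba_allow_lan <pg_hba.conf> <cidr>
    grep -Eq "^[[:space:]]*host[[:space:]]+all[[:space:]]+all[[:space:]]+$2[[:space:]]+scram-sha-256" "$1" ||
        printf 'host    all             all             %-23s scram-sha-256\n' "$2" >> "$1"
}

# Rules that still allow unauthenticated (trust) or cleartext (password) logins.
pg_hba_weak_rules() {  # pg_hba_weak_rules <pg_hba.conf>
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E '[[:space:]](trust|password)[[:space:]]*$' || true
}

pg_harden() {  # pg_harden <postgresql.conf> <pg_hba.conf> <listen ip> <lan cidr>
    pg_set "$1" listen_addresses "'localhost,$3'"
    pg_set "$1" password_encryption scram-sha-256
    pg_hba_no_trust "$2"
    pg_hba_allow_lan "$2" "$4"
    weak=$(pg_hba_weak_rules "$2")
    [ -z "$weak" ] || { echo "weak rules remain in $2:"; echo "$weak"; return 1; } >&2
}

# Constructed samples, shaped like the package defaults, for a demo run.
SAMPLE_PGCONF="#listen_addresses = 'localhost'		# what IP address(es) to listen on
port = 5432
#password_encryption = scram-sha-256	# scram-sha-256 or md5"
SAMPLE_HBA='# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust'

case "${1:-}" in
    demo)
        d=$(mktemp -d)
        printf '%s\n' "$SAMPLE_PGCONF" > "$d/postgresql.conf"
        printf '%s\n' "$SAMPLE_HBA" > "$d/pg_hba.conf"
        pg_harden "$d/postgresql.conf" "$d/pg_hba.conf" 192.168.1.88 192.168.68.0/24
        cat "$d/postgresql.conf" "$d/pg_hba.conf" ;;
    apply)
        pg_harden "$PGDATA/postgresql.conf" "$PGDATA/pg_hba.conf" "$2" "$3" ;;
esac
```

./pg_harden.sh apply 192.168.1.88 192.168.68.0/24 edits the live files (a .bak copy of each is left next to it); the local rule becomes scram-sha-256 as well, so set the postgres user's password from the serial console first (su -l postgres -c psql, then \password) or you lock yourself out.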
Useful BSD tools
doas
allows you to run commands as a different user; a sudo alternative
pkg install doas - installs doas
cp /usr/local/etc/doas.conf.example /usr/local/etc/doas.conf - create doas's config file
vi /usr/local/etc/doas.conf - make changes that suit you, e.g. permit :wheel to let members of the wheel group run commands as root
OpenSSL
This library comes pre-installed with BSD and Linux variants. The use case here is to create client keys for ssh so as to avoid password authentication.
ssh-keygen -t ed25519 - create an Ed25519 key pair, stored in your $HOME/.ssh directory
ssh-keygen -t ecdsa - create an elliptic curve DSA signing key pair, also stored in your $HOME/.ssh directory
ssh-copy-id user@hostname - copy the public key to the authorized_keys file on the remote server. From now on you can use public key authentication instead of password authentication
pkg install fusefs-sshfs - on FreeBSD
apt-get install sshfs - on Linux variants
vi /etc/fstab - add the line
sshfs#user@hostname:/path/to/share /path/to/mountpoint fuse noauto,rw,uid=username,gid=groupname,user,reconnect,IdentityFile=/path/to/home/.ssh/id_ecdsa 0 0
mount /path/to/mountpoint - thanks to the user option the above command can be executed as a normal user. No need for root access
socat
A multi purpose relay, which has multiple use cases
- You have a personal computer and various firewall rules at your work place or anywhere else prohibit you from using ssh to log on to your computer: you can hide the ssh traffic as https traffic
- You manage virtual machines and need to access the unix socket where the virtual machine monitor (e.g., the qemu monitor) accepts connections
pkg install socat - installs socat on FreeBSD
openssl req -x509 -newkey rsa:2048 -keyout client.key -out client.crt -days 300 -nodes - create a certificate for the client
mv client.* $HOME/.ssh/ - place the client certificate and key in your home ssh directory
openssl req -x509 -newkey rsa:2048 -keyout tunnel.key -out tunnel.crt -days 300 -nodes - create a certificate for the server tunnel
- avoid fancy parameters both at the server end (where socat runs) and the client end (your laptop from which you connect to your home PC that runs socat) as they make it more likely for the firewall to filter your traffic, hence the RSA choice
mv tunnel.* /root/ - move the tunnel certificate and key to root's home
/path/to/socat -L /run/Socat_21022_22 OPENSSL-LISTEN:21022,fork,reuseaddr,certificate=/root/tunnel.crt,key=/root/tunnel.key,verify=0 tcp:127.0.0.1:22 &
- by running the above at boot (e.g. within /etc/rc.local) you can hide your ssh connections within https. The tunnel listens on incoming port 21022 and redirects to local port 22. Since this is only for hiding traffic no certificates are verified (verify=0): the TLS layer adds no authentication here, and it is ssh's own host key check and your key-based login that protect the session. If you want the TLS layer to authenticate as well, pin the peer certificate with cafile=... and verify=1 on both ends.
vi $HOME/.ssh/config - tell ssh to wrap your traffic into an https connection by setting
Host vicktricks.net
  ProxyCommand /usr/bin/socat STDIO OPENSSL-CONNECT:%h:21022,verify=0,cert=/path/to/home/.ssh/client.crt,key=/path/to/home/.ssh/client.key
- router
- with the above specifications make sure the router you have at home, which connects you to the wider internet, forwards port 21022 to the IP address of your computer (where socat runs with tunnel.crt/tunnel.key)
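The same tunnel with the TLS layer doing real authentication, as an added example that is not from the page: each end pins the other's self-signed certificate (cafile=...,verify=1 instead of verify=0), so the server only accepts connections that present client.crt and the client only talks to the server holding tunnel.key. Port numbers, file names and the host name vicktricks.net are the page's; the echo round trip used to exercise the tunnel locally (EXEC:cat in place of sshd) is an assumption of the example. socat 1.7.4 and later also compare the server certificate's CN with the name the client connects to, so tunnel.crt has to carry that name.

```shell
#!/bin/sh
# socat TLS tunnel for ssh with mutually pinned self-signed certificates
# (added example, not the page's commands). Needs socat and openssl.
set -eu

# Self-signed RSA certificate, non-interactive. The CN must be the name
# clients connect to (vicktricks.net on this page), see socat's peername check.
mk_cert() {  # mk_cert <basename> <common name> [days]
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -keyout "$1.key" -out "$1.crt" \
          -days "${3:-300}" -nodes -subj "/CN=$2" 2>/dev/null )
}

# Server end (root on the home PC, e.g. started from /etc/rc.local): TLS on
# $port, only for clients presenting the pinned client.crt, relayed to the
# target address (the page's tcp:127.0.0.1:22 by default). Replaces the shell.
tunnel_server() {  # tunnel_server <port> <tunnel.crt> <tunnel.key> <client.crt> [target]
    exec socat "OPENSSL-LISTEN:$1,fork,reuseaddr,cert=$2,key=$3,cafile=$4,verify=1" \
         "${5:-tcp:127.0.0.1:22}"
}

# Client end, usable as an ssh ProxyCommand: presents client.crt and accepts
# only the server whose certificate is tunnel.crt. Replaces the shell.
tunnel_client() {  # tunnel_client <host> <port> <client.crt> <client.key> <tunnel.crt>
    exec socat STDIO "OPENSSL-CONNECT:$1:$2,cert=$3,key=$4,cafile=$5,verify=1"
}

# ~/.ssh/config stanza with the same options (%h is expanded by ssh).
ssh_config_stanza() {  # ssh_config_stanza <host> <port> <client.crt> <client.key> <tunnel.crt>
    printf 'Host %s\n  ProxyCommand socat STDIO OPENSSL-CONNECT:%%h:%s,cert=%s,key=%s,cafile=%s,verify=1\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Round trip through a tunnel whose target is EXEC:cat: prints what the far
# end echoed back, nothing if either side refused the handshake.
tunnel_echo() {  # tunnel_echo <port> <client.crt> <client.key> <server cert to trust> <text>
    out=$(printf '%s\n' "$5" | tunnel_client localhost "$1" "$2" "$3" "$4" 2>/dev/null) || true
    printf '%s\n' "$out"
}

case "${1:-}" in
    certs)  mk_cert tunnel "${2:-vicktricks.net}"; mk_cert client laptop ;;
    server) tunnel_server "${2:-21022}" /root/tunnel.crt /root/tunnel.key /root/client.crt ;;
    config) ssh_config_stanza vicktricks.net 21022 "$HOME/.ssh/client.crt" \
                "$HOME/.ssh/client.key" "$HOME/.ssh/tunnel.crt" ;;
esac
```

On the home PC run ./tunnel.sh certs, keep tunnel.key and client.key private, copy client.crt next to the server files and tunnel.crt (the public half only) to the laptop's ~/.ssh; ./tunnel.sh config prints the stanza for the laptop. The port forward on the router is unchanged. The TLS layer now fails closed on either side if a middlebox tries to terminate it, while ssh's own host key check and key login still apply inside.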