Reboot FreeBSD into md

From Devpit
Jump to: navigation, search

Sometimes it is handy to tweak something about the root filesystem, and rebooting onto installation media requires walking, not to mention physical access. Alternatively, one can make a memory disk and reroot into that, allowing ssh and network access, which is far more convenient if all goes well.

To begin, ssh in as root, then run the following commands.

sh
md=$(mdconfig -s 2G)
newfs /dev/$md
mount /dev/$md /mnt
tar --one-file-system -C / -cpf - bin etc lib libexec rescue root/.ssh sbin usr/bin usr/lib usr/libdata usr/libexec usr/sbin usr/share var/empty var/run | tar -C /mnt -xpf -
mkdir /mnt/dev /mnt/mnt /mnt/tmp
chmod 777 /mnt/tmp
ln -s ../tmp /mnt/var/tmp
echo sshd_enable=YES >/mnt/etc/rc.conf
echo /dev/$md / ufs rw 0 0 >/mnt/etc/fstab
cat >/mnt/etc/ssh/sshd_config <<EOF
PasswordAuthentication no
PermitRootLogin without-password
UseDNS no
UsePAM no
EOF
umount /mnt
kenv vfs.root.mountfrom=ufs:/dev/$md
reboot -r

Then connect by ssh again. Easy peazy.


Notes

While physical access is not required if everything works correctly, you may need it to fix. If this results in being unable to access the machine, simply bump the reset button to reboot the machine back to normal operation. A PDU or a serial console with break-to-debugger enabled could help you remotely.

reroot -r will keep kernel state such as IP addresses, routes, pf, and the hostname. (It also leaves zpools imported.) This is handy, so that the temporary rc.conf does not need network configuration; the machine will simply keep the configuration it had before.

This arrangement only allows root to log in, because of the "PasswordAuthentication no" directive in sshd_config, and because no home directories are copied. It would be wise to be sure by sshing in as root to execute this procedure; then you are sure you have the right key, etc.

This does not copy /usr/local because it often won't fit in RAM. However this loses third-party PAM modules. If using winbindd, for example, missing pam_winbind.so will lock out root logins, even if root could otherwise log in without winbindd running. This is the reason for the "UsePAM no" directive in sshd_config. Another reason for avoiding PAM is, having SSH use PAM may allow other users to log in with passwords, even though sshd_config specifies "PasswordAuthentication no".