Install on a Wear-Leveling CF Drive?
-
I thought that was a "feature" of the scripts, or /etc/fstab, not the kernel.
But, even if it is a kernel feature, the scripts still have to be aware of that, and "write" to a suitable location, which is available as rw.
Cheers.
Yes, that's true indeed. I just want the "full install" kernel for SMP and VGA console support. The rc-scripts /etc/rc and /etc/rc.embedded particularly act upon the contents of /etc/platform and create a memory filesystem for both nanobsd and embedded platform to hold RRD graphs and logfiles etc. I also found that the PHP GUI config takes care of remounting the root filesystem and - if present - the /cf filesystem to/from read/write access for both scenarios. So AFAIK there is no real difference in how the whole configuration part is handled between a true embedded install and a full install that's been altered to embedded.
The only thing left to figure out is whether or not the upgrade process would still work after such change. Maybe that's just a matter of temporarily changing the platform back to pfSense/SMP and changing the fstab to mount the filesystems read/write by default. I guess there's only one way to find out… ;)
-
OK, I'm looking at this and I am going to try installing on a CF drive (OK, it's actually a DOM), but I looked in the GUI and couldn't find an option to allow me to set the firewall to "read only". Is there something I'm missing, or is this more something I have to do via SSH/Shell?
-
OK, I'm looking at this and I am going to try installing on a CF drive (OK, it's actually a DOM), but I looked in the GUI and couldn't find an option to allow me to set the firewall to "read only". Is there something I'm missing, or is this more something I have to do via SSH/Shell?
It's not an officially supported option, so you'll have to modify this manually through either Diagnostics -> Edit file -> /etc/platform -> Load -> Change pfSense/SMP to embedded -> Save or using SSH and vi. After this change you'll have to reboot and verify if your root filesystem is mounted read-only. If you prefer to check this using the GUI, you can do that with Diagnostics -> Command -> Command: mount -> Execute and verify if / is mounted read-only.
-
OK, I'll give that a go once I get to that point, thanks!
-
I could have sworn that I posted this yesterday, but I guess not.
After this change you'll have to reboot and verify if your root filesystem is mounted read-only. If you prefer to check this using the GUI, you can do that with Diagnostics -> Command -> Command: mount -> Execute and verify if / is mounted read-only.
How do I tell what's ro or rw, because here's what mount shows me:
$ mount
/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /var/tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)
devfs on /var/dhcpd/dev (devfs, local)
Cheers.
-
How do I tell what's ro or rw, because here's what mount shows me:
$ mount
/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /var/tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)
devfs on /var/dhcpd/dev (devfs, local)
Cheers.
It should show "read-only" next to "ufs, local" when mounted read only, and nothing (other than "ufs, local") when mounted read/write. But judging by the output I reckon you're running the nanobsd embedded version, correct? Since I don't recall the full install having a separate filesystem for /cf. I'm doing all this from my memory, but I figure I'd better have written down all the steps taken… I'll rerun the install here on a VM and take notes about the exact changes. I could very well have modified the /etc/fstab to mount the filesystems read-only by default.
EDIT: Ok, checked with a reinstall and changing a full install to embedded through /etc/platform automatically mounts the root filesystem read-only. I have changed /etc/fstab however so that it immediately gets mounted read-only since this is also done on a nanobsd install.
-
But judging by the output I reckon you're running the nanobsd embedded version, correct?
Yes, correct.
Now, here's an interesting observation. If I issue the mount command, via the Diagnostics GUI, I get the result above. However, if I log on to the box, and issue it at a command prompt, I get this:
[root@roadblock.bogolinux.net]/root(1): mount
/dev/ufs/pfsense0 on / (ufs, local, read-only)
devfs on /dev (devfs, local)
/dev/md0 on /var/tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local, read-only)
devfs on /var/dhcpd/dev (devfs, local)
[1.2.3-RELEASE]
Hmmmmmmmmm.
Cheers.
-
I think that the GUI config remounts the filesystems read-write during command execution. Sounds logical of course, since the command might be trying to modify the filesystem. So the only way to correctly check it is through SSH.
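Added example (not part of any post in this thread): a small sh script that reads FreeBSD-style mount output and reports whether given mount points are read-only, run here against the two outputs quoted above to show why the GUI result differs from the SSH one. The function names mount_state and check_readonly are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Parses FreeBSD-style `mount` output:
#   <device> on <mountpoint> (<opt>, <opt>, ...)

# mount_state MOUNTPOINT: reads mount output on stdin,
# prints "ro", "rw" or "missing" for MOUNTPOINT.
mount_state() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            opts = $0
            sub(/^[^(]*\(/, "", opts)   # drop everything up to "("
            sub(/\).*$/, "", opts)      # drop ")" and anything after it
            n = split(opts, o, /, */)
            state = "rw"                # no "read-only" flag means read/write
            for (i = 1; i <= n; i++) if (o[i] == "read-only") state = "ro"
        }
        END { print (state == "" ? "missing" : state) }
    '
}

# check_readonly "MOUNT_OUTPUT" MP...: returns 0 only if every MP is read-only.
check_readonly() {
    out=$1; shift
    rc=0
    for mp in "$@"; do
        state=$(printf '%s\n' "$out" | mount_state "$mp")
        printf '%-8s%s\n' "$state" "$mp"
        [ "$state" = "ro" ] || rc=1
    done
    return $rc
}

# The two outputs quoted in the thread: GUI (Diagnostics -> Command) and SSH.
GUI_OUT='/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /var/tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)'
SSH_OUT='/dev/ufs/pfsense0 on / (ufs, local, read-only)
devfs on /dev (devfs, local)
/dev/md0 on /var/tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local, read-only)'

echo "GUI:"; check_readonly "$GUI_OUT" / /cf || echo "=> not read-only"
echo "SSH:"; check_readonly "$SSH_OUT" / /cf && echo "=> read-only"
```

On a live box, run check_readonly "$(mount)" / /cf from an SSH or console session rather than through the GUI command page.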
-
I've been running 1.2.3 on the Intel D94GCLF Atom 330 motherboard for a couple weeks now with an Innodisk 2GB Wear Leveling embedded IDE drive. I've modified the platform setting from pfsense to embedded and also set the drives to RO in /etc/fstab. I've seen the same behavior discussed below of the drives being listed as RO from the console but RW from the GUI.
Thus far, everything seems to be perfectly fine - the only effect of setting the CF drive RO I have seen is that all the RRD graphs get reset after a reboot, which is no problem for me. Operationally, I've noticed no difference between this install and my prior full install deployment on an older Athlon with a conventional hard drive.
For what it is worth, the Atom 330 runs pfSense without even starting to break a sweat. I've got a 20MBps line into the house and without running any VPN sessions, I can't get the CPU loading over a couple percent. The board with 1GB of memory, an extra GB NIC and the CF drive draws right around 30W. Based on power savings alone, the board and the Mini-ITX case will be paid for in right around 3 years when compared to my prior Athlon setup. Given the performance of the system, I can't imagine a reason why I'd touch it indefinitely - short of something failing.
The only thing I'd consider changing if I were to do this again would be to get a board with one of the 5xx series Atom processors - they have even lower power draw - but are also a little more expensive as well so I'm not sure if the ROI would change much.
At this point, I think it would be helpful if we could get an officially supported embedded install with VGA and keyboard support. I'm using this at home so I don't mind going slightly off the beaten path, but if I were doing this for my job I might think twice.
Thanks to everyone who chimed in on this thread - I appreciate the comments and information.
Best Wishes,
Stephan
http://www.intel.com/Products/Desktop/Motherboards/D945GCLF/D945GCL
http://www.mini-box.com/2GB-40-pin-Embedded-Disk-Card-4000
-
I've got a couple installs on InnoDisk IDE DOMs running full installs, and my home testing install which gets reinstalled frequently from 2.0 snapshots. All of these have been stable running for at least 18 months, the oldest is about 24 months with no issues. Industrial flash is designed to be used this way, I doubt you'll have any problems with proper industrial flash modules, be it CF, IDE/SATA DOM or SSD.