This blog ran on Ubuntu 16.04 for 10 years. I migrated it to FreeBSD


This blog has been running on a Digital Ocean VPS for over ten years. A machine hosted in New York City, running Ubuntu 16.04 LTS. An LTS that hasn’t been in support for at least 5 years. It was about time to change it.

After some considerations, I migrated to a Hetzner virtual machine that is way better than my old Ubuntu one, less than half the price of what I used to pay, and just across the country from me. Not only that, but I took the challenge to move my stack to FreeBSD. It’s a long text, but stay for a cool introduction of FreeBSD Jails with Bastille and some interesting site load benchmarks.

Motivation


If you know how releases on Ubuntu work (I’m not very familiar myself), once the release is out of support, the apt package repository is out, so you can’t get any updates from it anymore. There are several implications of running such an outdated system, and the most obvious is that your server is just not as secure anymore. There might be several bots out there just trying to find nodes with vulnerabilities to introduce malicious stuff onto them.

Luckily (I think), nothing ever happened. Not that there was anything important to be stolen in there either way. But I remember a long time ago, one WordPress blog that I had, which was also running on an old VPS, randomly got a lot of very suspicious links to casino and gambling sites spread across the text in the posts.

I was already using a Hetzner VPS as a remote development machine, where I SSH into from anywhere, and it’s been a reliable good VPS for the price. So I decided to start by comparing the specs.

The old setup


My old setup was serving a few more sites than just this blog. Nothing too popular; this blog, the most popular of all sites in there, wouldn’t get more than a couple thousand page views a month. Except when a couple of posts went viral on Hacker News, there wasn’t a lot of traffic. In the end, the machine was basically serving static sites, no fancy CGI or custom code running.

The stack was simple. Everything was served with nginx/1.10.3, statically. So I’d just basically have several config files in /etc/nginx/sites-available, one for each of the sites. Extra necessary programs like static site generators and a LaTeX suite (e.g., this blog is generated by Hugo) were installed either via apt or snap.

Yep, it was running Linux 4.4! So well, in fact, that its uptime was 1491 days when I shut it off! That’s roughly 4 years without interruption!

Why FreeBSD


Not gonna lie, one of my main motivations was to get my hands on something different. I’ve been reading and watching a lot of stuff about BSDs in general, and I had a short previous experience with FreeBSD, so I thought it would be a good way to put it to a real-world test.

FreeBSD is usually praised for its stability, due to its integrated design, security, and Jails. We’ll get to that in a bit. I don’t wanna sound like I knew exactly what I was doing, but when I read about Jails, I knew exactly what I wanted to do. Jails are a form of virtualization/containerization that’s been part of FreeBSD for over 25 years, way before Docker was even a thing.

On top of that, its filesystem, ZFS, is actually really good and useful for servers. If you come from a Linux world, you probably have heard about Btrfs, which is the newer filesystem that’s been adopted by more and more distros lately. It has some similarities to ZFS: data integrity and snapshots. Except ZFS is probably way more mature than Btrfs.

My idea was to have one Jail for each one of my sites with whatever tools they needed to build (like Hugo, for the blog) and an instance of nginx to serve it. And one Jail for the main web server that connected all of them with the world via reverse proxy. That way, if one of the jails gets compromised, I can just destroy it and create a new one.
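To make the layout concrete, here is what the nginx config in the "main" reverse-proxy jail could look like. This is an added example, not the author's actual config: the private jail addresses (10.0.0.11, 10.0.0.12), the hostnames (example.com, other.example) and the jail names are placeholders I chose for illustration. The assumption behind it is the one the paragraph describes: only the proxy jail is reachable from the outside, and each site jail runs its own nginx bound to a private address.

```nginx
# Added example for the "main" reverse-proxy jail (not the author's config).
# Placeholders: blog jail at 10.0.0.11, second site jail at 10.0.0.12,
# public hostnames example.com and other.example.

# Blog jail: proxy by Host header to the jail's private nginx.
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://10.0.0.11:80;
        # Pass the original host and client address through so the
        # per-site nginx logs show real visitors, not the proxy jail.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Second site jail: same pattern, different backend address.
server {
    listen 80;
    server_name other.example;

    location / {
        proxy_pass http://10.0.0.12:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Default server: requests whose Host matches none of the sites are
# dropped (444 closes the connection without a response), so a stray
# hostname cannot be used to reach any backend jail through the proxy.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

The point of keeping the site jails behind a private network is that the proxy jail is the only one with a public listener, and a site jail can be destroyed and recreated without touching this file as long as the new jail reuses the same private address. TLS termination would also live in the proxy jail; it is left out here because this section of the post does not cover it.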