Running Netatalk/AFP in a FreeBSD jail
Describes how to install Netatalk/AFP from binary packages, in a FreeBSD jail. Tested on FreeBSD
10.2-RELEASE. As usual, YMMV; let’s go:
Create a FreeBSD jail. I use ezjail, but the specific way of creating the jail is of no importance. To create a FreeBSD jail named
afp, with IP address of
192.168.0.231, bound to network interface
igb0, with the help of ezjail, do
root@host: ~# ezjail-admin create afp 'igb0|192.168.0.231'
afpwith desired jail/server name and
192.168.0.231with the IP address to be assigned to the jail.
Start the jail and enter inside, do
root@host: ~# ezjail-admin start afp root@host: ~# ezjail-admin console afp root@afp: ~#
Optional: select the correct time-zone, do
root@afp: ~# tzsetup
and follow instructions.
Install FreeBSD binary package manager:
root@afp: ~# pkg bootstrap
agree and wait for task to complete.
Install Netatalk binary package:
root@afp: ~# pkg install netatalk3
once again agree and wait for task to complete (Netatalk sports quite a list of dependencies).
Create initial Netatalk3 configuration file (important parts related to “jailing” AFP are explained below). The name of configuration file would be
[Global] afp interfaces = igb0 [test] path = /mnt
The “important” parts:
afp interfacesline declares the network interface to bound to; this might or might not be required, in my case it was, possibly because I used VLANs for my Intranet,
- the rest of the options export
/mntas a share named
Create a user to test with (or to keep permanently), run
root@afp: ~# adduser
and follow instructions, and remember to pick a password.
Enable and start Netatalk services:
root@afp: ~# sysrc netatalk_enable=YES netatalk_enable: -> YES root@afp: ~# sysrc dbus_enable=YES dbus_enable: -> YES root@afp: ~# sysrc avahi_daemon_enable=YES avahi_daemon_enable: -> YES root@afp: ~# service dbus start Starting dbus. root@afp: ~# service avahi-daemon start Starting avahi-daemon. root@afp: ~# service netatalk start Starting netatalk. root@afp: ~#
Shortly after starting
netatalkservice, it should be possible to access
testnetwork share on your server using newly created user account. Some time later (when name cache expires) this machine will get inaccessible. I believe the reason is, that
avahi, when running in a jail, is unable to receive multicast DNS messages, because those packets do not target jail’s IP address. With other words, when clients ask “who is
afpis the Netatalk server name, same as hostname or jail name, by default)
avahiwouldn’t be able to hear that question in order to answer.
Let’s fix that:
Let’s add a firewall rule to forward multicast DNS traffic to the jail’s
pffirewall the rules to be added to
rdr inet proto udp to 184.108.40.206 port mdns -> 192.168.0.231 port mdns
192.168.0.231should be replaced with jail’s IP address.
Same should be possible using
ipfw, but I have no experience with it.
Here are two bonus points:
to change server icon in Mac OS Finder create file
/usr/local/etc/avahi/services/afpd.servicewith the following contents:
<?xml version="1.0" standalone='no'?><!--*-nxml-*--> <!DOCTYPE service-group SYSTEM "avahi-service.dtd"> <service-group> <name replace-wildcards="yes">%h</name> <service> <type>_afpovertcp._tcp</type> <port>548</port> </service> <service> <type>_device-info._tcp</type> <port>0</port> <txt-record>model=Xserve</txt-record> </service> </service-group>
model=Xservedoes the magic. Now restart Avahi:
service avahi-daemon restart.
to enable Time Machine backups append the following to
[Time Machine] path = /usr/home/timemachine valid users = timemachine time machine = yes vol size limit = 500000
pw) create an account
timemachinewith home directory of
/usr/home/timemachine(you can pick another user account name or directory path);
500000limits Time Machine capacity to about 500 gigabytes. Now restart
service netatalk restart).