Running Netatalk/AFP in a FreeBSD jail
Describes how to install Netatalk/AFP from binary packages, in a FreeBSD jail. Tested on FreeBSD 10.2-RELEASE. As usual, YMMV; let’s go:
Create a FreeBSD jail. I use ezjail, but the specific way of creating the jail is of no importance. To create a FreeBSD jail named
afp, with IP address of192.168.0.231, bound to network interfaceigb0, with the help of ezjail, doroot@host: ~# ezjail-admin create afp 'igb0|192.168.0.231'
Replace
afpwith desired jail/server name and192.168.0.231with the IP address to be assigned to the jail.Start the jail and enter inside, do
root@host: ~# ezjail-admin start afp root@host: ~# ezjail-admin console afp root@afp: ~#
Optional: select the correct time-zone, do
root@afp: ~# tzsetup
and follow instructions.
Install FreeBSD binary package manager:
root@afp: ~# pkg bootstrap
agree and wait for task to complete.
Install Netatalk binary package:
root@afp: ~# pkg install netatalk3
once again agree and wait for task to complete (Netatalk sports quite a list of dependencies).
Create initial Netatalk3 configuration file (important parts related to “jailing” AFP are explained below). The name of configuration file would be
/usr/local/etc/afp.conf:[Global] afp interfaces = igb0 [test] path = /mntThe “important” parts:
afp interfacesline declares the network interface to bound to; this might or might not be required, in my case it was, possibly because I used VLANs for my Intranet,- the rest of the options export
/mntas a share namedtest.
Create a user to test with (or to keep permanently), run
root@afp: ~# adduser
and follow instructions, and remember to pick a password.
Enable and start Netatalk services:
root@afp: ~# sysrc netatalk_enable=YES netatalk_enable: -> YES root@afp: ~# sysrc dbus_enable=YES dbus_enable: -> YES root@afp: ~# sysrc avahi_daemon_enable=YES avahi_daemon_enable: -> YES root@afp: ~# service dbus start Starting dbus. root@afp: ~# service avahi-daemon start Starting avahi-daemon. root@afp: ~# service netatalk start Starting netatalk. root@afp: ~#
Shortly after starting
netatalkservice, it should be possible to accesstestnetwork share on your server using newly created user account. Some time later (when name cache expires) this machine will get inaccessible. I believe the reason is, thatavahi, when running in a jail, is unable to receive multicast DNS messages, because those packets do not target jail’s IP address. With other words, when clients ask “who isafp” (afpis the Netatalk server name, same as hostname or jail name, by default)avahiwouldn’t be able to hear that question in order to answer.Let’s fix that:
Let’s add a firewall rule to forward multicast DNS traffic to the jail’s
avahi. Usingpffirewall the rules to be added to/etc/pf.confwould be:rdr inet proto udp to 224.0.0.251 port mdns -> 192.168.0.231 port mdnsAgain:
192.168.0.231should be replaced with jail’s IP address.Same should be possible using
ipfw, but I have no experience with it.
Here are two bonus points:
to change server icon in Mac OS Finder create file
/usr/local/etc/avahi/services/afpd.servicewith the following contents:<?xml version="1.0" standalone='no'?><!--*-nxml-*--> <!DOCTYPE service-group SYSTEM "avahi-service.dtd"> <service-group> <name replace-wildcards="yes">%h</name> <service> <type>_afpovertcp._tcp</type> <port>548</port> </service> <service> <type>_device-info._tcp</type> <port>0</port> <txt-record>model=Xserve</txt-record> </service> </service-group>model=Xservedoes the magic. Now restart Avahi:service avahi-daemon restart.to enable Time Machine backups append the following to
/usr/local/etc/afp.conf:[Time Machine] path = /usr/home/timemachine valid users = timemachine time machine = yes vol size limit = 500000and (using
adduserorpw) create an accounttimemachinewith home directory of/usr/home/timemachine(you can pick another user account name or directory path);500000limits Time Machine capacity to about 500 gigabytes. Now restartnetatalkservice (service netatalk restart).