2023年10月1日 星期日

Ubuntu 安裝 Nginx(設定Let’s Encrypt的SSL憑證)、PHP-FPM、MariaDB

 [環境]

作業系統版本: Ubuntu 22.04

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy


[安裝 Nginx]

查看系統儲存庫,內建的 Nginx 最新版為 1.18,不是 Nginx 官網目前最新的穩定版,後面安裝官網提供的版本
$ sudo apt update
$ apt list nginx  -a
Listing... Done
nginx/jammy-updates 1.18.0-6ubuntu14.4 s390x
nginx/jammy-security 1.18.0-6ubuntu14.3 s390x
nginx/jammy 1.18.0-6ubuntu14 s390x

依照 Nginx 官網說明,加入官網提供的套件庫
https://nginx.org/en/linux_packages.html#Ubuntu

安裝必要套件
$ sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring

下載官方 nginx 簽章金鑰導入
$ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

確認下載的金鑰指紋是否跟官網說明相同,如果指紋不同,刪除金鑰檔案
$ gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

加入穩定版的套件庫
$ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

查看目前所有儲存庫,確認有剛剛加入的 Nginx 官方套件庫
$ grep ^[^#] /etc/apt/sources.list /etc/apt/sources.list.d/*
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy main restricted
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy universe
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-updates universe
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy multiverse
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-updates multiverse
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-security universe
/etc/apt/sources.list:deb http://ports.ubuntu.com/ubuntu-ports jammy-security multiverse
/etc/apt/sources.list.d/nginx.list:deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu jammy nginx

設定儲存庫優先選擇剛剛加入的官網套件庫而不是系統發行版提供的
$ echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx

Package: *
Pin: origin nginx.org
Pin: release o=nginx
Pin-Priority: 900

取得最新套件清單
$ sudo apt update

看可安裝的 Nginx 版本
$ apt list nginx  -a
Listing... Done
nginx/stable 1.24.0-1~jammy s390x
nginx/stable 1.22.1-1~jammy s390x
nginx/stable 1.22.0-1~jammy s390x
nginx/jammy-updates 1.18.0-6ubuntu14.4 s390x
nginx/jammy-security 1.18.0-6ubuntu14.3 s390x
nginx/jammy 1.18.0-6ubuntu14 s390x

安裝最新穩定版 Nginx
$ sudo apt install nginx
查看 Nginx 版本
$ nginx -v
nginx version: nginx/1.24.0

查看是否已啟動
$ systemctl status nginx
若沒有,則手動啟動
$ sudo systemctl start nginx

查看是否開機自動啟動
$ systemctl is-enabled nginx
若沒有,則設定開機自動啟動
$ sudo systemctl enable nginx

查看防火牆是否有開放 80 PORT
$ sudo iptables -L
若沒有,設定防火牆開放 80 PORT
$ sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
此時遊覽器瀏覽 Server IP 應該可以看到 Nginx 預設頁面



[Nginx 新增 http://test.example.com 網站]

$ sudo vi /etc/nginx/conf.d/webA.conf
server {
       listen 80;
       listen [::]:80;

       server_name test.example.com;

       root /var/www/webA;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }
}
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ sudo mkdir -p /var/www/webA
$ sudo vi /var/www/webA/index.html
test webA
$ sudo systemctl reload nginx
此時遊覽器瀏覽 http://test.example.com 應該可以看到 test webA 頁面



[Nginx 的 test.example.com 網站,申請設定 Let’s Encrypt 提供的 SSL 憑證]

安裝 certbot,一個管理 Let’s Encrypt 憑證的工具

註:certbot 官網是使用 snap 套件管理工具安裝,但我測試的 VPS 是 s390x 架構,不能跑 snap 內的 certbot
安裝 certbot 官網說明中使用的 snap 套件管理工具
https://snapcraft.io/docs/installing-snap-on-ubuntu
$ sudo apt update
$ sudo apt install snapd
安裝 certbot
$ sudo snap install --classic certbot
error: snap "certbot" is not available on stable for this architecture (s390x) but exists on other
       architectures (amd64, arm64, armhf).
$ lscpu
Architecture:            s390x
.....

使用 APT 安裝系統內建的版本
$ sudo apt update
$ sudo apt install certbot
查看 certbot 版本
$ certbot --version
certbot 1.21.0
安裝 nginx 使用的 plugin
$ sudo apt install python3-certbot-nginx

開始向 Let’s Encrypt 申請 SSL 憑證,並自動設定在 Nginx 設定檔
(注意:此操作會自動修改 Nginx 設定檔,加入申請的 SSL 憑證、變為 HTTPS 網站。
可先將 Nginx 設定檔備份,事後比對 certbot 做了何種更動。
如果只想申請憑證,自己修改 Nginx 設定檔,可使用加了 certonly 參數的指令
sudo certbot certonly --nginx -d test.example.com )
過程會問幾個問題:
  1. Email,用來緊急續訂和安全通知
  2. 是否同意向 ACME server 註冊,必須同意選 Y
    Automatic Certificate Management Environment (ACME) 為自動證書管理環境
    Let’s Encrypt 使用此方式,驗證欲申請憑證的網域是否為申請者所有
    https://letsencrypt.org/zh-tw/docs/challenge-types/
  3. 自由選擇是否分享 Email,會發送相關郵件。此項我選 N
$ sudo certbot --nginx -d test.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel):xyz@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for test.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.example.com/privkey.pem
This certificate expires on 2023-12-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for test.example.com to /etc/nginx/conf.d/webA.conf
Congratulations! You have successfully enabled HTTPS on https://test.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

執行後,便自動完成 SSL 憑證申請與 Nginx 設定
查看 Nginx 被 Certbot 改了那些設定
$ cat /etc/nginx/conf.d/webA.conf
server {

       server_name test.example.com;

       root /var/www/webA;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/test.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/test.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = test.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


       listen 80;
       listen [::]:80;

       server_name test.example.com;
    return 404; # managed by Certbot


}

防火牆開啟 HTTPS 使用的 443 PORT
$ sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
此時遊覽器瀏覽 https://test.example.com/ 應該可以看到 test webA 頁面


Let’s Encrypt 的憑證有效期限為 90 天
而前面使用 Certbot 申請憑證完成後的訊息,有一段已設定自動更新憑證的排程說明
「...
Certbot has set up a scheduled task to automatically renew this certificate in the background.
...」

我這個版本,是使用 list-timers 設定 SSL 憑證更新排程 (也有可能是使用 crontab 設定排程)
$ systemctl list-timers -all
NEXT                        LEFT          LAST                        PASSED       UNIT                           ACTIVATES
...
Sun 2023-10-01 03:39:12 UTC 3h 13min left n/a                         n/a          certbot.timer                  certbot.service
...
$ systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sat 2023-09-30 23:49:24 UTC; 37min ago
    Trigger: Sun 2023-10-01 03:39:12 UTC; 3h 11min left
   Triggers: ● certbot.service

Sep 30 23:49:24 web systemd[1]: Started Run certbot twice daily.
$ cat /usr/lib/systemd/system/certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
$ cat /usr/lib/systemd/system/certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://certbot.eff.org/docs
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

其他:
  • 測試憑證的自動續訂
    $ sudo certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/test.example.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Account registered.
    Simulating renewal of an existing certificate for test.example.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations, all simulated renewals succeeded:
      /etc/letsencrypt/live/test.example.com/fullchain.pem (success)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • 列出所有憑證及到期日
    $ sudo certbot certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
      Certificate Name: test.example.com
        Serial Number: *****************************
        Key Type: RSA
        Domains: test.example.com
        Expiry Date: 2023-12-29 23:07:50+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/test.example.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/test.example.com/privkey.pem
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • 更新快到期的 SSL 憑證
    $ sudo certbot renew
  • 停用 ACME 帳號
    $ sudo certbot unregister




[安裝 PHP FPM]

$ sudo apt update
$ sudo apt install php-fpm
查看 PHP 版本
$ php -v
PHP 8.1.2-1ubuntu2.14 (cli) (built: Aug 18 2023 11:41:11) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2-1ubuntu2.14, Copyright (c), by Zend Technologies
(註:若想安裝更新的版本
可自行判斷,是否另外加入 ppa:ondrej/php 提供的 PPA (Personal Package Archives、個人套件庫)
此 PPA,開發者是一名 Debian 的開發人員,
加入 PPA
$ sudo add-apt-repository ppa:ondrej/php
移除 PPA
$ sudo add-apt-repository --remove ppa:ondrej/php
)

查看是否已啟動
$ sudo systemctl status php8.1-fpm
若沒有,則手動啟動
$ sudo systemctl start php8.1-fpm

查看是否開機自動啟動
$ sudo systemctl is-enabled php8.1-fpm
若沒有,則設定開機自動啟動
$ sudo systemctl enable php8.1-fpm

Nginx 在 HTTP 443 PORT 的 Server {...} 設定區段加入 PHP FPM 設定
$ sudo vi /etc/nginx/conf.d/webA.conf
server {
.....	
    location ~ \.php$ {
        fastcgi_pass   unix:/run/php/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
.....
}

Ubuntu 系統預設儲存庫安裝的 PHP FPM,執行使用者身份是 www-data
$ ps aux | grep php-fpm
root       29093  0.0  0.4 200720 19232 ?        Ss   00:59   0:00 php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)
www-data   29094  0.0  0.3 201196 14416 ?        S    00:59   0:00 php-fpm: pool www
www-data   29095  0.0  0.3 201196 13908 ?        S    00:59   0:00 php-fpm: pool www
從 Nginx 官方套件庫安裝的 Nginx,執行使用者身份是 nginx
$ ps aux | grep nginx
root       11481  0.0  0.1  21732  8096 ?        Ss   Sep30   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx      30754  0.0  0.2  22592  8776 ?        S    02:01   0:00 nginx: worker process
nginx      30755  0.0  0.1  22592  7752 ?        S    02:01   0:00 nginx: worker process

將 Nginx 的執行者身份改為 www-data 跟 php-fpm 一樣,避免出現 502 Bad Gateway
(如果 Nginx 也是安裝系統預設的套件,執行者身份也會是 www-data)
$ sudo vi /etc/nginx/nginx.conf
#user  nginx;
user  www-data;

Nginx 重新載入
$ sudo nginx -t
$ sudo systemctl reload nginx



[安裝 php-mysql Extension]
$ sudo apt install php-mysql
啟用 pdo_mysql module
$ sudo phpenmod pdo_mysql
phpenmod 會自動將系統預設設定檔 link 到 conf.d 資料夾
$ ls -al /etc/php/8.1/fpm/conf.d/*pdo_mysql*
lrwxrwxrwx 1 root root 41 Apr 27 08:40 /etc/php/8.1/fpm/conf.d/20-pdo_mysql.ini -> /etc/php/8.1/mods-available/pdo_mysql.ini
查看 PHP 的 pdo_mysql 模組是否已啟用
$ php -m | grep pdo_mysql
pdo_mysql
也可以使用 phpquery 查看 pdo_mysql 模組狀態
$ phpquery -v 8.1 -s fpm -m pdo_mysql
pdo_mysql (Enabled for fpm by local administrator)


若要關閉 pdo_mysql module
$ sudo phpdismod pdo_mysql
$ phpquery -v 8.1 -s fpm -m pdo_mysql
No module matches pdo_mysql (Disabled for fpm by local administrator)


其他個人常用 php extension (視需要安裝)
$ sudo apt install php-memcached php-bcmath php-redis





[安裝 MariaDB]

$ sudo apt update
$ sudo apt install mariadb-server

使用 mysql_secure_installation 進行安全的相關設定
mysql_secure_installation 指令,會一步一步以問答方式進行 MySQL 的安全性設定
因為是新安裝的,還沒有密碼,所以要 Enter current password for root 時留空白,直接按 enter
設定過程如下,我都使用預設值 Y (設定 root 密碼、移除匿名帳號、移除 root 可以從其他電腦登入的設定、移除 test 資料庫、重新載入權限)
$ sudo mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n]
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

確定已啟動、設定開機啟動
$ sudo systemctl start mariadb
$ sudo systemctl status mariadb
$ sudo systemctl enable mariadb
$ sudo systemctl is-enabled mariadb

登入 mariadb
$ sudo mariadb
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT version();
+----------------------------------+
| version()                        |
+----------------------------------+
| 10.6.12-MariaDB-0ubuntu0.22.04.1 |
+----------------------------------+
1 row in set (0.000 sec)

MariaDB [(none)]> SELECT user(),current_user(),system_user(),session_user();
+----------------+----------------+----------------+----------------+
| user()         | current_user() | system_user()  | session_user() |
+----------------+----------------+----------------+----------------+
| root@localhost | root@localhost | root@localhost | root@localhost |
+----------------+----------------+----------------+----------------+
1 row in set (0.000 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.000 sec)






參考:


2023年4月2日 星期日

Google Sheets App Scripts 移除重複資料列

Demo 影片:


使用 removeDuplicates() 方法去除重複資料列

function myFunction() {
  var spreadsheet = SpreadsheetApp.getActiveSpreadsheet();
  var sheet = spreadsheet.getSheetByName("aaa");
  sheet.appendRow(["aa", "bb", "cc"]);
  sheet.appendRow(["aa", "bb", "cc"]);
  sheet.appendRow(["aa", "bb", "cc"]);
  sheet.appendRow(["aa1", "bb", "cc"]);
  sheet.appendRow(["aa1", "bb", "cc"]);
  sheet.appendRow(["aa1", "bb", "cc"]);

  var range = sheet.getRange(1, 1, sheet.getMaxRows(), sheet.getMaxColumns()).activate();

  //移除重複資料(每一欄都相同的資料列)
  range.removeDuplicates().activate();

  //移除重複資料(B、C 欄相同的資料列)
  //range.removeDuplicates([2, 3]).activate();
}




參考:

2023年3月4日 星期六

安裝 FreeBSD 13.1

Demo 影片:




步驟:
  1. 到 https://www.freebsd.org/where/ 官網下載需要版本的 installer 檔案。
    我是一般的桌機,使用 amd64 的檔案,下載 13.1 版本
    https://download.freebsd.org/releases/amd64/amd64/ISO-IMAGES/13.1/

    裡面可視自己需要,選擇不同的安裝檔下載:
    • .....-bootonly.iso:最精簡的安裝檔,只含安裝程式, 安裝時需要網路連線來下載所需的檔案以完成安裝。可做成開機光碟。
    • .....-disc1.iso:含有所有安裝 FreeBSD 所需的檔案,包含原始碼及 Port 套件集。可做成開機光碟。
    • .....-dvd1.iso:含有所有安裝 FreeBSD 所需的檔案,包含原始碼及 Port 套件集,也內含熱門的 Binary 套件、視窗管理程式、以及一些應用程式。可做成開機光碟。
    • .....-memstick.img:含有所有安裝 FreeBSD 所需的檔案,包含原始碼及 Port 套件集。可做成 USB 開機隨身碟。
    • .....-mini-memstick.img:類似 -bootonly.iso,需要網路連線。可做成 USB 開機隨身碟。

  2. 我這邊使用 -disc1.iso 的安裝檔。
    下載完,跟 https://download.freebsd.org/releases/amd64/amd64/ISO-IMAGES/13.1/CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64,比對一下雜湊值是否正確
    >certUtil -hashfile D:\download\FreeBSD-13.1-RELEASE-amd64-disc1.iso SHA512
    SHA512 的 D:\download\FreeBSD-13.1-RELEASE-amd64-disc1.iso 雜湊:
    259e034731c1493740a5a9f2933716c479746360f570312ea44ed9b7b59ed9131284c5f9fe8db13f8f4e10f312033db1447ff2900d65bfefbf5cfb3e3b630ba2
    CertUtil: -hashfile 命令成功完成。

  3. 開機畫面,按「Enter」進入安裝程序

  4. 選「Install」開始安裝程序

  5. 選擇鍵盤,一般是預設的標準 US 鍵盤,直接選預設「Continue with default keymap」

  6. 根據實際情況設定 hostname,須是完整的主機名稱,我這邊隨意設為 testserver.example.com

  7. 選擇要安裝的元件。我這邊直接按「Enter」繼續。

  8. 選擇檔案系統格式,我這邊選「ZFS」。
    ZFS 需要較多記憶體,安裝畫面下方說明 ZFS 檔案系統若少於 8GB 記憶體,可參考 https://wiki.freebsd.org/ZFSTuningGuide 調教指南。


  9. 設定 ZFS

    如果直接按「Enter」繼續,會強制到「Pool Type/Disks」設定,進行硬碟規劃設定。
    有 6 種模式,畫面下方會列出該模式至少需多少顆硬碟。
    stripe(至少1顆硬碟)、mirror(至少2顆硬碟)、raid10(至少4顆硬碟)、raidz1(至少3顆硬碟)、raidz2(至少4顆硬碟)、raidz3(至少5顆硬碟)










    如果系統的硬碟不夠用來設定,會提示重選。
    (以下只有1顆硬碟,但故意選需要2顆硬碟的 mirror 進行設定)

    強迫重選「Change Selection」,會跑回原本的設定選單。
    若在設定選單,選擇「Cancel」,會出現「ZFS setup failed」,按「Restart」後,會跑回最初設定鍵盤的步驟。




    我只有一顆硬碟,所以後面選擇 stripe 模式繼續:



    設定好後,選擇「Install」繼續安裝

  10. 最後確定使用的硬碟,會被清空,同意後,便會開始安裝






  11. 設定 root 密碼


  12. 設定網路,這邊只有 IPv4,使用 DHCP






    最後的 Search、DNS 設定,即為 /etc/resolv.conf 裡的設定

  13. 設定時區



  14. 設定時間,直接「Skip」跳過,後面再設定由系統自動校時


  15. 選擇開機要啟動的服務
    加選「ntpdate」、「ntpd」,讓系統自動校時。

  16. 設定安全性選項,這邊直接略過

  17. 是否新增其他使用者,這邊直接略過


  18. 前面的設定,若有想修改的地方,可在這步驟修改,若沒有,按「Exit」繼續

  19. 是否開啟 shell,對前面的設定做最終修改,這邊選「No」繼續

  20. 完成安裝,選「Reboot」重開機







參考: