Why a New Server?
With the demise of Apple’s Server software and the discontinuation of Intel-based Macs imminent, the time has come to move some of my services away from Mac OS, OS X and macOS. I still run a directory service and MDM solution on an M1-powered Mac mini, but it was getting increasingly difficult to keep the open source DNS server up to date, and I cannot run earlier Mac operating systems acceptably on the M1 processor. I still need file sharing for very old Macintosh computers and an Apple Software Update archive. I run Netatalk on a FreeBSD VirtualBox guest for AFP file sharing, and a NetSUSLP appliance, which specifically requires an Intel-compatible CPU.
The Solution
I have purchased a Hewlett Packard Enterprise ProLiant MicroServer Gen10 Plus. I have also set up a free developer account with Red Hat so that I have a free-to-update, self-supported server operating system that is supported on my little server. I do not recommend running unsupported operating systems on the ProLiant range due to the limited availability of system firmware tools; SUSE Enterprise Linux appears to be supported by the available utilities, although it is not listed as a supported operating system in the server specifications. I can’t see any reason not to also consider Red Hat-compatible systems like AlmaLinux and Rocky Linux.
I have configured my server to run:
- DNS (BIND)
- Virtualization Host (with VirtualBox)
Getting Started
I have installed Red Hat Enterprise Linux 8.3, booting from an ISO file which I wrote to a USB key (LaCie CurrenKey) using the dd command on my iMac. I am using reclaimed hard disks, so I installed Red Hat Enterprise Linux onto the first 1TB drive with automatic partitioning, then set up a separate hard disk for /home. I don’t want to join the disks into one LVM volume group: that slightly increases the risk of failure, and keeping them separate means I can restore just the failed disk rather than the whole system.
Before going any further I need to put SELinux into permissive mode, as it will otherwise complicate the VirtualBox setup later on.
vim /etc/selinux/config # set SELINUX=permissive
shutdown -r now
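The same change made without an interactive editor, as an added example that is not part of the original post. Both functions take the config file path as a parameter so they can be exercised on a constructed copy of the RHEL 8 layout rather than the live /etc/selinux/config; the value written is validated first, so a typo cannot leave the system with an unknown mode.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the SELINUX= line of an
# selinux config file and read it back. Both functions take the file path so
# they can be tested on a constructed copy instead of /etc/selinux/config.

# Print the configured boot-time mode (enforcing, permissive or disabled).
selinux_config_mode() {
    # The last uncommented SELINUX= assignment wins, as it does at boot.
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= to the requested mode, preserving every other line.
# Returns 2 for an unknown mode, 1 if the file has no SELINUX= line, 0 on success.
set_selinux_config_mode() {
    file="$1" mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown SELinux mode: $mode" >&2; return 2 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$file" || return 1
    # Write to a temp file and move it into place so the edit is portable
    # (sed -i differs between GNU and BSD sed) and never leaves a half-written file.
    sed "s/^\([[:space:]]*SELINUX=\).*/\1$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed copy of the stock RHEL 8 /etc/selinux/config for demonstration.
write_sample_selinux_config() {
cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# Demonstration on a temporary copy.
cfg=$(mktemp)
write_sample_selinux_config "$cfg"
echo "before: $(selinux_config_mode "$cfg")"
set_selinux_config_mode "$cfg" permissive
echo "after:  $(selinux_config_mode "$cfg")"
rm -f "$cfg"
```

On the real host the call is `set_selinux_config_mode /etc/selinux/config permissive` followed by the reboot above; `setenforce 0` switches the running kernel immediately but does not survive a reboot. Permissive mode still records AVC denials in the audit log (`ausearch -m avc`), so what VirtualBox actually trips over can be read off later.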
DNS Server (BIND)
Due to the increasing difficulty of compiling newer versions of BIND on macOS without an additional package manager, I plan to move my named (BIND) configuration from “/Library/Server/named/” to the new Red Hat Enterprise Linux server, so that it receives updates automatically with the system via dnf.
- dnf install bind bind-utils
- systemctl enable --now named
- Verify it’s loaded: systemctl status named
- Backup the original ‘named.conf’: cp /etc/named.conf /etc/named.conf.orig
- Get the ‘/Library/Server/named’ folder from the macOS system by issuing a command like the following on the new server: scp -r pmadmin@10.0.1.199:/Library/Server/named ~/ # rndc.key may fail to copy, which is OK as we don’t need it.
- cd named
- Copy the db files to /var/named for example: cp db.1.0.10.in-addr.arpa db.macintosh-rescue.net /var/named
- Now make a .zones file in /etc/named/. I made one called macintosh-rescue.zones with the following text:
// forward zone
zone "macintosh-rescue.net" IN {
    type master;
    file "db.macintosh-rescue.net";
};
// reverse zone
zone "1.0.10.in-addr.arpa" IN {
    type master;
    file "db.1.0.10.in-addr.arpa";
};
- I then edited the /etc/named.conf file, adding some forwarders copied from the macOS Server named.conf file and an include for my /etc/named/macintosh-rescue.zones file:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// acl clients for 10.0.1.*
acl clients { 10.0.1.0/24; };
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    // allow-query { localhost; clients; };
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
    // Stuff copied from macOS Server
    forwarders {
        208.67.222.222;
        208.67.220.220;
        2001:4860:4860::8888;
        2001:4860:4860::8844;
    };
    // End of copy
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Include for Macintosh Rescue zones
include "/etc/named/macintosh-rescue.zones";
- Check for any errors with: named-checkconf # which should return nothing if all is well
- Let clients through the firewall:
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --reload
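The named.conf above keeps `recursion yes;` with `allow-query { any; };` and no `allow-recursion`, which is exactly the combination the comment block in the Red Hat default file warns about: BIND's documented fallback is that, when neither `allow-recursion` nor `allow-query-cache` is set, `allow-query` decides who may recurse. Below is an added example, not part of the original post or of the BIND package, that checks a config file for that pattern and shows the restricted form beside it. It assumes one directive per line, as in the file above, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): flag a named.conf that enables
# recursion for any client. Assumes one directive per line; // line comments
# are stripped, /* */ block comments are not (the stock block comment holds
# no directives, so it does not affect the result).

# Print "open-recursive" and return 0 when recursion is on, queries are
# accepted from any address, and no narrower recursion ACL is set;
# otherwise print "restricted" and return 1.
audit_named_conf() {
    # Drop // comments so commented-out directives are not counted.
    body=$(sed 's|//.*$||' "$1")
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' &&
       printf '%s\n' "$body" | grep -Eq '^[[:space:]]*allow-query[[:space:]]*[{][[:space:]]*any[[:space:]]*;[[:space:]]*[}]' &&
       ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*allow-(recursion|query-cache)[[:space:]]*[{]'; then
        echo open-recursive
        return 0
    fi
    echo restricted
    return 1
}

# Constructed options block mirroring the post's named.conf (weak form).
write_weak_conf() {
cat > "$1" <<'EOF'
acl clients { 10.0.1.0/24; };
options {
    directory "/var/named";
    // allow-query { localhost; clients; };
    allow-query { any; };
    recursion yes;
    forwarders { 208.67.222.222; 208.67.220.220; };
};
EOF
}

# The same block with the clients ACL applied to both queries and recursion.
write_hardened_conf() {
cat > "$1" <<'EOF'
acl clients { 10.0.1.0/24; };
options {
    directory "/var/named";
    allow-query { localhost; clients; };
    allow-recursion { localhost; clients; };
    recursion yes;
    forwarders { 208.67.222.222; 208.67.220.220; };
};
EOF
}

# Demonstration on temporary copies of both forms.
workdir=$(mktemp -d)
write_weak_conf "$workdir/weak.conf"
write_hardened_conf "$workdir/hardened.conf"
for name in weak hardened; do
    printf '%s.conf: %s\n' "$name" "$(audit_named_conf "$workdir/$name.conf")"
done
rm -rf "$workdir"
```

Run `audit_named_conf /etc/named.conf` after editing, then `named-checkconf` and `systemctl reload named` as in the steps above. The firewall-cmd rules open port 53 to every interface in the public zone, so the ACL inside named.conf is what actually limits recursion to 10.0.1.0/24.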
DNS Should Now Be Working!
I tested my configuration by pointing a virtual machine’s DNS resolver manually at the server’s IP address and pinging some local and external addresses. Once I’d verified that the DNS server worked I rebooted the server to make sure the service started as expected.
To finish off I set my router to hand out the new DNS server’s address via DHCP, which needs to be done for both IPv4 and IPv6. I have now removed BIND from the macOS Server.
Virtualization Host
To run my local Apple Software Update mirror with NetSUSLP I need to use VirtualBox. I tried importing the OVA appliance into libvirt (Red Hat’s supplied virtualisation solution) but had many issues. Red Hat also offers very limited guest OS support compared with VirtualBox, making VirtualBox my best solution.
Install VirtualBox
- Enable Extra Packages for Enterprise Linux:
subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
- wget -q https://www.virtualbox.org/download/oracle_vbox.asc
- rpm --import oracle_vbox.asc
- vim /etc/dnf/dnf.conf
- Add the following:
[virtualbox]
name=Oracle Linux / RHEL / CentOS-$releasever / $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/el/$releasever/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc
- dnf install gcc make perl elfutils-libelf-devel
- dnf install kernel-devel kernel-devel-4.18.0-305.7.1.el8_4.x86_64
- dnf install VirtualBox-7.1
- /sbin/vboxconfig
- VBoxManage import NetSUSLP_5.0.2.ova
- VBoxManage startvm vm --type=headless # to check that it works
- ssh into the virtual machine and shut it down gracefully
- vim /etc/default/virtualbox
- Enter the following:
VBOXAUTOSTART_DB=/etc/vbox
VBOXAUTOSTART_CONFIG=/etc/vbox/autostart.cfg
- mkdir /etc/vbox
- vim /etc/vbox/autostart.cfg
- Enter the following:
# Default policy is to deny starting a VM, the other option is "allow".
default_policy = deny
# Andrew is allowed to start virtual machines but starting them
# will be delayed for 10 seconds
andrewread = {
allow = true
startup_delay = 10
}
- chgrp vboxusers /etc/vbox
- chmod 1775 /etc/vbox
- usermod -aG vboxusers andrewread
- Enable the autostart service with: systemctl enable --now vboxautostart-service
- Log out of root, then log back in as the non-root user
- VBoxManage setproperty autostartdbpath /etc/vbox
- VBoxManage modifyvm vm --autostart-enabled on
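The autostart.cfg format above has two layers: a default_policy that applies to every account, and optional per-user blocks whose allow setting overrides it. The script below is an added example, not part of the original post or of VirtualBox, that resolves the verdict for a given user from such a file, so the policy can be confirmed before a VM is left depending on it. The sample config is constructed: it copies the andrewread block from the post and adds a hypothetical `guest` account that is explicitly denied.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate /etc/vbox/autostart.cfg
# for one user. Assumes the one-setting-per-line layout shown above:
# "default_policy = allow|deny" plus optional "user = { allow = true|false ... }".

# Print "allow" or "deny" for user $2 according to config file $1.
autostart_verdict() {
    awk -v user="$2" '
        /^[ \t]*#/ { next }                                  # skip comments
        $1 == "default_policy" { def = $3 }
        $1 == user && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}" { inblock = 0 }
        inblock && $1 == "allow" { explicit = $3 }           # per-user override
        END {
            verdict = (def == "allow") ? "allow" : "deny"     # deny unless stated
            if (explicit != "") verdict = (explicit == "true") ? "allow" : "deny"
            print verdict
        }
    ' "$1"
}

# Constructed sample: the post's config plus a hypothetical denied account.
write_autostart_cfg() {
cat > "$1" <<'EOF'
# Default policy is to deny starting a VM, the other option is "allow".
default_policy = deny
# andrewread may start virtual machines, delayed by 10 seconds
andrewread = {
    allow = true
    startup_delay = 10
}
# guest (hypothetical) is blocked regardless of the default
guest = {
    allow = false
}
EOF
}

# Demonstration on a temporary copy.
cfg=$(mktemp)
write_autostart_cfg "$cfg"
for u in andrewread guest root; do
    printf '%-12s %s\n' "$u" "$(autostart_verdict "$cfg" "$u")"
done
rm -f "$cfg"
```

Against the live file the call is `autostart_verdict /etc/vbox/autostart.cfg "$USER"`; a `deny` result for the account that ran `VBoxManage modifyvm ... --autostart-enabled on` means the VM will not come up at boot even though the flag is set.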
VirtualBox Server Virtualisation Enabled
Whenever the system starts, all autostart-enabled virtual machines will boot, ready to provide their services. I am currently running two virtual servers: FreeBSD providing AppleTalk services (for very old Macintosh computers), and NetSUSLP, an appliance I downloaded which can mirror Apple Software Update catalogs, serve the updates locally, provide file sharing and even host NetBoot images.