FreeBSD Zabbix monitoring jails

Every server configured by us is monitored via Zabbix. If a server is not monitored, for us it does not exist. More often than not, we first add the to-be-created server in Zabbix and set it up afterward.

If possible, we always use our beloved FreeBSD as a base. FreeBSD offers jails, and we use them a lot. A jail can be one service in a minimal environment or a full-fledged host used by multiple users. Often the host gets its own IP (VNET jail), SSH access, and its own Zabbix agent. But what about monitoring a minimalistic jail running a simple service?

Why FreeBSD

The management overview of why we use FreeBSD:

  • Clear separation of system and applications
  • Manual updates possible, as there are fewer packages
  • ZFS
  • Lean (Mewburn rc vs. systemd)
  • Patches directly from developers (upstream), not from maintainers
  • Diversification; avoids monoculture

Why We Use FreeBSD

I am often asked why we like to use FreeBSD so much. Sometimes I catch myself giving very detailed and theoretical answers. Since that isn’t always the clearest way, here is a practical example.

A Single Sign-On (SSO) solution was to be created for various applications. The components used are:

  • Keycloak
  • PostgreSQL for Keycloak
  • OAuth2-Proxy for applications that don’t support OAuth2 / OIDC
  • A custom web application that provides an overview of all offered applications (Spring Boot, Java).
  • nginx as a reverse proxy

Five different services. In our setup, each service runs in its own jail. The jails are managed with BastilleBSD, a very lightweight jail manager. We use so-called thin jails: they share a common base system, so a typical installation only consumes storage for the installed packages (keycloak, postgres, etc.):
