
KVMs on FreeBSD

 ·  🎃 kr0m

Accessing KVMs on servers can be problematic even on mainstream systems like Windows or Linux. In this article, we will run the Linux Java binary through FreeBSD's Linux binary compatibility to be able to access 99% of the KVMs on the market without any problems.

We must keep in mind that the linux-oracle-jdk18 port requires access to certain parts of the system. Depending on our security configuration, it is possible that a regular user may not be able to access it. We have two options: disable the security measure or run javaws as root using sudo.

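To disable it, we set the sysctl on the running system and make it persistent in /etc/sysctl.conf. A value of 1 allows every unprivileged process to use the process debugging facilities, not just Java: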

sysctl security.bsd.unprivileged_proc_debug=1

vi /etc/sysctl.conf
security.bsd.unprivileged_proc_debug=1

If we choose the solution using sudo:

vi /usr/local/etc/sudoers.d/kr0m

kr0m ALL=(ALL) NOPASSWD: /usr/local/linux-oracle-jdk1.8.0/bin/javaws
kr0m ALL=(ALL) NOPASSWD: /usr/local/linux-oracle-jdk1.8.0/bin/jcontrol

I personally will use sudo.


Some of the errors that usually occur are:

no ikvm64 in java.library.path
No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Disabling Java as it is too old and likely to be out of date. To reenable use jcontrol utility

The first error occurs because the applet is only compatible with Windows, MacOSX, and Linux, so it looks for binaries that do not exist on FreeBSD. To solve the problem, we have to use the Linux Java binary through FreeBSD's Linux binary compatibility.

We load the Linux compatibility module for both 32 and 64 bits:

kldload linux
kldload linux64

We check that both modules are loaded:

kldstat | grep linux

13    2 0xffffffff8425f000    3df60 linux.ko
24    1 0xffffffff84319000    35b20 linux64.ko

We install the base Linux binaries and libraries:

pkg install emulators/linux_base-c7

We enable compatibility at boot:

vi /etc/rc.conf

linux_enable="yes"

The only way to install Oracle JDK for Linux is through ports since it is restricted software due to licensing issues:

RESTRICTED: Redistribution of repackaged binaries not permitted
A package is not available for ports marked as: Forbidden / Broken / Ignore / Restricted

There is no problem in mixing binary packages and ports in this case because this software is only available through ports, and it is not installed in the system as such, but rather in the directory where the Linux binaries reside.

We install the prerequisites:

pkg install javavmwrapper linux-c7-xorg-libs

Before compiling the port, we need to download a file from the Oracle website:

jdk-8u241-linux-x64.tar.gz

NOTE: The version of the file will change over time. To find out which version is needed, we try to compile the port as indicated a few steps below, and the build will show us the version to download.

We download it to the directory:

/usr/ports/distfiles

We compile and install the linux-oracle-jdk18 port:

cd /usr/ports/java/linux-oracle-jdk18/
make install clean

Java will try to obtain certain information from the system by accessing the Linux proc directory. To make this information available, we need to load the linprocfs module and mount the /compat/linux/proc directory.

We load the linprocfs module:

kldload linprocfs

We edit the fstab:

vi /etc/fstab

linprocfs   /compat/linux/proc   linprocfs   rw   0  0

We mount the directory:

mount /compat/linux/proc

In theory, you can configure the browser to open the file directly with the Linux binary, but I prefer to save the file and open it manually:

/usr/local/linux-oracle-jdk1.8.0/bin/javaws -verbose FILENAME.jnlp

Usually, access to KVM is necessary in some kind of emergency where we need quick access to the server. For this purpose, I use a very simple bash script:

vi javaApplet

#!/usr/bin/env bash

if [ $# -eq 0 ]; then
    echo "ERROR: No arguments supplied" >&2
    exit 1
fi
# Quote the argument so file names with spaces reach javaws intact
sudo /usr/local/linux-oracle-jdk1.8.0/bin/javaws -verbose "$1"

chmod 700 javaApplet

We just have to pass it the filename:

./javaApplet FILENAME.jnlp
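
Because the wrapper runs javaws as root on whatever file it is given, it helps to check where the JNLP will load its code from before launching it. The following is an added example, not part of the original article: it reads the codebase attribute of the JNLP and accepts the file only when the host is one of the expected KVM addresses. The function names and the host kvm01.example.net are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article: vet a downloaded .jnlp before it is
# handed to javaws under sudo. Host names below are constructed placeholders.

# Print the codebase attribute of the <jnlp> element (double-quoted form only).
jnlp_codebase() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*<jnlp[^>]*[[:space:]]codebase="\([^"]*\)".*/\1/p'
}

# Print "scheme host" in lower case; prints nothing for URLs with userinfo,
# IPv6 literals or other shapes, so the caller fails closed.
url_scheme_host() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n \
        's|^\([a-z][a-z0-9+.-]*\)://\([^/:@]*\)\(:[0-9]*\)\{0,1\}\(/.*\)\{0,1\}$|\1 \2|p'
}

# Usage: jnlp_preflight FILE ALLOWED_HOST...
# 0 = allowed host over https, 1 = allowed host but not https,
# 2 = not a regular file, 3 = no usable codebase, 4 = unexpected host.
jnlp_preflight() {
    file=$1; shift
    [ -f "$file" ] || { echo "ERROR: $file is not a regular file" >&2; return 2; }
    pair=$(url_scheme_host "$(jnlp_codebase "$file")")
    [ -n "$pair" ] || { echo "ERROR: no usable codebase in $file" >&2; return 3; }
    scheme=${pair%% *}; host=${pair#* }
    for allowed in "$@"; do
        if [ "$host" = "$allowed" ]; then
            [ "$scheme" = https ] && return 0
            echo "WARNING: $host serves the applet over $scheme" >&2; return 1
        fi
    done
    echo "ERROR: codebase host '$host' is not an expected KVM" >&2; return 4
}

# Write a constructed sample JNLP with the given codebase to the given path.
make_sample_jnlp() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        "<jnlp spec=\"1.0+\"" "      codebase=\"$2\">" \
        '  <security><all-permissions/></security>' \
        '  <resources><jar href="viewer.jar"/></resources>' \
        '</jnlp>' > "$1"
}

# Demo on constructed input; in the wrapper, run javaws only when this returns 0.
demo=$(mktemp) && make_sample_jnlp "$demo" "https://kvm01.example.net:443/"
jnlp_preflight "$demo" kvm01.example.net && echo "OK: codebase host is expected"
rm -f "$demo"
```

In the javaApplet wrapper, the sudo line would be reached only after jnlp_preflight returns 0 for the file and the list of known KVM hosts.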


The second error regarding encryption protocols is solved by allowing all protocols. I know it will be insecure, but it’s better than not being able to access it when there’s an emergency.

We edit the Java configuration file and comment out the statement that disables algorithms. This file applies to every application started with this JRE, not only to the KVM applet:

vi /usr/local/linux-oracle-jdk1.8.0/jre/lib/security/java.security

#jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

The third error can be solved by whitelisting the connection URL:

sudo /usr/local/linux-oracle-jdk1.8.0/bin/jcontrol

We go to the Security tab and add the URLs of the KVMs. It is important to note that we must add both http and https even if the access is https.


Another interesting option is to enable the Java console so that we can see the errors in more detail:
