Setting up the Jails

From JonDonym Wiki
Revision as of 16:37, 30 April 2010 by Kn

JonDos GmbH thanks www.secure-internet.org for the right to publish the following article. We made some changes to it, but the original text was provided by www.secure-internet.org.


We now build the actual jails.

Create an additional directory to serve as the /dev directory within each jail space:

mkdir /jails/mix1/dev
mkdir /jails/mix2/dev

Build jail #1 (each of the "make" command lines below will run for a short while):

cd /usr/src
make installworld DESTDIR=/jails/mix1
make distribution DESTDIR=/jails/mix1
mount -t devfs devfs /jails/mix1/dev

Then build jail #2:

make installworld DESTDIR=/jails/mix2
make distribution DESTDIR=/jails/mix2
mount -t devfs devfs /jails/mix2/dev

In principle, the jails are now created (but not yet running). Next we need to configure them. Configuration is described only for the first of the two jails; do the same for the second jail afterwards.

Configuring jail #1:

Configuring a jail is done partly from "outside" (from the host system) and partly from inside (from within a running jail). We start with the outside part.

Jails need an /etc/fstab file, even though the file can be empty. Enter:

touch /jails/mix1/etc/fstab

Edit the following files of jail #1 and enter the configuration you need for jail #1. If in doubt, see the examples above for the host system's files and adapt them for the jail as needed:

/jails/mix1/etc/hosts
/jails/mix1/etc/hosts.allow 
/jails/mix1/etc/aliases
/jails/mix1/etc/resolv.conf

Regarding /etc/hosts.allow: You could use something like the following lines when using the jail for a middle mix or exit mix:

ALL : localhost 		: allow
ALL : <IP previous mix> 	: allow
ALL : ALL 			: deny

Now edit the jail's /etc/rc.conf:

vi /jails/mix1/etc/rc.conf

The configuration entries here differ from those in the host system's /etc/rc.conf, even where the intention is the same. Put the following entries in the jail's /etc/rc.conf:

network_interfaces=""
defaultrouter="96.137.211.228"
sshd_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
mountd_enable="NO"
sendmail_enable="NONE"
syslogd_flags="-ss"

For defaultrouter you must enter the IP address of the host system, and no other IP address, since the host acts as the router for the jail. NFS, rpcbind and mountd are simply disabled as a precaution, even though they are probably not present at all. You can leave those lines out.

Save and exit the file.
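
An added example, not part of the original article: a host-side check that a jail's rc.conf still carries the entries listed above, which is useful once the same settings have been repeated for jail #2. The helper names and the sample file are constructed for this example; defaultrouter is host-specific and is not checked.

```shell
# Added example: audit a jail's rc.conf from the host (helper names are made up).
# Expected entries from the listing above. A leading "?" marks the lines the
# article calls optional: they may be absent, but must match if present.
EXPECTED='network_interfaces= sshd_enable=NO sendmail_enable=NONE syslogd_flags=-ss
?nfs_server_enable=NO ?rpcbind_enable=NO ?mountd_enable=NO'

# rc_value FILE KEY: print the effective value of KEY. The last assignment wins,
# as it does when rc.conf is sourced. Returns 1 if KEY is never assigned.
rc_value() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]*/, "", line) }
        index(line, key "=") != 1 { next }      # also skips comment lines
        {
            val = substr(line, length(key) + 2)
            sub(/[ \t]*(#.*)?$/, "", val)       # drop a trailing comment
            gsub(/^"|"$/, "", val)              # drop surrounding quotes
            found = 1; last = val
        }
        END { if (found) print last; else exit 1 }' "$1"
}

# audit_rc_conf FILE: print one line per deviation; exit status = their count.
audit_rc_conf() {
    bad=0
    for entry in $EXPECTED; do
        optional=no
        case $entry in \?*) optional=yes; entry=${entry#?} ;; esac
        key=${entry%%=*}; want=${entry#*=}
        if got=$(rc_value "$1" "$key"); then
            [ "$got" = "$want" ] && continue
            echo "$1: $key=\"$got\", expected \"$want\""
        else
            [ "$optional" = yes ] && continue
            echo "$1: $key is not set"
        fi
        bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample: sshd is re-enabled further down, syslogd_flags is missing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
network_interfaces=""
sshd_enable="NO"
sendmail_enable="NONE"
sshd_enable="YES"   # overrides the earlier line
EOF
audit_rc_conf "$SAMPLE" || echo "deviations found: $?"
```

On the host you would point it at /jails/mix1/etc/rc.conf and /jails/mix2/etc/rc.conf. The comparison is exact, so a value such as "no" in lower case is reported as a deviation.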

We now start jail #1. Starting jails is done with the following command line:

jail <jaildir> <fqdn> <jail-main-IP> /bin/sh /etc/rc

As an example:

jail /jails/mix1 mix1.yourdomain.tld 96.137.211.229 /bin/sh /etc/rc

Hitting <enter> will initiate the boot process for the jail. You might see some error messages, but jail #1 will get started nonetheless.

You now need to get inside the jail. To do so, you first need to know that jail's "jail ID" (JID). You can get an overview of all running jails by entering

jls

or

jls -v

The output could look as follows:

 jls
JID  IP Address      Hostname                      Path
4  96.137.211.230  mix2.yourdomain.tld      /jails/mix2
1  96.137.211.229  mix1.yourdomain.tld      /jails/mix1

Of course, at this point you would see only one jail running, and that jail (jail #1) will most probably have JID 1. Jail IDs increase when you stop and restart a jail, so a jail gets a different JID each time. So when we mention "jail #1" here, it does not mean that jail #1 always has JID = 1. Jail #1 is just our first jail in the numbering of this HowTo.

To enter the jail, run the following command line (the number after "jexec" is the jail ID you got from the previous command):

jexec 1 /bin/sh

This will start a shell for you, and you can work with that shell as if you were inside the jail (in fact you ARE in the jail, as the jail's root account). Another example of using the jexec command (jexec = jail execute):

jexec 1 ps axu (to get the process list of the processes running in the jail)

By the way, when running "ps axu" on the host system you will see all processes running on that machine, no matter whether they run on the host or in a jail. If any jail is up, the process list will also contain the JID (for processes running in a jail).
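
Because the JID changes across restarts, scripts on the host should look it up rather than hard-code it. The following added example (not from the original article) resolves the JID from jls output by the jail's path; jid_for_path and enter_jail are names made up here, and the sample output is constructed in the column layout shown above.

```shell
# Added example: find a jail's current JID by its path instead of assuming "1".

# Constructed sample in the jls column layout (JID, IP address, hostname, path).
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     4  96.137.211.230  mix2.yourdomain.tld           /jails/mix2
     1  96.137.211.229  mix1.yourdomain.tld           /jails/mix1'

# jid_for_path PATH: read jls output on stdin and print the JID of the jail
# whose Path column equals PATH exactly (so /jails/mix1 never matches
# /jails/mix10). Returns 1 if no jail matches, 2 if more than one does.
jid_for_path() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $NF == want { jid = $1; n++ }   # header has no numeric JID
        END {
            if (n == 1) { print jid; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# enter_jail PATH: open a shell in the running jail rooted at PATH.
# Only works on the FreeBSD host, where jls and jexec exist.
enter_jail() {
    jid=$(jls | jid_for_path "$1") || {
        echo "no unique running jail at $1" >&2
        return 1
    }
    jexec "$jid" /bin/sh
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_JLS" | jid_for_path /jails/mix1   # prints 1
```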

When you have entered the jail with "jexec 1 /bin/sh" you get a standard shell. At this point it is not Bash, and you do not yet have Bash completion. Typing is a bit more work until we have everything ready for production use. Once you have installed Bash in the jail, you can alternatively enter the jail using Bash by typing

jexec 1 /bin/bash

Now let's move around within the jail:

Enter

pwd

You will be told that you are in "/", which is the jail's root directory and equals /jails/mix1 from the host system's point of view.

Enter

ifconfig

That should tell you that your system's IP address is the 229 IP (not the 228 IP, which is the host's IP).

Please note: when you operate from outside the jail (that is, from the host system) on files within the jail space, you may later have to adjust the file ownership and permissions using "chown" and "chmod" from within the jail, since users/groups on the host system are different from users/groups within the jail. It is best to check the ownership and permissions of any jail files you recently worked on from the outside.

We now continue configuring the jail from inside. Enter

passwd

to change the password of the jail's root account. The jail's root account is completely independent of the root account of the host system (remember that your jail is a complete Unix system of its own).

Enter

tzsetup

to set the timezone.

Enter

newaliases

to update the mail database (we edited the file earlier from outside the jail).

Enter

portsnap fetch
portsnap extract

to get the ports collection available.

We will now install the various programs needed. When building the binaries you are sometimes asked for build options. Choose the options you would like to have. If particular options are required, they will be mentioned here.

Enter the following command lines:

cd /usr/ports/ports-mgmt/portaudit
make install 
/usr/local/sbin/portaudit -Fda
cd /usr/ports/ports-mgmt/portmaster
make install 
cd /usr/ports/shells/bash
make install
ln -s /usr/local/bin/bash /bin/bash

The symlink is only needed because some of the shell scripts for the mix process look for Bash in /bin/bash instead of /usr/local/bin/bash.

Go ahead and install further programs, always first entering the right directory and then executing "make install". The lines for the editors are provided in case you want editors other than vi. Building each of these programs takes some time, and you need to stay near your terminal because you are often asked for options.

program (port)      directory
bash completion     /usr/ports/shells/bash-completion
Editor nano         /usr/ports/editors/nano
Editor joe          /usr/ports/editors/joe

After installing Bash you can already edit the shell assignment in the jail's /etc/passwd and assign Bash to your users. Then leave the jail with <CTRL-D> and re-enter it with

jexec 1 /bin/bash

(if you prefer Bash and want it as soon as possible)

By the way, leaving the jail via <CTRL-D> does not stop the jail; it keeps running. To actually stop a jail, different commands are needed.