Setting up the Jails
Latest revision as of 16:37, 30 April 2010
JonDos GmbH thanks www.secure-internet.org for the right to publish the following article. We made some changes in it but the original text was provided by www.secure-internet.org
Setting up the Jails
We now build the actual jails.
Create an additional directory as /dev directory within each jail space
mkdir /jails/mix1/dev
mkdir /jails/mix2/dev
Build jail #1 (each of the „make“ command lines below runs for a short while):
cd /usr/src
make installworld DESTDIR=/jails/mix1
make distribution DESTDIR=/jails/mix1
mount -t devfs devfs /jails/mix1/dev
Then build jail #2:
make installworld DESTDIR=/jails/mix2
make distribution DESTDIR=/jails/mix2
mount -t devfs devfs /jails/mix2/dev
The jails now exist in principle, but they are not running yet. Next we need to configure them. Configuring a jail is described only for the first of the two jails; repeat the same steps for the second jail.
Configuring jail #1:
Configuring a jail is done in parts from „outside“ (from the host system) and in parts from inside (from within a running jail). We start with the outside part.
Jails need an /etc/fstab file, even if the file is empty. Enter:
touch /jails/mix1/etc/fstab
Edit the following files of jail #1 and enter the configuration you need for jail #1. If in doubt, see the examples above for the host system's files and adapt them for the jail where needed:
/jails/mix1/etc/hosts
/jails/mix1/etc/hosts.allow
/jails/mix1/etc/aliases
/jails/mix1/etc/resolv.conf
Regarding /etc/hosts.allow: You could use something like the following lines when using the jail for a middle mix or exit mix:
ALL : localhost : allow
ALL : <IP previous mix> : allow
ALL : ALL : deny
Now edit the jail's /etc/rc.conf:
vi /jails/mix1/etc/rc.conf
The entries here differ from those in the host system's /etc/rc.conf, even though the intention is the same. Have the following entries in the jail's /etc/rc.conf:
network_interfaces=""
defaultrouter="96.137.211.228"
sshd_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
mountd_enable="NO"
sendmail_enable="NONE"
syslogd_flags="-ss"
The IP address to enter as defaultrouter is the IP address of the host system and no other, since the host acts as the router for the jail. NFS, rpcbind and mountd are only disabled as a precaution; they are probably not present at all, so you can leave those lines out.
Save and exit the file.
We now start jail #1. Starting jails is done with the following command line:
jail <jaildir> <fqdn> <jail-main-IP> /bin/sh /etc/rc
As an example:
jail /jails/mix1 mix1.yourdomain.tld 96.137.211.229 /bin/sh /etc/rc
Hitting <enter> starts the boot process for the jail. You might see some error messages, but jail #1 will nonetheless be started.
You now need to get inside the jail. To do so you first need to know that jail's „jail ID“ (JID). You can get an overview of all running jails by entering
jls
or
jls -v
The output could look as follows:
jls
JID IP Address Hostname Path
4 96.137.211.230 mix2.yourdomain.tld /jails/mix2
1 96.137.211.229 mix1.yourdomain.tld /jails/mix1
In your case you would of course see only one jail running so far, and that jail (jail #1) will most probably have JID 1. JIDs increase when you stop and restart a jail; a jail gets a new JID each time it is started. So when we say „jail #1“ here, it doesn't mean that jail #1 always has JID 1. Jail #1 is just our first jail as numbered in this HowTo.
To ENTER the jail now enter the following command line (the number behind „jexec“ is the Jail ID you got from the previous command):
jexec 1 /bin/sh
This starts a shell for you, and you can work with that shell as if you were inside the jail (in fact you ARE in the jail, as the jail's root account). Another example of using the jexec command (jexec = jail execute):
jexec 1 ps axu (to get the process list of the processes running in the jail)
By the way, when running „ps axu“ on the host system you will see all processes running on that machine, no matter whether they run on the host or in any jail. When any jail is up, the process list will also show the JID for each process that runs in a jail.
When you enter the jail by „jexec 1 /bin/sh“ you get a standard shell. At this time it is not Bash, and you do not yet have Bash completion either, so typing is a bit more work until everything is ready for production use. Once you have installed Bash in the jail, you can alternatively enter the jail with Bash by typing
jexec 1 /bin/bash
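As an added example (not from the original article or the secure-internet.org text), a small POSIX sh helper that looks a jail's current JID up in jls output by Path or Hostname, so scripts never hardcode JID 1 after a restart has changed it. It assumes the four-column jls layout shown above and uses a constructed copy of that listing as sample input.

```sh
#!/bin/sh
# Added example, not from the original article: look up a jail's current JID
# from `jls` output by Path or Hostname instead of hardcoding "1", since a
# jail gets a new JID every time it is restarted.
# Assumes the four-column `jls` layout shown above (JID, IP Address, Hostname, Path).

# Constructed sample of `jls` output (same values as the article's listing),
# so the lookup can be exercised on a machine without jails.
SAMPLE_JLS='   JID  IP Address      Hostname               Path
     4  96.137.211.230  mix2.yourdomain.tld    /jails/mix2
     1  96.137.211.229  mix1.yourdomain.tld    /jails/mix1'

# jid_from_jls <path-or-hostname>: reads jls output on stdin and prints the
# JID of the first row whose Hostname ($3) or Path ($4) matches exactly.
# The header line (NR == 1) is skipped. Exit status 1 if no jail matches.
jid_from_jls() {
    awk -v want="$1" '
        NR > 1 && ($3 == want || $4 == want) { print $1; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# jid_for <path-or-hostname>: the same lookup against the live jls(8) output.
jid_for() {
    jls | jid_from_jls "$1"
}

# jail_exec <path-or-hostname> <command...>: run a command in the named jail
# via jexec(8), refusing to run if that jail is not currently up rather than
# ending up in whatever jail happens to hold a guessed JID.
jail_exec() {
    name=$1
    shift
    jid=$(jid_for "$name") || { echo "jail $name is not running" >&2; return 1; }
    jexec "$jid" "$@"
}

# Usage on the host: jail_exec /jails/mix1 /bin/sh
# (equivalent to "jexec 1 /bin/sh" while jail #1 holds JID 1, but still
# correct after a restart has given it a different JID)
```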
Now let's move around within the jail:
Enter
pwd
It will tell you that you are in „/“, the jail's root directory, which equals /jails/mix1 from the host system's point of view.
Enter
ifconfig
That should show that your system's IP address is the .229 address (not the .228 address, which is the host's IP).
Please note: when operating from outside the jail (that is, from the host system) on files within the jail space, you may later have to adjust file ownership and permissions using „chown“ and „chmod“ from within the jail, since users and groups on the host system differ from those within the jail. Check the ownership and permissions of any jail files you recently worked on from the outside.
We need to go ahead configuring the jail from inside. Enter
passwd
to change the password of the jail's root account. The jail's root account is completely independent of the host system's root account (remember that your jail is a complete Unix system of its own).
Enter
tzsetup
to set the timezone.
Enter
newaliases
to update the mail aliases database (we edited the aliases file earlier from outside the jail).
Enter
portsnap fetch
portsnap extract
to get the ports collection available.
We now install the various programs needed. When building, you are sometimes asked for build options; choose the ones you would like. Options that are strictly required will be mentioned here.
Enter the following command lines:
cd /usr/ports/ports-mgmt/portaudit
make install
/usr/local/sbin/portaudit -Fda
cd /usr/ports/ports-mgmt/portmaster
make install
cd /usr/ports/shells/bash
make install
ln -s /usr/local/bin/bash /bin/bash
The symlink command is only needed because some of the shell scripts for the mix process look for Bash in /bin/bash instead of /usr/local/bin/bash.
Go ahead and install further programs, always first entering the right directory and then running „make install“. The lines for the editors are provided in case you want an editor other than Vi. Building each of these programs takes a while, and you need to stay near your terminal because you are often asked for options.
program (port)          directory
bash completion         /usr/ports/shells/bash-completion
Editor nano             /usr/ports/editors/nano
Editor joe              /usr/ports/editors/joe
After installing Bash you could already edit the shell assignment in the jail's /etc/passwd and assign Bash to your users. Then leave the jail with <CTRL-D> and re-enter it through
jexec 1 /bin/bash
(if you prefer Bash and want it as soon as possible)
By the way, leaving the jail via <CTRL-D> doesn't mean the jail has been stopped; it of course still runs. Stopping a jail requires different commands.