Setting up the Jails
JonDos GmbH thanks www.secure-internet.org for the right to publish the following article. We have made some changes to it, but the original text was provided by www.secure-internet.org.
We now build the actual jails.
Create a /dev directory inside each jail tree:

mkdir /jails/mix1/dev
mkdir /jails/mix2/dev
Build jail #1 (each of the "make" command lines below runs for a short while):

cd /usr/src
make installworld DESTDIR=/jails/mix1
make distribution DESTDIR=/jails/mix1
mount -t devfs devfs /jails/mix1/dev
Then build jail #2:

make installworld DESTDIR=/jails/mix2
make distribution DESTDIR=/jails/mix2
mount -t devfs devfs /jails/mix2/dev
In principle the jails now exist (but are not running yet). Next we configure them. Configuration is described only for the first of the two jails; repeat it in the same way for the second jail.
Configuring jail #1:
Configuring a jail is done partly from "outside" (from the host system) and partly from inside (from within the running jail). We start with the outside part.
Jails need an /etc/fstab file even if it is empty. Enter:

touch /jails/mix1/etc/fstab
Edit the following files of jail #1 and enter the configuration you need for jail #1. If in doubt, see the examples above for the host system's files and adapt them for the jail where needed:

/jails/mix1/etc/hosts
/jails/mix1/etc/hosts.allow
/jails/mix1/etc/aliases
/jails/mix1/etc/resolv.conf
Regarding /etc/hosts.allow: when the jail is used for a middle mix or an exit mix you could use something like the following lines:

ALL : localhost : allow
ALL : <IP previous mix> : allow
ALL : ALL : deny

The file is evaluated top-down and the first matching line wins, so the deny-all line must stay last. Keep in mind that hosts.allow only covers daemons built with TCP wrappers support (such as the base system's sshd and inetd); it is not a substitute for a packet filter on the host.
Now edit the jail's /etc/rc.conf:

The entries here differ from the ones in the host system's /etc/rc.conf even though the intention is the same. Put the following entries into the jail's /etc/rc.conf:

network_interfaces=""
defaultrouter="220.127.116.11"
sshd_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
mountd_enable="NO"
sendmail_enable="NONE"
syslogd_flags="-ss"
Of course, the IP address you enter for defaultrouter must be the IP address of the host system, since the host acts as the router for the jail, not any other address. NFS, rpcbind and mountd are switched off in advance even though they are probably not present at all; you can leave those lines out.
Save and exit the file.
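As an added example (not part of the original HowTo), the following sh script produces the "outside" part of this configuration for any jail directory, so that jail #2 gets exactly the same settings as jail #1 instead of being typed in twice. The host IP and the previous mix's IP are parameters (the addresses used in the test below are placeholders I chose, not the page's); the jail tree under the given directory is assumed to exist already from make installworld / make distribution. The check function verifies the two points worth verifying before starting the jail: the deny-all rule is the last line of hosts.allow, and none of the daemons the HowTo wants off is enabled.

```shell
#!/bin/sh
# Added example, not from the original HowTo.
# Writes the host-side configuration of a jail: empty /etc/fstab,
# a deny-by-default /etc/hosts.allow and the jail's /etc/rc.conf.
set -eu

# write_jail_config <jaildir> <host_ip> <previous_mix_ip>
write_jail_config() {
    jaildir=$1; host_ip=$2; prev_mix_ip=$3
    mkdir -p "$jaildir/etc"

    # Jails need /etc/fstab even if it is empty.
    : > "$jaildir/etc/fstab"

    # TCP wrappers policy: only the jail itself and the previous mix of the
    # cascade may connect. First matching line wins, so deny-all goes last.
    cat > "$jaildir/etc/hosts.allow" <<EOF
ALL : localhost : allow
ALL : $prev_mix_ip : allow
ALL : ALL : deny
EOF

    # rc.conf for a jail: the host is the jail's router, and nothing is
    # started that needs network or privileges the jail does not have.
    cat > "$jaildir/etc/rc.conf" <<EOF
network_interfaces=""
defaultrouter="$host_ip"
sshd_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
mountd_enable="NO"
sendmail_enable="NONE"
syslogd_flags="-ss"
EOF
}

# check_jail_config <jaildir>
# Returns 0 if fstab exists, the deny-all rule is the last hosts.allow line
# and no unwanted daemon is enabled in rc.conf; returns 1 otherwise.
check_jail_config() {
    jaildir=$1
    [ -f "$jaildir/etc/fstab" ] || return 1
    [ "$(tail -n 1 "$jaildir/etc/hosts.allow")" = "ALL : ALL : deny" ] || return 1
    ! grep -Eq '^(sshd|rpcbind|nfs_server|mountd)_enable="YES"' "$jaildir/etc/rc.conf" || return 1
    grep -q '^sendmail_enable="NONE"$' "$jaildir/etc/rc.conf" || return 1
}
```

On the host you would call it as write_jail_config /jails/mix1 <host IP> <IP previous mix> and then write_jail_config /jails/mix2 ... with the addresses for the second jail, followed by check_jail_config on each directory. The hosts, aliases and resolv.conf files still need to be edited by hand as described above.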
We now start jail #1. Starting jails is done with the following command line:
jail <jaildir> <fqdn> <jail-main-IP> /bin/sh /etc/rc
As an example:
jail /jails/mix1 mix1.yourdomain.tld 18.104.22.168 /bin/sh /etc/rc
Pressing <enter> starts the boot process of the jail. You might see some error messages, but jail #1 will nonetheless be started.
You now need to get inside the jail. To do so you first need to know the jail's "jail ID" (JID). You get an overview of all running jails by entering

jls

The output could look like this:

   JID  IP Address      Hostname              Path
     4  22.214.171.124  mix2.yourdomain.tld   /jails/mix2
     1  126.96.36.199   mix1.yourdomain.tld   /jails/mix1
Of course, at this point you would see only one jail running, and that jail (jail #1) will most probably have JID 1. JIDs are not reused: if you stop and restart a jail it gets a new, higher JID each time. So when we say "jail #1" here it does not mean that jail #1 always has JID = 1; jail #1 is just our first jail in the numbering of this HowTo. Read the JID from jls every time rather than assuming it.
To ENTER the jail, enter the following command line (the number after "jexec" is the jail ID you got from the previous command):
jexec 1 /bin/sh
This starts a shell for you, and you can work with that shell as if you were inside the jail (in fact you ARE in the jail, as the jail's root account). Another example of the jexec command (jexec = jail execute):

jexec 1 ps axu

(to get the list of processes running in the jail)

By the way, running "ps axu" on the host system shows all processes on the machine, no matter whether they run on the host or in a jail. While a jail is up, the host's process list also shows which processes belong to a jail: jailed processes carry a J flag in the STAT column, and ps -o jid prints their JID.
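Since a restarted jail gets a new JID, scripts on the host should never hard-code "jexec 1". The following sh functions, an added example that is not part of the original HowTo, look the JID up from jls output by the jail's path and then run a command in that jail. The lookup reads the jls listing from standard input so it can be exercised against a constructed sample (SAMPLE_JLS below, laid out like the listing above); the jexec_in wrapper is the part you would actually use on the host.

```shell
#!/bin/sh
# Added example, not from the original HowTo.
# Resolve a jail's current JID from jls output instead of assuming it is 1.
set -eu

# jid_for_path <jail path>   (jls output on stdin)
# Prints the JID whose Path column equals the argument.
# Exit status 1 if no running jail has that path.
jid_for_path() {
    awk -v want="$1" '
        NR == 1 { next }                         # skip the header line
        $4 == want { print $1; found = 1; exit } # JID is the first column
        END { exit found ? 0 : 1 }
    '
}

# jexec_in <jail path> <command> [args...]
# Runs a command in the jail mounted at <jail path>, whatever its JID is now.
jexec_in() {
    path=$1; shift
    jid=$(jls | jid_for_path "$path") || {
        echo "jail $path is not running" >&2
        return 1
    }
    jexec "$jid" "$@"
}

# Constructed sample of jls output (same layout as the listing in the HowTo),
# used only for testing jid_for_path without a real jail.
SAMPLE_JLS='   JID  IP Address      Hostname              Path
     4  22.214.171.124  mix2.yourdomain.tld   /jails/mix2
     1  126.96.36.199   mix1.yourdomain.tld   /jails/mix1'
```

With real jails running you would type jexec_in /jails/mix1 /bin/sh to get a shell in jail #1, or jexec_in /jails/mix1 ps axu for its process list; if the jail is not up, the function says so instead of silently running the command in whatever jail happens to have JID 1.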
When you enter the jail with "jexec 1 /bin/sh" you get a standard shell. At this point it is not a Bash and you do not yet have Bash completion, so typing is a bit more work until everything is ready for production use. Once you have installed the Bash in the jail you can alternatively enter the jail with the Bash by typing

jexec 1 /bin/bash
Now move around inside the jail. Enter

pwd

The shell reports "/": the jail's root directory, which is /jails/mix1 from the host system's point of view. Then enter

ifconfig

This should show that your system's IP address is the 229 address (not the 228 address, which belongs to the host).
Please note: when you operate from outside the jail (from the host system) on files within the jail tree, you may later have to adjust ownership and permissions with "chown" and "chmod" from within the jail. Ownership is stored as numeric UID/GID, and the jail's /etc/passwd and /etc/group may map those numbers to different names than the host's. So check the ownership and permissions of any jail files you recently touched from the outside.
We now continue configuring the jail from inside. Enter

passwd

to change the password of the jail's root account. The jail's root account is completely independent of the host system's root account (remember that the jail is a complete Unix userland of its own). Enter

tzsetup

to set the timezone, and

newaliases

to rebuild the mail aliases database from /etc/aliases (the file we edited earlier from outside the jail). Then enter
portsnap fetch
portsnap extract
to get the ports collection available.
We now install the various programs needed. When building the binaries you are sometimes asked for build options; choose the options you want. Where an option is strictly required it is mentioned here.

Enter the following command lines:

cd /usr/ports/ports-mgmt/portaudit
make install
/usr/local/sbin/portaudit -Fda
cd /usr/ports/ports-mgmt/portmaster
make install
cd /usr/ports/shells/bash
make install
ln -s /usr/local/bin/bash /bin/bash

Install portaudit first: "portaudit -Fda" fetches the current vulnerability database and audits what is installed, and once portaudit is present the ports framework refuses to build a port with a known, unfixed vulnerability.
The symlink is only needed because some of the shell scripts for the mix process look for the Bash in /bin/bash instead of /usr/local/bin/bash.
Go on installing further programs, always changing into the right directory first and then running "make install". The lines for the editors are provided in case you want an editor other than vi. Building each of these programs takes a while, and you need to stay near your terminal because you are frequently asked for options.

program                port directory
bash completion        /usr/ports/shells/bash-completion
editor nano            /usr/ports/editors/nano
editor joe             /usr/ports/editors/joe
After installing the Bash you can already change the login shell of your users in the jail. Do not edit /etc/passwd directly: on FreeBSD it is generated from /etc/master.passwd, so use "chsh -s /usr/local/bin/bash <user>" (or vipw, which rebuilds the password database for you). Then leave the jail with <CTRL-D> and re-enter it with

jexec 1 /bin/bash

(if you prefer the Bash and want it as soon as possible).
By the way, leaving the jail with <CTRL-D> does not stop the jail; it of course keeps running. Stopping a jail requires different commands.