DragonFly & FreeBSD Jail configuration
Prepare the host system
Disable some daemons in the host's /etc/rc.conf,
inetd_enable="NO"
rpcbind_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
Note. no services other than ssh, syslog and cron should be running on the host system.
Configure the general jail settings,
jail_enable="YES"
jail_list="jail1"
#jail_set_hostname_allow="NO"
#jail_interface="lnc0"
#jail_devfs_enable="YES"
#jail_procfs_enable="YES"
Note. the jail_list line lists the jails to be started, separated by single spaces.
Force SSHD to listen on host's IP only,
vi /etc/ssh/sshd_config
change,
ListenAddress 10.1.1.3
At this point you should reboot to definitely make the host jail-capable,
shutdown -r now
Prepare the Jail
Mount the Cdrom,
mkdir -p /mnt/cdrom
mount -t cd9660 /dev/cd0c /mnt/cdrom
or upload and mount the ISO,
mdconfig -a -t vnode -f /root/7.0-RELEASE-i386-disc1.iso
mount -v -t cd9660 /dev/md0 /cdrom
Note. to unmount and detach the memory disk (md0 as attached above),
#umount /cdrom
#mdconfig -d -u 0
On FreeBSD
Launch sysinstall and install the distributions sets,
mkdir -p /data/jail1
sysinstall
then,
sysinstall > Custom > Options > Install Root > /data/jail1
sysinstall > Custom > Distributions > Minimal
sysinstall > Custom > Media > File System > /cdrom
sysinstall > Custom > Commit
[Visit the general configuration menu ?] > No
Note. don't do the post-install, it would modify the host, not the guest.
Share a directory between the host and the guest Jail,
mount_nullfs /usr/ports /data/jail1/usr/ports
Note. make sure /usr/ports exists inside the guest before mounting.
On DragonFly
Install,
mkdir -p /data/jail1
cd /data/jail1
cpdup /mnt/cdrom/bin bin
cpdup /mnt/cdrom/dev dev
cpdup /mnt/cdrom/etc.hdd etc
cpdup /mnt/cdrom/sbin sbin
cpdup /mnt/cdrom/usr usr
cpdup /mnt/cdrom/var var
mkdir -p mnt proc root tmp
chmod 1777 tmp
cd dev
sh MAKEDEV jail
Note. the absence of a 'boot' directory makes a jail easy to recognize.
Refs.
/mnt/cdrom/README
Configure a Jail
Add this to the host's rc.conf,
vi /etc/rc.conf
for each jail,
jail_jail1_rootdir="/data/jail1"
jail_jail1_hostname="jail1.example.net"
jail_jail1_ip="10.1.1.91"
ifconfig_lnc0_alias0="inet 10.1.1.91 netmask 255.255.255.255"
#freebsd: jail_jail1_devfs_ruleset="devfsrules_jail"
Create jail's rc.conf,
vi /data/jail1/etc/rc.conf
like,
keymap="fr.iso.acc"
hostname="jail1.example.net"
ifconfig_lnc0="inet 10.1.1.91 netmask 255.255.255.255"
defaultrouter="10.1.1.254"
#freebsd: clear_tmp_enable="YES"
sshd_enable="YES"
sendmail_enable="NO"
#dfly: inetd_flags="-wW -a 10.1.1.91"
rpcbind_enable="NO"
Configure the name resolution and prepare a few things,
cd /data/jail1/etc
cp -f ../usr/share/zoneinfo/Europe/Paris localtime
cp -p /etc/resolv.conf .
vi /etc/hosts && cp -p /etc/hosts .
touch fstab
vi ssh/sshd_config
Create the network address alias and launch the Jail,
ifconfig lnc0 inet 10.1.1.91 netmask 255.255.255.255 alias
/etc/rc.d/jail start
#/etc/rc.d/jail start jail1
#jail /data/jail1 jail1.example.net 10.1.1.91 /bin/csh
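Before starting the jail, it is worth checking that the host-side settings above agree with each other. The POSIX sh script below is an added example, not code from the original page: it reads a host rc.conf, verifies that the jail is in jail_list, that its rootdir exists, that jail_<name>_ip is set and that a host interface alias carries that address with the /32 netmask the page uses. The file paths and the jail1 values it writes are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check the per-jail
# variables in a host rc.conf before /etc/rc.d/jail start is run.
# The jail must be in jail_list, its rootdir must exist, its IP must be set,
# and a host interface alias must carry that IP with a /32 netmask.
# Paths and the jail1 values written by write_sample are constructed data.

rcvar() {  # rcvar FILE NAME -> value of NAME="..." (last definition wins)
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

check_jail() {  # check_jail RCCONF JAILNAME; prints each problem, 0 if none
    rc=$1; j=$2; errs=0
    if ! echo " $(rcvar "$rc" jail_list) " | grep -q " $j "; then
        echo "$j: not listed in jail_list"; errs=$((errs + 1))
    fi
    root=$(rcvar "$rc" "jail_${j}_rootdir")
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "$j: rootdir '$root' is missing"; errs=$((errs + 1))
    fi
    ip=$(rcvar "$rc" "jail_${j}_ip")
    if [ -z "$ip" ]; then
        echo "$j: jail_${j}_ip is not set"; errs=$((errs + 1))
    fi
    alias=$(grep "^ifconfig_.*_alias[0-9]*=\"inet $ip " "$rc" | tail -n 1)
    case $alias in
        "") echo "$j: no interface alias for '$ip'"; errs=$((errs + 1)) ;;
        *"netmask 255.255.255.255"*) ;;
        *) echo "$j: alias for $ip must use netmask 255.255.255.255"
           errs=$((errs + 1)) ;;
    esac
    [ "$errs" -eq 0 ]
}

write_sample() {  # write_sample DIR -> DIR/rc.conf mirroring the page's settings
    mkdir -p "$1/jail1"
    cat > "$1/rc.conf" <<EOF
jail_enable="YES"
jail_list="jail1"
jail_jail1_rootdir="$1/jail1"
jail_jail1_hostname="jail1.example.net"
jail_jail1_ip="10.1.1.91"
ifconfig_lnc0_alias0="inet 10.1.1.91 netmask 255.255.255.255"
EOF
}
# stand-alone run: check the constructed sample, then clean up
d=$(mktemp -d)
write_sample "$d"
check_jail "$d/rc.conf" jail1 && echo "jail1: configuration looks consistent"
rm -rf "$d"
```

Run it against the real /etc/rc.conf with `check_jail /etc/rc.conf jail1` once the functions are sourced.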
Manage Jails
Get into the jail and make sure it has an IP configured,
jls
jexec 1 csh
#jexec 1 login
then within the jail,
ifconfig
passwd root
Note. you can't ping from a jail (raw sockets are not allowed inside a jail by default).
Note. no need for 'tzsetup', we did it by hand above.
And try to SSH to it from the outside.
To stop a jail, from the inside,
sh /etc/rc.shutdown
and then from the host,
/etc/rc.d/jail stop jail1
Enable accf_http on the host if you need to run Apache inside a guest,
echo 'accf_http_load="YES"' >> /boot/loader.conf
To delete a Jail, stop it, remove file flags and delete the whole directory,
/etc/rc.d/jail stop jail1
chflags -R noschg /data/jail1
rm -rf /data/jail1