FreeBSDJail

External Pointers

• http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/jail.html
• http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8
• http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=2
• http://memberwebs.com/nielsen/freebsd/jails/
• http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html
• http://docs.freebsd.org/44doc/papers/jail/jail.html
• http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail
• http://www.the-labs.com/FreeBSD/JailTools/cookbook.html
• http://www.freebsddiary.org/jail-5.php

Internal Pointers

• FreeBSD
• FreeBSDUpgrade - my procedures for upgrading my freebsd boxen and jails
• FreeBSDCluster

Starting up

    /etc/rc.d/jail start
    /etc/rc.d/jail stop
    /etc/rc.d/jail start myjail
    /etc/rc.d/jail stop myjail

    ifconfig dc0 inet alias 192.168.1.99/32
    mount -t procfs proc /export/mirror01/cluster/jail/proc
    mount -t devfs dev /export/mirror01/cluster/jail/dev
    jail /export/mirror01/cluster/jail geektank 192.168.1.99 /bin/sh /etc/rc

    ifconfig dc0 inet delete 192.168.1.99

Maintenance

• mount_nullfs /usr/ports $JAILDIR
• jls
• jexec <jid> /bin/sh
• killall -j <jid>
• jexec [jid] /bin/kill -9 -1

Copy an existing jail

• shut down jail

    mkdir /usr/jail/new
    cd /usr/jail/old
    tar -cpf - . | tar -C /usr/jail/new -xpf -

alternate solution

• install /usr/ports/sysutils/cpsup

# cpdup /jail/directory /newjail/directory
# jail /newjail/directory newjail.hostname newjailip /bin/sh /etc/rc

Initial Filesystem Setup

• see: man jail

    cd /usr/src
    mkdir -p /export/mirror01/cluster/jail
    make -j4 world DESTDIR=/export/mirror01/cluster/jail
    make -j4 distribution DESTDIR=/export/mirror01/cluster/jail
    mount_devfs devfs /export/mirror01/cluster/jail/dev

• added -j4 param - Sun Dec 18, 2005 3:44 pm
• Next: Delete a ton of stuff that isn't needed...

Automatic Startup

• /etc/rc.conf - see jail_* params
• configure virtual interface
• mount devfs and procfs for jail automatically
• add ifconfig aliases that are defined for jails

  ifconfig_dc0_alias0="inet 192.168.1.y netmask 0xffffffff"
  ifconfig_dc0_alias1="inet 192.168.1.z netmask 0xffffffff"
  

service IP Addresses

Configure all services on the host and jails to the proper interface.

• Configure /etc/ssh/sshd_config to listen on correct interface

    ListenAddress 192.168.1.x
  

• Configure /usr/local/etc/apache??/httpd.conf to listen on correct interfaces

    Listen 192.168.1.x:80
  

• Configure /etc/namedb/named.conf

    listen-on       { 192.168.1.x; };

Configuring the jail

    jail /path/to/jail testhostname 192.168.11.100 /bin/sh

    # example:
    jail /export/mirror01/cluster/jail geektank.subaudi.net 192.168.1.99 /bin/sh

• /usr/sbin/sysinstall
• Create an empty /etc/fstab
• Disable the port mapper (/etc/rc.conf: rpcbind_enable="NO")
• Configure /etc/resolv.conf
• Disable sendmail in /etc/rc.conf
• Run newaliases(1) to quell sendmail(8) warnings
• Disable interface configuration to quell startup warnings about ifconfig(8) (network_interfaces="")
• Set a root password, probably different from the real host system
• Set the timezone
• Add accounts for users in the jail environment
• Install any packages the environment requires

Installing ports

    # build on the main system:

    $ cd /var/db/pkg/fontconfig-2.2.0/
    $ pkg_create -v -c +COMMENT -d +DESC -f +CONTENTS -m +MTREE_DIRS ~/fontconfig-2.2.0.tgz

Nagios

If you run NagioS inside a FreeBSDJail, the default check_ping won't work since, at this time, it isn't a good idea to enable ping in a jail. I used some code I found on the web to create this tcp ping replacement for check_ping.

Note that some servers or other devices may not respond to a tcp ping.