Using a jail as a virtual machine on 4.x

This article shows you how I created a jail for the OSW website. It runs in a jail on the same system as this website. I originally did this install back in November 2003, and the notes from that session form the basis of this article. I need to recreate the jail now because we recently had an HDD failure.

NOTE: This article applies to FreeBSD 4. I have since written about jail on FreeBSD 5, and that article appears to apply to FreeBSD 6.x just as well. I recommend reading that article rather than this one.

A jail is useful for many purposes. In my case, I wanted to give the OSW project a place to run their websites, mailing lists, etc., while keeping them isolated from the rest of the machine. In short, it gives them a virtual machine, and it gives me peace of mind knowing that I have less to worry about with respect to the rest of the machine.

The main reference for creating a jail is man jail. I followed the instructions listed there under "Setting up a Jail Directory Tree" to create the jail.

Of note, there were two steps I did not follow:

  • I left sendmail (actually, postfix) running. I just changed it so that it did not listen on all IP addresses. This allowed the jail to run its own mail server.
  • I did not specify the portmap_enable="NO" directive, as that is the default setting (see /etc/defaults/rc.conf).

Most daemons will listen on whatever IP addresses are available to them. After starting your jail, if you try to ssh to it, you will not get into it. You'll be in the host environment instead. To get into the jail environment via ssh, you need to:

  • Tell the host environment sshd not to listen on the jail's IP address
  • Run sshd in the jail

Host environment sshd

To alter the host environment sshd so it listens only on host environment IP addresses, modify /etc/ssh/sshd_config and set the IP address for the ListenAddress directive:
ListenAddress 192.168.0.100
Then restart the main sshd process:
kill -HUP `cat /var/run/sshd.pid`
Use telnet to verify that the host environment is not listening on the jail address:
$ telnet 192.168.0.155 22
Trying 192.168.0.155...
telnet: connect to address 192.168.0.155: Connection refused
telnet: Unable to connect to remote host
If you don't get a connection, the host environment is not listening. This assumes that you have not yet started sshd in the jail environment.

Jail environment sshd

To start sshd in the jail environment, add the following line to the jail's /etc/rc.conf:

sshd_enable="YES"

From man jail, to start a jail, issue this command:

[root@mtwenty:/home/dan] # jail /usr/jails/192.168.0.155 osw.example.org 192.168.0.155 /bin/sh
The prompt (#) that follows indicates you are now in the jail environment. Now you can run the startup processes:
$ sh /etc/rc
Loading configuration files.
mdmfs: mdconfig (attach) exited with error code 1
cd: can't cd to ppp
rm: utmp: Permission denied
cp: utmp: Permission denied
/etc/rc.d/cleanvar: cannot create /var/run/clean_var: Permission denied
Setting hostname: undef.unixathome.org.
Generating nsswitch.conf.
eval: cannot create /etc/nsswitch.conf: Permission denied
Generating host.conf.
eval: cannot open /etc/nsswitch.conf: No such file or directory
ln: /dev/log: Operation not permitted
eval: cannot create /var/run/syslogd.sockets: Permission denied
Starting syslogd.
syslogd: child pid 97899 exited with return code 1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
ldconfig: mkstemp(/var/run/ld-elf.so.hints.EO1FRT): Permission denied
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
ldconfig: /var/run/ld.so.hints.QnuzP1cZaF: Permission denied
Starting local daemons:.
Updating motd ... /etc/motd is not writable, update failed.
/etc/rc: WARNING: Setting entropy source to blocking mode.
====================================================
Type a full screenful of random junk to unblock
it and remember to finish with <enter>. This will
timeout in 300 seconds, but waiting for
the timeout without typing junk may make the
entropy source deliver predictable output.

Just hit <enter> for fast+insecure startup.
====================================================
kern.random.sys.seeded: 1
lkajdflkjadsflkjsdfalk; voiusfady 098125 09okjcv lkhq234ou 8g09fuzohj adjf
You don't exist, go away!
You don't exist, go away!
You don't exist, go away!
sendmail_submit: /etc/mail/aliases.db not present, generating
Permission denied (real uid not trusted)
sendmail_clientmqueue: /etc/mail/aliases.db not present, generating
Permission denied (real uid not trusted)
Starting cron.
cron: can't open or create /var/run/cron.pid: Permission denied
Local package initialization:.
/etc/rc.d/msgs: cannot create /var/msgs/bounds: Permission denied
Sun Sep 11 21:05:35 UTC 2005

For the most part, this looks exactly like a normal startup. A few things to note:

  • /etc/fstab - if you see a complaint about this, you didn't do as man jail said. You need to create an empty /etc/fstab file in the jail.
  • adjkerntz - Not sure about this. I know you should comment out the /etc/crontab entry for adjkerntz within your jail environment.
  • sendmail - My host environment does not use sendmail (i.e. I have "NO_SENDMAIL= true" in /etc/make.conf). I think this will go away once I install Postfix within the jail.
  • net.inet.tcp.always_keepalive - I have no idea why this occurs.

I found two interesting tools for starting and stopping jails: sysutils/jailer and sysutils/jailutils. sysutils/jailer is installed in the jail environment; sysutils/jailutils should be installed in the host environment. Using those two tools, I created this start/stop script:

#!/bin/sh
# Start/stop script for the OSW jail.
# start: launch the jail with jailer (from sysutils/jailer, installed inside the jail) as its init.
# stop:  list the running jails with jails and kill each one with killjail (both from sysutils/jailutils, on the host).

case "$1" in
start)
        jail /usr/jails/192.168.0.155 osw.example.org 192.168.0.155 /usr/local/sbin/jailer > /dev/null && echo -n ' jail 192.168.0.155'
        ;;
stop)
        /usr/local/sbin/jails | /usr/bin/xargs /usr/local/sbin/killjail > /dev/null && echo -n ' jail'
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac

exit 0

This is a very limited script. It doesn't check that a jail is already running before starting it. That would be a nice addition. If you want to add it, I look forward to your patch.
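One way to add that check, as an added example rather than the article's own script: the wrapper below refuses to start the jail when it already appears in the running-jail list, and fails closed when that list cannot be obtained. It assumes (not confirmed by the page) that jailutils' jails prints one running jail name per line and that killjail accepts the same names, which is what the article's jails | xargs killjail pipeline relies on.

```shell
#!/bin/sh
# Added example, not the article's script: start/stop wrapper that will not
# start the jail a second time. Assumption: `jails` (sysutils/jailutils) prints
# one running jail name per line, and `killjail` takes those same names.

JAIL_NAME="osw.example.org"
JAIL_IP="192.168.0.155"
JAIL_ROOT="/usr/jails/${JAIL_IP}"
JAILS_CMD="${JAILS_CMD:-/usr/local/sbin/jails}"   # lists running jails

# jail_is_running NAME LISTING: 0 when NAME is a whole line of LISTING.
# grep -x keeps "osw.example.org.uk" from matching "osw.example.org".
jail_is_running() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Fail closed: if the running jails cannot be listed, refuse to act,
# rather than guessing that nothing is running and starting a duplicate.
list_jails() {
    "$JAILS_CMD" 2>/dev/null || { echo "$0: cannot run ${JAILS_CMD}" >&2; return 1; }
}

jail_start() {
    listing=$(list_jails) || return 1
    if jail_is_running "$JAIL_NAME" "$listing"; then
        echo "$0: jail ${JAIL_NAME} is already running, not starting it again" >&2
        return 1
    fi
    jail "$JAIL_ROOT" "$JAIL_NAME" "$JAIL_IP" /usr/local/sbin/jailer > /dev/null \
        && echo -n " jail ${JAIL_NAME}"
}

jail_stop() {
    listing=$(list_jails) || return 1
    if ! jail_is_running "$JAIL_NAME" "$listing"; then
        echo "$0: jail ${JAIL_NAME} is not running" >&2
        return 1
    fi
    # Kill only this jail, not every jail on the host.
    /usr/local/sbin/killjail "$JAIL_NAME" > /dev/null && echo -n " jail ${JAIL_NAME}"
}

if [ $# -gt 0 ]; then
    case "$1" in
        start) jail_start ;;
        stop)  jail_stop ;;
        *) echo "Usage: $(basename "$0") {start|stop}" >&2; exit 1 ;;
    esac
fi
```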


In addition, you might want to add this to the host environment's /etc/sysctl.conf so that processes inside the jail cannot change its hostname:

jail.set_hostname_allowed=0

Under 5.*, this variable has a slightly different name.
