
Managing Jails

General Information

This document is an introduction to basic FreeBSD jails, also called ‘fat jails’. We discuss an easy jail installation process, do some basic jail configuration and show you how to manage the jail environment. This document will not cover building ‘chroot jails’ inside a jail.

Requirements

Basic knowledge of FreeBSD

Root access

Read up on jails – see the references at the end of the document

Installation

Before we start: the machine which will run the jails is referred to as the ‘host’. The jails are built and configured from the host. Every individual jail runs the desired services. The host’s own services are kept to a minimum; running syslogd and sshd should be enough.

Jail Location

Determine where you want to install the jail(s). Throughout the document /usr/jails will be used. As an example we will install a web server in the jail, so let us take /usr/jails/webserver1 as the location for the web server.
cd /usr/
mkdir jails
cd jails
mkdir webserver1
sysinstall

In the menu select ‘Custom’.

Choose ‘2 Options’ and navigate to ‘Install Root /’. When selected, press the spacebar and change ‘/’ to ‘/usr/jails/webserver1’. Press ‘q’ to quit the options menu.

Go to ‘5 Distributions’ and select ‘A Minimal’.

Then choose ‘6 Media’ to pick the medium from which the jail’s base installation will be installed.

When done, select ‘7 Commit’.
Don’t visit the general configuration menu: every option you edit in the configuration menu is executed on your host, not in the jail. Exit the installation menu and return to your host’s shell.
# cd /usr/jails/webserver1
# ls
.cshrc           boot          libexec        rescue         tmp
.profile         dev           media          root           usr
COPYRIGHT        etc           mnt            sbin           var
bin              lib           proc           sys
#
 
We have to edit and create some configuration files in order to make our jail(s) work.

Host – rc.conf

hostname="host"
ifconfig_rl0="inet 10.0.0.10 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 10.0.0.20 netmask 255.255.255.255"
inetd_enable="NO"
# if you need inetd services on the host, uncomment the inetd lines
#inetd_enable="YES"
#inetd_flags="-wW -a 10.0.0.10"
rpcbind_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
syslogd_enable="YES"
# rc.conf is sourced by sh, so only the last syslogd_flags assignment takes effect.
# "-ss" would stop syslogd from listening on any address; instead we restrict it
# to the host and jail addresses with -a.
#syslogd_flags="-ss"
syslogd_flags="-a 10.0.0.10 -a 10.0.0.20"
keymap="us.iso"
sshd_enable="YES"
# Jail general settings
jail_set_hostname_allow="NO"
jail_enable="YES"
jail_list="webserver1"
jail_interface="rl0"
jail_devfs_enable="YES"
jail_procfs_enable="YES"
# settings per jail listed in jail_list
jail_webserver1_rootdir="/usr/jails/webserver1"
jail_webserver1_hostname="webserver1"
jail_webserver1_ip="10.0.0.20"
jail_webserver1_devfs_ruleset="devfsrules_jail"
 
The host’s rc.conf consists of two blocks: the config for the host and the config for the jails. The jail block consists of two subcategories: the general jail config and the per-jail config.

Corresponding to the sections ‘Setting up the host environment’ and ‘Configuring the jail’ of the jail(8) manual page, we have to create IP aliases, edit the super-server daemon (in this scenario inetd is disabled), disable the portmapper and disable sendmail. Specifying the syslogd flag –ss disables remote logging and syslogd will not listen on any IP address. Instead, we want syslogd to listen to specific socket addresses by enabling the –a flag.

The next rc.conf block is about the jails. Read the manual page rc.conf(5) for all the jail options and jail(8) for their configuration and use. Note that there are several sysctl management entries you can alter, and configuration defaults aren’t listed in the provided rc.conf. Check out ‘/usr/share/examples/etc/defaults/rc.conf’ for a complete survey. The first system control line you encounter is ‘jail_set_hostname_allow="NO"’. This option affects all jails and has to be stated before any jail is started. It allows or disallows jail processes changing the jail’s hostname. This affects management tools relying on the jail information in /proc. The option should be disabled like this if you are giving out root access to untrusted users in the jail.

Through the ‘jail_list’ variable, the host knows and starts the listed jails. For example ‘jail_list="webserver1 database dns"’.
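As an added example (not part of the original article), the following POSIX shell script checks the jail block of a host rc.conf before a reboot. It flags variables assigned more than once (rc.conf is sourced by sh, so only the last assignment takes effect) and reports every jail named in jail_list that lacks its rootdir, hostname or ip setting. The rc.conf text is constructed for this demonstration and contains a deliberate duplicate syslogd_flags assignment and an incomplete ‘database’ jail; the function names are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the jail settings in an rc.conf.
# The rc.conf contents below are constructed for the demo (hypothetical host).
RC_SAMPLE=$(cat <<'EOF'
hostname="host"
syslogd_enable="YES"
syslogd_flags="-ss"
syslogd_flags="-a 10.0.0.10"
jail_enable="YES"
jail_list="webserver1 database"
jail_webserver1_rootdir="/usr/jails/webserver1"
jail_webserver1_hostname="webserver1"
jail_webserver1_ip="10.0.0.20"
jail_database_rootdir="/usr/jails/database"
EOF
)

# Print each variable name that is assigned more than once in the rc.conf text ($1).
# Comment lines start with '#' and never match the assignment pattern.
duplicate_keys() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' |
        sort | uniq -d
}

# Effective value of variable $1 in rc.conf text $2: the last assignment wins,
# exactly as it does when sh sources the file. Surrounding quotes are stripped.
rc_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" |
        tail -n 1
}

# For every jail in jail_list, print "jail:setting" for each missing
# jail_<name>_rootdir / _hostname / _ip variable. Empty output means all is well.
missing_jail_settings() {
    rc="$1"
    for j in $(rc_value jail_list "$rc"); do
        for s in rootdir hostname ip; do
            [ -n "$(rc_value "jail_${j}_${s}" "$rc")" ] ||
                printf '%s:%s\n' "$j" "$s"
        done
    done
}

# On a real host: RC=$(cat /etc/rc.conf); duplicate_keys "$RC"; missing_jail_settings "$RC"
echo "variables assigned more than once:"
duplicate_keys "$RC_SAMPLE"
echo "effective syslogd_flags: $(rc_value syslogd_flags "$RC_SAMPLE")"
echo "missing per-jail settings:"
missing_jail_settings "$RC_SAMPLE"
```

Run it against the sample and it reports syslogd_flags as a duplicate, shows that only "-a 10.0.0.10" survives, and lists database:hostname and database:ip as missing; the jail rc script would otherwise start that jail with an empty hostname and IP.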

Webserver1 – rc.conf

hostname="webserver1"
ifconfig_rl0="inet 10.0.0.20 netmask 255.255.255.255"
defaultrouter="10.0.0.1"
rpcbind_enable="NO"
clear_tmp_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"

When you enable sshd, specify the ListenAddress in /etc/ssh/sshd_config. The ListenAddress will be 10.0.0.20 for ‘webserver1’.

Webserver1 – resolv.conf

If your host already has an internet connection, you can copy the host’s DNS information to webserver1.
# cp /etc/resolv.conf /usr/jails/webserver1/etc/resolv.conf
This should be sufficient to start the jailed environment. There are more ways to execute a jail; this document keeps it simple.
Reboot the host system or execute on the host:
# /bin/sh /etc/rc
Let us see if the jail and its network are up and running by using the commands ‘jls’ (jail list) and ‘ping’. Jail ID 0 equals the host.
# jls
   JID  IP Address      Hostname      Path
     1  10.0.0.20       webserver1    /usr/jails/webserver1
# ping -c 3 10.0.0.20
PING 10.0.0.20 (10.0.0.20): 56 data bytes
64 bytes from 10.0.0.20: icmp_seq=0 ttl=64 time=0.324 ms
64 bytes from 10.0.0.20: icmp_seq=1 ttl=64 time=0.222 ms
64 bytes from 10.0.0.20: icmp_seq=2 ttl=64 time=0.220 ms

--- 10.0.0.20 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.220/0.255/0.324/0.049 ms
#

We can ping the jail environment from the host or from another machine, but inside a jail only the TCP/IP version 4 protocol is supported.

Jail configuration

Some basic jail configuration: creating an empty fstab, setting a root password, adding a user and setting the timezone.
When adding the first user, invite him to the wheel group: root can’t log in to the jail when logging in from the host.
The command ‘jexec’ (jail execute) is used as follows:
jexec <jail ID> <command to execute in the jail>

jexec 1 touch /etc/fstab
jexec 1 passwd
jexec 1 adduser
jexec 1 tzsetup
At this point we can log in to the jail with a non-root account and look around.
# jexec 1 login
$ su
# exit
$ exit
#
 
If you didn’t add a user who can become root through adduser, this is an alternative method. Spawn the root shell of the jail, open its group file and add the desired user to the wheel group. Exit the jail and log in to the jail again using ‘login’.
jexec 1 /bin/sh
ee /etc/group
exit
jexec 1 login
To enable remote administration, edit the jail’s sshd_config to your needs and restart sshd. There is at least one option in the sshd_config file you have to alter: the ‘ListenAddress’ has to be set to the corresponding jail IP address.
/etc/rc.d/sshd stop
ee /etc/ssh/sshd_config
/etc/rc.d/sshd start
exit
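The ListenAddress requirement stated for the jail’s rc.conf and repeated here is easy to verify. The POSIX shell script below is an added example, not part of the original article: it reads the jails from jls-style output, checks that the host’s sshd_config and each jail’s sshd_config carry an explicit ListenAddress equal to the expected IP, and reports a missing or wildcard ListenAddress (a host sshd bound to every address would also claim port 22 on the jail alias 10.0.0.20, and the jail’s sshd could then not bind). The jls output and both sshd_config files are constructed for the demonstration; on a real host the jail’s file is read from <jail path>/etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: audit sshd ListenAddress settings on the host and in each jail.
# All data below is constructed for the demo (hypothetical host at 10.0.0.10).
JLS_SAMPLE='   JID  IP Address      Hostname      Path
     1  10.0.0.20       webserver1    /usr/jails/webserver1'

HOST_SSHD_CONFIG='Port 22
#ListenAddress 0.0.0.0
ListenAddress 10.0.0.10
PermitRootLogin no'

# The jail's file still has the default commented-out ListenAddress.
JAIL_SSHD_CONFIG='Port 22
#ListenAddress 0.0.0.0
PermitRootLogin no'

# Print the effective ListenAddress values of an sshd_config text ($1).
# Comment lines are skipped because "#ListenAddress" is not the keyword; sshd keywords are case-insensitive.
listen_addresses() {
    printf '%s\n' "$1" | awk 'tolower($1) == "listenaddress" { print $2 }'
}

# check_listen NAME EXPECTED_IP CONFIG_TEXT: prints one status line, returns 1 on a problem.
check_listen() {
    name="$1"; expected="$2"; config="$3"
    addrs=$(listen_addresses "$config")
    if [ -z "$addrs" ]; then
        echo "$name: no ListenAddress, sshd would bind every address including other jails' IPs"
        return 1
    fi
    for a in $addrs; do
        case "$a" in
            "$expected") ;;
            0.0.0.0|::|'*') echo "$name: wildcard ListenAddress $a"; return 1 ;;
            *) echo "$name: ListenAddress $a is not $expected"; return 1 ;;
        esac
    done
    echo "$name: ListenAddress $expected ok"
}

# On a real host this would be: cat "$1/etc/ssh/sshd_config" (with $1 the jail path).
jail_sshd_config() {
    printf '%s\n' "$JAIL_SSHD_CONFIG"
}

# Check the host and every jail in the jls listing; one status line per sshd.
audit_all() {
    check_listen host 10.0.0.10 "$HOST_SSHD_CONFIG" || true
    printf '%s\n' "$JLS_SAMPLE" | awk 'NR > 1 { print $1, $2, $3, $4 }' |
    while read -r jid ip jname path; do
        check_listen "$jname" "$ip" "$(jail_sshd_config "$path")" || true
    done
}

# Number of sshd configurations that failed the check.
audit_failures() {
    audit_all | grep -vc ' ok$' || true
}

audit_all
echo "failing configurations: $(audit_failures)"
```

With the sample data the host passes and webserver1 is reported for a missing ListenAddress, which is exactly the state of a jail whose sshd_config has not yet been edited as described above.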
Starting and stopping jails:
/etc/rc.d/jail start
/etc/rc.d/jail stop
You can start and stop jails separately by specifying the jail’s name. For example:
/etc/rc.d/jail start webserver1
/etc/rc.d/jail stop webserver1

Installing a service

Let us continue and install a web server through the host’s ports collection. Installing the ports collection inside a jail is unnecessary, but checking installed ports for known vulnerabilities is of course necessary. We will mount the host’s ports tree into our jailed environments and unmount the host’s /usr/ports and /usr/src from them when done.

The ‘webserver1’ jail has no ports directory at the moment; we have to create the directory.
jexec 1 mkdir /usr/ports
mount_nullfs /usr/ports /usr/jails/webserver1/usr/ports
mount_nullfs /usr/src /usr/jails/webserver1/usr/src
jexec 1 login
su
cd /usr/ports/ports-mgmt/portaudit
make install distclean
/usr/local/sbin/portaudit -Fda
cd ../../www/apache22
make install distclean
echo 'apache22_enable="YES"' >> /etc/rc.conf
For simplicity we add the IP address as ServerName in the configuration file of httpd. Then we will try to fire it up.
ee /usr/local/etc/apache22/httpd.conf

ServerName 10.0.0.20

# /usr/local/sbin/apachectl start
When you start the Apache web server, you can get the following error:
[warn] (2)No such file or directory: Failed to enable the 'httpready' Accept Filter

You have to enable the accf_http module on the host, not in the jailed environment: you can’t load kernel modules from inside a jail.
Add the line ‘accf_http_load="YES"’ to the /boot/loader.conf of your host. The loader.conf entry takes effect at the host’s next boot; to load the module without rebooting the host, run kldload accf_http on the host.
# echo 'accf_http_load="YES"' >> /boot/loader.conf
When you check the host’s processes, look at the STAT column. Every process listed with a ‘J’ attached to its state is a jailed process.
Now shut down the jail, restart it and then check again whether the web server is up and running.
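Picking the jailed processes out of ps output, as the paragraph above describes, is a useful routine check on the host: a service that should only ever run inside a jail must always show the J flag. The POSIX shell script below is an added example, not part of the original article; the ps listing is constructed for the demonstration (on a real host, pass the output of ps aux instead) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: find jailed processes via the J flag in ps(1)'s STAT column.
# The listing below is constructed for the demo; `ps aux` on the host gives the same layout.
PS_SAMPLE='USER    PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root    412  0.0  0.4  3184  1420  ??  Ss   10:01AM 0:00.03 /usr/sbin/syslogd -a 10.0.0.10 -a 10.0.0.20
root    531  0.0  0.7  5860  2740  ??  Is   10:01AM 0:00.01 /usr/sbin/sshd
root    640  0.0  0.3  3184  1200  ??  SsJ  10:02AM 0:00.02 /usr/sbin/syslogd -ss
root    655  0.0  0.7  5860  2700  ??  IsJ  10:02AM 0:00.01 /usr/sbin/sshd
www     702  0.0  1.9 13460  7200  ??  IJ   10:03AM 0:00.05 /usr/local/sbin/httpd -k start
root    800  0.0  0.2  2560   900  p0  R+   10:05AM 0:00.00 ps aux'

# Print "PID COMMAND" for every process whose STAT field (column 8) contains J.
# The header line (NR == 1) is skipped.
jailed_processes() {
    printf '%s\n' "$1" | awk 'NR > 1 && index($8, "J") { printf "%s %s\n", $2, $11 }'
}

# Number of jailed processes in the listing.
jailed_count() {
    jailed_processes "$1" | wc -l | tr -d ' '
}

# Print "PID COMMAND" for processes NOT flagged J whose command matches pattern $2.
# Use it for services that belong in a jail only: any hit is running on the host itself.
unjailed_matching() {
    printf '%s\n' "$1" |
        awk -v pat="$2" 'NR > 1 && index($8, "J") == 0 && $11 ~ pat { printf "%s %s\n", $2, $11 }'
}

# On a real host: PS=$(ps aux); jailed_processes "$PS"; unjailed_matching "$PS" httpd
echo "jailed processes:"
jailed_processes "$PS_SAMPLE"
echo "count: $(jailed_count "$PS_SAMPLE")"
echo "httpd instances running outside a jail (expect none):"
unjailed_matching "$PS_SAMPLE" httpd
```

In the sample, the jail’s syslogd, sshd and httpd carry the J flag while the host’s syslogd and sshd do not, so unjailed_matching for httpd prints nothing and for sshd prints only the host’s daemon.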

Conclusion

The jail environment is just a virtual box with extra features for free.
