About Jail

Hi, I set up FreeBSD on an old desktop which is currently connected to a router, where it gets its internet. So my base FreeBSD is:

base FreeBSD hostname: concept@192.168.1.1
base FreeBSD home network ip: 192.168.1.100
base FreeBSD interface: vr0

I have set up a jail in /usr/jails/ and added this to my base FreeBSD rc.conf:

Code:
jail_newjail_rootdir="/usr/jails/newjail"
jail_newjail_hostname="newjail@concept.192.168.1.1"
jail_newjail_ip="192.168.1.101"
Do I need to make another rc.conf for the jail and enable sshd to be able to ssh to the jail's IP? Thanks.
 
Okay, I can ssh to the jail's IP now, but I can't log in to the root account or user account of the jail. How or where do I make account credentials for the jail?
 
Think of the jail as a separate machine. You just installed a clean FreeBSD on it. How many user accounts are there by default?
 
I think I got it now, I just have to find out the rules for jail users and passwd creation. Now I have a couple of questions..

1. How do I remove a jail completely? All I know is rm -rf, which I guess wouldn't work for removing a jail.
2. Is it more secure if I make a jail for each service? e.g. www/mails/ircd?

Thanks a lot in advance!
 
concept said:
1. How do I remove a jail completely? All I know is rm -rf, which I guess wouldn't work for removing a jail.
Why wouldn't it work? Just make sure the jail isn't running when you do.

2. Is it more secure if I make a jail for each service? e.g. www/mails/ircd
It usually is. It's usually a Good Thing(tm) to compartmentalize.
 
I have an old_jail which I tried to remove with rm -rf but it gave me something like a permission denied error. I'm pretty sure I was root when I did it. Anyway, I tried to delete the /usr/jails dir and not just the jailname dir and it worked. Do I need to do something more or is it completely removed already? Thanks again!
 
These errors, are they going to just show up or is there a way I can determine where they are and just remove them already?
 
concept said:
These errors, are they going to just show up or is there a way I can determine where they are and just remove them already?

I don't understand your question, you should see in the error message what is causing the removal to fail, isn't it?
 
So I have set up a jail on FreeBSD-8.2 following the manual. After the setup, I copied these files rc.conf, /etc/passwd from base to jail. And this is what I did in order:

Code:
    jexec id passwd (to change the jail root password)
    jexec id adduser (I added a user as a non-root)
Why can't I log in to the jail through ssh? But I can log in with jexec id login? I mean I can connect to the jail but it fails to authenticate?

And why can't I execute any commands like rehash/ping/ps when I'm inside my jail? Which files do I still need to copy from the base? Thanks.
 
fluca1978 said:
I don't understand your question, you should see in the error message what is causing the removal to fail, isn't it?

Oh sorry, I was pointing out the errors that may show up according to SirDice.
 
I tried to follow this guide on bsdguide. I have my jail named "webserver" now, I edited the sshd_config of the jail to add
Code:
ListenAddress <ip add of jail (192.168.1.107)>
The host's IP is 192.168.1.107. I can ping the jail but I can't connect to the jail through ssh. Btw, I changed my ssh port to another port for added security, do I need to uncomment that line also in the jail's sshd_config?

And every time I try to start ssh or any service from inside the jail I get this error.
Code:
ps: /boot/kernel/kernel

When I installed pf on the host I remember that I renamed the kernel to a custom name. If that's what's causing this problem, how do I fix it?

Thanks in advance.
 
concept said:
I tried to follow this guide on bsdguide. I have my jail named "webserver" now, I edited the sshd_config of the jail to add ListenAddress <ip add of jail (192.168.1.107)> The host's IP is 192.168.1.107. I can ping the jail but I can't connect to the jail through ssh. Btw, I changed my ssh port to another port for added security, do I need to uncomment that line also in the jail's sshd_config?
You need to configure the host's sshd to only listen on the host's address. Same for the jails. Port is not relevant.

And every time I try to start ssh or any service from inside the jail I get this error. "ps: /boot/kernel/kernel".
This looks like your jail and host OS are not in sync. I.e. you have a different version of the base OS in the jail compared to the kernel on the host.

When I installed pf on the host I remember that I renamed the kernel to a custom name. If that's what's causing this problem, how do I fix it?
Not relevant.
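
Added example, not part of the thread: a POSIX sh check for the advice above that the host's sshd and each jail's sshd should listen only on their own address. With no ListenAddress line, sshd on the host binds every address on the machine, including the alias a jail uses. The addresses are the ones from the first post; the config files are constructed samples.

```shell
#!/bin/sh
# Added example: verify that an sshd_config binds only the address it owns.
# Print every ListenAddress value in FILE (keywords are case-insensitive;
# commented-out lines are ignored; an IPv4 ":port" suffix is stripped).
listen_addrs() {
    awk 'tolower($1) == "listenaddress" {
             if ($2 ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", $2)
             print $2
         }' "$1"
}

# audit_sshd FILE EXPECTED_IP  -> prints one verdict word:
#   ok        only EXPECTED_IP is bound
#   wildcard  no ListenAddress at all, or 0.0.0.0 / :: (binds every address)
#   foreign   bound to an address other than EXPECTED_IP
audit_sshd() {
    addrs=$(listen_addrs "$1")
    [ -n "$addrs" ] || { echo wildcard; return; }
    verdict=ok
    for a in $addrs; do
        case $a in
            0.0.0.0|::) echo wildcard; return ;;
            "$2") ;;
            *) verdict=foreign ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample configs: a stock host config, a corrected host config,
# and a jail config. Real paths would be /etc/ssh/sshd_config on the host and
# <jail rootdir>/etc/ssh/sshd_config for each jail.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Port 22\n#ListenAddress 0.0.0.0\n' > "$d/host_default"
    printf 'Port 22\nListenAddress 192.168.1.100\n' > "$d/host_fixed"
    printf 'ListenAddress 192.168.1.101\n' > "$d/jail"
    echo "host (default): $(audit_sshd "$d/host_default" 192.168.1.100)"
    echo "host (fixed):   $(audit_sshd "$d/host_fixed" 192.168.1.100)"
    echo "jail:           $(audit_sshd "$d/jail" 192.168.1.101)"
    rm -rf "$d"
}
demo
```

A misspelled keyword is not counted as a ListenAddress line here; `sshd -t -f <file>` reports unknown keywords before the daemon is restarted.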
 
How do I make them sync? I tried # uname -a on the host and it is the same as what I see in my jail.

Code:
FreeBSD concept 8.2-RELEASE-p4 FreeBSD 8.2-RELEASE-p4 #0: Mon Nov  7 18:39:02 PHT 2011 concept.192.168.1.1:/usr/obj/usr/src/sys/CONCEPTKERNEL  i386

The only difference is the hostname.
 
That command only shows a few kernel variables. Since there is only one kernel those values don't mean anything inside a jail. There isn't a command to get the version of the OS unfortunately.

How did you install your host and your jail?
 
I installed the host from a DVD which I downloaded from the ftp site. And this is how I installed my jail:
Code:
cd /usr/
mkdir jails
cd jails
mkdir webserver
sysinstall
minimal distribution from ftp site
 