BIND9 in Jail

Hello

I'm trying to install two DNS servers (master-slave) in jails to separate the system, but I encounter a fault. As much as I have searched the forum and the rest of the Internet, I haven't found a possible solution. It occurs to me to make this directory writable, but I don't know to what extent it could have security problems for the rest of the jails or the system itself. I wanted to know if anyone has solved it one way or another or knows how to fix it.

Code:
making install in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include/isc
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include/isc.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1.
*** Error code 1

Stop in /basejail/usr/ports/dns/bind98.
*** Error code 1

Stop in /basejail/usr/ports/dns/bind98.

Thank you very much.

Regards
 
Hello

I tested with the following command:
Code:
make install clean DESTDIR=/usr/jails/ns01

I keep getting the error. I can only think of putting write permission on the path and trying, but I don't know if it will have a security vulnerability; and then, if it is set back to read-only, bind fails.

Code:
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib/isc/include/isc.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib/isc/include.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib/isc.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1.
*** Error code 1

Stop in /tmp/mountpoint.XxdwH4/dns/bind98.
*** Error code 1

Stop in /tmp/mountpoint.XxdwH4/dns/bind98.
===>  Chrooted make in /usr/jails/ns01/ failed
===>  Cleaning up...
*** Error code 1

Stop in /usr/ports/dns/bind98.

thanks

best regards
 
Hello,

You should install Bind inside the jail. If you don't want to fetch ports tree in the jail you can mount system ports into the jail with nullfs for example:

# mount -t nullfs /usr/ports /usr/jails/ns1/usr/ports

Then "enter" in the jail and install Bind in it.
 
Hello,

It also does not work. I deleted the path and created the mount point, but inside the jail it still gives me the same error. I tried to stop and start the jail, but it still gives the error :(. I see that it gives another path in the error.

Code:
HOST:
/usr/ports on /usr/jails/ns01/usr/ports (nullfs, local)

JAIL:
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include/isc.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1.
*** Error code 1

Stop in /usr/ports/dns/bind98.
*** Error code 1

Stop in /usr/ports/dns/bind98.
ns01#

Thanks.

Best regards
 
Hello

I think I'll leave it as impossible; I am not able to find the solution :(. So I'll try to get some physical machines or Xen virtual machines on Linux. Thanks

regards
 
Have you tried using PREFIX=/some/path building and installing from outside the jail like suggested by quintessence ?

If it does not help, can you provide the following details ?
  • ports full path on host
  • output of mount command on the host (outside a jail) with only /usr/ports part
  • output of mount command inside a jail
  • full path of directory and from which host you execute your make install
 
Hello

In the end I left it as impossible and installed it on dedicated machines ... Soon (months) I want to try again, perhaps with version 9.0, or retry with it, to learn what the error was. Thanks

Regards
 
Is there a particular reason why you're trying to install bind from ports instead of using the bind that's in the base system (and therefore is already there when you've created the jail)?

Fonz
 
SacamantecaS said:
Hello

In the end I left it as impossible and installed it on dedicated machines ... Soon (months) I want to try again, perhaps with version 9.0, or retry with it, to learn what the error was. Thanks

Regards

What is impossible? To run bind in a jail? It's very possible; base/ports version doesn't matter.
 
The port installs headers in /usr/include/. This directory seems to be read-only inside your jail. As far as I know this only happens during installation. Having write access to that directory is not needed to run bind98.
 
Bind does work in a jail:

Assumption

My configuration assumes the following:
Code:
* Installed Jail in /var/jails/dns.my-domain.int
* LAN Addr: 192.168.10.0/24
* NIC: sk0

Change appropriate values, such as NIC name or network and install jail.


Host

rc.conf
Code:
hostname="router.my-domain.int"
ifconfig_sk0="192.168.10.1 netmask 255.255.255.0"


ifconfig_sk0_alias0="inet 192.168.10.10 netmask 255.255.255.255"   # dns
ifconfig_lo0_alias0="inet 127.0.10.10 netmask 255.255.255.255"     # dns

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_devfs_enable="YES"
jail_mount_enable="YES"
jail_list="dns"

############### DNS
jail_dns_ip="sk0|192.168.10.10,lo0|127.0.10.10"
jail_dns_hostname="dns.my-domain.int"
jail_dns_rootdir="/var/jails/dns.my-domain.int"
jail_dns_fstab="/var/jails/fstab.dns"

fstab.dns
Code:
/usr/ports       /var/jails/dns.my-domain.int/usr/ports       nullfs noatime,rw 0 0
/var/db/portsnap /var/jails/dns.my-domain.int/var/db/portsnap nullfs noatime,rw 0 0


Jail

Install
Code:
root> cd /usr/ports/dns/bind99
root> make config
 # check REPLACE_BASE
root> make install clean

rc.conf
Code:
named_enable="YES"
named_chrootdir=""
 
Try the quick way to create your jails and admin them by using the sysutils/qjail port on the host.
Code:
qjail install
qjail update -p
qjail create -n your-lan-nic-name jail-name lan-ip-address
qjail start jail-name 
qjail console jail-name 
cd /usr/ports/dns/bind
make install clean
exit

That should do it.

NOTE: If your jail can not access the internet, it means your firewall is not NATing the LAN IP address you assigned to your jail.
 
named_chrootdir=""
* I don't think chroot should be called when you are already in a jail (jailception?). Maybe re-build with the chroot option disabled.
* What is the error you are getting if you jexec into the running jail and manually start bind? Have you enabled this in host /etc/<wherever preferred>?
Code:
jail_bind_parameters="allow.raw_sockets"
 
ifdnrg said:
Hi,

You just need to uncheck the 'replace base bind' option,

I have exactly the same problem. Your solution solved the problem completely, thanks.

But I have a question. What is the difference between the enabled and disabled option 'replace base BIND'? In the past I always set this checkbox when installing BIND in a standard environment, not in a jail. I would like to know what problems are possible when this option is disabled in the jailed environment.

Thank you.
 
With the option checked the port will overwrite binaries and scripts in the base system, namely in directories /usr/sbin, /etc/rc.d and so on. When the option is not checked the port will install everything using /usr/local as the prefix and does not overwrite anything in the base system. In my opinion there's no advantage to using the replace option, it just complicates installation and upgrading.
 
kpa said:
With the option checked the port will overwrite binaries and scripts in the base system, namely in directories /usr/sbin, /etc/rc.d and so on. When the option is not checked the port will install everything using /usr/local as the prefix and does not overwrite anything in the base system. In my opinion there's no advantage to using the replace option, it just complicates installation and upgrading.

Thanks for the answer. This is interesting, but after installation I did not find a start script in /usr/local/etc/rc.d/. In /etc/rc.d/ it is present, but not in /usr/local/etc/rc.d/. Is this normal?

P.S. I tried to install Sendmail from ports in a jail. I get the same result:
Code:
...
install: /usr/bin/vacation: Read-only file system
*** Error code 71
...
Sorry for off topic, but what to do in this case?

Thanks.
 
I realize this is an old thread...but

I came across this thread in looking to see how to do pretty much the same thing....

Thanks for the answer. This is interesting, but after installation I did not find a start script in /usr/local/etc/rc.d/. In /etc/rc.d/ it is present, but not in /usr/local/etc/rc.d/. Is this normal?

This seems to be normal, set named_program in /etc/rc.conf to point to the port's named, and update named_conf, if needed. Since I had previously installed bind on base system with the REPLACE_BASE option, which has since been removed, I no longer had base configs so I had laid down various symlinks in trying to get bind to start again before I found the other parameters available in the rc script.

I got the direction to set named_program, while following the mailing list discussions about the loss of the REPLACE_BASE option. It is now provided through pkg-message after the port/pkg is installed (when applicable.)

P.S. I tried to install Sendmail from ports in a jail. I get the same result:
Code:
...
install: /usr/bin/vacation: Read-only file system
*** Error code 71
...
Sorry for off topic, but what to do in this case?

Thanks.

This would suggest that at one time the port mail/sendmail had an option similar to REPLACE_BASE in dns/bind99, rather than the update to /etc/mail/mailer.conf that I've done with my install of the sendmail port.

The Dreamer.
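An added example (not code from the thread or from the BIND port) that checks the two rc.conf points raised above, kpa's note that with REPLACE_BASE unchecked the port lives under /usr/local and The Dreamer's note that named_program must then point at the port's named, plus the earlier advice that named_chrootdir stays empty inside a jail. The jail root directory is passed as an argument, and the sample jail trees it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a jail's etc/rc.conf for the named settings discussed
# in the thread. $1 is the jail root on the host (e.g. /usr/jails/ns1).

rcvalue() {  # rcvalue FILE VAR -> value of the last VAR= line, quotes stripped
    awk -F= -v v="$2" '$1 == v { val = $2 }
        END { gsub(/^"|"$/, "", val); print val }' "$1"
}

audit_named_rc() {
    root=$1; rc="$root/etc/rc.conf"; bad=0
    [ -f "$rc" ] || { echo "no rc.conf under $root"; return 2; }
    [ "$(rcvalue "$rc" named_enable)" = "YES" ] ||
        { echo "named_enable is not YES"; bad=1; }
    # chroot inside a jail is redundant and needs a populated chroot tree
    [ -z "$(rcvalue "$rc" named_chrootdir)" ] ||
        { echo "named_chrootdir is set; leave it empty inside a jail"; bad=1; }
    prog=$(rcvalue "$rc" named_program)
    case $prog in
        "")           echo "named_program unset; rc script uses its default binary"; bad=1 ;;
        /usr/local/*) [ -x "$root$prog" ] ||
                          { echo "named_program $prog not present in jail"; bad=1; } ;;
        *)            echo "named_program $prog is not the port under /usr/local"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample jail trees (hypothetical paths) to exercise the audit:
# "good" has the port's named and a clean rc.conf, "bad" keeps a chrootdir.
make_sample_jails() {
    base=$(mktemp -d)
    mkdir -p "$base/good/etc" "$base/good/usr/local/sbin" "$base/bad/etc"
    printf 'named_enable="YES"\nnamed_chrootdir=""\nnamed_program="/usr/local/sbin/named"\n' \
        > "$base/good/etc/rc.conf"
    : > "$base/good/usr/local/sbin/named"
    chmod 755 "$base/good/usr/local/sbin/named"
    printf 'named_enable="YES"\nnamed_chrootdir="/var/named"\n' > "$base/bad/etc/rc.conf"
    echo "$base"
}

demo=$(make_sample_jails)
audit_named_rc "$demo/good" && echo "good jail: no findings"
audit_named_rc "$demo/bad" || echo "bad jail: see findings above"
rm -rf "$demo"
```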
 
With BIND, there is no need for confusing links that will be lost during a system upgrade. When installed as a port, BIND expects configuration files to go in /usr/local/etc like any other port. In /usr/local/etc/namedb, specifically.
 
If only pkg upgrade had moved things when REPLACE_BASE suddenly vanished on me and left me scrambling to get services back up.

Though cleaning up the mess caused by upgrading to 9.9.7-P1 is something I still haven't gotten around to resolving. But the actual disruption was due to unrelated problems...

...like having weeks to do a KSK rollover and not getting it partly done until a week past, and, at last check, still not completely done. There would've been more time if I had known that the emergency key rollover was never going to get done... the contractor's (who had caused the compromise of the KSK back in April, and was to work on setting up new appliances to replace it, and go with a KSK rollover to it) last day fell in the middle of what would've been our normal 2 month KSK rollover window. Because, as once again proven, getting the office person that manages the domain registrar to make the change needs more than a month. This would've been the first time with a 2 month window if it wasn't about to be replaced.

Plus, in conjunction with that, zone refreshes for one of the zones had gotten broken a few days before. The important zone, of course. The upgrade only broke my master server, since it's the only one that was still using views. Though soon the others will have views again, since the proper fix to sharing zones between views means I can get zone transfers between views to finally work.

So, I find myself trying to replicate production DNS in jails on my FreeBSD workstation to test changes. Except getting to where I can do that has taken a lot longer than I had expected. Surprised my kluge is still holding up, but I definitely don't want it to stick around any longer than needed.

At least it's not like the forgotten quick fix of borrowing another system and making all the configuration in memory only... and in tmpfs. Such that a couple of years later, when the box is rebooted, all trace of it ever being a DNS server vanishes. Not how I had planned to spend my evening/night.... The former admin got a chuckle out of it when I pinged him on IRC about it.

The Dreamer.

Actually, there's lots of things I wish pkg upgrade actually did....
 
I have 3 virtual FreeBSD machines running bind9 jailed inside of them without problems.
By the way, I am not using ezjail or iocage, only the defaults as the handbook explains, for example:

Preparing the image:

zfs create zroot/usr/jails/ns1
cd /usr/src
make buildworld
make installworld DESTDIR=/usr/jails/ns1
make distribution DESTDIR=/usr/jails/ns1
mount -t devfs devfs /usr/jails/ns1/dev


Enabling Jails on Host:

nano /etc/rc.conf
Code:
jail_enable="YES"
jail_conf="/etc/jail.conf"
jail_parallel_start="YES"
jail_list="ns1"


Setup Jail:

nano /etc/jail.conf
Code:
ns1 {
    path  = /usr/jails/ns1;
    mount.devfs;
    host.hostname = ns1.yourdomain.com;
    ip4.addr = XXX.XXX.XXX.XXX;
    interface = YourNIC;
    exec.start =  "/bin/sh /etc/rc";
    exec.stop = "/bin/sh  /etc/rc.shutdown";
    }

Using ports one time for install stuff on jail:

mkdir -p /usr/jails/ns1/usr/ports
mount_nullfs /usr/ports /usr/jails/ns1/usr/ports
mount_nullfs /var/run /usr/jails/ns1/var/run


Note: Without the last mount the error reported about read permission occurs...

Setup DNS servers for jail use:
nano /usr/jails/ns1/etc/resolv.conf
Code:
nameserver 208.67.222.222    #OpenDNS
nameserver 208.67.220.220    # OpenDNS
nameserver 8.8.8.8    # Google

Setup Jail rc.conf:

nano /usr/jails/ns1/etc/rc.conf
Code:
hostname="ns1.yourdomain.com"
ifconfig_vmx3f0="inet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX"
defaultrouter="XXX.XXX.XXX.X"
dump_dev="NO"
clear_tmp_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="3"

Starting and connecting on jail

service jail start
jls
jexec 1 /bin/sh


I have written a guide on getting bind9 inside jails with DNSSEC enabled; maybe it would help you:

https://forums.freebsd.org/threads/guide-bind-9-10-install-on-freebsd-10.45716/
 