Jail tutorials?

I just set up a jail (my first time) using the FreeBSD handbook documentation. I am now left with a jail that cannot access the network/internet or ports tree. Is there a tutorial or documentation that has a way of setting up your jail to be a normal system setup that does NOT use ezjail? I've found tutorials on setting up jails with ezjail, but I didn't use ezjail; I used FreeBSD's documentation and I want to continue building this hands-on so I learn the ins and outs.

Any help would be great.

Thanks,
 
Great! Thanks. Yeah, I saw I'm missing rc.conf, resolv.conf, etc. I did add a resolv.conf but not a NAT.

I will look over whatever you sent me. Thanks!
 
rc.conf() is not automatic with installation of jails, though I understand how one may assume it would be, as the file was generated when you were in sysinstall() when you installed FreeBSD.

From the rc.conf man page:
Code:
DESCRIPTION
     The file rc.conf contains descriptive information about the local host
     name, configuration details for any potential network interfaces and
     which services should be started up at system initial boot time.  In new
     installations, the rc.conf file is generally initialized by the system
     installation utility, sysinstall(8).

A general note: though it's important to go through the process by hand as you currently are, in the long run you'll end up wanting to automate the creation of jails via your own custom scripts.
 
Good detail.

I'm surprised there is not more informative documentation on creating jails by hand and not by ezjail. I'm just finding tidbits here and there.

Yes, templates would be good. For now I'm just doing this on my own at home, making a WWW and mail jail.

Thanks for the information!
 
Awesome, thanks. I will definitely check it out.

I'm blogging about my setup anyway, so I will put together a nice document. I actually just looked through a FreeBSD book I had and it gives me the details I needed. I'm surprised at how much information is lacking in the FreeBSD docs. They could definitely use more.

Thanks again!
 
gentoobob said:
Awesome, thanks. I will definitely check it out.

I'm blogging about my setup anyway, so I will put together a nice document. I actually just looked through a FreeBSD book I had and it gives me the details I needed. I'm surprised at how much information is lacking in the FreeBSD docs. They could definitely use more.

Thanks again!

It's a bit of an advanced subject. The user needs to understand several stacks, for example: FreeBSD, networking, and use cases (i.e. slim jailed processes as well as fat jails for sandboxing).

Since it's really meant for customization, for administrators to build into their systems, it makes sense that the handbook is a bit terse and to the point. To be honest, I'm surprised it even mentions ezjail at all.
 
gentoobob said:
I agree. ;)

Thanks for all the help!

No problem. Feel free to ask more questions if you get stuck. I've been there and know how discouraging it is when something doesn't work. In fact, I remember being in exactly the same place you are and getting analysis and information on IRC. It's all about passing it forward.

BTW, just in case you may be interested: there is a "beta" project currently in the works called VIMAGE. I haven't used it yet, but others may be able to comment. From what I understand it will allow us to create jails within jails; as a side effect, there is also work to make ipfw() and pf() compatible in the jails as well.

This project should open up more exotic uses for FreeBSD. I imagine those who use FreeBSD for hosting services have an eye on the project, as it can be used to separate users from the system and also allow users to create new users to sandbox away from their own jails; those users themselves could go on to create their own sandboxes and carry around their own versions of preferred software, and so on.

If you're interested in seeing if vimage works, you can run # make lint in your kernel conf directory, which will create a proper LINT file as well as the vimage kernel config, which really just sucks in GENERIC while adding vimage to the kernel.

As the current zfs version on FreeBSD 9 has dedup available, I'd imagine a properly set up system with the proper hardware requirements to run zfs with dedup, with jails set up with a working vimage, would be a very nice server for an office where many developers can build, experiment, and deploy many projects, with internal networking included, all on one single box.

Congrats on tackling FreeBSD jails. It's one of the finer and more interesting and unique parts of FreeBSD.
 
I will definitely get back with you for any questions. You seem very resourceful.

The jail inside of a jail seems crazy, but I'm sure there is a need for that kind of control. If I get the chance to play around with it soon, I'll let you know when I take a gander at it. :)
 
Hey UNIXgod, one thing you might be able to help me on is devfs rules for the jail. How does that work? I can't find any good literature on that. Do I cp the devfs rules file from the ../defaults folder to the jail and rename it? Any pointers on that?

BTW, I've managed to do pretty well on my first jail. Got ports installed, apache22, mysql, and wordpress. Not too shabby. :) My next one will be postfix.
 
gentoobob said:
Hey UNIXgod, one thing you might be able to help me on is devfs rules for the jail. How does that work? I can't find any good literature on that.
Do I cp the devfs rules file from the ../defaults folder to the jail and rename it?
Any pointers on that?
% man 8 jail
type /devfs inside the pager to locate the documentation.

Code:
EXAMPLES
   Setting up a Jail Directory Tree
     To set up a jail directory tree containing an entire FreeBSD distribution,
     the following sh(1) command script can be used:

     D=/here/is/the/jail
     cd /usr/src
     mkdir -p $D
     make world DESTDIR=$D
     make distribution DESTDIR=$D
     mount -t devfs devfs $D/dev

     NOTE: It is important that only appropriate device nodes in devfs be
     exposed to a jail; access to disk devices in the jail may permit
     processes in the jail to bypass the jail sandboxing by modifying files
     outside of the jail.  See devfs(8) for information on how to use devfs
     rules to limit access to entries in the per-jail devfs.  A simple devfs
     ruleset for jails is available as ruleset #4 in /etc/defaults/devfs.rules.

     In many cases this example would put far more in the jail than needed.
     In the other extreme case a jail might contain only one file: the
     executable to be run in the jail.

     We recommend experimentation and caution that it is a lot easier to start
     with a ``fat'' jail and remove things until it stops working, than it is
     to start with a ``thin'' jail and add things until it works.


gentoobob said:
BTW, I've managed to do pretty well on my first jail.
Got ports installed, apache22, mysql, and wordpress. Not too shabby. :)

My next one will be postfix.

Sounds like you're making your way. Congrats again!

Might I suggest making your database a separate jail. Generally the web server and database server are two separate "servers". From a security standpoint, if one gets hacked (i.e. a wordpress exploit on the apache side), the database is safe, or the other way around in case of SQL injection.
 
Yeah, I read that about the devfs rules. I guess I'm a little confused because some people make up a different name for the ruleset in their rc.conf.

I thought about making the database a separate jail; good point. Definitely will do that. :)
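
As an added example (not from any post in this thread), the following POSIX sh script ties the two devfs points above together: it writes a site ruleset that builds on ruleset #4 (devfsrules_jail) from /etc/defaults/devfs.rules, writes the matching old-style rc.conf jail_* block, and then checks that the ruleset name rc.conf refers to is actually defined, which is what the differing names in other people's rc.conf files come down to. The ruleset label devfsrules_jail_www=10, the jail name www, the 192.0.2.10 address and the defaults-file stub are all constructed for the example; ETC defaults to a scratch directory so nothing under /etc is modified.

```shell
#!/bin/sh
# Added example (not from the thread): per-jail devfs ruleset, matching
# old-style rc.conf(5) jail_* block, and a check that the named ruleset
# exists. ETC defaults to a scratch directory so /etc is never touched.
ETC="${ETC:-$(mktemp -d)}"

# Stand-in for /etc/defaults/devfs.rules (constructed; only the header of
# ruleset #4 matters for the lookup below). On FreeBSD, read the real file.
write_defaults_stub() {
    printf '[devfsrules_jail=4]\nadd include $devfsrules_hide_all\n' \
        > "$1/defaults_devfs.rules"
}

# Site ruleset for the www jail: start from ruleset #4 and add nothing,
# mirroring the man page's advice to start fat and remove rather than add.
# The label and number (devfsrules_jail_www=10) are constructed here.
write_devfs_rules() {
    cat >> "$1/devfs.rules" <<'EOF'
[devfsrules_jail_www=10]
add include $devfsrules_jail
EOF
}

# rc.conf block for jail $2 using ruleset *name* $3. This is why rc.conf
# files differ from site to site: the name only has to match a [name=N]
# header in devfs.rules. The address is from the documentation range.
write_jail_rcconf() {
    cat >> "$1/rc.conf" <<EOF
jail_enable="YES"
jail_list="$2"
jail_${2}_rootdir="/usr/jails/$2"
jail_${2}_hostname="$2.example.internal"
jail_${2}_ip="192.0.2.10"
jail_${2}_devfs_enable="YES"
jail_${2}_devfs_ruleset="$3"
EOF
}

# Return 0 if the ruleset rc.conf names for jail $2 has a [name=N] header
# in the defaults stub or in devfs.rules, 1 otherwise (a name with no
# header cannot be applied at all, so catch it before starting the jail).
check_ruleset_defined() {
    name=$(sed -n "s/^jail_$2_devfs_ruleset=\"\(.*\)\"/\1/p" "$1/rc.conf")
    [ -n "$name" ] || return 1
    grep -q "^\[$name=[0-9][0-9]*\]" \
        "$1/defaults_devfs.rules" "$1/devfs.rules" 2>/dev/null
}
```

On a real system, point ETC at a copy of /etc and replace the stub with the actual /etc/defaults/devfs.rules before trusting the check.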
 