Setting up a (Debian) Linux jail on FreeBSD

I'm trying this and other flavors (Ubuntu, Alpine, Arch); however, none of them have an /etc/init.d/rc script to be used in the jail configuration (including Debian):

Code:
    exec.start = "/etc/init.d/rc 3";
    exec.stop = "/etc/init.d/rc 0";

Errors:

Code:
Starting jails: cannot start jail  "Test-Jail":
4
jail: Test-Jail: exec /etc/init.d/rc: No such file or directory
jail: Test-Jail: /etc/init.d/rc 3: failed

I think there was a similar question at the beginning of this post, but there is still no solution. Would anyone please share your recommendation, or did I miss a certain step? TIA

Don't expect too much from Linux over FreeBSD; it has a large gap at the network level.
I was able to install Ubuntu 18 and lower versions, and Debian as well, in a jail.
To boot up the jail you need to call the system to load in a different manner; below is my jail.conf:
Code:
bionic {
    path = /jails/${name}/base;
    host.hostname = "${name}.jail";
    interface = lo0;
    ip4.addr = 127.0.0.5;
    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";
    exec.consolelog = /jails/${name}/.jail_cfg/console.log;
    exec.prestart = "cp /etc/resolv.conf $path/etc";
    exec.poststop = "rm $path/etc/resolv.conf";
    exec.start = "/bin/true";
    exec.stop = "/bin/true";
    persist;
    mount.devfs;
    mount.fstab = "/jails/${name}/.jail_cfg/fstab";
    allow.mount;
    allow.mount.devfs;
    allow.chflags;
    allow.raw_sockets;
};

Following the documentation:
https://wiki.freebsd.org/LinuxJails
 
If you face a user login issue you must do the following:

Code:
# cd /my/jail/path/etc
# echo "root::0:0::0:0:Charlie &:/root:/bin/bash" > master.passwd
# pwd_mkdb -d ./ -p master.passwd
pwd_mkdb: warning, unknown root shell

In case you are not able to use apt, do the following after booting the Linux jail, inside the deb jail:
Code:
sudo adduser _apt --force-badname

Mainly, these are the issues I have faced with Linux over FreeBSD...
Let us know if you have run into different issues; I am interested in updating my docs on that topic.
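Added example, not code from this post or from the FreeBSD wiki page linked above: a small POSIX sh pre-flight check that reads `path`, `exec.start` and `exec.stop` from a single-jail jail.conf fragment and verifies that each command exists and is executable under the jail root before `jail -c` is attempted. That is exactly the condition behind the "exec /etc/init.d/rc: No such file or directory" failure at the top of the thread, and it is why the configuration above falls back to `/bin/true`. The function names, the constructed jail root under mktemp and the sample jail.conf are assumptions of this example; it does not expand `${name}` in `path`, so pass a literal path.

```sh
#!/bin/sh
# Added pre-flight check (not from this thread): verify that the commands a
# jail.conf names in exec.start / exec.stop actually exist under the jail's
# path. Assumptions: the jail root is a plain directory on the host and the
# first word of each exec.* value is an absolute path inside the jail.

# jail_exec_path ROOT CMD: print the host-side path of CMD's first word under ROOT.
jail_exec_path() {
    root=${1%/}
    set -- $2                     # split CMD on whitespace; $1 is now the binary
    printf '%s/%s\n' "$root" "${1#/}"
}

# check_jail_exec ROOT CMD: 0 if the binary is present and executable under ROOT, 1 if not.
check_jail_exec() {
    bin=$(jail_exec_path "$1" "$2")
    if [ -x "$bin" ]; then
        printf 'ok:      %s\n' "$bin"
        return 0
    fi
    printf 'missing: %s  (jail(8) would report "exec %s: No such file or directory")\n' \
        "$bin" "$2" >&2
    return 1
}

# check_jail_conf FILE: read path / exec.start / exec.stop from a single-jail
# jail.conf fragment and check each command. Returns the number of commands
# that are missing (0 = everything jail(8) would exec is really there).
# ${name} inside path is not expanded by this parser; use a literal path.
check_jail_conf() {
    conf=$1
    root=$(sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\}[[:space:]]*;.*/\1/p' "$conf" | head -n 1)
    missing=0
    for key in exec.start exec.stop; do
        cmd=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" "$conf" | head -n 1)
        [ -n "$cmd" ] || continue           # parameter not set: jail(8) uses its default
        check_jail_exec "$root" "$cmd" || missing=$((missing + 1))
    done
    return $missing
}

# make_demo_root: build a constructed jail root in a temp dir that has /bin/true
# but no /etc/init.d/rc, mirroring the Debian case above. Prints the root path.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc/init.d"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/true"
    chmod +x "$d/bin/true"
    printf '%s\n' "$d"
}

# Demo: a jail.conf that still points exec.start at the rc script (constructed input).
demo_root=$(make_demo_root)
demo_conf="$demo_root/jail.conf"
cat > "$demo_conf" <<EOF
debian {
    path = $demo_root;
    exec.start = "/etc/init.d/rc 3";
    exec.stop = "/bin/true";
}
EOF
if check_jail_conf "$demo_conf"; then
    echo "all exec.* commands present"
else
    echo "missing commands: $?"
fi
rm -rf "$demo_root"
```

Run it as `sh check_jail.sh` on the host; for a real jail, replace the constructed jail.conf with the one you intend to start and `path` with the literal root. A non-zero exit status from `check_jail_conf` means `jail -c` would fail in `exec.start` or `exec.stop` before the jail ever runs.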
 
This gets me one step nearer. I can start/stop/restart the jail, but I'm having an issue with networking.

Code:
/ # ip a
ip: socket(AF_NETLINK,3,0): Address family not supported by protocol

I'm still researching to understand more about jail networking. In a normal jail (bsdinstall) the alias just works, but not in this case.

 
I'm trying to do the same, but with bastille, following this tutorial:


but I'm failing:

Code:
@marietto:/usr/home/marietto/Desktop/Scripts/bastille # jexec ubuntu /bin/bash


@ubuntu:/# apt update


Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
Building dependency tree    
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.


@ubuntu:/# ping google.it
ping: socket: Protocol not supported

@ubuntu:/# exit

Linux jails work well 1/10. This method is not good at all. Since I'm not a developer, I can only do easy tasks. So I'm thinking of doing something like this:

  1. a small Linux VM virtualized with bhyve that can communicate with the FreeBSD host. This VM will have the minimum features required by Docker and nothing else.
  2. this VM will be detached from the background, just like the VirtualBox driver, which is installed and hidden, but you can't do anything with it, at least graphically speaking
  3. some components of Docker will run inside the VM, some others on FreeBSD, and they communicate, sharing files and features as much as they can.
  4. this minimal VM can also be used for a lot of other tasks, and it should give us the Linux calls that are missing in the Linuxulator.
 
I'm not using ZFS. Do you have the same guide but for UFS? I want to try to run Google Chrome inside the jail (I've never been able to make it work).
 
OK, but if I can't issue the ZFS commands, I'm not able to complete it.
What ZFS commands? There are no ZFS commands in this howto.

And instead of blindly copy/pasting commands, actually think about and understand what each step does. Then you can just as easily apply this howto to UFS.
 
It's full of ZFS commands:

Code:
The commands given are all executed as root, on the host, unless explicitly stated differently.

zfs create -o compress=lz4 -o atime=off zroot/jails
zfs create zroot/jails/basejail
bsdinstall jail /zroot/jails/basejail

Here we used the bsdinstall method for convenience. Otherwise downloading and unpacking base.txz and configuring it should suffice. At this point we'd configure the basejail for pkg, like the location of your Poudriere repo if you have it. No other configuration is required for the base as the jails will basically run a single process.

So we snapshot it and create our Firefox jail filesystem:

zfs snapshot zroot/jails/basejail@latest
zfs create zroot/jails/firefox
zfs clone zroot/jails/basejail@latest zroot/jails/firefox/root
zfs create zroot/jails/firefox/var
zfs create zroot/jails/firefox/tmp
zfs create zroot/jails/firefox/home
rsync -a /zroot/jails/firefox/root/var/ /zroot/jails/firefox/var/
zfs set mountpoint=/zroot/jails/firefox/root/var zroot/jails/firefox/var
zfs set mountpoint=/zroot/jails/firefox/root/tmp zroot/jails/firefox/tmp
zfs set mountpoint=/zroot/jails/firefox/root/usr/home zroot/jails/firefox/home

For extra security we want our jail to run with the minimum required privilege, so we set some properties on these datasets, which should make it obvious why we separated them like this. Of course, these rules are not applicable to every application, as some, unfortunately, would like to write or execute to/from paths they shouldn't. For firefox, these suffice, tho'.

zfs set setuid=off exec=off zroot/jails/firefox/var
zfs set setuid=off exec=off zroot/jails/firefox/tmp
zfs set setuid=off exec=off zroot/jails/firefox/home

At this point it's worth observing that when base is to be updated, all we need to do is update the basejail and create a new snapshot for cloning. With that, and separate var/home/tmp dirs, it's trivial to update the jails' bases: just zfs destroy the root dataset and re-clone it from basejail. This will require unmounting and re-mounting the other datasets, but it can all be easily scripted for simple maintenance.

Next, with the filesystem in place, we install the packages. xauth and firefox are the bare minimum, while liberation-fonts-ttf is a recommended addition for some nice fonts in Firefox.

pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf

Don't worry, I don't copy and paste the commands blindly. I learn what I need, but I don't want to learn everything. If inside a tutorial there are parts that I want to learn later or one day, I will skip them. I don't want to be overloaded with too much information. Otherwise it stops being a hobby and becomes a job. But I'm not tailored for this as a job. It can only be a hobby. In this specific case, it's hard for me to skip the ZFS commands because if I do, I don't know how, or it becomes hard, to replace the skipped commands with the UFS commands. When I started learning FreeBSD I made a choice: to start with UFS, to make things easier at the beginning. I thought that if I had chosen ZFS I would have overloaded myself with information that is useful for sure, but not so essential, at least for a newbie at the beginning.
 
That's from a completely different howto?

What do you mean? I'm referring to Lamia's tutorial, because I haven't been able to configure the Linux jail correctly using this tutorial:


So I'm open to trying new tutorials.
 
I'm referring to @Lamia tutorial,
You were asking it in a thread of a different howto.


That's it. I'm getting tired of howto's being hijacked with unrelated questions. I'm going to remove any and all responses from all howtos, and lock those threads down so only the original howto author can respond.
 

That's a bad choice, because it usually happens that the original author does not respond anymore, maybe because some time has passed and he forgot, or because he has no time to reproduce the situation because he is involved in a totally different job and task. Your choice is good for stopping the circulation of experiments and ideas.
 
I did not get LinuxGUI-Jailed using one guide. And many other people would say the same. And the contents of wiki.freebsd.org can be difficult to "decipher", as several developers are writing articles on similar or related topics. I shared links to such related topics here - GUI Apps in a FreeBSD Jail, LinuxGUIJailed & Linuxulator. I may not be able to provide the links here now. But they are very related. I can only point you at these and several others written outside FreeBSD platforms - forum, wiki, bugzilla, etc.

Some may be dated yet valuable enough to provide the fix. Being a moderated forum, the onus is on the admins to decide what is approved and posted.
 
I was away from your discussions...
In short, what I have learned from Linux jails and from different documentation is that we cannot CHANGE or MODIFY anything at the network level, because a Linux jail is just using an emulator to run over the FreeBSD kernel, which is totally different from the Linux kernel. The Ethernet interface and its configuration are just inherited from the FreeBSD HOST.
I would appreciate any experienced FreeBSD admin correcting my info.
 

I know this. But I see that there are a lot of GUI applications that need a network stack. I suppose that they want a Linux network stack, and since they find a FreeBSD network stack, they don't work. But I read somewhere that there is a method to create a network stack inside a real Linux chroot. The method could maybe also be applied inside the Linux jail.
 
Well, the only way to make those apps work is to create a virtual network interface inside the jail.
I have switched to another strategy with Linux; the better way is to build the Linux app on FreeBSD.
 

Give me some documentation. But if it is too technical, I can't do that. I suppose I should follow the more abstract method to build a virtual network interface inside the jail, because I'm not a programmer.
 
I don't understand why I always get the error "Can't start system message bus - /proc is not mounted ... failed!" because :

1) I have added the argument:

Code:
linprocfs       /compat/devuan/proc  linprocfs    rw            0 0

to the file /etc/fstab.devuan on FreeBSD

2) I've mounted proc with this command:

Code:
mount -t linprocfs none /compat/devuan/proc

I don't get errors, but when I create the devuan jail, I always see the error that proc is not mounted:

Code:
@marietto:/usr/home/marietto # jail -c devuan

 devuan: created
Using makefile-style concurrent boot in runlevel 3.
dmesg: read kernel buffer failed: Operation not permitted
Starting enhanced syslogd: rsyslogdmknod: /dev/xconsole: Operation not supported
chown: cannot access '/dev/xconsole': No such file or directory
rsyslogd: cannot create '/dev/log': Operation not supported [v8.2102.0 try https://www.rsyslog.com/e/2176 ]
rsyslogd: imuxsock does not run because we could not aquire any socket  [v8.2102.0]
rsyslogd: activation of module imuxsock failed [v8.2102.0]
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): No such file or directory.
rsyslogd: activation of module imklog failed [v8.2102.0 try https://www.rsyslog.com/e/2145 ]


----> Can't start system message bus - /proc is not mounted ... failed!

Code:
Starting periodic command scheduler: cron.
Starting session management daemon: elogind.
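Added example, not code from this post: a POSIX sh check that reads the fstab a Linux jail is started with and confirms it carries a linprocfs entry for the jail's /proc and a linsysfs entry for its /sys, both mounted under the jail root on the host (the `/compat/devuan/proc` style used above). The "/proc is not mounted" message is the symptom when the entry is absent or mounted at a path the jail does not see. Assumptions of this example: the file checked is the one jail(8) actually reads, i.e. the file named by `mount.fstab` in jail.conf (an `/etc/fstab.<jailname>` file is only picked up when the jail configuration points at it); the function names and the constructed sample fstabs are mine.

```sh
#!/bin/sh
# Added check (not from this thread): confirm a Linux jail's fstab mounts
# linprocfs on ROOT/proc and linsysfs on ROOT/sys. Assumption: FSTAB is the
# file jail.conf references via mount.fstab for this jail.

# fstab_type FSTAB MOUNTPOINT: print the vfstype of the entry for MOUNTPOINT; exit 1 if none.
fstab_type() {
    awk -v mp="$2" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $2 == mp            { print $3; found = 1 }
        END                 { if (!found) exit 1 }
    ' "$1"
}

# check_linux_jail_fstab FSTAB ROOT: 0 when ROOT/proc is linprocfs and ROOT/sys
# is linsysfs, otherwise the number of entries that are missing or of the wrong type.
check_linux_jail_fstab() {
    fstab=$1
    root=${2%/}
    bad=0
    for pair in proc:linprocfs sys:linsysfs; do
        dir=${pair%%:*}
        want=${pair#*:}
        got=$(fstab_type "$fstab" "$root/$dir") || got="(none)"
        if [ "$got" = "$want" ]; then
            printf 'ok:      %s/%s -> %s\n' "$root" "$dir" "$want"
        else
            printf 'missing: %s/%s should be %s (found %s); add "%s %s/%s %s rw 0 0"\n' \
                "$root" "$dir" "$want" "$got" "$want" "$root" "$dir" "$want" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Demo on constructed sample fstabs: the partial one mirrors the single
# linprocfs line quoted in the post, the full one adds linsysfs.
demo=$(mktemp -d)
printf 'linprocfs  /compat/devuan/proc  linprocfs  rw  0 0\n' > "$demo/fstab.partial"
printf '# complete Linux jail fstab (constructed)\n' > "$demo/fstab.full"
printf 'linprocfs  /compat/devuan/proc  linprocfs  rw  0 0\n' >> "$demo/fstab.full"
printf 'linsysfs   /compat/devuan/sys   linsysfs   rw  0 0\n' >> "$demo/fstab.full"
for f in "$demo/fstab.partial" "$demo/fstab.full"; do
    echo "== $f"
    if check_linux_jail_fstab "$f" /compat/devuan; then
        echo "all Linux mounts present"
    fi
done
rm -rf "$demo"
```

Point it at the real file with `check_linux_jail_fstab /etc/fstab.devuan /compat/devuan`; a non-zero exit status lists the entries to add. Once the entries are right, `mount | grep /compat/devuan` inside the host confirms they were actually mounted when the jail was created.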
 
I have the same errors all the time;
the downside is /var/log/messages never gets populated because of this.
Has anyone found a solution / alternative to this rsyslogd service?

Tried to add to /etc/default/devfs.rules under the jail ruleset (4) the following, rebooted, with no luck:
add path log unhide

Might it be related to allow.socket_af? I tried to set on /boot/loader.conf
security.jail.param.allow.socket_af=1

but it is still "0" for some reason; maybe I should give the jail params a try, but not sure this would work.

Edit: tried jail -mr allow.socket_af=1 but that didn't change it either.. has anyone found a solution to this?

Sody
 

Do you also get the errors below?

Code:
/compat/devuan/bin/chrome


[21224:102845:0218/234112.132650:ERROR:file_path_watcher_linux.cc(321)] inotify_init() failed: Function not implemented (38)

(chrome:21224): Gtk-WARNING **: 23:41:13.905: Unknown key gtk-applications-prefer-dark-theme in /root/.config/gtk-3.0/settings.ini

Gtk-Message: 23:41:14.184: Failed to load module "colorreload-gtk-module"

Gtk-Message: 23:41:14.185: Failed to load module "window-decorations-gtk-module"

[21224:102854:0218/234114.947955:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102854:0218/234114.963025:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102846:0218/234115.770664:ERROR:address_tracker_linux.cc(196)] Could not create NETLINK socket: Address family not supported by protocol (97)

[21224:102853:0218/234115.795018:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102853:0218/234115.795076:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102846:0218/234116.707297:ERROR:udev_watcher.cc(52)] Failed to initialize a udev monitor.

[21233:102862:0218/234117.094025:ERROR:address_tracker_linux.cc(196)] Could not create NETLINK socket: Address family not supported by protocol (97)

[21233:102864:0218/234117.094035:ERROR:file_path_watcher_linux.cc(321)] inotify_init() failed: Function not implemented (38)

[21224:21224:0218/234117.188257:ERROR:process_singleton_posix.cc(1100)] Failed to bind() /tmp/.com.google.Chrome.Pbohb3/SingletonSocket: No such file or directory (2)

[21224:21224:0218/234117.216008:ERROR:chrome_browser_main.cc(1305)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.
 