Admin Life Errors, Fixes, and Encounters

19Oct/101

Setting up jails on FreeBSD

We'll be creating 4 jails plus the main host (5 machines in total).

First, let's create the folders where the jails will be stored.

mkdir /usr/jails && mkdir /usr/jails/mail1 && mkdir /usr/jails/mail2 && mkdir /usr/jails/mail3 && mkdir /usr/jails/mail4

Then we add some settings to rc.conf:

# vi /etc/rc.conf

Add these lines right after it (remember, every machine has a different network card name; bge0 is used here, so change it to your machine's network card). Aliases on the same subnet as the primary address must use a netmask of 255.255.255.255, otherwise ifconfig rejects them with "ioctl (SIOCAIFADDR): File exists":

ifconfig_bge0="inet 192.168.1.157 netmask 255.255.255.0"

ifconfig_bge0_alias0="inet 192.168.1.211 netmask 255.255.255.255"
ifconfig_bge0_alias1="inet 192.168.1.212 netmask 255.255.255.255"
ifconfig_bge0_alias2="inet 192.168.1.213 netmask 255.255.255.255"
ifconfig_bge0_alias3="inet 192.168.1.214 netmask 255.255.255.255"

If you don't want to reboot, you'll also have to add the aliases by hand now (rc.conf only takes effect at boot) so you can ssh in later:
ifconfig bge0 inet alias 192.168.1.211 netmask 255.255.255.255
ifconfig bge0 inet alias 192.168.1.212 netmask 255.255.255.255
ifconfig bge0 inet alias 192.168.1.213 netmask 255.255.255.255
ifconfig bge0 inet alias 192.168.1.214 netmask 255.255.255.255

Near the bottom of the file, add the following, and make sure you change the IPs and paths if yours differ from the ones above. Each jail_mailN_ip must be an address the host already has on its interface, i.e. one of the aliases configured above; rc.d/jail does not add it for you.

#only have 5 IP's. 1 for the main server and 4 for the jails
#jail_list="mail1 mail2 mail3 mail4"

jail_enable="YES"
jail_list="mail1 mail2 mail3 mail4"
jail_set_hostname_allow="YES"

jail_mail1_rootdir="/usr/jails/mail1"
jail_mail1_hostname="mail1.example.com"
jail_mail1_ip="192.168.1.231"
jail_mail1_start="/bin/sh /etc/rc"
jail_mail1_devfs_enable="YES"
jail_mail1_devfs_ruleset="devfsrules_jail"

jail_mail2_rootdir="/usr/jails/mail2"
jail_mail2_hostname="mail2.example.com"
jail_mail2_ip="192.168.1.232"
jail_mail2_start="/bin/sh /etc/rc"
jail_mail2_devfs_enable="YES"
jail_mail2_devfs_ruleset="devfsrules_jail"

jail_mail3_rootdir="/usr/jails/mail3"
jail_mail3_hostname="mail3.example.com"
jail_mail3_ip="192.168.1.233"
jail_mail3_start="/bin/sh /etc/rc"
jail_mail3_devfs_enable="YES"
jail_mail3_devfs_ruleset="devfsrules_jail"

jail_mail4_rootdir="/usr/jails/mail4"
jail_mail4_hostname="mail4.example.com"
jail_mail4_ip="192.168.1.234"
jail_mail4_start="/bin/sh /etc/rc"
jail_mail4_devfs_enable="YES"
jail_mail4_devfs_ruleset="devfsrules_jail"

------------------------------------------

Make the virtual system

cd /usr/src
make world DESTDIR=/usr/jails/mail1

If you get the error "make: don't know how to make world. Stop",
it's because you don't have the source tree installed.
See the cvs-supfile blog post for how to fetch it.

cd /usr/src/etc
make distribution DESTDIR=/usr/jails/mail1
cd /usr/jails/mail1
ln -sf /dev/null kernel

touch /usr/jails/mail1/etc/fstab
cat /etc/resolv.conf > /usr/jails/mail1/etc/resolv.conf
mount -t procfs proc /usr/jails/mail1/proc
mount -t devfs dev /usr/jails/mail1/dev
mkdir /usr/jails/mail1/usr/ports
mount_nullfs /usr/ports /usr/jails/mail1/usr/ports

Once the first jail is created, we can just copy it for the other jails and not have to redo "make world", which takes a while.

----------------------------------------------

Configuration of the jail
Start the jail for the first time

# /etc/rc.d/jail start mail1

If you try to SSH into the jail, you will end up on the main machine and not in the jail, because the host's sshd is bound to every address, including the jail aliases.
To fix this, add the following line to the host's /etc/rc.conf (rpcbind likewise binds every address):

rpcbind_enable="NO"

and bind the host's sshd to the host address only:

vi /etc/ssh/sshd_config

Port 22
Protocol 2
ListenAddress 192.168.1.157

Now we jump into the jail for some first-step configuration:

# jail /usr/jails/mail1 mail1.example.com 192.168.1.231 /bin/sh

now you are inside the jail:

change the root password
# passwd

Add a new user and put the user in the wheel group (so you can su to root):
# adduser

So we can ssh into the jail later, enable sshd inside it:

# echo 'sshd_enable="YES"' >> /etc/rc.conf

Install bash and change the user's shell to bash.
If you are in the jail and /usr/ports is empty, you have to remount the ports filesystem from the host (mount_nullfs as above).
# cd /usr/ports/shells/bash
# make clean; make install clean
# chsh
change the shell to: /usr/local/bin/bash

Host environment syslogd
This entry in /etc/rc.conf tells syslogd to not listen on any IP address.

syslogd_flags="-ss"

That allows syslogd to run in both the host and the jail environments.

Host environment inetd

This entry in /etc/rc.conf tells inetd to listen on a specific IP address. This address is that of the host environment (192.168.0.100 below is the handbook's example; in this setup the host address is 192.168.1.157):

inetd_flags="-wW -C 60 -a 192.168.0.100"

You should note that the first part of the above flags is from /etc/defaults/rc.conf:

inetd_flags="-wW -C 60" # Optional flags to inetd

jail_enable="YES"
jail_list="mail_1"
jail_set_hostname_allow="YES"

jail_mail_1_rootdir="/usr/jails/mail_1"
jail_mail_1_hostname="mail_1.example.com"
jail_mail_1_ip="192.168.1.202"
jail_mail_1_start="/bin/sh /etc/rc"
jail_mail_1_devfs_enable="YES"
jail_mail_1_devfs_ruleset="devfsrules_jail"
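The host-side settings above (sshd ListenAddress, syslogd -ss, rpcbind off, inetd -a) and the rule that each jail address must exist on the host interface can be checked before the jails are started. The following sh script is an added example, not from the original post; the sample rc.conf and sshd_config contents are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check the host-side settings the
# post relies on, and that every jail address is configured on an interface.
set -u
# Constructed sample rc.conf, same variable names as the post; mail3 has no alias.
SAMPLE_RC='ifconfig_bge0="inet 192.168.1.157 netmask 255.255.255.0"
ifconfig_bge0_alias0="inet 192.168.1.231 netmask 255.255.255.255"
jail_list="mail1 mail3"
jail_mail1_ip="192.168.1.231"
jail_mail3_ip="192.168.1.233"
syslogd_flags="-ss"
rpcbind_enable="YES"
inetd_flags="-wW -C 60"'
# Constructed sample sshd_config without ListenAddress: the host sshd then owns
# *:22, so an ssh to a jail address lands on the host (the symptom in the post).
SAMPLE_SSHD='Port 22'

# rc_value CONTENT VAR: print the last value assigned to VAR, quotes stripped.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\).*/\1/p" | tail -n 1
}

# jail_ips_unconfigured CONTENT: report every jail in jail_list whose
# jail_<name>_ip is not the address of some ifconfig_* line (primary or alias);
# returns 1 if any was found.
jail_ips_unconfigured() {
    addrs=" $(printf '%s\n' "$1" | sed -n 's/^ifconfig_[A-Za-z0-9_]*="inet \([0-9.]*\).*/\1/p' | tr '\n' ' ')"
    bad=0
    for j in $(rc_value "$1" jail_list); do
        ip=$(rc_value "$1" "jail_${j}_ip")
        if [ -n "$ip" ] && printf '%s' "$addrs" | grep -qF " $ip "; then continue; fi
        echo "jail $j: address '$ip' is not configured on any interface"; bad=1
    done
    return $bad
}

# audit_host RC SSHD: one line per host daemon that would also answer on the
# jail addresses; the return value is the number of findings.
audit_host() {
    n=0
    case " $(rc_value "$1" syslogd_flags) " in *" -ss "*) ;; *) echo "syslogd_flags lacks -ss"; n=$((n+1)) ;; esac
    [ "$(rc_value "$1" rpcbind_enable)" = "NO" ] || { echo "rpcbind_enable is not NO"; n=$((n+1)); }
    case " $(rc_value "$1" inetd_flags) " in *" -a "*) ;; *) echo "inetd_flags has no -a <host address>"; n=$((n+1)) ;; esac
    printf '%s\n' "$2" | grep -q '^ListenAddress [0-9]' || { echo "sshd_config has no ListenAddress"; n=$((n+1)); }
    return $n
}
# Run against the constructed samples; findings go to stdout.
if jail_ips_unconfigured "$SAMPLE_RC" && audit_host "$SAMPLE_RC" "$SAMPLE_SSHD"; then
    echo "host configuration matches the post"
fi
```

To audit a real host, pass the contents of /etc/rc.conf and /etc/ssh/sshd_config (e.g. "$(cat /etc/rc.conf)") instead of the samples.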

If you forget the root password, run passwd inside the jail from the host:
jail /dumpdrive500/jails/devbox2 devbox2 192.168.1.152 /usr/bin/passwd root

------------------------------------------------

Clone the Jails

mkdir /usr/jails/mail2
cd /usr/jails/mail1
tar -cpf - . | tar -C /usr/jails/mail2 -xpf -

Mount all the needed directories for the cloned jail (mail2 here, the same three mounts as for mail1):

mount -t procfs proc /usr/jails/mail2/proc
mount -t devfs dev /usr/jails/mail2/dev
mount_nullfs /usr/ports /usr/jails/mail2/usr/ports

Then add a block for the new jail to /etc/rc.conf and add its name to jail_list (this example uses the jail name devbox5; every clone needs its own name, root directory and IP):
jail_devbox5_rootdir="/usr/jails/mail1"
jail_devbox5_hostname="devbox5.example.com"
jail_devbox5_ip="192.168.1.155"
jail_devbox5_start="/bin/sh /etc/rc"
jail_devbox5_devfs_enable="YES"
jail_devbox5_devfs_ruleset="devfsrules_jail"

/etc/rc.d/jail start devbox5
ref: http://www.freebsd.org/doc/en/books/handbook/jails-build.html
ref: http://www.freebsddiary.org/jail-6.php
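The clone step above copies everything under the jail root, including the /etc/ssh/ssh_host_* keys generated when mail1's sshd first started, so every clone would present the same SSH host identity. This sh script is an added example, not the post's own (function names are assumptions): it does the same tar copy, removes those keys so the clone's sshd regenerates its own on first start, and prints the rc.conf block for the clone.

```shell
#!/bin/sh
# Added example (not from the original post): clone a jail root the way the post
# does (tar pipe, modes and ownership kept), drop the files a clone must not
# share, and print the rc.conf block for the new jail. Names are assumptions.
set -u

# copy_jail_tree SRC DST: copy the whole tree preserving permissions/ownership.
copy_jail_tree() {
    [ -d "$1" ] || { echo "no such jail root: $1" >&2; return 1; }
    mkdir -p "$2" && (cd "$1" && tar -cpf - .) | tar -C "$2" -xpf -
}

# scrub_clone DST: a straight copy carries the source jail's SSH host keys, so
# every clone would present the same host identity (and a key taken from one
# clone would impersonate all of them). Remove them; /etc/rc.d/sshd generates
# missing keys when the jail's sshd first starts.
scrub_clone() {
    rm -f "$1"/etc/ssh/ssh_host_*
}

# jail_rc_block NAME ROOTDIR HOSTNAME IP: the six jail_<name>_* lines the post
# adds to the host's /etc/rc.conf for each jail.
jail_rc_block() {
    printf 'jail_%s_rootdir="%s"\n' "$1" "$2"
    printf 'jail_%s_hostname="%s"\n' "$1" "$3"
    printf 'jail_%s_ip="%s"\n' "$1" "$4"
    printf 'jail_%s_start="/bin/sh /etc/rc"\n' "$1"
    printf 'jail_%s_devfs_enable="YES"\n' "$1"
    printf 'jail_%s_devfs_ruleset="devfsrules_jail"\n' "$1"
}

# clone_jail SRC DST NAME HOSTNAME IP: copy, scrub, then print the rc.conf block
# to append on the host. NAME must also be added to jail_list, and the
# procfs/devfs/ports mounts done for DST exactly as for the first jail.
clone_jail() {
    copy_jail_tree "$1" "$2" || return 1
    scrub_clone "$2"
    jail_rc_block "$3" "$2" "$4" "$5"
}

# Example use on the host (as root), matching the post's layout:
# clone_jail /usr/jails/mail1 /usr/jails/mail2 mail2 mail2.example.com 192.168.1.232 >> /etc/rc.conf
```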
