While setting up my new FreeBSD 5.3 server I noticed that the rc system now supports starting up your jails using settings in /etc/rc.conf. I am not sure when this came about, as I have not used FreeBSD 5.x much, but I have to say it is a lot nicer than my own hacked-up rc scripts.
Read on for more details about this and some other tools that are useful for jail management.
A few things need to be set in /etc/rc.conf to enable jails in general:
jail_enable="YES"
jail_list="jail1 jail2"
jail_set_hostname_allow="YES"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
The above enables the jail feature, tells it I have 2 jails to start (jail1 and jail2), allows hostnames to be set, restricts all networking to TCP/IP only and disallows SystemV IPC.
Unlike jails in FreeBSD 4.x, you can now allow raw sockets. This will enable things like ping and traceroute to work, and I suppose port scanners etc. will work too. I am not too keen on this myself, but if you want to enable it you need to set a sysctl:
# sysctl security.jail.allow_raw_sockets=1
The above, when run from the root command line, will enable raw sockets in all your jails; it’s a pity this isn’t a per-jail thing. To make the sysctl stick through reboots, just add it to /etc/sysctl.conf.
For each jail you need to set some options. This is what I have for jail1:
jail_jail1_rootdir="/usr/local/jails/jail1"
jail_jail1_hostname="jail1.domain.com"
jail_jail1_ip="192.168.1.2"
jail_jail1_exec="/bin/sh /etc/rc"
jail_jail1_fdescfs_enable="NO"
jail_jail1_procfs_enable="YES"
jail_jail1_devfs_enable="YES"
jail_jail1_devfs_ruleset="devfsrules_jail"
Some of these are basic and explain themselves: the IP address, the command to call, etc. The special stuff comes with some of the other options.
FreeBSD 5.x has devfs, a kernel file system that gets mounted on /dev. Linux users will be familiar with this: it dynamically allocates device entries as needed. The default rules for which devices to allow live in /etc/defaults/devfs.rules, which defines a minimal set of devices for jails in the ruleset named devfsrules_jail. By enabling devfs with this ruleset you end up with a nice set of devices that does not expose your base system to any risk. You can of course tweak them a bit more, but you should read the devfs man pages for that.
You’d also want to mount /proc for the jail; this will let things like netstat, ps etc. work correctly.
You can read more about this by searching for jail in /etc/defaults/rc.conf or by reading the man page for rc.conf.
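A quick way to sanity-check these settings before starting the jails, as an added example that is not part of the original post: the script sources an rc.conf and flags the riskier choices discussed above (SystemV IPC, the global raw socket sysctl, devfs without devfsrules_jail) plus missing per-jail options. The function names audit_jails and write_sample, the sample files and the jail2 values are constructed for illustration.

```shell
# Added example, not from the original post: audit the jail_* settings above.
# rc.conf is sh syntax, so it is sourced in a subshell. Sourcing executes the
# file, so only point this at a root-owned rc.conf you trust.
audit_jails() {   # usage: audit_jails <rc.conf> <sysctl.conf>; returns 1 on findings
    (
        . "$1" || exit 2
        rc=0
        warn() { echo "WARN: $*"; rc=1; }
        is_yes() { case "$1" in [Yy][Ee][Ss]) return 0 ;; esac; return 1; }
        # Unset knobs are treated as the safe value and are not flagged.
        is_yes "${jail_enable:-NO}" || warn "jail_enable is not YES"
        is_yes "${jail_sysvipc_allow:-NO}" && warn "SystemV IPC is allowed in jails"
        is_yes "${jail_socket_unixiproute_only:-YES}" || warn "jail sockets are not restricted"
        # The raw socket sysctl is global: it applies to every jail at once.
        grep -Eq '^[[:space:]]*security\.jail\.allow_raw_sockets[[:space:]]*=[[:space:]]*1' "$2" &&
            warn "raw sockets are enabled for all jails"
        for j in ${jail_list:-}; do
            for opt in rootdir hostname ip exec; do
                eval "val=\${jail_${j}_${opt}:-}"
                [ -n "$val" ] || warn "$j: jail_${j}_${opt} is not set"
            done
            eval "devfs=\${jail_${j}_devfs_enable:-NO} rules=\${jail_${j}_devfs_ruleset:-}"
            # A custom ruleset is flagged too, so that it gets reviewed.
            if is_yes "$devfs" && [ "$rules" != "devfsrules_jail" ]; then
                warn "$j: devfs is mounted without the devfsrules_jail ruleset"
            fi
        done
        exit "$rc"
    )
}
write_sample() {   # constructed sample files; the jail2 values are made up
    cat > "$1/rc.conf" <<'EOF'
jail_enable="YES"
jail_list="jail1 jail2"
jail_jail1_rootdir="/usr/local/jails/jail1"
jail_jail1_hostname="jail1.domain.com"
jail_jail1_ip="192.168.1.2"
jail_jail1_exec="/bin/sh /etc/rc"
jail_jail1_devfs_enable="YES"
jail_jail1_devfs_ruleset="devfsrules_jail"
jail_jail2_rootdir="/usr/local/jails/jail2"
jail_jail2_ip="192.168.1.3"
jail_jail2_devfs_enable="YES"
EOF
    echo 'security.jail.allow_raw_sockets=1' > "$1/sysctl.conf"
}
tmp=$(mktemp -d) && write_sample "$tmp"
audit_jails "$tmp/rc.conf" "$tmp/sysctl.conf" || echo "review the findings above"
rm -rf "$tmp"
```

On a real system you would call audit_jails /etc/rc.conf /etc/sysctl.conf as root.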
Once all of this is set up you can start and stop all the jails using the following:
# /etc/rc.d/jail start
# /etc/rc.d/jail stop
You can also start and stop individual jails by passing a 2nd parameter to the above with the jail name as defined in jail_list.
To see what jails are currently running you can use the jls command, which produces output like this:
# jls
   JID  IP Address      Hostname                      Path
    10  192.168.1.2     jail1.domain.com              /j/jail1
     9  192.168.1.3     jail2.domain.com              /j/jail2
If for some reason a jail isn’t starting as you’d hope, or you just want to see the usual startup messages, check /var/log/console.log in each jail root; normal startup output gets redirected there.
Some additional utilities for managing jails can be found in the jailutils port. These give you alternative methods of stopping and starting jails, and there is also a very handy jail-aware ps:
# jps jail1.domain.com -auxw
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root  1667  0.0  0.3  3360  1728  ??  IsJ   5:19PM   0:00.03 /usr/sbin/sshd
root  1674  0.0  0.2  1380   916  ??  IsJ   5:19PM   0:00.12 /usr/sbin/cron -s