{"id":273,"date":"2005-02-13T02:38:01","date_gmt":"2005-02-13T01:38:01","guid":{"rendered":"http:\/\/wp.devco.net\/?p=273"},"modified":"2009-10-09T17:08:48","modified_gmt":"2009-10-09T16:08:48","slug":"managing_jails_on_freebsd_5","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2005\/02\/13\/managing_jails_on_freebsd_5.php","title":{"rendered":"Managing Jails on FreeBSD 5"},"content":{"rendered":"
While configuring up my new FreeBSD 5.3 server I noticed that the rc system now supports starting up your jails using settings in \/etc\/rc.conf<\/i>. I am not sure when this came about, I have not used FreeBSD 5.x much but I have to say it is a lot nicer than my own hacked up RC scripts.
\nRead on for more details about this and some other tools that is useful for jail management.<\/p>\n
\nA few things needs to be done to enable jails in general:<\/p>\n
\njail_enable=”YES”
\njail_list=”jail1 jail2″
\njail_set_hostname_allow=”YES”
\njail_socket_unixiproute_only=”YES”
\njail_sysvipc_allow=”NO”\n<\/p><\/blockquote>\nThe above enable the jail feature, tells it I have 2 jails to start (jail1 and jail2), allows hostnames to be set, restricts all networking to TCP\/IP only and disallows SystemV IPC.
\nUnlike jails in FreeBSD 4.x you can now allow raw sockets, this will enable things like ping and traceroute to work, also I suppose portscanners etc will work. I am not too keen on this myself but if you want to enable it you need to set a sysctl:<\/p>\n\n# sysctl security.jail.allow_raw_sockets=1\n<\/p><\/blockquote>\n
The above when run from the root command line will enable raw sockets in all your jails, its a pity this isn’t a per jail thing. To make the sysctl stick through reboots just add it to \/etc\/sysctl.conf<\/i>
\nFor each jail you need to set some options, this is what I have for jail1:<\/p>\n\njail_jail1_rootdir=”\/usr\/local\/jails\/jail1″
\njail_jail1_hostname=”jail1.domain.com”
\njail_jail1_ip=”192.168.1.2″
\njail_jail1_exec=”\/bin\/sh \/etc\/rc”
\njail_jail1_fdescfs_enable=”NO”
\njail_jail1_procfs_enable=”YES”
\njail_jail1_devfs_enable=”YES”
\njail_jail1_devfs_ruleset=”devfsrules_jail”\n<\/p><\/blockquote>\nSome basic stuff here that explains themselves, the IP address, command to call etc. The special stuff comes with some of the options.
\nFreeBSD 5.x has devfs, its a kernel file system that gets mounted on \/dev<\/i>, Linux users will be familiar with this, it dynamically allocated device entries as needed. The default rules for which devices to allow exist in \/etc\/defaults\/devfs.rules<\/i> and it defines a minimal set of devices for jails in the personality named devfsrules_jail<\/i>. By enabling the devfs you end up with a nice set of devices that does not expose your base system to any risk. You can of course tweak them a bit more but you should read the devfs man pages for that.
\nYou’d also want to mount \/proc<\/i> for the jail, this will let things like netstat, ps etc work correctly.
\nYou can read more about this by searching for jail<\/i> in \/etc\/defaults\/rc.conf<\/i> or by reading the man page for rc.conf<\/i>.
\nOnce all of this is setup you can start and stop all the jails using the following:<\/p>\n\n# \/etc\/rc.d\/jail start
\n# \/etc\/rc.d\/jail stop\n<\/p><\/blockquote>\nYou can also start and stop individual jails by just passing a 2nd parameter to the above with the jail name as defined in the jail_list<\/i>.
\nTo see what jails are currently running you can use the jls<\/i> command which produce output like this:<\/p>\n\n\n# jls\nJID IP Address Hostname Path\n10 192.168.1.2 jail1.domain.com \/j\/jail1\n9 192.168.1.3 jail2.domain.com \/j\/jail2\n<\/pre>\n<\/blockquote>\nIf for some other reason the jail isn’t starting as you’d hope or you just want to see the usual start up messages just check \/var\/log\/console.log<\/i> in each jail root, normal startup gets redirected there.
\nSome additional utilities for managing jails can be found in in the jailutils<\/i> port, these allow you alternative methods of stopping and starting jails, there is also a very handy jail aware ps:<\/p>\n\n\n# jps jail1.domain.com -auxw\nUSER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND\nroot 1667 0.0 0.3 3360 1728 ?? IsJ 5:19PM 0:00.03 \/usr\/sbin\/sshd\nroot 1674 0.0 0.2 1380 916 ?? IsJ 5:19PM 0:00.12 \/usr\/sbin\/cron -s\n<\/pre>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"While configuring up my new FreeBSD 5.3 server I noticed that the rc system now supports starting up your jails using settings in \/etc\/rc.conf. I am not sure when this came about, I have not used FreeBSD 5.x much but I have to say it is a lot nicer than my own hacked up RC […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[7],"tags":[62,33],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/273"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=273"}],"version-history":[{"count":1,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/273\/revisions"}],"predecessor-version":[{"id":711,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/273\/revisions\/711"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}