FreeBSD Jails

I’m thinking of offering FreeBSD jailed Apache servers as a middle ground between community hosting and dedicated servers. First step is to create my test of how it will work. Using my trusty HP MicroServer, I’ve installed a new(ish) disk and done a vanilla install of FreeBSD 9.0 RC1 (pretty cutting edge, I know!). The chosen text for this will be the FreeBSD online handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html) and Michael Lucas’s ‘Absolute FreeBSD 2nd Edition’ which in my opinion is the most readable book on FreeBSD.

Prelims

To start with I’ll need to assign an ip to the server (was on DHCP) and the make sure that all the services running on the server are bound to that ip address, and that ip address only. The reason is that each ‘jail’ gets its own ip and we cannot have the host services listening for toe services too, in fact is just does not even start, so here goes, for the ip address

# in /etc/rc.conf, add
defaultrouter="10.10.10.1"
ifconfig_bge0="inet 10.10.10.100 netmask 255.255.255.0"

Then make sure the sshd service is bound correctly:

# in /etc/ssh/sshd_config, change the Listen address
ListenAddress 10.10.10.100

Also syslog service is listening, so

# in /etc/rc.conf, add
syslogd_flags="-b 10.10.10.100"

Now either reboot the machine or just restart the services:

/etc/rc.d/netif restart
service syslogd restart
service sshd restart

Use the sockstat -4 command to check its all ok:

test# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
dan      sshd       1670  3  tcp4   10.10.10.100:22       10.10.10.10:64296
root     sshd       1667  3  tcp4   10.10.10.100:22       10.10.10.10:64296
root     syslogd    1493  6  udp4   10.10.10.100:514      *:*
root     sshd       1469  3  tcp4   10.10.10.100:22       *:*
root     sendmail   1322  3  tcp4   127.0.0.1:25          *:*

Ensure in the LOCAL ADDRESS column has nothing with a *:port_number which will means the service is not specifically bound to an ip and is listening on all interfaces.

Installing the Jail

Installing the jail is basically installing all the system files again in a separate location. If the server has never been upgraded then we need to ‘build the world’ first.

# cd /usr/src
# make build world
# make installworld DESTDIR=/usr/jail/jail1
# make distribution DESTDIR=/usr/jail/jail1
# mount -t devfs devfs /usr/jail/jail1/dev

Having completed those steps, new we can start the jail up manually using the jail command.

# jail /usr/jail/jail1 jail1 10.10.10.101 /bin/sh

So we are now logged into the jail, although there is very little to see! We’ll need to do a few jobs to get the thing up and running enough for an ssh login to the jail. These will be adding some name servers to reslov.conf, enabling sshd, adding a local user and setting root password. We’ll also touch the /etc/ftstab file to avoid software complaints.

# touch /etc/fstab
# echo 'network_interfaces=""' >> /etc/rc.conf
# echo 'sshd_enable="YES"' >> /etc/rc.conf
# echo 'nameserver 4.2.2.1' >> /etc/resolv.conf
# echo 'nameserver 4.2.2.2' >> /etc/resolv.conf
#
# passwd (add password x 2)
# adduser (follow instructions for new local user)
#
# exit

When you exit the jail will shut down. Now in order to use the rc system for staring up and shutting down you need to add some jail directives in tote /etc/rc.conf file, firstly to enable jails and then set the details for the individual jails:

# echo '##################################' >> /etc/rc.conf
# echo 'jail_enable="YES"' >> /etc/rc.conf
# echo 'jail_list="jail1"' >> /etc/rc.conf
# echo '##################################' >> /etc/rc.conf
# echo 'jail_jail1_rootdir="/usr/jail/jail1"' >> /etc/rc.conf
# echo 'jail_jail1_hostname="jail1"' >> /etc/rc.conf
# echo 'jail_jail1_ip="10.10.10.101"' >> /etc/rc.conf
# echo 'jail_jail1_devfs_enable="YES"' >> /etc/rc.conf
# echo 'jail_jail1_devfs_ruleset="devfsrules_jail"' >> /etc/rc.conf

Now we can use the following commands to control all or individual jails:

# /etc/rc.d/jail start (starts all jails)
# /etc/rc.d/jail jail1 start (starts just jail1) 
# /etc/rc.d/jail stop (stops all jails)
# /etc/rc.d/jail jail1 stop (stops just jail1) 

Managing the Jails

Now we have everything up and running there are a couple of programs which make managing the jails a bit more bearable.
‘jls’ – apparently the name of a pop group, also shows the jail die numbers which we need for ‘jexec’ which allows the administrator of the ‘host’ or ‘master’ box to excite commands on the jailed servers. Here are some examples:

test# jls
   JID  IP Address      Hostname                      Path
     3  10.10.10.101    jail1                         /usr/jail/jail1

test# jexec 3 sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
dan      sshd       2587  3  tcp4   10.10.10.101:22       10.10.10.10:55613
root     sshd       2584  3  tcp4   10.10.10.101:22       10.10.10.10:55613
root     sshd       2582  3  tcp4   10.10.10.101:22       *:*

I hope that was enjoyable! I’m off to find out where the ports tree has gone on my jail now! Thats quite enough for one post.

This entry was posted in FreeBSD Administration and tagged , , , . Bookmark the permalink.

Leave a Reply