FreeBSD Jails with EZJail

The last post was a success in that a jail was created and everything worked fine and as expected. However, before I go charging off to the server store and configuring my production server, I’m going to do a bit more research into the ongoing deployment and maintenance. The ezjail port in the collection claims to make deployment and maintenance, er, ‘EZ’, so I’m giving that a trial on a fresh server install. Also I’d be happier when FreeBSD 9 is fully released rather than the RC1 version I’m using now for testing.

Prelims

We need to do the same prep as before for the server (see the last post for details), but in short: lock down the sshd daemon and the syslog daemon if it’s a fresh install like mine is. Both should be bound to the host’s own address (10.10.10.100 here) rather than the wildcard address, otherwise they will also answer on every jail address we add to the interface later. Then it’s off to /usr/src for a make buildworld:

# in /etc/ssh/sshd_config, change the Listen address
ListenAddress 10.10.10.100

# in /etc/rc.conf, add
syslogd_flags="-b 10.10.10.100"

service syslogd restart
service sshd restart

# Now the tedious bit...
cd /usr/src
make buildworld

Time passes

A lot more time passes.

Wow, I really need a faster machine for doing this sort of thing! ….

Finally!
Let’s install ezjail before I retire…

# cd /usr/ports/sysutils/ezjail
# make install

Initial Setup

The first task is to create the base jail, which is the template for all the other jails. Part of that process is installing a world into it; the -i flag tells ezjail-admin to install from the world you have just built in /usr/obj rather than running buildworld again, which, if you have followed the instructions, you do not want to do! The -p flag also fetches a ports tree into the base jail so our jail clients can install software.

# ezjail-admin update -i -p

A few minutes later and there is a /usr/jails directory with the following content:

# cd /usr/jails/
# ls -lah
total 20
drwxr-xr-x   5 root  wheel   512B Nov  4 20:30 .
drwxr-xr-x  17 root  wheel   512B Nov  4 20:28 ..
drwxr-xr-x   9 root  wheel   512B Nov  4 20:30 basejail
drwxr-xr-x   3 root  wheel   512B Nov  4 20:30 flavours
drwxr-xr-x  12 root  wheel   512B Nov  4 20:30 newjail

Interestingly, we can make predefined templates with the ‘flavours’, and what’s more reassuring is that it’s spelt correctly! Anyway, we’ll come back to that later. There is also another file to note, /usr/local/etc/ezjail.conf.sample, which I’ll copy now (I like to keep an original) to drop the sample suffix:

# pwd
/usr/local/etc
# cp ezjail.conf.sample ezjail.conf

Deploying our first jail

Now we’ll create our first jail – totally vanilla:

# ezjail-admin create testjail.gconnect.net 10.10.10.101
-- LOTS OF OUTPUT FINISHING WITH --
Warning: IP 10.10.10.101 not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including 10.10.10.101)
  This may cause some confusion, here they are:
root     sshd       1300  4  tcp4   *:22                  *:*
root     syslogd    1045  7  udp4   *:514                 *:*

The IP is easy to fix:

# ifconfig bge0 10.10.10.101/32 alias

I’ll add the alias to /etc/rc.conf so it survives a reboot. The sshd and syslogd warnings are fixed as per the last post, by adding syslogd_flags="-b 10.10.10.100" to /etc/rc.conf, setting the ListenAddress in /etc/ssh/sshd_config and restarting both. The warning matters: anything on the host still bound to * also answers on 10.10.10.101, so the host’s sshd would be reachable via the jail’s address and the jail’s own sshd could not bind port 22. Confirm with sockstat -4l that nothing on the host still shows * in the local address column.
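As an added check (my example, not part of the original post or of ezjail), here is a small script that applies the same test ezjail-admin ran above to sockstat output: it flags every socket bound to the wildcard address, since those are the services that will shadow the jail’s IP. The sample output is constructed to mirror the warning above plus one correctly bound service; on a real host pipe sockstat -4l into it.

```sh
#!/bin/sh
# Added example, not from the original post: find host services bound to the
# wildcard address, which is exactly what ezjail-admin warned about.
# Input format is that of `sockstat -4l` on FreeBSD:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample output modelled on the warning in the post, plus one
# daemon (ntpd) correctly bound to the host address; not captured from a real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1300  4  tcp4   *:22                  *:*
root     syslogd    1045  7  udp4   *:514                 *:*
root     ntpd       1101  20 udp4   10.10.10.100:123      *:*'

# Reads sockstat-style lines on stdin and prints "proto port command" for
# every socket whose local address is * (i.e. reachable on every jail IP too).
wildcard_listeners() {
    awk '!/^USER/ && $6 ~ /^\*:/ { sub(/^\*:/, "", $6); print $5, $6, $2 }'
}

# Returns 0 when nothing listens on *, 1 otherwise; lists offenders on stderr.
check_no_wildcard() {
    offenders=$(wildcard_listeners)
    if [ -n "$offenders" ]; then
        printf 'services bound to all addresses (will shadow jail IPs):\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
# On a real host run:  sockstat -4l | check_no_wildcard
```

Run it before and after restarting sshd and syslogd; when check_no_wildcard returns 0 the host is no longer competing with the jail for its address.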
Before we can power on the jail, we need to add this to the /etc/rc.conf:

# echo 'ezjail_enable="YES"' >> /etc/rc.conf

Now we can start the jail up and confirm with jls by:

# /usr/local/etc/rc.d/ezjail.sh start
Configuring jails:.
Starting jails: testjail.gconnect.net.
jtest# jls
   JID  IP Address      Hostname                      Path
     1  10.10.10.101    testjail.gconnect.net         /usr/jails/testjail.gconnect.net

As before, we need to add the basic stuff like sshd_enable, some resolvers, an initial user account, the root password, etc. etc. etc. Whilst doing this I came across this problem…

# ping 4.2.2.1
ping: socket: Operation not permitted

I did the usual hawking through config files, rebooting and so on, but it transpires that security.jail.allow_raw_sockets is set to zero, which is what stops this working: a jail may not create raw sockets, and ping needs one to send ICMP. So we need to set this value ON THE HOST SYSTEM and restart the jail. Be aware what it grants: the sysctl is the host-wide default for every jail’s allow.raw_sockets parameter (see jail(8)), so root in any jail can then open raw sockets and send hand-built IP packets, not just ping. Leave it at 0 unless the jails actually need ping or traceroute.

# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
# /usr/local/etc/rc.d/ezjail.sh restart
Stopping jails: testjail.gconnect.net.
Configuring jails:.
Starting jails: testjail.gconnect.net.
# jls
   JID  IP Address      Hostname                      Path
     6  10.10.10.101    testjail.gconnect.net         /usr/jails/testjail.gconnect.net
# jexec 6 /bin/sh
# ping 4.2.2.1
PING 4.2.2.1 (4.2.2.1): 56 data bytes
64 bytes from 4.2.2.1: icmp_seq=0 ttl=245 time=41.766 ms
64 bytes from 4.2.2.1: icmp_seq=1 ttl=245 time=47.647 ms

That all works, but I wanted to ensure it was still set after a reboot, so on the host machine:

# echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

My test reboot confirms this is all working.
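Everything that has to survive a reboot on the host so far (the /32 alias, the syslogd binding, ezjail_enable and the raw-sockets sysctl) is easy to get subtly wrong, so here is an added example (mine, not from the original post) that generates those lines for a list of jail addresses and checks an rc.conf for them. It assumes the interface bge0 and the addresses used in this post; the file names and function names are my own. One detail worth knowing: FreeBSD’s rc network scripts stop at the first missing ifconfig_<if>_aliasN, so the numbering must be consecutive from 0, which is why the aliases are generated rather than typed.

```sh
#!/bin/sh
# Added example, not from the original post: host-side persistence for the
# jail setup described above.  Interface and addresses follow the post;
# everything else here is an assumption for illustration.

# Print ifconfig_<if>_aliasN lines for a list of jail addresses.  The rc
# scripts stop at the first gap in N, so every later alias would silently
# vanish after a reboot; generating them keeps the numbering consecutive.
rc_conf_aliases() {
    ifname=$1; shift
    n=0
    for ip in "$@"; do
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.255"\n' "$ifname" "$n" "$ip"
        n=$((n + 1))
    done
}

# The full set of /etc/rc.conf lines: syslogd bound to the host address,
# ezjail enabled, one /32 alias per jail.
rc_conf_fragment() {
    hostip=$1; ifname=$2; shift 2
    printf 'syslogd_flags="-b %s"\n' "$hostip"
    printf 'ezjail_enable="YES"\n'
    rc_conf_aliases "$ifname" "$@"
}

# The /etc/sysctl.conf line from the post.  Only emit it when the jails
# really need raw sockets: it applies to every jail on the host.
sysctl_conf_fragment() {
    if [ "$1" = "raw" ]; then
        printf 'security.jail.allow_raw_sockets=1\n'
    fi
}

# Returns 0 if every line of the rc.conf fragment for the given host,
# interface and jail addresses is present verbatim in the file $1, 1 otherwise.
rc_conf_complete() {
    file=$1; shift
    rc_conf_fragment "$@" | while IFS= read -r line; do
        grep -qxF -- "$line" "$file" || { echo "missing: $line" >&2; exit 1; }
    done
}

# Demonstration against a constructed rc.conf in a temp file (not a real host file):
tmp=$(mktemp)
rc_conf_fragment 10.10.10.100 bge0 10.10.10.101 10.10.10.102 > "$tmp"
cat "$tmp"
rc_conf_complete "$tmp" 10.10.10.100 bge0 10.10.10.101 10.10.10.102 && echo "rc.conf complete"
# A third jail that was created but never written to rc.conf is caught:
rc_conf_complete "$tmp" 10.10.10.100 bge0 10.10.10.101 10.10.10.102 10.10.10.103 || echo "rc.conf incomplete"
rm -f "$tmp"
```

On the real host, run rc_conf_complete /etc/rc.conf with the host address, interface and the current jail list after each ezjail-admin create; a reboot that drops an alias is the kind of failure you only otherwise notice when the jail comes up without its address.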

Deleting a Jail

The next task is to delete the jail. It seems like a waste, but I want to use the ‘flavours’ to roll out lots of jails with pretty much the same config and pre-installed values.

# ezjail-admin delete -w testjail.gconnect.net
Error: Jail appears to be still running.
  'ezjail-admin stop testjail.gconnect.net' it first or use 'ezjail-admin delete -f testjail.gconnect.net' to force stop.
# /usr/local/etc/rc.d/ezjail.sh stop testjail.gconnect.net
Stopping jails: testjail.gconnect.net.
# ezjail-admin delete -w testjail.gconnect.net
rm: /usr/jails/testjail.gconnect.net/var/empty: Operation not permitted
rm: /usr/jails/testjail.gconnect.net/var: Directory not empty
rm: /usr/jails/testjail.gconnect.net: Directory not empty

This does not look good! Is the jail still there?

# jls
   JID  IP Address      Hostname                      Path
# ezjail-admin list
STA JID  IP              Hostname                       Root Directory
--- ---- --------------- ------------------------------ ------------------------
jtest# cd /usr/jails/
# ls
basejail		flavours		newjail			testjail.gconnect.net

OK, the jail is gone, but I have a directory remaining….

# rm -r testjail.gconnect.net/
override r-xr-xr-x  root/wheel schg for testjail.gconnect.net/var/empty? y
rm: testjail.gconnect.net/var/empty: Operation not permitted
rm: testjail.gconnect.net/var: Directory not empty
rm: testjail.gconnect.net/: Directory not empty

The directory does not want to be deleted. /var/empty is created by installworld with the schg (system immutable) flag, which is what rm is refusing to override, and ezjail-admin delete -w does not clear it. So we clear the flag, remove the leftovers by hand and start again. Note that schg can only be cleared while the host’s kern.securelevel is 0 or lower; on a host running at a raised securelevel even root cannot remove it without dropping to single-user mode.

# cd /usr/jails/testjail.gconnect.net/var
# chflags -R noschg empty/
# rmdir empty/
# cd /usr/jails
# rm -r testjail.gconnect.net/
This entry was posted in FreeBSD Administration.
