I’m thinking of offering FreeBSD jailed Apache servers as a middle ground between community hosting and dedicated servers. First step is to create my test of how it will work. Using my trusty HP MicroServer, I’ve installed a new(ish) disk and done a vanilla install of FreeBSD 9.0 RC1 (pretty cutting edge, I know!). The chosen text for this will be the FreeBSD online handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html) and Michael Lucas’s ‘Absolute FreeBSD 2nd Edition’ which in my opinion is the most readable book on FreeBSD.
Prelims
To start with I’ll need to assign a static IP to the server (it was on DHCP) and then make sure that all the services running on the server are bound to that IP address, and that IP address only. The reason is that each ‘jail’ gets its own IP and we cannot have the host services listening on those addresses too; in fact the jailed service just does not even start if the host has already grabbed the port on all interfaces. So here goes, for the IP address:
# in /etc/rc.conf, add:
defaultrouter="10.10.10.1"
ifconfig_bge0="inet 10.10.10.100 netmask 255.255.255.0"
Then make sure the sshd service is bound correctly:
# in /etc/ssh/sshd_config, change the ListenAddress:
ListenAddress 10.10.10.100
The syslog service is also listening, so:
# in /etc/rc.conf, add:
syslogd_flags="-b 10.10.10.100"
Now either reboot the machine or just restart the services:
/etc/rc.d/netif restart
service syslogd restart
service sshd restart
Use the sockstat -4 command to check it’s all ok:
test# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dan      sshd       1670  3  tcp4   10.10.10.100:22       10.10.10.10:64296
root     sshd       1667  3  tcp4   10.10.10.100:22       10.10.10.10:64296
root     syslogd    1493  6  udp4   10.10.10.100:514      *:*
root     sshd       1469  3  tcp4   10.10.10.100:22       *:*
root     sendmail   1322  3  tcp4   127.0.0.1:25          *:*
Make sure that nothing in the LOCAL ADDRESS column shows a *:port_number entry, which would mean the service is not specifically bound to an IP and is listening on all interfaces.
Installing the Jail
Installing the jail is basically installing all the system files again in a separate location. If the server has never been upgraded then we need to ‘build the world’ first.
# cd /usr/src
# make buildworld
# make installworld DESTDIR=/usr/jail/jail1
# make distribution DESTDIR=/usr/jail/jail1
# mount -t devfs devfs /usr/jail/jail1/dev
Having completed those steps, we can now start the jail up manually using the jail command:
# jail /usr/jail/jail1 jail1 10.10.10.101 /bin/sh
So we are now logged into the jail, although there is very little to see! We’ll need to do a few jobs to get the thing up and running enough for an ssh login to the jail. These will be adding some name servers to resolv.conf, enabling sshd, adding a local user and setting the root password. We’ll also touch the /etc/fstab file to avoid software complaints.
# touch /etc/fstab
# echo 'network_interfaces=""' >> /etc/rc.conf
# echo 'sshd_enable="YES"' >> /etc/rc.conf
# echo 'nameserver 4.2.2.1' >> /etc/resolv.conf
# echo 'nameserver 4.2.2.2' >> /etc/resolv.conf
#
# passwd (add password x 2)
# adduser (follow instructions for new local user)
#
# exit
When you exit, the jail will shut down. Now, in order to use the rc system for starting up and shutting down jails, you need to add some jail directives to the /etc/rc.conf file: first to enable jails, then to set the details for the individual jails:
# echo '##################################' >> /etc/rc.conf
# echo 'jail_enable="YES"' >> /etc/rc.conf
# echo 'jail_list="jail1"' >> /etc/rc.conf
# echo '##################################' >> /etc/rc.conf
# echo 'jail_jail1_rootdir="/usr/jail/jail1"' >> /etc/rc.conf
# echo 'jail_jail1_hostname="jail1"' >> /etc/rc.conf
# echo 'jail_jail1_ip="10.10.10.101"' >> /etc/rc.conf
# echo 'jail_jail1_devfs_enable="YES"' >> /etc/rc.conf
# echo 'jail_jail1_devfs_ruleset="devfsrules_jail"' >> /etc/rc.conf
Now we can use the following commands to control all or individual jails:
# /etc/rc.d/jail start         (starts all jails)
# /etc/rc.d/jail jail1 start   (starts just jail1)
# /etc/rc.d/jail stop          (stops all jails)
# /etc/rc.d/jail jail1 stop    (stops just jail1)
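The jail_* stanzas above are easy to get subtly wrong once there is more than one jail: a name in jail_list with no rootdir, hostname or ip line, two jails given the same address, or a jail given the host’s own address (exactly the clash the Prelims section warns about). The checker below is an added example written for this post, not code from the FreeBSD handbook or from Absolute FreeBSD. The function name and the rc.conf fragments it is run against are mine, and the fragments are constructed samples; it reads rc.conf as text with awk rather than sourcing it, so nothing in the file is ever executed.

```sh
#!/bin/sh
# Added example: sanity-check the jail_* directives in an rc.conf.
# Reads rc.conf text on stdin, prints each problem on stderr and the
# number of problems found on stdout. Parsed with awk, never sourced.
check_jail_rcconf() {
    awk -F'=' '
    # strip the surrounding double quotes from a value
    function val(s) { gsub(/^"|"$/, "", s); return s }
    /^jail_list=/ { list = val($2) }
    /^jail_[A-Za-z0-9_]+_(rootdir|hostname|ip)=/ { cfg[$1] = val($2) }
    # the host address comes from the ifconfig_<nic>="inet A.B.C.D ..." line
    /^ifconfig_[A-Za-z0-9]+=/ {
        if (match($2, /inet [0-9.]+/)) hostip = substr($2, RSTART + 5, RLENGTH - 5)
    }
    END {
        n = split(list, jails, " ")
        split("rootdir hostname ip", req, " ")
        for (i = 1; i <= n; i++) {
            j = jails[i]
            for (r = 1; r <= 3; r++) {
                key = "jail_" j "_" req[r]
                if (!(key in cfg)) { print "missing " key > "/dev/stderr"; bad++ }
            }
            ip = cfg["jail_" j "_ip"]
            if (ip == "") continue
            if (ip == hostip) { print j ": ip " ip " is the host address" > "/dev/stderr"; bad++ }
            if (ip in seen) { print j ": ip " ip " already used by " seen[ip] > "/dev/stderr"; bad++ }
            seen[ip] = j
        }
        print bad + 0
    }'
}

# Constructed rc.conf fragments (not copied from a real host).
RCCONF_OK='ifconfig_bge0="inet 10.10.10.100 netmask 255.255.255.0"
jail_enable="YES"
jail_list="jail1"
jail_jail1_rootdir="/usr/jail/jail1"
jail_jail1_hostname="jail1"
jail_jail1_ip="10.10.10.101"
jail_jail1_devfs_enable="YES"
jail_jail1_devfs_ruleset="devfsrules_jail"'

# Three mistakes: jail2 has no hostname and reuses the host address,
# jail3 reuses the address already given to jail1.
RCCONF_BAD='ifconfig_bge0="inet 10.10.10.100 netmask 255.255.255.0"
jail_list="jail1 jail2 jail3"
jail_jail1_rootdir="/usr/jail/jail1"
jail_jail1_hostname="jail1"
jail_jail1_ip="10.10.10.101"
jail_jail2_rootdir="/usr/jail/jail2"
jail_jail2_ip="10.10.10.100"
jail_jail3_rootdir="/usr/jail/jail3"
jail_jail3_hostname="jail3"
jail_jail3_ip="10.10.10.101"'

problems_in() { printf '%s\n' "$1" | check_jail_rcconf; }

# On a real host: check_jail_rcconf < /etc/rc.conf
printf 'ok sample: %s problem(s)\n'  "$(problems_in "$RCCONF_OK")"
printf 'bad sample: %s problem(s)\n' "$(problems_in "$RCCONF_BAD")"
```

Run it against /etc/rc.conf before /etc/rc.d/jail start; a non-zero count means at least one jail will either fail to come up or will fight the host (or another jail) for an address.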
Managing the Jails
Now we have everything up and running there are a couple of programs which make managing the jails a bit more bearable.
‘jls’ (apparently also the name of a pop group) shows the jail ID numbers, which we need for ‘jexec’, which allows the administrator of the ‘host’ or ‘master’ box to execute commands inside the jailed servers. Here are some examples:
test# jls
   JID  IP Address      Hostname                      Path
     3  10.10.10.101    jail1                         /usr/jail/jail1
test# jexec 3 sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dan      sshd       2587  3  tcp4   10.10.10.101:22       10.10.10.10:55613
root     sshd       2584  3  tcp4   10.10.10.101:22       10.10.10.10:55613
root     sshd       2582  3  tcp4   10.10.10.101:22       *:*
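Both the sockstat check in the Prelims section (nothing on the host may sit on *:port) and the jexec check above (everything inside a jail should sit on that jail’s own address) are the same test with a different expected address, so here it is as one script. This is an added example written for this post, not code from the FreeBSD handbook or from Absolute FreeBSD; the function names are mine, the sockstat listings are constructed samples rather than captures from a real host, and check_all_jails assumes jls prints JID and IP as its first two columns, as it does in the listing above.

```sh
#!/bin/sh
# Added example: flag sockets that are not bound to the address they should be.
# Reads `sockstat -4` output on stdin. Every LOCAL ADDRESS must be either the
# expected address ($1) or loopback; anything else (including the *:port form,
# meaning "all interfaces") is printed on stderr, and the count goes to stdout.
unbound_sockets() {
    awk -v want="$1" 'NR > 1 {
        split($6, a, ":")          # LOCAL ADDRESS is field 6, as addr:port
        if (a[1] != want && a[1] != "127.0.0.1") {
            print $1, $2, $5, $6 > "/dev/stderr"
            n++
        }
    } END { print n + 0 }'
}

# Constructed sockstat -4 output (not captured from a real host): the host
# services are bound to 10.10.10.100, except for an httpd listening on *:80.
HOST_SOCKETS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1469  3  tcp4   10.10.10.100:22       *:*
root     syslogd    1493  6  udp4   10.10.10.100:514      *:*
root     sendmail   1322  3  tcp4   127.0.0.1:25          *:*
www      httpd      2001  4  tcp4   *:80                  *:*'

# Constructed output as jexec <jid> sockstat -4 would show it for a clean jail.
JAIL_SOCKETS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       2582  3  tcp4   10.10.10.101:22       *:*'

count_unbound() { printf '%s\n' "$2" | unbound_sockets "$1"; }

# On a real host: walk the JID and IP columns of jls and check each jail
# through jexec, the same way the post does by hand. Not run in this demo.
check_all_jails() {
    jls | awk 'NR > 1 { print $1, $2 }' | while read -r jid ip; do
        n=$(jexec "$jid" sockstat -4 | unbound_sockets "$ip")
        echo "jail $jid ($ip): $n socket(s) not bound to its address"
    done
}

echo "host: $(count_unbound 10.10.10.100 "$HOST_SOCKETS") unexpected binding(s)"
echo "jail1: $(count_unbound 10.10.10.101 "$JAIL_SOCKETS") unexpected binding(s)"
```

On the host, sockstat -4 | unbound_sockets 10.10.10.100 should report 0; the constructed host sample reports 1 because of the httpd on *:80, which is precisely the kind of listener that would stop a jailed Apache from binding its own copy of the port.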
I hope that was enjoyable! I’m off to find out where the ports tree has gone on my jail now! That’s quite enough for one post.