-
-
Notifications
You must be signed in to change notification settings - Fork 6
Jails
Jails MidnightBSD supports Jails.
The jail(8) command is used to start a jail.
jls can be used to view what jails are currently running.
Setup To setup a jail, one must first create a directory to store the jail and then populate it with a copy of the OS, excluding the kernel. It won't hurt anything if the kernel is there, but you will be running on the host kernel. No sense having any files present that you don't need. They just waste space.
Lets assume you set an environment variable called DESTDIR and pointed it at the location of your jail, say /usr/jail/myjail
In order to populate the OS, you can either download a base.txz from the release on the FTP server for the release you're using (or older) or get it from the installation media. You can also install it from src.
For the base media approach, just extract it like so:
tar -xf base.txz -C $DESTDIR
You can also fetch the mports.txz but it is recommended to get a fresh copy of mports or just use portsnap to populate it instead. Some folks even get clever and share a /usr/mports directory with the host
For the src approach:
setenv D /usr/jail/myjail mkdir -p $D cd /usr/src
make buildworld make installworld DESTDIR=$D make distribution DESTDIR=$D mount -t devfs devfs $D/dev
Configuration Add jail_enable="YES" to /etc/rc.conf
Now setup /etc/jail.conf. (example from FreeBSD handbook)
www { host.hostname = www.example.org; # Hostname ip4.addr = 192.168.0.10; # IP address of the jail path = "/usr/jail/www"; # Path to the jail devfs_ruleset = "www_ruleset"; # devfs ruleset mount.devfs; # Mount devfs inside the jail exec.start = "/bin/sh /etc/rc"; # Start command exec.stop = "/bin/sh /etc/rc.shutdown"; # Stop command }
Starting and stopping your jail
service jail start www service jail stop www
View and stop a jail
jls
JID IP Address Hostname Path 3 192.168.0.10 www /usr/jail/www
jexec 3 /etc/rc.shutdown
Old releases MidnightBSD didn't always have /etc/jail.conf
To configure jails on old releases do something like this in /etc/rc.conf after setting up the directory as above
jail_enable="YES"
jail_list="magus"
jail_magus_devfs_enable="YES"
jail_magus_ip="10.1.10.251"
jail_magus_hostname="magus.mydomain"
jail_magus_rootdir="/home/jail/magus"
Attaching to a running jail Run jls to get the jail id. let's say it's 1
jexec 1 tcsh Security Tuning There are many sysctl's that affect security. Consult the jail and sysctl man pages for more information. Here's a few examples:
security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 0
Software Update If you used the source method, you can just do a new buildworld installworld cycle to update the jail OS.
If you wish to use mport packages, attach to the jail and use the mport commands as normal. Unlike FreeBSD's pkg, mport does NOT have a jail feature from the host.