Sunday, April 8, 2012

Jails

A jail lets you separate a system running inside the "jail" from your base system. It's not virtualization, just separation of multiple live systems, each running in its own environment on the same machine.
The FreeBSD Handbook and the man page for jail give sufficient documentation.

1. IP address for jail

Every jail is bound to an IP address. Fortunately, we don't need as many network cards as we have jails. We can create IP aliases on a real NIC, create a new loopback interface, or create a loopback and put aliases on it.
Loopbacks are a bit different, so I'll first show an alias on a real NIC.
Another way is to create a sub-interface under a real interface.

Assume you have one interface "rl0" with IP 192.168.1.10/24.
You would like to create the IP alias 192.168.1.20/24 on rl0:
ifconfig rl0 inet 192.168.1.20 netmask 255.255.255.0 alias

Run "ifconfig" to see what has changed.
We want to preserve this alias after a reboot, so edit "rc.conf":
ifconfig_rl0_alias0="192.168.1.20 netmask 255.255.255.0"

2. Preparation of system hierarchy - Handbook version

These steps are normally used when you don't have any base for your own hierarchy (explained later in this post).

mkdir -p /usr/jails/my_jail    # the location of the jail; "-p" also creates the "jails" directory
cd /usr/src/
make buildworld                # see the earlier post about compilation
make installworld DESTDIR=/usr/jails/my_jail
make distribution DESTDIR=/usr/jails/my_jail
mount -t devfs devfs /usr/jails/my_jail/dev

3. Preparation of system hierarchy - my version

I'm not sure if this way is correct, but it works and I have no problem so far.

This way is connected with the post about dump/restore. As you may recall, I installed a minimal FreeBSD installation, did some post-install settings, updates and upgrades, compiled some ports and then created a "snapshot" of the system. Every time I start a new "project" or installation, I use this snapshot to skip the time-consuming process of setting up the basic environment. I'll use this method to create a new jail.
Assume you have dumped the system you want to start with.

mkdir -p /usr/jails/my_jail    # the same as in the previous section
cd /usr/jails/my_jail
restore -r -b 65536 -f /mnt_src/root.dmp
#Change "/mnt_src/root.dmp" to path of your dump file.
cd /usr/jails/my_jail/var
restore -r -b 65536 -f /mnt_src/var.dmp
cd /usr/jails/my_jail/tmp
restore -r -b 65536 -f /mnt_src/tmp.dmp
cd /usr/jails/my_jail/usr
restore -r -b 65536 -f /mnt_src/usr.dmp

That's it. Just a few more, less important hints:
-remove everything in /usr/jails/my_jail/var/run directory
-remove everything in /usr/jails/my_jail/etc/fstab file
-remove everything in /usr/jails/my_jail/etc/rc.conf file
-remove everything in /usr/jails/my_jail/usr/src
-remove everything in /usr/jails/my_jail/usr/obj
-remove everything else that you don't want to have in the jail or that you
 don't want users to have in the jail.

4. Configuration of jail

Do that in the "rc.conf" file. There are various options for setting up a jail.
Some of the essential ones:

#####################
ifconfig_rl0_alias0="192.168.1.20 netmask 255.255.255.0"   # you already know this one
#####################
jail_enable="YES"
jail_list="my_jail"                # list of jails separated by spaces
jail_set_hostname_allow="NO"       # prevents changing the hostname from inside the jail
#####################
jail_my_jail_rootdir="/usr/jails/my_jail"
jail_my_jail_hostname="MCBSD_Jail"
jail_my_jail_ip="192.168.1.20"
jail_my_jail_devfs_enable="YES"
#####################

As I said, these values are just simple pointers on how to start. Google and the man pages will help you find more options to suit your needs.
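
One way to catch an unclosed quote or a jail that is listed without its settings before the next boot, as an added example that is not part of the original post. check_jail_conf and write_sample_conf are hypothetical helper names, and the sample file is constructed from the values above.

```sh
# Added example, not from the original post: lint the jail settings of an
# rc.conf-style file. Prints one finding per line and returns 0 when clean.
check_jail_conf() {
    conf=$1
    # rc.conf is sourced as shell code, so an unclosed quote breaks all of it.
    if ! sh -n "$conf" 2>/dev/null; then
        echo "syntax error in $conf"
        return 1
    fi
    (   # subshell: the sourced variables do not leak into the caller
        . "$conf"
        bad=0
        finding() { echo "$*"; bad=1; }
        [ "$jail_enable" = "YES" ] || finding "jail_enable is not YES"
        [ "$jail_set_hostname_allow" = "NO" ] ||
            finding "jail_set_hostname_allow is not NO"
        for j in $jail_list; do
            for key in rootdir hostname ip; do
                eval "val=\${jail_${j}_${key}}"
                [ -n "$val" ] || finding "jail $j: jail_${j}_${key} is not set"
            done
            eval "ip=\${jail_${j}_ip}"
            # Assumption taken from the post: the jail address is put on the
            # host by an ifconfig_* alias line in the same file.
            [ -z "$ip" ] || grep '^ifconfig_' "$conf" | grep -qwF -- "$ip" ||
                finding "jail $j: $ip is on no ifconfig_* line"
        done
        exit "$bad"
    )
}

# Constructed sample that mirrors the values used in the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
ifconfig_rl0_alias0="192.168.1.20 netmask 255.255.255.0"
jail_enable="YES"
jail_list="my_jail"
jail_set_hostname_allow="NO"
jail_my_jail_rootdir="/usr/jails/my_jail"
jail_my_jail_hostname="MCBSD_Jail"
jail_my_jail_ip="192.168.1.20"
jail_my_jail_devfs_enable="YES"
EOF
}

# Demo on a temporary copy of the sample.
demo=$(mktemp -d) && write_sample_conf "$demo/rc.conf"
check_jail_conf "$demo/rc.conf" && echo "sample rc.conf: no findings"
rm -rf "$demo"
```

The file is sourced the same way the rc scripts source it, so point the function only at a file you would also trust as rc.conf.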

5. Managing the jail

/etc/rc.d/jail start
/etc/rc.d/jail stop

jls - command to list running jails
ps - check for "J" in "STAT" column
jexec - command to execute commands inside of the jail

Example of starting shell inside of the jail:
jls output:
JID  IP Address      Hostname                      Path
 1  192.168.1.20     MCBSD_Jail                   /usr/jails/my_jail

The unique identifier of a jail is the Jail ID, in this case "1".
We want to run tcsh inside of the jail:
jexec 1 tcsh - "1" selects the particular jail and "tcsh" is the command. The path to "tcsh" is taken from the environment.

After you hit enter, you will jump into the jail with a tcsh shell. Working in the jail has no effect on the host machine. You can do almost everything you can in a normal system.
Type exit to leave the shell and, with it, the jail.

6. Hints
**Don't forget that a jail is not fully independent. Using a jail comes with some limits that you will run into. Some of them can be removed or adjusted, but some cannot, mainly for security reasons, which is the point of a jail.

**I had some problems with the user/password database. I don't know what the reason was, but to fix it:
pwd_mkdb /etc/master.passwd - in case you have corrupted pwd database
pwd_mkdb -p /etc/master.passwd - to create /etc/passwd from pwd database

  
**You can bind jail to loopback interface:
ifconfig lo1 create inet 10.10.10.10 netmask 255.255.255.0
After I did this, starting the jail hung. That's because of some services which try to start inside the jail; in a plain jail, it's mainly sendmail. So edit rc.conf inside the jail to stop sendmail from starting:
sendmail_enable="NONE"

**Be aware of which IP you bind the jails to, and adjust your routing table, firewall permissions, NAT options, redirects... accordingly.

**For more comfort, set up SSH access into your jail and, if you like, use the "screen" command from the "screen" port.

**It's interesting to have a jail with resource restrictions for security reasons.
To restrict CPU/MEM/... you can use the values in "login.conf" in your jail. Some of them are useful, but for me CPU is a bit useless because this value is defined as time. Better than nothing, but I would appreciate this value as a percentage. There is a workaround, but I've not tried it yet... Will check.
To restrict disk usage, one way is to use "quota" for particular users in the jail. This method is not ideal for me; I suggest putting every jail on a separate file system so it's fully separated from the host system. Depending on how many jails you have, more jails mean more maintenance time for all those file systems... check the internet for real-life examples.

**Be aware that every jail shares the kernel of the host system.

**Protect the key files inside the jail with the "chflags" command.

**Create one jail with all the modifications and hints above, dump it and then use it as a template for other ones.

**Create your own automated system for maintaining all the jails you have.

**To save disk space, remove man pages from jails. You can use those on your host machine or use the internet.

**Check the user database of your jail before putting the jail into production. Look out for accounts which won't be in use.
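
The user-database check from the last hint, as an added example that is not part of the original post. audit_jail_accounts and make_sample_jail are hypothetical helper names, the sample master.passwd is constructed, and a "*" at the start of the password field is treated as "password login disabled".

```sh
# Added example, not from the original post: list the accounts in a jail's
# master.passwd that deserve a look before the jail goes into production.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
audit_jail_accounts() {   # $1 = jail root directory
    awk -F: '
        /^#/ || NF != 10 { next }        # skip comments and malformed lines
        {
            shell = ($10 == "") ? "/bin/sh" : $10    # empty field means /bin/sh
            if ($2 == "")
                print $1 ": empty password"
            else if ($2 !~ /^\*/ && shell !~ /\/nologin$/)
                print $1 ": password login with " shell
            if ($3 == 0 && $1 != "root")
                print $1 ": extra uid 0 account"
        }' "$1/etc/master.passwd"
}

# Constructed sample jail tree; the hash of "olduser" is a placeholder.
make_sample_jail() {
    mkdir -p "$1/etc"
    cat > "$1/etc/master.passwd" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
olduser:$6$constructedsalt$constructedhash:1001:1001::0:0:Former admin:/home/olduser:/bin/tcsh
EOF
}

# Demo: audit the constructed jail tree.
demo=$(mktemp -d) && make_sample_jail "$demo"
audit_jail_accounts "$demo"
rm -rf "$demo"
```

On a real host, pass the jail root, for example /usr/jails/my_jail, and review every line it prints.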



