Each jail in FreeBSD's jail virtualization environment runs on the host machine with its own files, processes, and user and superuser accounts. From inside a jailed process, the environment is almost indistinguishable from a real system. The easiest way to set up, create and modify jails is with a framework called ezjail.
Sample Setup
server.nixcraft.net.in : FreeBSD host server running v7.2 with 202.54.1.2
smtpd.nixcraft.net.in : Mail server jail with 202.54.1.3
httpd.nixcraft.net.in : Web server jail with 202.54.1.4
Step # 1: Update Your Host System
Make sure you are running an updated kernel and base system. Use the cvsup command to install the latest kernel and base system. See the detailed tutorial about upgrading the FreeBSD operating system.
Step # 2: Install ezjail
Type the following commands to install the ezjail port, which contains two scripts to easily create, manipulate and run FreeBSD jails:
# cd /usr/ports/sysutils/ezjail
# make install clean
ezjail Default File Locations
- /usr/jails/ : Default location to store base jail system template.
- /usr/jails/flavours/ : Customization for each jail can be done via flavours. For e.g. adding default /etc/resolv.conf file or updating existing /etc/make.conf can be done here.
- /usr/jails/basejail/ : Base jail will be exported and mounted as read only for each jail. This will save disk space.
- /usr/local/etc/rc.d/ezjail.sh : Stop / Start / Restart jails script.
- /usr/local/etc/ezjail.conf : Configuration file for the ezjail script. It contains the settings that control the operation of the ezjail rc script, and is also read by the ezjail-admin utility to figure out where it should perform its actions.
- /usr/local/etc/ezjail/ : All your jail configuration files are stored here.
Create Base Jail Template
Type the following command to create or update ezjail's environment (aka basejail) from source:
# ezjail-admin update -p -i
Where,
- -p : Provide ports for the jail.
- -i : Do not run make world. This saves time, as it reuses the buildworld done in step # 1.
Alternatively, install a pre-built base jail instead of building it from source:
# ezjail-admin install
Step # 3: Create SMTPD Mail Server Jail
Type the following command to create the smtpd.nixcraft.net.in jail with IP address 202.54.1.3 in the /jails/smtpd.nixcraft.net.in directory:
# ezjail-admin create -r /jails/smtpd.nixcraft.net.in smtpd.nixcraft.net.in 202.54.1.3
Update SMTPD Jail Config File
The default config file is located at /usr/local/etc/ezjail/smtpd_nixcraft_net_in. Open this file using the vi text editor:
# vi /usr/local/etc/ezjail/smtpd_nixcraft_net_in
Set the hostname and multiple IP addresses as required:
export jail_smtpd_nixcraft_net_in_hostname="smtpd.nixcraft.net.in"
export jail_smtpd_nixcraft_net_in_ip="202.54.1.3,10.21.51.12"
Save and close the file.
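As an added example (not from the original post and not part of ezjail): a small POSIX shell helper that derives the ezjail config file name from a jail hostname, renders the two export lines shown above, refuses malformed IPv4 addresses, and checks an ezjail config directory for an address that another jail already claims, so two jails never end up sharing an IP. The function names (ezjail_config_name, valid_ipv4, render_jail_config, ip_in_use) and the temporary directory the demo writes to are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for rendering and
# sanity-checking the per-jail ezjail config shown above. Function names
# are this example's own, not part of ezjail.

# ezjail names each config file after the jail, with dots replaced by
# underscores (smtpd.nixcraft.net.in -> smtpd_nixcraft_net_in).
ezjail_config_name() {
    printf '%s\n' "$1" | tr '.' '_'
}

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Print the hostname and ip export lines for a jail; the second argument is
# the comma-separated address list exactly as ezjail expects it.
render_jail_config() {
    jail="$1"; ips="$2"
    [ -n "$jail" ] && [ -n "$ips" ] || return 1
    name=$(ezjail_config_name "$jail")
    old_ifs=$IFS; IFS=,
    for ip in $ips; do
        if ! valid_ipv4 "$ip"; then
            IFS=$old_ifs
            echo "render_jail_config: malformed address: $ip" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    printf 'export jail_%s_hostname="%s"\n' "$name" "$jail"
    printf 'export jail_%s_ip="%s"\n' "$name" "$ips"
}

# Look through an ezjail config directory (normally /usr/local/etc/ezjail)
# for a jail that already claims the given address. Prints the config file
# path and returns 0 on a hit; returns 1 when the address is free.
ip_in_use() {
    dir="$1"; ip="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Pull the address list out of the export jail_<name>_ip="..." line.
        list=$(sed -n 's/^export jail_.*_ip="\(.*\)"$/\1/p' "$f")
        old_ifs=$IFS; IFS=,
        for have in $list; do
            if [ "$have" = "$ip" ]; then
                IFS=$old_ifs
                printf '%s\n' "$f"
                return 0
            fi
        done
        IFS=$old_ifs
    done
    return 1
}

# Demo on a constructed config directory (a temp dir, not the real one).
demo_dir=$(mktemp -d)
render_jail_config smtpd.nixcraft.net.in 202.54.1.3,10.21.51.12 \
    > "$demo_dir/$(ezjail_config_name smtpd.nixcraft.net.in)"
if ip_in_use "$demo_dir" 202.54.1.3 >/dev/null; then
    echo "202.54.1.3 is already assigned; pick another address for the httpd jail"
else
    echo "202.54.1.3 is free"
fi
rm -rf "$demo_dir"
```

Run ip_in_use against /usr/local/etc/ezjail before every ezjail-admin create; on FreeBSD 7.2 a jail's addresses are aliases on the host's interfaces, so an address given to two jails silently lets both answer for it.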
Step # 4: Turn On jail Service
Type the following command:
# echo 'ezjail_enable="YES"' >> /etc/rc.conf
How do I start all Jails?
# /usr/local/etc/rc.d/ezjail.sh start
How do I stop all Jails?
# /usr/local/etc/rc.d/ezjail.sh stop
How do I restart all Jails?
# /usr/local/etc/rc.d/ezjail.sh restart
You can also start / stop / restart a particular jail using the following syntax:
# /usr/local/etc/rc.d/ezjail.sh {start|stop|restart} jail-name
# /usr/local/etc/rc.d/ezjail.sh start httpd
# /usr/local/etc/rc.d/ezjail.sh stop smtpd.nixcraft.net.in
How Do I List All Jails?
Use the jls command to list all jails:
# jls
To display more verbose information including cpusets, jail state, multiple IPs, etc., enter:
# jls -v
How Do I Login To My Jail From The Host Itself?
Use the jexec command as follows to attach a console to a jail:
# jexec jid csh
The jid can be obtained using the jls command. Connect to the jail called smtpd.nixcraft.net.in with jid # 2:
# jexec 2 csh
Now you can install any software and work inside the jail. Update your /etc/resolv.conf file:
# vi /etc/resolv.conf
Install the bash shell, enter:
# pkg_add -r -v bash
Install the Apache 2.2 server:
# cd /usr/ports/www/apache22
# make install clean
How Do I Login Remotely (Directly) To Jail?
First, login using the jexec command. Add the following line to the jail's /etc/rc.conf:
# echo 'sshd_enable="YES"' >> /etc/rc.conf
Open the jail's /etc/ssh/sshd_config file and set the ListenAddress parameter to the jail's IP so that sshd binds to the jail IP only. Start the OpenSSH server inside the jail and verify which addresses it is listening on:
# /etc/rc.d/sshd start
# sockstat -4
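As an added example (not from the original post): a POSIX shell check for the sshd_config edit described above. It reads a jail's sshd_config and reports whether sshd would bind only the jail's own address; with no ListenAddress at all, sshd binds the wildcard address, which is exactly what the post tells you to avoid. The function name (sshd_listen_ok) and the temporary config file the demo writes are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a jail's
# sshd_config binds only the jail's own address. The function name is
# this example's own.

# Usage: sshd_listen_ok /path/to/sshd_config JAIL_IP
# Returns 0 when at least one ListenAddress is present and every one of
# them is JAIL_IP (optionally with a :port suffix); returns 1 otherwise.
sshd_listen_ok() {
    cfg="$1"; ip="$2"
    found=0
    # The "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key val rest || [ -n "$key" ]; do
        case "$key" in
            [Ll]isten[Aa]ddress)
                found=1
                case "$val" in
                    "$ip"|"$ip:"*) ;;   # the jail's own address, any port
                    *)
                        echo "$cfg: sshd also listens on $val" >&2
                        return 1 ;;
                esac ;;
        esac
    done < "$cfg"
    if [ "$found" -eq 0 ]; then
        echo "$cfg: no ListenAddress, sshd would bind the wildcard address" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed sshd_config fragment (a temp file, not a real jail).
demo_cfg=$(mktemp)
printf '%s\n' '#ListenAddress 0.0.0.0' 'ListenAddress 202.54.1.3' 'Port 22' > "$demo_cfg"
if sshd_listen_ok "$demo_cfg" 202.54.1.3; then
    echo "smtpd jail sshd_config binds only 202.54.1.3"
fi
rm -f "$demo_cfg"
```

Run it from the host against /jails/smtpd.nixcraft.net.in/etc/ssh/sshd_config before starting sshd in the jail, and pair it with the sockstat -4 check above once sshd is running. The same consideration applies to the host's own sshd: jails share the host's network stack, so a host daemon left on the wildcard address also answers on jail addresses that no jail service claims; bind host services to 202.54.1.2 explicitly.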
How Do I Upgrade FreeBSD Jail?
Simply run the following commands:
# /usr/local/etc/rc.d/ezjail.sh stop
# ezjail-admin update -p -i
# /usr/local/etc/rc.d/ezjail.sh start
How Do I Upgrade Only Ports Tree?
There is no need to stop the jails; just run the following to update the ports tree for all jails:
# ezjail-admin update -P
Jail Log Files
The jail console log files are located in the /var/log directory by default. For example, to view the log file for the smtpd.nixcraft.net.in jail, enter:
# tail -f /var/log/jail_smtpd_nixcraft_net_in_console.log
# grep 'error' /var/log/jail_smtpd_nixcraft_net_in_console.log
How Do I Add Additional Jails?
Create the httpd jail, enter:
# ezjail-admin create -r /jails/httpd.nixcraft.net.in httpd.nixcraft.net.in 202.54.1.4
# vi /usr/local/etc/ezjail/httpd_nixcraft_net_in
# /usr/local/etc/rc.d/ezjail.sh start httpd.nixcraft.net.in
# jls -v
# jexec jid csh
How Do I Backup Jails?
Use the tar, rsync or dump command to back up a jail to another server or a tape device. For example, use the tar command to back up smtpd.nixcraft.net.in to tape:
# tar -zcvf /dev/sa0 /jails/smtpd.nixcraft.net.in
You can also use the dump command to back up all jails stored on the /jails partition:
# /sbin/dump -0uLf /dev/sa0 /jails/
Later, just dump incremental updates:
# /sbin/dump -1uLf /dev/sa0 /jails/