SlideShare a Scribd company logo

FreeBSD Jail Complete Example

Mohammed Farrag
Mohammed Farrag
Technology
1 of 5
Download to read offline
FreeBSD Jail Complete Example The goals of the setup described below are:  Create a simple and easy to understand jail structure. This implies not having to run a full installworld on each and every jail.  Make it easy to add new jails or remove existing ones.  Make it easy to update or upgrade existing jails.  Make it possible to run a customized FreeBSD branch.  Be paranoid about security, reducing as much as possible the possibility of compromise.  Save space and inodes, as much as possible. As it has been already mentioned, this design relies heavily on having a single master template which is read-only (known as nullfs) mounted into each jail and one read-write device per jail. A device can be a separate physical disc, a partition, or a vnode backed md(4) device. In this example, we will use read-write nullfs mounts. The file system layout is described in the following list:  Each jail will be mounted under the /home/j directory.  /home/j/mroot is the template for each jail and the read-only partition for all of the jails.  A blank directory will be created for each jail under the /home/j directory.  Each jail will have a /s directory, that will be linked to the read-write portion of the system.  Each jail shall have its own read-write system that is based upon /home/j/skel.  Each jailspace (read-write portion of each jail) shall be created in /home/js. Note: This assumes that the jails are based under the /home partition. This can, of course, be changed to anything else, but this change will have to be reflected in each of the examples below. 15.6.1.2 Creating the Template This section will describe the steps needed to create the master template that will be the read-only portion for the jails to use. It is always a good idea to update the FreeBSD system to the latest -RELEASE branch. Check the corresponding Handbook Chapter to accomplish this task. In the case the update is not feasible, the buildworld will be required in order to be able to proceed. Additionally, the sysutils/cpdup package will be required. We will use the portsnap(8) utility to download the FreeBSD Ports Collection. The Handbook Portsnap Chapter is always good reading for newcomers.
1. First, create a directory structure for the read-only file system which will contain the FreeBSD binaries for our jails, then change directory to the FreeBSD source tree and install the read-only file system to the jail template: 2. # mkdir /home/j /home/j/mroot 3. # cd /usr/src 4. # make installworld DESTDIR=/home/j/mroot 5. Next, prepare a FreeBSD Ports Collection for the jails as well as a FreeBSD source tree, which is required for mergemaster: 6. # cd /home/j/mroot 7. # mkdir usr/ports 8. # portsnap -p /home/j/mroot/usr/ports fetch extract 9. # cpdup /usr/src /home/j/mroot/usr/src 10. Create a skeleton for the read-write portion of the system: 11. # mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles 12. # mv etc /home/j/skel 13. # mv usr/local /home/j/skel/usr-local 14. # mv tmp /home/j/skel 15. # mv var /home/j/skel 16. # mv root /home/j/skel 17. Use mergemaster to install missing configuration files. Then get rid of the extra directories that mergemaster creates: 18. # mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel - i 19. # cd /home/j/skel 20. # rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev 21. Now, symlink the read-write file system to the read-only file system. Please make sure that the symlinks are created in the correct s/ locations. Real directories or the creation of directories in the wrong locations will cause the installation to fail. 22. # cd /home/j/mroot 23. # mkdir s 24. # ln -s s/etc etc 25. # ln -s s/home home 26. # ln -s s/root root 27. # ln -s ../s/usr-local usr/local 28. # ln -s ../s/usr-X11R6 usr/X11R6 29. # ln -s ../../s/distfiles usr/ports/distfiles 30. # ln -s s/tmp tmp 31. # ln -s s/var var 32. As a last step, create a generic /home/j/skel/etc/make.conf with its contents as shown below: 33. WRKDIRPREFIX?= /s/portbuild Having WRKDIRPREFIX set up this way will make it possible to compile FreeBSD ports inside each jail. Remember that the ports directory is part of the read-only system. The custom path for WRKDIRPREFIX allows builds to be done in the read- write portion of every jail. 15.6.1.3 Creating Jails
Now that we have a complete FreeBSD jail template, we can setup and configure the jails in /etc/rc.conf. This example demonstrates the creation of 3 jails: “NS”, “MAIL” and “WWW”. 1. Put the following lines into the /etc/fstab file, so that the read-only template for the jails and the read-write space will be available in the respective jails: 2. /home/j/mroot /home/j/ns nullfs ro 0 0 3. /home/j/mroot /home/j/mail nullfs ro 0 0 4. /home/j/mroot /home/j/www nullfs ro 0 0 5. /home/js/ns /home/j/ns/s nullfs rw 0 0 6. /home/js/mail /home/j/mail/s nullfs rw 0 0 7. /home/js/www /home/j/www/s nullfs rw 0 0 Note: Partitions marked with a 0 pass number are not checked by fsck(8) during boot, and partitions marked with a 0 dump number are not backed up by dump(8). We do not want fsck to check nullfs mounts or dump to back up the read-only nullfs mounts of the jails. This is why they are marked with “0 0” in the last two columns of each fstab entry above. 8. Configure the jails in /etc/rc.conf: 9. jail_enable="YES" 10. jail_set_hostname_allow="NO" 11. jail_list="ns mail www" 12. jail_ns_hostname="ns.example.org" 13. jail_ns_ip="192.168.3.17" 14. jail_ns_rootdir="/usr/home/j/ns" 15. jail_ns_devfs_enable="YES" 16. jail_mail_hostname="mail.example.org" 17. jail_mail_ip="192.168.3.18" 18. jail_mail_rootdir="/usr/home/j/mail" 19. jail_mail_devfs_enable="YES" 20. jail_www_hostname="www.example.org" 21. jail_www_ip="62.123.43.14" 22. jail_www_rootdir="/usr/home/j/www" 23. jail_www_devfs_enable="YES" Warning: The reason why the jail_name_rootdir variable is set to /usr/home instead of /home is that the physical path of the /home directory on a default FreeBSD installation is /usr/home. The jail_name_rootdir variable must not be set to a path which includes a symbolic link, otherwise the jails will refuse to start. Use the realpath(1) utility to determine a value which should be set to this variable. Please see the FreeBSD-SA-07:01.jail Security Advisory for more information. 24. Create the required mount points for the read-only file system of each jail: 25. # mkdir /home/j/ns /home/j/mail /home/j/www 26. Install the read-write template into each jail. Note the use of sysutils/cpdup, which helps to ensure that a correct copy is done of each directory: 27. # mkdir /home/js 28. # cpdup /home/j/skel /home/js/ns 29. # cpdup /home/j/skel /home/js/mail
30. # cpdup /home/j/skel /home/js/www 31. In this phase, the jails are built and prepared to run. First, mount the required file systems for each jail, and then start them using the /etc/rc.d/jail script: 32. # mount -a 33. # /etc/rc.d/jail start The jails should be running now. To check if they have started correctly, use the jls(8) command. Its output should be similar to the following: # jls JID IP Address Hostname Path 3 192.168.3.17 ns.example.org /home/j/ns 2 192.168.3.18 mail.example.org /home/j/mail 1 62.123.43.14 www.example.org /home/j/www At this point, it should be possible to log onto each jail, add new users or configure daemons. The JID column indicates the jail identification number of each running jail. Use the following command in order to perform administrative tasks in the jail whose JID is 3: # jexec 3 tcsh 15.6.1.4 Upgrading In time, there will be a need to upgrade the system to a newer version of FreeBSD, either because of a security issue, or because new features have been implemented which are useful for the existing jails. The design of this setup provides an easy way to upgrade existing jails. Additionally, it minimizes their downtime, as the jails will be brought down only in the very last minute. Also, it provides a way to roll back to the older versions should any problems occur. 1. The first step is to upgrade the host system in the usual manner. Then create a new temporary read-only template in /home/j/mroot2. 2. # mkdir /home/j/mroot2 3. # cd /usr/src 4. # make installworld DESTDIR=/home/j/mroot2 5. # cd /home/j/mroot2 6. # cpdup /usr/src usr/src 7. # mkdir s The installworld run creates a few unnecessary directories, which should be removed: # chflags -R 0 var # rm -R etc var root usr/local tmp 8. Recreate the read-write symlinks for the master file system: 9. # ln -s s/etc etc 10. # ln -s s/root root 11. # ln -s s/home home
12. # ln -s ../s/usr-local usr/local 13. # ln -s ../s/usr-X11R6 usr/X11R6 14. # ln -s s/tmp tmp 15. # ln -s s/var var 16. The right time to stop the jails is now: 17. # /etc/rc.d/jail stop 18. Unmount the original file systems: 19. # umount /home/j/ns/s 20. # umount /home/j/ns 21. # umount /home/j/mail/s 22. # umount /home/j/mail 23. # umount /home/j/www/s 24. # umount /home/j/www Note: The read-write systems are attached to the read-only system (/s) and must be unmounted first. 25. Move the old read-only file system and replace it with the new one. This will serve as a backup and archive of the old read-only file system should something go wrong. The naming convention used here corresponds to when a new read- only file system has been created. Move the original FreeBSD Ports Collection over to the new file system to save some space and inodes: 26. # cd /home/j 27. # mv mroot mroot.20060601 28. # mv mroot2 mroot 29. # mv mroot.20060601/usr/ports mroot/usr 30. At this point the new read-only template is ready, so the only remaining task is to remount the file systems and start the jails: 31. # mount -a 32. # /etc/rc.d/jail start

Recommended

Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationMohammed Farrag
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 IntroductionMohammed Farrag
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
[ArabBSD] Unix Basics
[ArabBSD] Unix Basics[ArabBSD] Unix Basics
[ArabBSD] Unix BasicsMohammed Farrag
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
Lecture 5 Kernel Development
Lecture 5 Kernel DevelopmentLecture 5 Kernel Development
Lecture 5 Kernel DevelopmentMohammed Farrag
 
How to design a file system
How to design a file systemHow to design a file system
How to design a file systemNikhil Anurag VN
 

Recommended

Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationMohammed Farrag
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 IntroductionMohammed Farrag
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
[ArabBSD] Unix Basics
[ArabBSD] Unix Basics[ArabBSD] Unix Basics
[ArabBSD] Unix BasicsMohammed Farrag
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
Lecture 5 Kernel Development
Lecture 5 Kernel DevelopmentLecture 5 Kernel Development
Lecture 5 Kernel DevelopmentMohammed Farrag
 
How to design a file system
How to design a file systemHow to design a file system
How to design a file systemNikhil Anurag VN
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템Sam Kim
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSjoshuasoundcloud
 
Linux IO
Linux IOLinux IO
Linux IOLiran Ben Haim
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Linux commands
Linux commandsLinux commands
Linux commandsHemakumar.S
 
Programming Embedded linux
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linuxLiran Ben Haim
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSEKernel TLV
 
LINUX Admin Quick Reference
LINUX Admin Quick ReferenceLINUX Admin Quick Reference
LINUX Admin Quick Referencewensheng wei
 
50 most frequently used unix linux commands (with examples)
50 most frequently used unix linux commands (with examples)50 most frequently used unix linux commands (with examples)
50 most frequently used unix linux commands (with examples)Rodrigo Maia
 
Useful Linux and Unix commands handbook
Useful Linux and Unix commands handbookUseful Linux and Unix commands handbook
Useful Linux and Unix commands handbookWave Digitech
 
Putting some "logic" in LVM.
Putting some "logic" in LVM.Putting some "logic" in LVM.
Putting some "logic" in LVM.Workhorse Computing
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV
 
50 most frequently used unix
50 most frequently used unix50 most frequently used unix
50 most frequently used unixTeja Bheemanapally
 
Unix Shell Script
Unix Shell ScriptUnix Shell Script
Unix Shell Scriptstudent
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespacesLocaweb
 
Resume for Mohamed Farag
Resume for Mohamed FaragResume for Mohamed Farag
Resume for Mohamed FaragMohammed Farrag
 
Artificial Intelligence Programming in Art by Mohamed Farag
Artificial Intelligence Programming in Art by Mohamed FaragArtificial Intelligence Programming in Art by Mohamed Farag
Artificial Intelligence Programming in Art by Mohamed FaragMohammed Farrag
 

More Related Content

What's hot

The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템Sam Kim
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSjoshuasoundcloud
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Programming Embedded linux
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linuxLiran Ben Haim
 
LINUX Admin Quick Reference
LINUX Admin Quick ReferenceLINUX Admin Quick Reference
LINUX Admin Quick Referencewensheng wei
 
50 most frequently used unix linux commands (with examples)
50 most frequently used unix linux commands (with examples)50 most frequently used unix linux commands (with examples)
50 most frequently used unix linux commands (with examples)Rodrigo Maia
 
Useful Linux and Unix commands handbook
Useful Linux and Unix commands handbookUseful Linux and Unix commands handbook
Useful Linux and Unix commands handbookWave Digitech
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV
 
Unix Shell Script
Unix Shell ScriptUnix Shell Script
Unix Shell Scriptstudent
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespacesLocaweb
 

What's hot (20)

The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPS
 
Linux IO
Linux IOLinux IO
Linux IO
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commands
 
Linux commands
Linux commandsLinux commands
Linux commands
 
Programming Embedded linux
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linux
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSE
 
LINUX Admin Quick Reference
LINUX Admin Quick ReferenceLINUX Admin Quick Reference
LINUX Admin Quick Reference
 
50 most frequently used unix linux commands (with examples)
50 most frequently used unix linux commands (with examples)50 most frequently used unix linux commands (with examples)
50 most frequently used unix linux commands (with examples)
 
Useful Linux and Unix commands handbook
Useful Linux and Unix commands handbookUseful Linux and Unix commands handbook
Useful Linux and Unix commands handbook
 
Putting some "logic" in LVM.
Putting some "logic" in LVM.Putting some "logic" in LVM.
Putting some "logic" in LVM.
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance Tools
 
50 most frequently used unix
50 most frequently used unix50 most frequently used unix
50 most frequently used unix
 
Unix Shell Script
Unix Shell ScriptUnix Shell Script
Unix Shell Script
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespaces
 

Viewers also liked

Resume for Mohamed Farag
Resume for Mohamed FaragResume for Mohamed Farag
Resume for Mohamed FaragMohammed Farrag
 
Artificial Intelligence Programming in Art by Mohamed Farag
Artificial Intelligence Programming in Art by Mohamed FaragArtificial Intelligence Programming in Art by Mohamed Farag
Artificial Intelligence Programming in Art by Mohamed FaragMohammed Farrag
 
Downtown Arena Renderings
Downtown Arena RenderingsDowntown Arena Renderings
Downtown Arena Renderingswhitneyk7
 
E learning Simplified for 8th Graders
E learning Simplified for 8th GradersE learning Simplified for 8th Graders
E learning Simplified for 8th GradersClint Walters
 
Co jsme se naučili od spuštění Fakturoidu
Co jsme se naučili od spuštění FakturoiduCo jsme se naučili od spuštění Fakturoidu
Co jsme se naučili od spuštění Fakturoidujan korbel
 
ruby on rails pitfalls
ruby on rails pitfallsruby on rails pitfalls
ruby on rails pitfallsRobbin Fan
 
Message Queues : A Primer - International PHP Conference Fall 2012
Message Queues : A Primer - International PHP Conference Fall 2012Message Queues : A Primer - International PHP Conference Fall 2012
Message Queues : A Primer - International PHP Conference Fall 2012Mike Willbanks
 
Dec 06, Sermon Am
Dec 06, Sermon AmDec 06, Sermon Am
Dec 06, Sermon AmGeo Acts
 
Responding to student writing
Responding to student writingResponding to student writing
Responding to student writingElizabeth Nesius
 
Axiologix Company Presentation Jan 2011
Axiologix Company Presentation Jan 2011Axiologix Company Presentation Jan 2011
Axiologix Company Presentation Jan 2011InboundMarketingPR.com
 
Wiki Technology By IT ROCKS
Wiki Technology By IT ROCKSWiki Technology By IT ROCKS
Wiki Technology By IT ROCKSnaveenv
 
Mariocarretero reseñaconstructivismo
Mariocarretero reseñaconstructivismoMariocarretero reseñaconstructivismo
Mariocarretero reseñaconstructivismoGeovanny Armijos
 
How to start? - The Execution
How to start? - The Execution How to start? - The Execution
How to start? - The Execution Ido Green
 
Lessons Learned and Best Practices for Game Development in the Cloud
Lessons Learned and Best Practices for Game Development in the CloudLessons Learned and Best Practices for Game Development in the Cloud
Lessons Learned and Best Practices for Game Development in the Cloudsarahnovotny
 
Jan. 17. I Am Jonah
Jan. 17. I Am JonahJan. 17. I Am Jonah
Jan. 17. I Am JonahGeo Acts
 
Startup: 10 Mosse per crearne una
Startup: 10 Mosse per crearne unaStartup: 10 Mosse per crearne una
Startup: 10 Mosse per crearne unaFrancesco Baruffi
 
you know databases, how hard can MySQL be?
you know databases, how hard can MySQL be?you know databases, how hard can MySQL be?
you know databases, how hard can MySQL be?sarahnovotny
 

Viewers also liked (20)

Resume for Mohamed Farag
Resume for Mohamed FaragResume for Mohamed Farag
Resume for Mohamed Farag
 
Artificial Intelligence Programming in Art by Mohamed Farag
Artificial Intelligence Programming in Art by Mohamed FaragArtificial Intelligence Programming in Art by Mohamed Farag
Artificial Intelligence Programming in Art by Mohamed Farag
 
Downtown Arena Renderings
Downtown Arena RenderingsDowntown Arena Renderings
Downtown Arena Renderings
 
E learning Simplified for 8th Graders
E learning Simplified for 8th GradersE learning Simplified for 8th Graders
E learning Simplified for 8th Graders
 
èDip 4rt eso
èDip 4rt esoèDip 4rt eso
èDip 4rt eso
 
Co jsme se naučili od spuštění Fakturoidu
Co jsme se naučili od spuštění FakturoiduCo jsme se naučili od spuštění Fakturoidu
Co jsme se naučili od spuštění Fakturoidu
 
ruby on rails pitfalls
ruby on rails pitfallsruby on rails pitfalls
ruby on rails pitfalls
 
Message Queues : A Primer - International PHP Conference Fall 2012
Message Queues : A Primer - International PHP Conference Fall 2012Message Queues : A Primer - International PHP Conference Fall 2012
Message Queues : A Primer - International PHP Conference Fall 2012
 
Dec 06, Sermon Am
Dec 06, Sermon AmDec 06, Sermon Am
Dec 06, Sermon Am
 
Responding to student writing
Responding to student writingResponding to student writing
Responding to student writing
 
Axiologix Company Presentation Jan 2011
Axiologix Company Presentation Jan 2011Axiologix Company Presentation Jan 2011
Axiologix Company Presentation Jan 2011
 
Wiki Technology By IT ROCKS
Wiki Technology By IT ROCKSWiki Technology By IT ROCKS
Wiki Technology By IT ROCKS
 
Mariocarretero reseñaconstructivismo
Mariocarretero reseñaconstructivismoMariocarretero reseñaconstructivismo
Mariocarretero reseñaconstructivismo
 
How to start? - The Execution
How to start? - The Execution How to start? - The Execution
How to start? - The Execution
 
Lessons Learned and Best Practices for Game Development in the Cloud
Lessons Learned and Best Practices for Game Development in the CloudLessons Learned and Best Practices for Game Development in the Cloud
Lessons Learned and Best Practices for Game Development in the Cloud
 
Temple romà
Temple romàTemple romà
Temple romà
 
Jan. 17. I Am Jonah
Jan. 17. I Am JonahJan. 17. I Am Jonah
Jan. 17. I Am Jonah
 
Odissea per a 4 rt de la eso
Odissea per a 4 rt de la esoOdissea per a 4 rt de la eso
Odissea per a 4 rt de la eso
 
Startup: 10 Mosse per crearne una
Startup: 10 Mosse per crearne unaStartup: 10 Mosse per crearne una
Startup: 10 Mosse per crearne una
 
you know databases, how hard can MySQL be?
you know databases, how hard can MySQL be?you know databases, how hard can MySQL be?
you know databases, how hard can MySQL be?
 

Similar to FreeBSD Jail Complete Example

Andresen 8 21 02
Andresen 8 21 02Andresen 8 21 02
Andresen 8 21 02FNian
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesPhil Hagen
 
Linux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyLinux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyNugroho Gito
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDocker, Inc.
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdfqqlove2
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdfsptlove
 

Similar to FreeBSD Jail Complete Example (20)

Andresen 8 21 02
Andresen 8 21 02Andresen 8 21 02
Andresen 8 21 02
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
 
FreeBSD Portscamp, Kuala Lumpur 2016
FreeBSD Portscamp, Kuala Lumpur 2016FreeBSD Portscamp, Kuala Lumpur 2016
FreeBSD Portscamp, Kuala Lumpur 2016
 
Linux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyLinux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of Technology
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker Captains
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
KCC_Final.pdf
KCC_Final.pdfKCC_Final.pdf
KCC_Final.pdf
 
Jana treek 4
Jana treek 4Jana treek 4
Jana treek 4
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 
Unixtoolbox
UnixtoolboxUnixtoolbox
Unixtoolbox
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 
 
Develop
DevelopDevelop
Develop
 

More from Mohammed Farrag

Mum Article Recognition for Mohamed Farag
Mum Article Recognition for Mohamed FaragMum Article Recognition for Mohamed Farag
Mum Article Recognition for Mohamed FaragMohammed Farrag
 
The practices, challenges and opportunities of board composition and leadersh...
The practices, challenges and opportunities of board composition and leadersh...The practices, challenges and opportunities of board composition and leadersh...
The practices, challenges and opportunities of board composition and leadersh...Mohammed Farrag
 
Confirmation letter info tech 2013(1)
Confirmation letter info tech 2013(1)Confirmation letter info tech 2013(1)
Confirmation letter info tech 2013(1)Mohammed Farrag
 

More from Mohammed Farrag (8)

Mum Article Recognition for Mohamed Farag
Mum Article Recognition for Mohamed FaragMum Article Recognition for Mohamed Farag
Mum Article Recognition for Mohamed Farag
 
Create 2015 Event
Create 2015 EventCreate 2015 Event
Create 2015 Event
 
The practices, challenges and opportunities of board composition and leadersh...
The practices, challenges and opportunities of board composition and leadersh...The practices, challenges and opportunities of board composition and leadersh...
The practices, challenges and opportunities of board composition and leadersh...
 
Confirmation letter info tech 2013(1)
Confirmation letter info tech 2013(1)Confirmation letter info tech 2013(1)
Confirmation letter info tech 2013(1)
 
Google APPs and APIs
Google APPs and APIsGoogle APPs and APIs
Google APPs and APIs
 
FreeBSD Handbook
FreeBSD HandbookFreeBSD Handbook
FreeBSD Handbook
 
Master resume
Master resumeMaster resume
Master resume
 
Mohammed Farrag Resume
Mohammed Farrag ResumeMohammed Farrag Resume
Mohammed Farrag Resume
 

Recently uploaded

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

FreeBSD Jail Complete Example

  • 1. FreeBSD Jail Complete Example The goals of the setup described below are:  Create a simple and easy to understand jail structure. This implies not having to run a full installworld on each and every jail.  Make it easy to add new jails or remove existing ones.  Make it easy to update or upgrade existing jails.  Make it possible to run a customized FreeBSD branch.  Be paranoid about security, reducing as much as possible the possibility of compromise.  Save space and inodes, as much as possible. As it has been already mentioned, this design relies heavily on having a single master template which is read-only (known as nullfs) mounted into each jail and one read-write device per jail. A device can be a separate physical disc, a partition, or a vnode backed md(4) device. In this example, we will use read-write nullfs mounts. The file system layout is described in the following list:  Each jail will be mounted under the /home/j directory.  /home/j/mroot is the template for each jail and the read-only partition for all of the jails.  A blank directory will be created for each jail under the /home/j directory.  Each jail will have a /s directory, that will be linked to the read-write portion of the system.  Each jail shall have its own read-write system that is based upon /home/j/skel.  Each jailspace (read-write portion of each jail) shall be created in /home/js. Note: This assumes that the jails are based under the /home partition. This can, of course, be changed to anything else, but this change will have to be reflected in each of the examples below. 15.6.1.2 Creating the Template This section will describe the steps needed to create the master template that will be the read-only portion for the jails to use. It is always a good idea to update the FreeBSD system to the latest -RELEASE branch. Check the corresponding Handbook Chapter to accomplish this task. In the case the update is not feasible, the buildworld will be required in order to be able to proceed. Additionally, the sysutils/cpdup package will be required. We will use the portsnap(8) utility to download the FreeBSD Ports Collection. The Handbook Portsnap Chapter is always good reading for newcomers.
  • 2. 1. First, create a directory structure for the read-only file system which will contain the FreeBSD binaries for our jails, then change directory to the FreeBSD source tree and install the read-only file system to the jail template: 2. # mkdir /home/j /home/j/mroot 3. # cd /usr/src 4. # make installworld DESTDIR=/home/j/mroot 5. Next, prepare a FreeBSD Ports Collection for the jails as well as a FreeBSD source tree, which is required for mergemaster: 6. # cd /home/j/mroot 7. # mkdir usr/ports 8. # portsnap -p /home/j/mroot/usr/ports fetch extract 9. # cpdup /usr/src /home/j/mroot/usr/src 10. Create a skeleton for the read-write portion of the system: 11. # mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles 12. # mv etc /home/j/skel 13. # mv usr/local /home/j/skel/usr-local 14. # mv tmp /home/j/skel 15. # mv var /home/j/skel 16. # mv root /home/j/skel 17. Use mergemaster to install missing configuration files. Then get rid of the extra directories that mergemaster creates: 18. # mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel - i 19. # cd /home/j/skel 20. # rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev 21. Now, symlink the read-write file system to the read-only file system. Please make sure that the symlinks are created in the correct s/ locations. Real directories or the creation of directories in the wrong locations will cause the installation to fail. 22. # cd /home/j/mroot 23. # mkdir s 24. # ln -s s/etc etc 25. # ln -s s/home home 26. # ln -s s/root root 27. # ln -s ../s/usr-local usr/local 28. # ln -s ../s/usr-X11R6 usr/X11R6 29. # ln -s ../../s/distfiles usr/ports/distfiles 30. # ln -s s/tmp tmp 31. # ln -s s/var var 32. As a last step, create a generic /home/j/skel/etc/make.conf with its contents as shown below: 33. WRKDIRPREFIX?= /s/portbuild Having WRKDIRPREFIX set up this way will make it possible to compile FreeBSD ports inside each jail. Remember that the ports directory is part of the read-only system. The custom path for WRKDIRPREFIX allows builds to be done in the read- write portion of every jail. 15.6.1.3 Creating Jails
  • 3. Now that we have a complete FreeBSD jail template, we can setup and configure the jails in /etc/rc.conf. This example demonstrates the creation of 3 jails: “NS”, “MAIL” and “WWW”. 1. Put the following lines into the /etc/fstab file, so that the read-only template for the jails and the read-write space will be available in the respective jails: 2. /home/j/mroot /home/j/ns nullfs ro 0 0 3. /home/j/mroot /home/j/mail nullfs ro 0 0 4. /home/j/mroot /home/j/www nullfs ro 0 0 5. /home/js/ns /home/j/ns/s nullfs rw 0 0 6. /home/js/mail /home/j/mail/s nullfs rw 0 0 7. /home/js/www /home/j/www/s nullfs rw 0 0 Note: Partitions marked with a 0 pass number are not checked by fsck(8) during boot, and partitions marked with a 0 dump number are not backed up by dump(8). We do not want fsck to check nullfs mounts or dump to back up the read-only nullfs mounts of the jails. This is why they are marked with “0 0” in the last two columns of each fstab entry above. 8. Configure the jails in /etc/rc.conf: 9. jail_enable="YES" 10. jail_set_hostname_allow="NO" 11. jail_list="ns mail www" 12. jail_ns_hostname="ns.example.org" 13. jail_ns_ip="192.168.3.17" 14. jail_ns_rootdir="/usr/home/j/ns" 15. jail_ns_devfs_enable="YES" 16. jail_mail_hostname="mail.example.org" 17. jail_mail_ip="192.168.3.18" 18. jail_mail_rootdir="/usr/home/j/mail" 19. jail_mail_devfs_enable="YES" 20. jail_www_hostname="www.example.org" 21. jail_www_ip="62.123.43.14" 22. jail_www_rootdir="/usr/home/j/www" 23. jail_www_devfs_enable="YES" Warning: The reason why the jail_name_rootdir variable is set to /usr/home instead of /home is that the physical path of the /home directory on a default FreeBSD installation is /usr/home. The jail_name_rootdir variable must not be set to a path which includes a symbolic link, otherwise the jails will refuse to start. Use the realpath(1) utility to determine a value which should be set to this variable. Please see the FreeBSD-SA-07:01.jail Security Advisory for more information. 24. Create the required mount points for the read-only file system of each jail: 25. # mkdir /home/j/ns /home/j/mail /home/j/www 26. Install the read-write template into each jail. Note the use of sysutils/cpdup, which helps to ensure that a correct copy is done of each directory: 27. # mkdir /home/js 28. # cpdup /home/j/skel /home/js/ns 29. # cpdup /home/j/skel /home/js/mail
  • 4. 30. # cpdup /home/j/skel /home/js/www 31. In this phase, the jails are built and prepared to run. First, mount the required file systems for each jail, and then start them using the /etc/rc.d/jail script: 32. # mount -a 33. # /etc/rc.d/jail start The jails should be running now. To check if they have started correctly, use the jls(8) command. Its output should be similar to the following: # jls JID IP Address Hostname Path 3 192.168.3.17 ns.example.org /home/j/ns 2 192.168.3.18 mail.example.org /home/j/mail 1 62.123.43.14 www.example.org /home/j/www At this point, it should be possible to log onto each jail, add new users or configure daemons. The JID column indicates the jail identification number of each running jail. Use the following command in order to perform administrative tasks in the jail whose JID is 3: # jexec 3 tcsh 15.6.1.4 Upgrading In time, there will be a need to upgrade the system to a newer version of FreeBSD, either because of a security issue, or because new features have been implemented which are useful for the existing jails. The design of this setup provides an easy way to upgrade existing jails. Additionally, it minimizes their downtime, as the jails will be brought down only in the very last minute. Also, it provides a way to roll back to the older versions should any problems occur. 1. The first step is to upgrade the host system in the usual manner. Then create a new temporary read-only template in /home/j/mroot2. 2. # mkdir /home/j/mroot2 3. # cd /usr/src 4. # make installworld DESTDIR=/home/j/mroot2 5. # cd /home/j/mroot2 6. # cpdup /usr/src usr/src 7. # mkdir s The installworld run creates a few unnecessary directories, which should be removed: # chflags -R 0 var # rm -R etc var root usr/local tmp 8. Recreate the read-write symlinks for the master file system: 9. # ln -s s/etc etc 10. # ln -s s/root root 11. # ln -s s/home home
  • 5. 12. # ln -s ../s/usr-local usr/local 13. # ln -s ../s/usr-X11R6 usr/X11R6 14. # ln -s s/tmp tmp 15. # ln -s s/var var 16. The right time to stop the jails is now: 17. # /etc/rc.d/jail stop 18. Unmount the original file systems: 19. # umount /home/j/ns/s 20. # umount /home/j/ns 21. # umount /home/j/mail/s 22. # umount /home/j/mail 23. # umount /home/j/www/s 24. # umount /home/j/www Note: The read-write systems are attached to the read-only system (/s) and must be unmounted first. 25. Move the old read-only file system and replace it with the new one. This will serve as a backup and archive of the old read-only file system should something go wrong. The naming convention used here corresponds to when a new read- only file system has been created. Move the original FreeBSD Ports Collection over to the new file system to save some space and inodes: 26. # cd /home/j 27. # mv mroot mroot.20060601 28. # mv mroot2 mroot 29. # mv mroot.20060601/usr/ports mroot/usr 30. At this point the new read-only template is ready, so the only remaining task is to remount the file systems and start the jails: 31. # mount -a 32. # /etc/rc.d/jail start