Freebsd Jails

#http://blog.danmassey.net/?p=262
#http://www.cyberciti.biz/faq/howto-setup-freebsd-jail-with-ezjail/
 
# host side: install ezjail, enable it at boot, then create the first jail
pkg_add -r ezjail
echo 'ezjail_enable="YES"' >> /etc/rc.conf
# NOTE(review): the output below warns that 10.10.10.101 is not configured on
# any local interface and that ntpd (udp 123) and syslogd (udp 514) listen on
# "*", i.e. they will also answer on the jail's address once it is up. Bind
# host daemons to the host address (syslogd -b, ntp.conf "interface" rules)
# before relying on the jail for isolation.
ezjail-admin create testjail.codeemo.com 10.10.10.101
[snipped]
/usr/jails/testjail.codeemo.com/./COPYRIGHT
/usr/jails/testjail.codeemo.com/./basejail
3295 blocks
Warning: IP 10.10.10.101 not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including 10.10.10.101)
  This may cause some confusion, here they are:
root     ntpd       1315  20 udp4   *:123                 *:*
root     ntpd       1315  21 udp6   *:123                 *:*
root     syslogd    1239  6  udp6   *:514                 *:*
root     syslogd    1239  7  udp4   *:514                 *:*
 
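# host side: give the jail a name in /etc/hosts, start ezjail, then enter the jail
echo '10.10.10.101            testjail.codeemo.com' >> /etc/hosts
/usr/local/etc/rc.d/ezjail start
# jls lists the running jails with their JIDs; the jexec below assumes the
# new jail is JID 1 (the wiki markup ''1'' was italics that leaked into the command)
jls
jexec 1 sh
# now inside the jail: point the resolver at the LAN router
echo 'nameserver 192.168.1.1' > /etc/resolv.conf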

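# allows ping from inside the jail. Raw sockets are off in jails by default
# because they let jailed root craft arbitrary IP packets; enable this only
# where a jail genuinely needs it.
sysctl security.jail.allow_raw_sockets=1
# let the host forward IP between interfaces (what gateway_enable="YES" in
# rc.conf does at boot); required for the pf nat rule to be useful
sysctl net.inet.ip.forwarding=1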


alias (not preferred)

/etc/rc.conf

# host /etc/rc.conf: base networking, jail support and VirtualBox-in-jail bits
hostname="wootdot-freebsd"
wlans_urtw0="wlan0"
# NOTE(review): a /16 netmask on a 192.168.1.x address is unusual — confirm
# the LAN really is 192.168.0.0/16 rather than 192.168.1.0/24
ifconfig_wlan0="WPA  inet 192.168.1.200 netmask 255.255.0.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
linux_enable="YES"
hald_enable="YES"
dbus_enable="YES"
noip_enable="YES"
 
#jails
# packet filter; the NAT and port-forward rules for the jails are in /etc/pf.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
ezjail_enable="YES"
# IP forwarding between vlan0 and wlan0 — required for the pf nat rule
gateway_enable="YES"
# vlan0 only carries the jail network 10.0.0.0/24 (no vlandev/tag is set);
# the /32 aliases below are presumably one address per jail — verify against
# the jail list
cloned_interfaces="vlan0 tun"
ifconfig_vlan0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_vlan0_alias0="inet 10.0.0.2 netmask 255.255.255.255"
ifconfig_vlan0_alias1="inet 10.0.0.3 netmask 255.255.255.255"
ifconfig_vlan0_alias2="inet 10.0.0.4 netmask 255.255.255.255"
ifconfig_vlan0_alias3="inet 10.0.0.5 netmask 255.255.255.255"
ifconfig_vlan0_alias4="inet 10.0.0.6 netmask 255.255.255.255"
ifconfig_vlan0_alias5="inet 10.0.0.7 netmask 255.255.255.255"
ifconfig_vlan0_alias6="inet 10.0.0.8 netmask 255.255.255.255"
ifconfig_vlan0_alias7="inet 10.0.0.9 netmask 255.255.255.255"
 
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
 
# no local mail transport
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
 
#virtualbox in jails
vboxnet_enable="YES"
# NOTE(review): SysV IPC is off in jails by default because, on releases of
# this era, it was not jail-aware — enabling it lets jailed processes share
# IPC objects with the host and other jails. Deliberate isolation trade-off
# for running VirtualBox in a jail; confirm it is still needed.
jail_sysvipc_allow="YES"


/boot/loader.conf

# /boot/loader.conf: load at boot the modules the jails depend on
# VirtualBox kernel driver (installed from virtualbox-ose-kmod below)
vboxdrv_load="YES"
# filesystems the Debian (GNU/kFreeBSD) jail mounts: /dev/fd, /proc, /sys, /run
fdescfs_load="YES"
linprocfs_load="YES"
linsysfs_load="YES"
tmpfs_load="YES"

pf

/etc/rc.conf

# minimal /etc/rc.conf subset needed for the pf setup (a subset of the full
# rc.conf above): routing, the jail-side interface, ezjail and pf
defaultrouter="192.168.1.1"
# forward IP between interfaces so NAT for the jail network works
gateway_enable="YES"
cloned_interfaces="vlan0"
ifconfig_vlan0="inet 10.0.0.1 netmask 255.255.255.0"
 
ezjail_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

/etc/pf.conf

# macros
ext_if="wlan0"                # upstream interface (192.168.1.200 per rc.conf)
int_if="vlan0"                # jail-side interface; defined but not referenced by any rule below
internal_net="10.0.0.0/24"    # the jail network behind vlan0
 
# masquerade jail traffic behind the external interface's address
nat on $ext_if from $internal_net to any -> ($ext_if)
# inbound port forwards into the jail network. Every rdr accepts "from any",
# and with the unconditional "pass in all" below nothing restricts who can
# reach the forwarded VNC (5901) and RDP (3389) services — anyone who can
# reach 192.168.1.200 can. Limiting the source (e.g. a trusted admin net
# macro) is the usual mitigation.
# NOTE(review): 10.0.0.1 is the host's own vlan0 address per rc.conf, not a
# jail — confirm the 5901 forward is meant to land on the host.
rdr on $ext_if proto tcp from any to 192.168.1.200 port 5901 -> 10.0.0.1 port 5901
rdr on $ext_if proto tcp from any to 192.168.1.200 port 8080 -> 10.0.0.2 port 80
rdr on $ext_if proto tcp from any to 192.168.1.200 port 3389 -> 10.0.0.3 port 3389
rdr on $ext_if proto tcp from any to 192.168.1.200 port 4000 -> 10.0.0.3 port 3389
 
# no filtering at all: every packet in and out on every interface is
# permitted; pf is acting purely as a NAT/port-forward box here
pass in all
pass out all

vbox

host

# on the host: install the VirtualBox kernel module package and load it now
# (vboxdrv_load="YES" in loader.conf makes this persistent across reboots)
pkg_add -r virtualbox-ose-kmod
kldload vboxdrv

Adding the following line to /etc/defaults/devfs.rules allows multiple machines to run within a jailed VirtualBox.

add path 'vbox*' unhide

rc.conf

jail_sysvipc_allow="YES"

To ensure the module always gets loaded after a reboot, add the following line to /boot/loader.conf:

vboxdrv_load="YES"

To use the kernel modules that allow bridged or host-only networking, add the following to /etc/rc.conf and reboot the computer:

vboxnet_enable="YES"

jail

Due to the jail interface, installing virtualbox-ose-kmod will fail. Before the failure, though, all of its dependencies will be installed (unfortunately more than needed, e.g. QT/SDL/X). The second pkg_add installs virtualbox-ose despite the virtualbox-ose-kmod dependency failure.

# inside the jail: the first run is expected to fail on the virtualbox-ose-kmod
# dependency (kernel modules cannot be installed from a jail) but pulls in the
# other dependencies; the second run installs virtualbox-ose anyway
pkg_add -r virtualbox-ose
pkg_add -i -r virtualbox-ose

GNU/kFreeBSD

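# host side: load the filesystems the Debian jail needs, create the jail with
# ezjail, then replace its contents with a Debian (GNU/kFreeBSD) userland
kldload fdescfs linprocfs linsysfs tmpfs
pkg_add -r debootstrap
ezjail-admin create debian 10.0.0.10
# clear out /usr/jails/debian first (remove the FreeBSD files ezjail-admin
# create put there) so debootstrap writes into an empty root
debootstrap wheezy /usr/jails/debian http://cdn.debian.net/debian
# NOTE(review): plain-http mirror and no --keyring; unless a Debian archive
# keyring is installed on this FreeBSD host, debootstrap cannot verify the
# Release signature and the entire jail root is fetched unauthenticated —
# confirm, and prefer an https mirror plus the debian-archive-keyring.
 
# NOTE(review): the first two umounts name host paths (/dev/fd, /sys), not
# paths under the jail — presumably what debootstrap left mounted; check
# `mount` before running them
umount /dev/fd
umount /sys
umount /usr/jails/debian/dev
 
# Linux-compat filesystems the Debian userland expects (same set as the
# fstab entries further down)
mount -t linprocfs linprocfs /usr/jails/debian/proc
mount -t linsysfs linsysfs /usr/jails/debian/sys
mount -t tmpfs tmpfs /usr/jails/debian/run
mount -t devfs devfs /usr/jails/debian/dev
 
mkdir -p /usr/jails/debian/basejail #suppresses error, mounts unnecessary nullfs
ezjail-admin start debian
# JID 1 assumes this is the first/only running jail — confirm with jls
jexec 1 /bin/sh
 
# inside the debian jail:
echo "nameserver 192.168.1.1" > /etc/resolv.conf
# presumably so that ezjail-admin console (below) finds login(1) where it expects it
ln -s /bin/login /usr/bin/login
 
# back on the host:
ezjail-admin console debian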

http://lists.freebsd.org/pipermail/freebsd-questions/2010-May/216905.html

flags => "-n debian"

fstab

# /etc/fstab entries making the Debian jail's mounts persistent (the same
# four mounts done by hand above)
linprocfs       /usr/jails/debian/proc linprocfs rw 0   0
linsysfs        /usr/jails/debian/sys linsysfs rw 0     0
tmpfs           /usr/jails/debian/run tmpfs rw  0       0
devfs           /usr/jails/debian/dev devfs rw  0       0

for linux kernel compilation

# presumably run as root inside the debian jail (apt-get), then hand off to
# an unprivileged user for the actual build
cd /usr/src
# NOTE(review): fetched over https, but the tarball is not checked against the
# detached .sign file kernel.org publishes next to it — verify before building
wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.8.2.tar.bz2
tar -xjf linux-3.8.2.tar.bz2
# ncurses headers (e.g. for make menuconfig) and libc headers
apt-get install libncurses5-dev
apt-get install libc6-dev
# build as the unprivileged "kernel" user rather than root
adduser kernel
su - kernel