Jails

From FreeBSDwiki
Latest revision as of 20:09, 9 August 2012

A dedicated machine for every server is a costly thing. For a server which is not used often, it is desirable to still share the same machine, but without the drawbacks of running all the servers on one installation. Such servers are sometimes confined with chroot; a better way is with the help of a jail.

NOTE: This was written in 2007; it is now 2012 and a lot of things have changed since then. There is now a ports-system utility called qjail which greatly simplifies jail creation and administration.

Full details can be found on the qjail project website.


Creating a jail [manual method]

Install cpdup ({PORTSDIR}/sysutils/cpdup)

# pkg_add -r cpdup 

Alternatively if that doesn't work try:

# cd {PORTSDIR}/sysutils/cpdup && make install clean

Next create a template:

# mkdir /usr/jail /usr/jail/mroot
# cd /usr/src
# make installworld DESTDIR=/usr/jail/mroot
# cpdup /usr/src /usr/jail/mroot/usr/src
# mkdir /usr/jail/skel /usr/jail/skel/home /usr/jail/skel/distfiles
# cd /usr/jail/mroot
# mv etc /usr/jail/skel
# mv usr/local /usr/jail/skel/usr-local
# mv tmp /usr/jail/skel
# mv var /usr/jail/skel
# mv root /usr/jail/skel
# mergemaster -t /usr/jail/skel/var/tmp/temproot -D /usr/jail/skel -i
# cd /usr/jail/skel
# rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev
# cd /usr/jail/mroot
# mkdir usr/ports
# mkdir s
# ln -s s/etc etc
# ln -s s/home home
# ln -s s/root root
# ln -s ../s/usr-local usr/local
# ln -s ../s/usr-local usr/X11R6
# ln -s ../../s/distfiles usr/ports/distfiles
# ln -s s/tmp tmp
# ln -s s/var var

Edit /etc/rc.conf:

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="{server1} {server2}"
jail_devfs_enable="YES"

Search man 5 rc.conf for more jail settings. If you would like some standard configuration settings for (almost) all jails, modify the files in /usr/jail/skel (e.g. /etc/resolv.conf). In /etc/rc.conf set

rpcbind_enable="NO"


Create a jail skeleton

# mkdir /usr/jails

For every server:

  • Edit /etc/fstab on your host system:

/usr/jail/mroot       /usr/jail/{server}     nullfs  ro  0   0
/usr/jails/{server}   /usr/jail/{server}/s   nullfs  rw  0   0

  • Create the mount-points:

# mkdir /usr/jail/{server}
# cpdup /usr/jail/skel /usr/jails/{server}

  • Edit /etc/rc.conf:

jail_{server}_hostname="server.example.org"
jail_{server}_ip="192.168.x.x"
jail_{server}_rootdir="/usr/jail/{server}"

Finally mount the jails and start them.

# mount -a
# /etc/rc.d/jail start
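The per-server steps above are repetitive and easy to get wrong; the dangerous mistake is mounting the shared base read-write, which would let one compromised jail alter binaries used by every jail. The following is an added example (not from the wiki page or the qjail project) with three POSIX sh helpers: two print the fstab and rc.conf lines the text asks for, and one audits an fstab to confirm /usr/jail/mroot is only ever nullfs-mounted with `ro`. Paths are the page's; the function names are this example's own.

```shell
#!/bin/sh
# Added example: helpers for the "For every server" steps of the manual method.
# Assumes the layout described on the page (/usr/jail/mroot as the shared
# read-only base, /usr/jails/{server} as the per-jail writable tree).

MROOT=/usr/jail/mroot

# Print the two nullfs fstab entries for a server named $1.
jail_fstab_lines() {
    printf '%s\t/usr/jail/%s\tnullfs\tro\t0\t0\n' "$MROOT" "$1"
    printf '/usr/jails/%s\t/usr/jail/%s/s\tnullfs\trw\t0\t0\n' "$1" "$1"
}

# Print the three rc.conf entries for server $1 with hostname $2 and IP $3.
jail_rcconf_lines() {
    printf 'jail_%s_hostname="%s"\n' "$1" "$2"
    printf 'jail_%s_ip="%s"\n' "$1" "$3"
    printf 'jail_%s_rootdir="/usr/jail/%s"\n' "$1" "$1"
}

# Audit fstab file $1: every mount whose source is $MROOT must be nullfs and
# carry "ro" in its option list. Prints each offending entry; returns 1 if any.
check_mroot_ro() {
    bad=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$dev" = "$MROOT" ] || continue
        if [ "$fstype" != nullfs ]; then
            echo "base not nullfs: $dev on $mnt ($fstype)"; bad=1; continue
        fi
        case ",$opts," in
            *,ro,*) ;;                                # correct: read-only base
            *) echo "base mounted read-write: $dev on $mnt ($opts)"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}
```

Typical use is `jail_fstab_lines www >> /etc/fstab` and `jail_rcconf_lines www www.example.org 192.168.1.10 >> /etc/rc.conf`, followed by `check_mroot_ro /etc/fstab` before `mount -a`.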

They should be running now and you should be able to see them by typing:

# jls

If you wish to access the system type:

# jexec {JID} tcsh

One often creates a build jail in which the packages for the separate jails are built, so that the other jails are not "polluted" by build dependencies. One can now install the packages for the jail.

For more information see:

man 8 jail