$Id: jail.php 298 2009-12-30 01:53:00Z gjb $

jexec 1 /bin/csh

To begin configuring the host server, the following have to be completed: I will use the default /usr/share/examples/cvsup/standard-supfile, and csup from the cvsup11 server:
cp /usr/share/examples/cvsup/standard-supfile /etc/supfile
sed -i '' 's/CHANGE_THIS/cvsup11/g' /etc/supfile ; csup -g -L 2 /etc/supfile
If you need to make any adjustments to your kernel, edit the /usr/src/sys/$ARCH/conf/GENERIC file, where $ARCH is your machine's architecture. Then proceed with the build:
cd /usr/src
make buildworld
make KERNCONF=GENERIC buildkernel
make KERNCONF=GENERIC installkernel
If no errors were present, shut down into single-user mode, and finish the build:
shutdown now
When prompted for a shell, you can use the default /bin/sh or another, such as /bin/csh.
cd /usr/src
make installworld; reboot
After a successful build and install, make sure you are running your new kernel:
uname -sr
To finish the host configuration, you need to: Before continuing, you need to know what network interface you will use for the Jails. Output from:
ifconfig
on my system reflects em0 and fwe0. Since I use em0 as my main interface, for ease of configuration, I will configure fwe0 for the Jails. Note that you can create interfaces by editing /etc/rc.conf if you do not have alternate interfaces, and do not want to use your main external interface.
ifconfig_em0="DHCP"
ifconfig_fwe0_alias0="inet 10.0.0.1 netmask 255.255.255.255"
ifconfig_fwe0_alias1="inet 10.0.0.2 netmask 255.255.255.255"
While I am editing /etc/rc.conf, I disable sendmail, as it will be running inside a Jail:
sendmail_enable="NONE"
To start the new interfaces, restart networking:
/etc/rc.d/netif restart
Now, add the Jail entries to /etc/rc.conf. In this example (and following pages), I will create two jails: 'WWW' and 'MAIL':
jail_enable="YES"
jail_list="WWW MAIL"

jail_WWW_ip="10.0.0.1"
jail_WWW_hostname="www.yourdomain.com"
jail_WWW_rootdir="/usr/jails/WWW"
jail_WWW_devfs_enable="YES"
jail_MAIL_ip="10.0.0.2"
jail_MAIL_hostname="mail.yourdomain.com"
jail_MAIL_rootdir="/usr/jails/MAIL"
jail_MAIL_devfs_enable="YES"
Now, make the respective Jail root directories:
mkdir -p /usr/jails/MAIL /usr/jails/WWW
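
The following sh function is an added example, not part of the original page: it reads an rc.conf-style file as text (without executing it) and checks that every jail in jail_list has its ip, hostname and rootdir set, that the address is brought up by an ifconfig alias line, and that no two jails share an address. The names rc_get and check_jail_conf and the one-address-per-jail rule are assumptions of this example; the sample input is constructed from the entries above.

```sh
# Added example; rc_get and check_jail_conf are this example's own names.
# rc_get FILE VAR: value of the last VAR="..." line; parses, never sources.
rc_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_jail_conf FILE: print one line per problem; return 0 if none.
check_jail_conf() {
    conf=$1; problems=0; seen_ips=" "
    for j in $(rc_get "$conf" jail_list); do
        for key in ip hostname rootdir; do
            if [ -z "$(rc_get "$conf" "jail_${j}_${key}")" ]; then
                echo "jail $j: jail_${j}_${key} is not set"
                problems=$((problems + 1))
            fi
        done
        ip=$(rc_get "$conf" "jail_${j}_ip")
        [ -n "$ip" ] || continue
        # The address must be brought up by an ifconfig_<if>_aliasN line.
        if ! grep '^ifconfig_[A-Za-z0-9]*_alias[0-9]*=' "$conf" | grep -qF "inet $ip "; then
            echo "jail $j: no interface alias configures $ip"
            problems=$((problems + 1))
        fi
        # Assumption of this check: each jail gets its own address.
        case $seen_ips in
            *" $ip "*)
                echo "jail $j: $ip is already used by another jail"
                problems=$((problems + 1)) ;;
        esac
        seen_ips="$seen_ips$ip "
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample input mirroring the entries shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ifconfig_fwe0_alias0="inet 10.0.0.1 netmask 255.255.255.255"
ifconfig_fwe0_alias1="inet 10.0.0.2 netmask 255.255.255.255"
jail_list="WWW MAIL"
jail_WWW_ip="10.0.0.1"
jail_WWW_hostname="www.yourdomain.com"
jail_WWW_rootdir="/usr/jails/WWW"
jail_MAIL_ip="10.0.0.2"
jail_MAIL_hostname="mail.yourdomain.com"
jail_MAIL_rootdir="/usr/jails/MAIL"
EOF
check_jail_conf "$sample" && echo "jail entries are consistent"
```

Point the function at the host's /etc/rc.conf after editing it; a non-zero return means at least one jail entry needs attention.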
With a jail host configured, it is time to actually build the Jails. To begin, we have to:
cd /usr/src
make installworld DESTDIR=/usr/jails/WWW ; make installworld DESTDIR=/usr/jails/MAIL
make distribution DESTDIR=/usr/jails/WWW ; make distribution DESTDIR=/usr/jails/MAIL

I use the host's /etc/resolv.conf, as I have not found a need to use separate DNS configurations:
cp /etc/resolv.conf /usr/jails/WWW/etc
cp /etc/resolv.conf /usr/jails/MAIL/etc

Now, create a default /etc/rc.conf, just basic enough to get started with the real work:
cd /usr/jails
echo sshd_enable=\"YES\" >> WWW/etc/rc.conf
echo sshd_enable=\"YES\" >> MAIL/etc/rc.conf
not complete