Re: JAIL setup
Brian Josefsen wasd.dk> writes:

> can anyone point me to howto about configuring jailed subserver?

http://erdgeist.org/arts/software/ezjail/

Matt :)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: JAIL setup
On Sun, May 14, 2006 at 01:38:34PM +0200, Wojciech Puchar wrote:
> can anyone point me to howto about configuring jailed subserver?

read the jail and jails man pages and you're getting there fast.

--
Med venlig hilsen / Best regards
Brian Josefsen
JAIL setup
can anyone point me to howto about configuring jailed subserver?
Re: jail setup
On Wed, Apr 07, 2004 at 10:51:00PM -0400, dave wrote:
> Hello,
> I'm setting up a jail under 5.2.1 to run pure-ftpd in. I did the
> following:
> cvsupped the source
> cd /usr/src
> make world DESTDIR=/usr/jail/ftp
> cd etc
> make distribution DESTDIR=/usr/jail/ftp
> then linked /dev/null to kernel inside the jail area.
> I'm following an onlamp article at:
> and understood that sendmail and perl and some other items would be
> available. When i do a pkg_info from within the jail there aren't any
> packages. did i miss a step? Is there something i should have installed to
> make this go easier?

That's exactly what I'd expect to see. When you run pkg_info(1) within the jail, it looks for the contents of /var/db/pkg *within the jail*. You can't see the package data for packages you install from the base system when you're in the jail. You'd have to install the packages from inside the jail for that to show up.

Be aware that On-Lamp article was written in reference to FreeBSD 4.x -- some things are a bit different with FreeBSD 5.x. You should have sendmail in the base system unless you've disabled building it by putting 'NO_SENDMAIL=yes' into /etc/make.conf. You won't have perl as part of the base in 5.x -- you will definitely have to install from ports/packages to get that.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
jail setup
Hello,

I'm setting up a jail under 5.2.1 to run pure-ftpd in. I did the following:

cvsupped the source
cd /usr/src
make world DESTDIR=/usr/jail/ftp
cd etc
make distribution DESTDIR=/usr/jail/ftp

then linked /dev/null to kernel inside the jail area.

I'm following an onlamp article at: and understood that sendmail and perl and some other items would be available. When i do a pkg_info from within the jail there aren't any packages. did i miss a step? Is there something i should have installed to make this go easier?

Thanks.
Dave.
Re: Jail setup
On Fri, 2004-03-05 at 00:57, Harald Schmalzbauer wrote:
> ...cut...
> > Things seem to be fine. I can see the jailed environment and everything
> > looks fine. I log out and then try to set up the last configurations so I
> > can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
> > following lines:
> >
> > ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
>
> This is wrong. The jail can only have one IP so netmask has to be 0x
> (255.255.255.255)
> Do you have something like this on the host?
> fconfig_fxp0="inet 10.0.0.202 netmask 0xff00" #host
> ifconfig_fxp_alias0="inet 10.0.0.203 netmask 0x"#jail 1

...cut again...

>
> Change the IP like I wrote above and everything should be fine.
>
> -Harry

This all worked (thank you Harry), but now I have a slightly different problem. I can ssh to the jail, but I get the following message:

Warning: no access to tty (Bad file descriptor).
Thus no job control in this shell.
You can use the 'fetch' command to retrieve files over ftp or http.
fetch http://www.freebsd.org/index.html
will download the front page of the FreeBSD web site.

I figured this had something to do with my MAKEDEV problem so after re-reading the jail manpage (thanks albi) I found the following:

mount_devfs devfs /usr/jail/dev

Now I can ssh to the 10.0.0.203 address without problem. This is OK, but not ideal. I am wondering if there is something I need to do to set up the devfs in the jail permanently, or do I have to run the mount_devfs command every time I start the jail. I was planning on writing a /usr/local/etc/rc.d shell script to start the jail on boot up anyway, so adding the mount command to that isn't a big deal, I was just wondering if there was another way.

Thanks,
Chris
Re: Jail setup
On Friday, 5 March 2004 00:31, Chris Meyers wrote:
> I need to set up a new mail server at a different building, so I thought
> I would put sendmail and its services (virus scanning etc.) in a jail to
> be a bit more secure. I thought that before I do this for real I would
> try setting up a jail on a test server and see if I can ssh to it and
> generally get things to work. I can't.
>
> Here's what I have set up so far. I found a couple how-tos and I am
> following them; one is an ONLamp article
> (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
> is the jails section of the AbsoluteBSD book. I am running 5.1.
>
> On the server I set up a /usr/jail directory to put the jail into. Then
> I ran the following from /usr/src/:
>
> # make world DESTDIR=/usr/jail
> # cd etc
> # make distribution DESTDIR=/usr/jail
> # cd /usr/jail/dev
> # sh MAKEDEV jail
>
> This is where I had my first problem, MAKEDEV doesn't exist. At first I
> was a bit concerned about this, then I remembered that in 5.0 and above
> MAKEDEV isn't necessary, it is handled by the kernel (If that isn't
> right someone please tell me). I didn't worry about this.
>
> Next I ran:
> # cd ../
> # ln -sf /dev/null kernel
>
> Then I started my jail:
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh
>
> Things seem to be fine. I can see the jailed environment and everything
> looks fine. I log out and then try to set up the last configurations so I
> can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
> following lines:
>
> ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"

This is wrong. The jail can only have one IP so netmask has to be 0x (255.255.255.255)
Do you have something like this on the host?
fconfig_fxp0="inet 10.0.0.202 netmask 0xff00" #host
ifconfig_fxp_alias0="inet 10.0.0.203 netmask 0x"#jail 1

> sendmail_enable="NONE"
> inetd_flags="-wW -a 10.0.0.202"
>
> I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.
>
> In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:
>
> portmap_enable="NO"
> ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
> sendmail_enable="YES"
> sshd_enable="YES"
>
> and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

This isn't necessary, since the jail has only that one IP. It's important that the host is limited to one address like you wrote a few lines above!

Change the IP like I wrote above and everything should be fine.

-Harry

>
> I then rebooted to shut all services down. When the system was back up
> and running I ran the commands to mount and start the jail:
>
> # mount -t procfs proc /usr/jail/proc
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc
>
> Things seem to "boot" fine until it gets to sendmail; it seems to hang
> there (sshd starts fine though). Eventually sendmail times out and I get
> a prompt. I figure my jail is running (minus sendmail which I don't care
> about at the moment), and a ps -ax|grep J shows a few jailed processes
> running including sshd. From another system I try:
> % ssh 10.0.0.203
> and I get nothing. I can ping 10.0.0.203 just fine (as well as
> 10.0.0.202). A sockstat -4 shows:
> root sshd    3041 3 tcp4 10.0.0.203:22  *:*
> root syslogd 2908 4 udp4 10.0.0.203:514 *:*
> root sshd    2650 3 tcp4 10.0.0.202:22  *:*
>
> so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
> 202 without problem, I just can't get into the jail.
>
> Can anybody tell me where I screwed up, or other things to look for. Any
> help would be appreciated.
>
> Thanks,
> Chris
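The two points in the reply above (the jail's alias needs netmask 255.255.255.255, and the host's own services must be bound to the host address only), written as a shell check. This is an added example, not part of the original messages: the function names and sample file names are hypothetical, and the sample files are constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). File and function names are hypothetical.

# Report any rc.conf alias for jail IP $2 whose netmask is not a host mask.
check_alias_netmask() {   # $1 = host rc.conf, $2 = jail IP
    awk -v ip="$2" '
        /^ifconfig_[A-Za-z0-9]+_alias[0-9]+=/ {
            line = $0; gsub(/"/, " ", line)
            n = split(line, f, /[ =]+/); has_ip = 0; mask = ""
            for (i = 1; i <= n; i++) {
                if (f[i] == ip) has_ip = 1
                if (f[i] == "netmask" && i < n) mask = f[i + 1]
            }
            if (has_ip && mask != "255.255.255.255" && tolower(mask) != "0xffffffff") {
                print "alias for " ip " has netmask " (mask == "" ? "(none)" : mask)
                bad = 1
            }
        }
        END { exit bad + 0 }' "$1"
}

# The host sshd must listen only on the host IP, or it also answers on the jail's.
check_sshd_listen() {     # $1 = host sshd_config, $2 = host IP
    addrs=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$1")
    if [ -z "$addrs" ]; then
        echo "host sshd has no ListenAddress, so it binds every address"
        return 1
    fi
    for a in $addrs; do
        [ "$a" = "$2" ] || { echo "host sshd also listens on $a"; return 1; }
    done
    return 0
}

# Returns the number of findings (0 = both checks pass).
audit_host() {            # $1 = rc.conf, $2 = sshd_config, $3 = host IP, $4 = jail IP
    findings=0
    check_alias_netmask "$1" "$4" || findings=$((findings + 1))
    check_sshd_listen "$2" "$3" || findings=$((findings + 1))
    return "$findings"
}

# Constructed sample files: "before" uses the alias line from the post, "after" the fix.
tmp=$(mktemp -d)
printf '%s\n' 'ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"' > "$tmp/rc.before"
printf '%s\n' 'ifconfig_fxp0_alias0="inet 10.0.0.203 netmask 255.255.255.255"' > "$tmp/rc.after"
printf '%s\n' '#ListenAddress 0.0.0.0' 'Port 22' > "$tmp/sshd.before"
printf '%s\n' 'Port 22' 'ListenAddress 10.0.0.202' > "$tmp/sshd.after"

audit_host "$tmp/rc.before" "$tmp/sshd.before" 10.0.0.202 10.0.0.203 || echo "before: $? finding(s)"
audit_host "$tmp/rc.after" "$tmp/sshd.after" 10.0.0.202 10.0.0.203 && echo "after: clean"
```
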
Re: Jail setup
On Thu, 04 Mar 2004 17:31:55 -0600 Chris Meyers <[EMAIL PROTECTED]> wrote:

> I need to set up a new mail server at a different building, so I
> thought I would put sendmail and its services (virus scanning etc.) in
> a jail to be a bit more secure. I thought that before I do this for
> real I would try setting up a jail on a test server and see if I can
> ssh to it and generally get things to work. I can't.
>
> Here's what I have set up so far. I found a couple how-tos and I am
> following them; one is an ONLamp article
> (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other

btw, this article differs from the jail-manpage, the manpage is more strict about /dev/

> is the jails section of the AbsoluteBSD book. I am running 5.1.

- cut -

> and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

i'm using some jails, and have not used the ListenAddress of ssh, and i can ssh to the jails just fine

the description of your problem sounds more like a DNS-problem though
Jail setup
I need to set up a new mail server at a different building, so I thought I would put sendmail and its services (virus scanning etc.) in a jail to be a bit more secure. I thought that before I do this for real I would try setting up a jail on a test server and see if I can ssh to it and generally get things to work. I can't.

Here's what I have set up so far. I found a couple how-tos and I am following them; one is an ONLamp article (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other is the jails section of the AbsoluteBSD book. I am running 5.1.

On the server I set up a /usr/jail directory to put the jail into. Then I ran the following from /usr/src/:

# make world DESTDIR=/usr/jail
# cd etc
# make distribution DESTDIR=/usr/jail
# cd /usr/jail/dev
# sh MAKEDEV jail

This is where I had my first problem, MAKEDEV doesn't exist. At first I was a bit concerned about this, then I remembered that in 5.0 and above MAKEDEV isn't necessary, it is handled by the kernel (If that isn't right someone please tell me). I didn't worry about this.

Next I ran:
# cd ../
# ln -sf /dev/null kernel

Then I started my jail:
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh

Things seem to be fine. I can see the jailed environment and everything looks fine. I log out and then try to set up the last configurations so I can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the following lines:

ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_flags="-wW -a 10.0.0.202"

I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.

In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:

portmap_enable="NO"
ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
sendmail_enable="YES"
sshd_enable="YES"

and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

I then rebooted to shut all services down. When the system was back up and running I ran the commands to mount and start the jail:

# mount -t procfs proc /usr/jail/proc
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc

Things seem to "boot" fine until it gets to sendmail; it seems to hang there (sshd starts fine though). Eventually sendmail times out and I get a prompt. I figure my jail is running (minus sendmail which I don't care about at the moment), and a ps -ax|grep J shows a few jailed processes running including sshd. From another system I try:

% ssh 10.0.0.203

and I get nothing. I can ping 10.0.0.203 just fine (as well as 10.0.0.202). A sockstat -4 shows:

root sshd    3041 3 tcp4 10.0.0.203:22  *:*
root syslogd 2908 4 udp4 10.0.0.203:514 *:*
root sshd    2650 3 tcp4 10.0.0.202:22  *:*

so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to 202 without problem, I just can't get into the jail.

Can anybody tell me where I screwed up, or other things to look for. Any help would be appreciated.

Thanks,
Chris
Re: Jail setup with FreeBSD 5.0
Axel Gruner wrote:

> Hi.
>
> I am trying to setup a jail in FreeBSD 5.0 RC2. I found out to use "mount -t devfs / $D/dev" instead of "cd %D/dev; sh MAKEDEV jail". So, i configured my jail a bit, and wanted to start it with the command: "jail /jail/ssh testhome 192.168.0.201 /bin/sh /etc/rc"
>
> But the jail is not starting, here the output:
>
> hw.bus.devctl_disable: 1 -> 1
> Entropy harvesting:sysctl: kern.random.sys.harvest.interrupt: Operation not permitted
> interruptssysctl: kern.random.sys.harvest.ethernet: Operation not permitted
> ethernetsysctl: kern.random.sys.harvest.point_to_point: Operation not permitted
> point_to_point.
> Fast boot: skipping disk checks.
> mount: /: unknown special file or file system
> adjkerntz[76259]: sysctl(put_wallclock): Operation not permitted
> Doing initial network setup:.
> ifconfig: ioctl (SIOCDIFADDR): permission denied
> lo0: flags=8049 mtu 16384
> Additional routing options:.
> Mounting NFS file systems:.
> ELF ldconfig path: /usr/lib /usr/lib/compat
> a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
> Starting local daemons:.
> Updating motd.
> Configuring syscons: keymap blanktime.
> Initial i386 initialization:.
> Additional ABI support:.
> Local package initialization:.
> Additional TCP options:.
> ln: vga: Operation not permitted
> Starting cron.
> Starting background file system checks.
> Mon Dec 23 12:19:27 CET 2002
>
> So after that i mounted also "procfs" (like it is told in jail manpage). Same result.
>
> So, how different is it to setup up a jail in FreeBSD 5 compared to FreeBSD 4.x? Or, where is my mistake?
>
> Thanks in advance.

What's your concrete question?

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
e-Mail: <[EMAIL PROTECTED]>
http://www.liwing.de/

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Jail setup with FreeBSD 5.0
Hi.

I am trying to setup a jail in FreeBSD 5.0 RC2. I found out to use "mount -t devfs / $D/dev" instead of "cd %D/dev; sh MAKEDEV jail". So, i configured my jail a bit, and wanted to start it with the command: "jail /jail/ssh testhome 192.168.0.201 /bin/sh /etc/rc"

But the jail is not starting, here the output:

hw.bus.devctl_disable: 1 -> 1
Entropy harvesting:sysctl: kern.random.sys.harvest.interrupt: Operation not permitted
interruptssysctl: kern.random.sys.harvest.ethernet: Operation not permitted
ethernetsysctl: kern.random.sys.harvest.point_to_point: Operation not permitted
point_to_point.
Fast boot: skipping disk checks.
mount: /: unknown special file or file system
adjkerntz[76259]: sysctl(put_wallclock): Operation not permitted
Doing initial network setup:.
ifconfig: ioctl (SIOCDIFADDR): permission denied
lo0: flags=8049 mtu 16384
Additional routing options:.
Mounting NFS file systems:.
ELF ldconfig path: /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Starting local daemons:.
Updating motd.
Configuring syscons: keymap blanktime.
Initial i386 initialization:.
Additional ABI support:.
Local package initialization:.
Additional TCP options:.
ln: vga: Operation not permitted
Starting cron.
Starting background file system checks.
Mon Dec 23 12:19:27 CET 2002

So after that i mounted also "procfs" (like it is told in jail manpage). Same result.

So, how different is it to setup up a jail in FreeBSD 5 compared to FreeBSD 4.x? Or, where is my mistake?

Thanks in advance.
Re: Jail setup with mount_union?
At 2002-11-26T21:36:31Z, [EMAIL PROTECTED] writes:

> Nevermind. I just tried a couple of jail setups with a base and a couple
> of mount_union'd directories. My machine promptly locked up on logging into
> them with ssh.

I never had much luck with the setup, either. That's too bad, because it seems like an almost ideal solution to a lot of jail problems.

--
Kirk Strauser
In Googlis non est, ergo non est.
Re: Jail setup with mount_union?
Nevermind. I just tried a couple of jail setups with a base and a couple of mount_union'd directories. My machine promptly locked up on logging into them with ssh. Bleh. And mount_null doesn't seem to be what I want, as I want write access without affecting the lower layer. O'well.

On Tue, 26 Nov 2002 [EMAIL PROTECTED] wrote:

> I want to setup multiple jails with mount_union using a common base, but
> the warning on the bottom of the man page is severely limiting my
> consideration of its use. Is the warning on the bottom of that man page
> still valid? And are there other ways to setup a common base for jails?
> Perhaps mount_null? Thanks.
Jail setup with mount_union?
I want to setup multiple jails with mount_union using a common base, but the warning on the bottom of the man page is severely limiting my consideration of its use. Is the warning on the bottom of that man page still valid? And are there other ways to setup a common base for jails? Perhaps mount_null? Thanks.