JAIL setup

2006-05-14 Thread Wojciech Puchar

can anyone point me to howto about configuring jailed subserver?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: JAIL setup

2006-05-14 Thread Brian Josefsen
On Sun, May 14, 2006 at 01:38:34PM +0200, Wojciech Puchar wrote:
> can anyone point me to howto about configuring jailed subserver?

Read the jail and jails man pages and you're getting there fast.

-- 
Med venlig hilsen / Best regards
Brian Josefsen


Re: JAIL setup

2006-05-14 Thread Matt Bostock
Brian Josefsen <josefsen at wasd.dk> writes:
> can anyone point me to howto about configuring jailed subserver?

http://erdgeist.org/arts/software/ezjail/

Matt :)



Re: jail setup

2004-04-08 Thread Matthew Seaman
On Wed, Apr 07, 2004 at 10:51:00PM -0400, dave wrote:
> Hello,
> I'm setting up a jail under 5.2.1 to run pure-ftpd in. I did the
> following:
> cvsupped the source
> cd /usr/src
> make world DESTDIR=/usr/jail/ftp
> cd etc
> make distribution DESTDIR=/usr/jail/ftp
> then linked /dev/null to kernel inside the jail area.
> I'm following an onlamp article at:
> and understood that sendmail and perl and some other items would be
> available. When i do a pkg_info from within the jail there aren't any
> packages. did i miss a step? Is there something i should have installed to
> make this go easier?

That's exactly what I'd expect to see.  When you run pkg_info(1)
within the jail, it looks for the contents of /var/db/pkg *within the
jail*.  You can't see the package data for packages you install from the
base system when you're in the jail.  You'd have to install the
packages from inside the jail for that to show up.

Be aware that On-Lamp article was written in reference to FreeBSD 4.x
-- some things are a bit different with FreeBSD 5.x.  You should have
sendmail in the base system unless you've disabled building it by
putting 'NO_SENDMAIL=yes' into /etc/make.conf.  You won't have perl as
part of the base in 5.x -- you will definitely have to install from
ports/packages to get that.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




jail setup

2004-04-07 Thread dave
Hello,
I'm setting up a jail under 5.2.1 to run pure-ftpd in. I did the
following:
cvsupped the source
cd /usr/src
make world DESTDIR=/usr/jail/ftp
cd etc
make distribution DESTDIR=/usr/jail/ftp
then linked /dev/null to kernel inside the jail area.
I'm following an onlamp article at:
and understood that sendmail and perl and some other items would be
available. When i do a pkg_info from within the jail there aren't any
packages. did i miss a step? Is there something i should have installed to
make this go easier?
Thanks.
Dave.



Re: Jail setup

2004-03-05 Thread Chris Meyers
On Fri, 2004-03-05 at 00:57, Harald Schmalzbauer wrote:
> ...cut...
> > Things seem to be fine. I can see the jailed environment and everything
> > looks fine. I log out and then try to set up the last configurations so I
> > can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
> > following lines:
> >
> > ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
>
> This is wrong. The jail can only have one IP so netmask has to be 0xffffffff
> (255.255.255.255)
> Do you have something like this on the host?
> ifconfig_fxp0="inet 10.0.0.202 netmask 0xffffff00" #host
> ifconfig_fxp0_alias0="inet 10.0.0.203 netmask 0xffffffff" #jail 1
...cut again...
>
> Change the IP like I wrote above and everything should be fine.
>
> -Harry

This all worked (thank you Harry), but now I have a slightly different
problem. I can ssh to the jail, but I get the following message:

Warning: no access to tty (Bad file descriptor). Thus no job control in
this shell. You can use the 'fetch' command to retrieve files over ftp
or http. 
fetch http://www.freebsd.org/index.html
will download the front page of the FreeBSD web site.

I figured this had something to do with my MAKEDEV problem so after
re-reading the jail manpage (thanks albi) I found the following:

mount_devfs devfs /usr/jail/dev

Now I can ssh to the 10.0.0.203 address without problem. This is OK, but
not ideal. I am wondering if there is something I need to do to set up
the devfs in the jail permanently, or do I have to run the mount_devfs
command every time I start the jail. I was planning on writing a
/usr/local/etc/rc.d shell script to start the jail on boot up anyway, so
adding the mount command to that isn't a big deal, I was just wondering
if there was another way.

Thanks,
Chris




Jail setup

2004-03-04 Thread Chris Meyers
I need to set up a new mail server at a different building, so I thought
I would put sendmail and its services (virus scanning etc.) in a jail to
be a bit more secure. I thought that before I do this for real I would
try setting up a jail on a test server and see if I can ssh to it and
generally get things to work. I can't.

Here's what I have set up so far. I found a couple how-tos and I am
following them; one is an ONLamp article
(http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
is the jails section of the AbsoluteBSD book. I am running 5.1.

On the server I set up a /usr/jail directory to put the jail into. Then
I ran the following from /usr/src/:

# make world DESTDIR=/usr/jail
# cd etc
# make distribution DESTDIR=/usr/jail
# cd /usr/jail/dev
# sh MAKEDEV jail

This is where I had my first problem, MAKEDEV doesn't exist. At first I
was a bit concerned about this, then I remembered that in 5.0 and above
MAKEDEV isn't necessary, it is handled by the kernel (If that isn't
right someone please tell me). I didn't worry about this.

Next I ran:
# cd ../
# ln -sf /dev/null kernel

Then I started my jail:
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh

Things seem to be fine. I can see the jailed environment and everything
looks fine. I log out and then try to set up the last configurations so I
can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
following lines:

ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_flags="-wW -a 10.0.0.202"

I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config. 

In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:

portmap_enable="NO"
ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
sendmail_enable="YES"
sshd_enable="YES"

and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

I then rebooted to shut all services down. When the system was back up
and running I ran the commands to mount and start the jail:

# mount -t procfs proc /usr/jail/proc
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc

Things seem to boot fine until it gets to sendmail; it seems to hang
there (sshd starts fine though). Eventually sendmail times out and I get
a prompt. I figure my jail is running (minus sendmail which I don't care
about at the moment), and a ps -ax|grep J shows a few jailed processes
running including sshd. From another system I try:
% ssh 10.0.0.203
and I get nothing. I can ping 10.0.0.203 just fine (as well as
10.0.0.202). A sockstat -4 shows:
root sshd    3041  3  tcp4   10.0.0.203:22  *:*
root syslogd 2908  4  udp4   10.0.0.203:514 *:*
root sshd    2650  3  tcp4   10.0.0.202:22  *:*

so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
202 without problem, I just can't get into the jail.

Can anybody tell me where I screwed up, or other things to look for. Any
help would be appreciated.

Thanks,
Chris




Re: Jail setup

2004-03-04 Thread albi
On Thu, 04 Mar 2004 17:31:55 -0600
Chris Meyers [EMAIL PROTECTED] wrote:

> I need to set up a new mail server at a different building, so I
> thought I would put sendmail and its services (virus scanning etc.) in
> a jail to be a bit more secure. I thought that before I do this for
> real I would try setting up a jail on a test server and see if I can
> ssh to it and generally get things to work. I can't.
>
> Here's what I have set up so far. I found a couple how-tos and I am
> following them; one is an ONLamp article
> (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other

btw, this article differs from the jail-manpage, the manpage is more
strict about /dev/

> is the jails section of the AbsoluteBSD book. I am running 5.1.
- cut -
> and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

i'm using some jails, and have not used the ListenAddress of ssh, and i
can ssh to the jails just fine

the description of your problem sounds more like a DNS-problem though



Re: Jail setup

2004-03-04 Thread Harald Schmalzbauer
On Friday, 5 March 2004 00:31, Chris Meyers wrote:
> I need to set up a new mail server at a different building, so I thought
> I would put sendmail and its services (virus scanning etc.) in a jail to
> be a bit more secure. I thought that before I do this for real I would
> try setting up a jail on a test server and see if I can ssh to it and
> generally get things to work. I can't.
>
> Here's what I have set up so far. I found a couple how-tos and I am
> following them; one is an ONLamp article
> (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
> is the jails section of the AbsoluteBSD book. I am running 5.1.
>
> On the server I set up a /usr/jail directory to put the jail into. Then
> I ran the following from /usr/src/:
>
> # make world DESTDIR=/usr/jail
> # cd etc
> # make distribution DESTDIR=/usr/jail
> # cd /usr/jail/dev
> # sh MAKEDEV jail
>
> This is where I had my first problem, MAKEDEV doesn't exist. At first I
> was a bit concerned about this, then I remembered that in 5.0 and above
> MAKEDEV isn't necessary, it is handled by the kernel (If that isn't
> right someone please tell me). I didn't worry about this.
>
> Next I ran:
> # cd ../
> # ln -sf /dev/null kernel
>
> Then I started my jail:
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh
>
> Things seem to be fine. I can see the jailed environment and everything
> looks fine. I log out and then try to set up the last configurations so I
> can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
> following lines:
>
> ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"

This is wrong. The jail can only have one IP so netmask has to be 0xffffffff
(255.255.255.255)
Do you have something like this on the host?
ifconfig_fxp0="inet 10.0.0.202 netmask 0xffffff00" #host
ifconfig_fxp0_alias0="inet 10.0.0.203 netmask 0xffffffff" #jail 1

> sendmail_enable="NONE"
> inetd_flags="-wW -a 10.0.0.202"
>
> I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.
>
> In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:
>
> portmap_enable="NO"
> ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
> sendmail_enable="YES"
> sshd_enable="YES"
>
> and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

This isn't necessary, since the jail has only that one IP.
It's important that the host is limited to one address like you wrote a few
lines above!

Change the IP like I wrote above and everything should be fine.

-Harry


> I then rebooted to shut all services down. When the system was back up
> and running I ran the commands to mount and start the jail:
>
> # mount -t procfs proc /usr/jail/proc
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc
>
> Things seem to boot fine until it gets to sendmail; it seems to hang
> there (sshd starts fine though). Eventually sendmail times out and I get
> a prompt. I figure my jail is running (minus sendmail which I don't care
> about at the moment), and a ps -ax|grep J shows a few jailed processes
> running including sshd. From another system I try:
> % ssh 10.0.0.203
> and I get nothing. I can ping 10.0.0.203 just fine (as well as
> 10.0.0.202). A sockstat -4 shows:
> root sshd    3041  3  tcp4   10.0.0.203:22  *:*
> root syslogd 2908  4  udp4   10.0.0.203:514 *:*
> root sshd    2650  3  tcp4   10.0.0.202:22  *:*
>
> so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
> 202 without problem, I just can't get into the jail.
>
> Can anybody tell me where I screwed up, or other things to look for. Any
> help would be appreciated.
>
> Thanks,
> Chris
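
The two host-side points in the reply above (the jail's alias needs the all-ones netmask, and host daemons must be bound to the host's own address) can be checked mechanically. This is an added example, not code from the thread or from FreeBSD; the function names, the 10.0.0.204 address and all sample lines are constructed.

```shell
#!/bin/sh
# Added example: host-side checks for a jail on an alias address.
# All sample data below is constructed; no FreeBSD tools are invoked.

# List ifconfig_<if>_aliasN entries in an rc.conf-style file ($1) whose
# netmask is not the all-ones mask (255.255.255.255 / 0xffffffff).
# Output per finding: "<variable> <address> <netmask>".
bad_alias_netmasks() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^ifconfig_[A-Za-z0-9]+_alias[0-9]+$/ {
            val = $2; gsub(/"/, "", val); sub(/#.*/, "", val)
            n = split(val, w, /[ \t]+/); ip = ""; mask = "(none)"
            for (i = 1; i <= n; i++) {
                if (w[i] == "netmask" && i < n) { mask = tolower(w[i + 1]); i++ }
                else if (ip == "" && w[i] ~ /^[0-9]+(\.[0-9]+)+$/) ip = w[i]
            }
            if (mask != "255.255.255.255" && mask != "0xffffffff")
                print $1, ip, mask
        }' "$1"
}

# Read `sockstat -4` output on stdin and list sockets bound to the wildcard
# address (*:port). A host daemon bound this way also answers on the jail IP.
# Output per finding: "<command> <proto> <local address>".
wildcard_listeners() {
    awk '$5 ~ /^(tcp|udp)4$/ && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# Constructed demo input: one alias with the /24 mask from the thread and
# one with the all-ones mask, plus three constructed sockstat lines.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
ifconfig_fxp0="inet 10.0.0.202 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.0.0.203 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet 10.0.0.204 netmask 0xffffffff"
EOF
    bad_alias_netmasks "$tmp"
    rm -f "$tmp"
    wildcard_listeners <<'EOF'
root sshd    2650 3 tcp4 10.0.0.202:22 *:*
root inetd   2701 4 tcp4 *:21          *:*
root syslogd 2908 4 udp4 *:514         *:*
EOF
}

demo
```

On a real host, run `bad_alias_netmasks /etc/rc.conf` and `sockstat -4 | wildcard_listeners`; both should print nothing before the jail is started.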




Re: Jail setup with FreeBSD 5.0

2003-01-02 Thread Jens Rehsack
Axel Gruner wrote:

> Hi.
>
> I am trying to setup a jail in FreeBSD 5.0 RC2. 
> I found out to use mount -t devfs / $D/dev instead of cd %D/dev; sh
> MAKEDEV jail. So, i configured my jail a bit, and wanted to start it
> with the command: jail /jail/ssh testhome 192.168.0.201 /bin/sh /etc/rc
> But the jail is not starting, here the output:
>
> hw.bus.devctl_disable: 1 - 1
> Entropy harvesting:sysctl: kern.random.sys.harvest.interrupt: Operation
> not perm itted
>  interruptssysctl: kern.random.sys.harvest.ethernet: Operation not
> permitted ethernetsysctl: kern.random.sys.harvest.point_to_point:
> Operation not permitted point_to_point.
> Fast boot: skipping disk checks.
> mount: /: unknown special file or file system
> adjkerntz[76259]: sysctl(put_wallclock): Operation not permitted
> Doing initial network setup:.
> ifconfig: ioctl (SIOCDIFADDR): permission denied
> lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384
> Additional routing options:.
> Mounting NFS file systems:.
> ELF ldconfig path: /usr/lib /usr/lib/compat
> a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
> Starting local daemons:.
> Updating motd.
> Configuring syscons: keymap blanktime.
> Initial i386 initialization:.
> Additional ABI support:.
> Local package initialization:.
> Additional TCP options:.
> ln: vga: Operation not permitted
> Starting cron.
> Starting background file system checks.
> Mon Dec 23 12:19:27 CET 2002
>
> So after that i mounted also procfs (like it is told in jail manpage).
> Same result.
>
> So, how different is it to setup up a jail in FreeBSD 5 compared to
> FreeBSD 4.x? Or, where is my mistake?
>
> Thanks in advance.

What's your concrete question?


--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.:  +49 - 3 45 - 5 17 05 91
Fax:   +49 - 3 45 - 5 17 05 92
e-Mail: [EMAIL PROTECTED]
http://www.liwing.de/






Jail setup with FreeBSD 5.0

2002-12-23 Thread Axel Gruner
Hi.

I am trying to setup a jail in FreeBSD 5.0 RC2. 
I found out to use mount -t devfs / $D/dev instead of cd %D/dev; sh
MAKEDEV jail. So, i configured my jail a bit, and wanted to start it
with the command: jail /jail/ssh testhome 192.168.0.201 /bin/sh /etc/rc
But the jail is not starting, here the output:

hw.bus.devctl_disable: 1 - 1
Entropy harvesting:sysctl: kern.random.sys.harvest.interrupt: Operation
not perm itted
 interruptssysctl: kern.random.sys.harvest.ethernet: Operation not
permitted ethernetsysctl: kern.random.sys.harvest.point_to_point:
Operation not permitted point_to_point.
Fast boot: skipping disk checks.
mount: /: unknown special file or file system
adjkerntz[76259]: sysctl(put_wallclock): Operation not permitted
Doing initial network setup:.
ifconfig: ioctl (SIOCDIFADDR): permission denied
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384
Additional routing options:.
Mounting NFS file systems:.
ELF ldconfig path: /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Starting local daemons:.
Updating motd.
Configuring syscons: keymap blanktime.
Initial i386 initialization:.
Additional ABI support:.
Local package initialization:.
Additional TCP options:.
ln: vga: Operation not permitted
Starting cron.
Starting background file system checks.
Mon Dec 23 12:19:27 CET 2002

So after that i mounted also procfs (like it is told in jail manpage).
Same result.

So, how different is it to setup up a jail in FreeBSD 5 compared to
FreeBSD 4.x? Or, where is my mistake?

Thanks in advance.





Re: Jail setup with mount_union?

2002-11-26 Thread bsd
Never mind. I just tried a couple of jail setups with a base and a couple
of mount_union'd directories. My machine promptly locked up on logging into
them with ssh. Bleh. And mount_null doesn't seem to be what I want, as I
want write access without affecting the lower layer. Oh well.

On Tue, 26 Nov 2002 [EMAIL PROTECTED] wrote:

> I want to setup multiple jails with mount_union using a common base, but
> the warning on the bottom of the man page is severely limiting my
> consideration of its use. Is the warning on the bottom of that man page
> still valid? And are there other ways to setup a common base for jails?
> Perhaps mount_null? Thanks.







Re: Jail setup with mount_union?

2002-11-26 Thread Kirk Strauser

At 2002-11-26T21:36:31Z, [EMAIL PROTECTED] writes:

> Never mind. I just tried a couple of jail setups with a base and a couple
> of mount_union'd directories. My machine promptly locked up on logging into
> them with ssh.

I never had much luck with the setup, either.  That's too bad, because it
seems like an almost ideal solution to a lot of jail problems.
-- 
Kirk Strauser
In Googlis non est, ergo non est.
