Poor Uses for jail(8)
• kernel access (you don't get a kernel)
• limited network interface access
• limited device driver access
• when chroot(8) will simply do the job
• some applications require particular low-level system calls:
  • Notably, PostgreSQL doesn't run (securely) in jails based on SysV IPC
How To jail(8)
• DEFINITIVE instructions in jail man pages
1. compile a FreeBSD userland from source somewhere on host machine, minor tweaks.
2. create an IP alias on a network interface
3. run the jail(8) call with the IP, and userland, to 'boot' the jail (so to speak).
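The three steps above as one shell script, added here as an example and not taken from the slides. The command forms (make world and make distribution with DESTDIR, the devfs mount, the /dev/null kernel link, and the positional `jail path hostname ip command` syntax) are assumptions based on the jail(8) man-page recipe of that FreeBSD era; the path, hostname, address and the `run`, `valid_*` and `make_jail` names are hypothetical.

```shell
#!/bin/sh
# Added example: the three How-To steps as one guarded script.
# Dry run by default (commands are only printed); set APPLY=1 as root on the
# FreeBSD host to execute. Paths, names and addresses are sample values.

run() {
    # usage: run DIR CMD...  Print the command; run it from DIR only if APPLY=1.
    dir=$1; shift
    echo "+ [$dir] $*"
    if [ "${APPLY:-0}" = "1" ]; then ( cd "$dir" && "$@" ); fi
}

valid_jaildir() {
    # Absolute path, not "/", no "..": DESTDIR must never resolve to the host root.
    case "$1" in
        ""|/|*..*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

valid_ipv4() {
    # Four dot-separated decimal octets, each in 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

make_jail() {
    # usage: make_jail JAILDIR HOSTNAME IP INTERFACE
    D=$1; name=$2; ip=$3; ifc=$4
    valid_jaildir "$D" || { echo "bad jail dir: $D" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 2; }
    # 1. Build a userland from source into the jail directory.
    run / mkdir -p "$D" &&
    run /usr/src make world DESTDIR="$D" &&
    run /usr/src/etc make distribution DESTDIR="$D" &&
    run / mount -t devfs devfs "$D/dev" &&   # the "mount /dev" slide
    run "$D" ln -sf dev/null kernel &&       # the "null kernel" slide
    # 2. Give the jail its own address as an alias on a host interface.
    run / ifconfig "$ifc" inet alias "$ip" netmask 255.255.255.255 &&
    # 3. "Boot" the jail with a shell for first-time configuration.
    run / jail "$D" "$name" "$ip" /bin/sh
}

# Example: sh mkjail.sh /usr/jails/web web.example.org 192.0.2.10 ed0
if [ "$#" -eq 4 ]; then make_jail "$@"; fi
```

The jail-directory check matters because a mistyped DESTDIR would install the freshly built userland over the host's own.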
Practical Comparison
[Diagram: FreeBSD host filesystem tree compared with the tree under host:/path/to/jaildir/]
making a jail
Host Machine
preflight (simple)
1. get source to build with (cvsup is great)
2. make somewhere for the jails to live (partitions, disk mounts, etc...)
3. make somewhere for jail-related start/mgmt scripts to live (starting jails from /etc/rc.d/jail can thrash violently in most contexts! Bad!)
preflight- (man, definitive)
preflight- (build from src)
[Diagram: host filesystem tree with a jails directory, labelled $D]
preflight- (build from src) compile!
preflight host:/path/to/jaildir/
[Diagram: jail directory filling in during the build, ending with tmp, var, mnt, etc, lib, sbin, bin, home, usr, local and ports]
preflight- (mount /dev)
preflight- (null kernel)
preflight host:/path/to/jaildir/
[Diagram: the same jail tree, now with a dev directory whose entries include mem, kmem and null]
preflight
• Common Question:
  • Why isn't there an automated build system for this stage?
  • Take care with the build procedure; it's better to automate things later, once you have the basics set up (network, users, packages, time, etc.)
preflight- (config host) jailinghost:/etc/rc.conf (stock)
preflight- (config host) jailinghost:/etc/rc.conf
preflight- (master system) jailinghost:/etc/ssh/sshd_conf
[Diagram: host filesystem tree including the jails directory]
configure - call jailed sh (analogous to booting a machine in su mode)
configure - call jailed sh: configure the jail, inside the jail
configure - call jailed sh: sysctl, whee!
configure - call jailed sh: root pw
configure - call jailed sh: add users
configure - call jailed sh: set timezone
configure - call jailed sh: network options...
configure - call jailed sh: run ssh, important
configure - call jailed sh: check rc.conf in jail
Recommend
More recommend