Jail How To:
Maybe common sense is not working for me.
So I RTWM and I tried to do it by the book, but it did not work. I keep screwing up maybe, so today I did my 5th re-install. I should have followed this old link (March 6th, 2010), that keeps coming up from the dead, from the start, but I saw no build-this, merge-that before you go to the jail section, like in the handbook, and nowhere in the handbook indicated the short-cut to do jail. Seems that those links were the short-cut all along, but I read RTWM on other links.
This is only FreeBSD 9.0-current and this is for jail only. Do I need to complete every single step in the entire makeworld section? I guess not. Anyway, (January 31st, 2011) came the Noodle, deep down in a link with the rest of the story:
# cd /usr/src
# make buildworld ... << I stop here this time. goodies sitting in obj
# make buildkernel
# make installkernel
# shutdown -r now
# etc ...
# etc ...
Just in case the Noodle instructions are incomplete, as I always wonder about others I saw, I go straight to the jail section of the handbook. This part tells me to do this among many other things, again. So this time I only added to the mroot directory what the Noodle said in the 10th post, a year too late.
# mkdir /j /j/mroot
# cd /usr/src
# make installworld DESTDIR=/j/mroot SRCCONF=/root/src.conf.internetz
IT'S COMPILING !!! So this is how it's supposed to be done ... Right? If so, now even noobs like me know not to expect the handbook to show every possible thing.
You saved my sanity and my world, Mr. Noodle.
Anyway, with the perfectly (I think) modified src.conf.internetz file (at bottom) I got my first error, being bind9 related:
install -C -o root -g wheel -m 444 libz.a /j/mroot/usr/lib
install -s -o root -g wheel -m 444 libz.so.6 /j/mroot/lib
ln -fs /lib/libz.so.6 /j/mroot/usr/lib/libz.so
install -C -o root -g wheel -m 444 /usr/src/lib/libz/zconf.h /usr/src/lib/libz/zlib.h /j/mroot/usr/include
===> lib/bind (install)
===> lib/bind/bind9 (install)
install -C -o root -g wheel -m 444 libbind9.a /j/mroot/usr/lib
install -s -o root -g wheel -m 444 libbind9.so.50 /j/mroot/usr/lib
install: libbind9.so.50: No such file or directory
*** Error code 71
Stop in /usr/src/lib/bind/bind9.
*** Error code 1
Stop in /usr/src/lib/bind.
*** Error code 1
Stop in /usr/src/lib.
*** Error code 1
Stop in /usr/src.
*** Error code 1
One more thing I noticed ... maybe this is the way it's supposed to work, but it's very strange to me. The new world is in /usr/obj but make installworld is still pointing to /usr/src during run-time, from the command line.
I lost lots of time for nothing and am now very close to seeing how jail works. Would someone of experience show me how to get this thing going? In return, other than helping you someday, I'll be in a position today to reserve a cell for you in this prison, rent free .. for life.
Who could ask for more?
PS: Can this be fixed, or more added, until the jail is so small it goes unnoticed, space-wise?
# Apache Jail Config-1 05/14/2011
# -------------------------------------------------------
# source: http://forums.freebsd.org/showthread.php?t=12022
# March 6th, 2010 by klabacita
#
# based on nbari*, vivek and SirDice threads.
# I combined all. Hope to include more/remove wrong type
# entries for each type server at smallest possible config:
# apache-2.2.17_2.tbz
# cherokee-1.2.2.tbz
# mysql-server-5.5.11.tbz
# racoon2-20100526a_1.tbz
# jail for a apache-server only ... COMBO-1:
WITHOUT_ACCT="YES"
WITHOUT_ACPI="YES"              # do not build acpiconf(8) and related programs
WITHOUT_AMD="YES"
WITHOUT_APM="YES"
WITHOUT_ASSERT_DEBUG="YES"
WITHOUT_AT="YES"
WITHOUT_ATM="YES"               # do not build ATM related programs and libraries
WITHOUT_AUDIT="YES"
WITHOUT_AUTHPF="YES"            # do not build and install authpf (setuid/gid)
WITHOUT_BIND_DNSSEC="YES"       # Do not build dnssec-keygen, dnssec-signzone
WITHOUT_BIND_ETC="YES"          # Do not install files to /etc/namedb
WITHOUT_BIND_LIBS_LWRES="YES"   # Do not install the lwres library
WITHOUT_BIND_MTREE="YES"        # Do not run mtree to create chroot directories
WITHOUT_BIND_NAMED="YES"        # Do not build named, rndc, lwresd, etc.
#WITHOUT_BIND_UTILS=            # Do not build dig, host, nslookup, nsupdate - vivek
WITH_BIND_LIBS=                 # Install the BIND libs and include files - vivek
##WITHOUT_BIND="YES"            # Do not build any part of BIND (by SirDice)
##WITHOUT_BIND_DNSSEC="YES"     # no dnssec-keygen, dnssec-signzone (by SirDice)
#WITHOUT_BIND_ETC="YES"         # Do not install files to /etc/namedb (by SirDice)
##
#WITHOUT_BIND_LIBS_LWRES="YES"  # no install the lwres library (blank by SirDice)
##WITHOUT_BIND_MTREE="YES"      # Do not run mtree to create chroot directories (SD)
##WITHOUT_BIND_NAMED="YES"      # Do not build named, rndc, lwresd, etc. (by SirDice)
WITHOUT_BLUETOOTH="YES"         # do not build Bluetooth related stuff
WITHOUT_BOOT="YES"              # do not build boot blocks and loader
WITHOUT_BSD_CPIO="YES"
WITHOUT_BSNMP="YES"
WITHOUT_CALENDAR="YES"
WITHOUT_CDDL="YES"
#WITHOUT_CRYPT="YES"            # do not build any crypto code (by SirDice only)
WITHOUT_CTM="YES"
WITHOUT_CVS="YES"               # do not build CVS (original blank by vivek)
WITHOUT_DICT="YES"
WITHOUT_EXAMPLES="YES"
WITHOUT_FLOPPY="YES"
WITHOUT_FORTRAN="YES"           # do not build g77 and related libraries - vivek
WITHOUT_FORTH="YES"
WITHOUT_FREEBSD_UPDATE="YES"
WITHOUT_GAMES="YES"             # do not build games (games/ subdir)
WITHOUT_GDB="YES"               # do not build GDB - vivek
WITHOUT_GPIB="YES"              # do not build GPIB support
WITHOUT_GSSAPI="YES"
WITHOUT_HTML="YES"
WITHOUT_I4B="YES"               # do not build isdn4bsd package - vivek
WITHOUT_INET6="YES"
WITHOUT_INFO="YES"              # do not make or install info files - vivek
WITHOUT_IPFILTER="YES"          # do not build IP Filter package
WITHOUT_IPFW="YES"
WITHOUT_IPX="YES"
WITHOUT_JAIL="YES"
WITHOUT_KERBEROS="YES"          # do not build and install Kerberos 5 (KTH Heimdal)
WITHOUT_KVM="YES"
WITHOUT_LEGACY_CONSOLE="YES"
WITHOUT_LIB32="YES"
WITHOUT_LPR="YES"               # do not build lpr and related programs
WITHOUT_MAIL="YES"
WITHOUT_MAILWRAPPER="YES"
WITHOUT_MAN="YES"               # do not build manual pages
WITHOUT_MODULES="YES"           # do not build modules with the kernel - vivek
WITHOUT_NCP="YES"
WITHOUT_NDIS="YES"
WITHOUT_NETCAT="YES"            # do not build netcat
WITHOUT_NIS="YES"               # no NIS support and related programs. (blank by SirDice)
WITHOUT_NLS="YES"
WITHOUT_NLS_CATALOGS="YES"      # no NLS catalog for csh(1) (original blank by vivek)
WITHOUT_NS_CACHING="YES"
WITHOUT_NTP="YES"
WITHOUT_OBJC="YES"              # do not build Objective C support - vivek
WITHOUT_OPENSSH="YES"           # do not build OpenSSH - vivek
WITHOUT_PF="YES"                # do not build PF firewall package
WITHOUT_PMC="YES"
WITHOUT_PPP="YES"
WITHOUT_PROFILE="YES"           # Avoid compiling profiled libraries
WITHOUT_QUOTAS="YES"
WITHOUT_RCMDS="YES"             # do not build or install BSD r* commands (rsh, etc).
WITHOUT_RCS="YES"
WITHOUT_RESCUE="YES"
WITHOUT_ROUTED="YES"
WITHOUT_SENDMAIL="YES"          # do not build sendmail and related programs
WITHOUT_SETUID_LOGIN="YES"      # - vivek
WITHOUT_SHAREDOCS="YES"         # do not build the 4.4BSD legacy docs
WITHOUT_SYSCONS="YES"
WITHOUT_SYSINSTALL="YES"
WITHOUT_TELNET="YES"
WITHOUT_USB="YES"               # do not build usbd(8) and related programs
WITHOUT_VINUM="YES"             # do not build Vinum utilities (by SirDice only)
PPP_WITHOUT_NAT="YES"           # do not build with NAT (see make.conf(5)) - vivek
PPP_WITHOUT_NETGRAPH="YES"      # do not build with Netgraph support - vivek
PPP_WITHOUT_RADIUS="YES"        # do not build with RADIUS support - vivek
PPP_WITHOUT_SUID="YES"          # build with normal permissions - vivek
WITHOUT_WIRELESS="YES"
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"
WITHOUT_ZFS="YES"
# more notes:
# Put the following lines into the /etc/fstab file, so that the
# read-only template for the jails and the read-write space will
# be available in the respective jails:
#/home/j/mroot   /home/j/ns       nullfs  ro 0 0
#/home/j/mroot   /home/j/mail     nullfs  ro 0 0
#/home/j/mroot   /home/j/www      nullfs  ro 0 0
#/home/js/ns     /home/j/ns/s     nullfs  rw 0 0
#/home/js/mail   /home/j/mail/s   nullfs  rw 0 0
#/home/js/www    /home/j/www/s    nullfs  rw 0 0
## Configure the jails in /etc/rc.conf:
#jail_enable="YES"
#jail_set_hostname_allow="NO"
#jail_list="ns mail www"
#jail_ns_hostname="ns.example.org"
#jail_ns_ip="192.168.3.17"
#jail_ns_rootdir="/usr/home/j/ns"
#jail_ns_devfs_enable="YES"
#jail_mail_hostname="mail.example.org"
#jail_mail_ip="192.168.3.18"
#jail_mail_rootdir="/usr/home/j/mail"
#jail_mail_devfs_enable="YES"
#jail_www_hostname="www.example.org"
#jail_www_ip="220.127.116.11"
#jail_www_rootdir="/usr/home/j/www"
#jail_www_devfs_enable="YES"
This is not a How-To until I learn How-To. It could be a How-To-not-start-at-the-wrong-place, to avoid wasting your lifetime before getting to do what you were after in the first place. Now you forgot, or retired.
For jail, it's: don't RTWM until it's done.
I am now a proud owner of a FreeBSD Jail! I only had to comment out the bind and then it compiled.
Can't wait to find out what other stuff can be removed from the famous Noodle/SirDice src.conf.internetz file. But I guess I've got to test it against certain programs first. This is exciting! Sometimes it takes a good talking-to to work things out, even alone. It works for me lots of times.
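In the steps above, buildworld was run without any src.conf while installworld was given SRCCONF=/root/src.conf.internetz, so the two targets saw different knob sets. The check below, added here and not part of the thread (the sample configs it writes are constructed), lists the knobs a src.conf actually turns on and diffs two such files before anything is installed into the jail root:

```shell
#!/bin/sh
# Added example, not from the thread: list the knobs a src.conf really turns
# on and diff two such files. buildworld and installworld both read src.conf,
# so the file passed as SRCCONF= to installworld should be the one buildworld
# saw; running this before "make installworld DESTDIR=/j/mroot" is cheap.

# Print the effective WITH_*/WITHOUT_*/PPP_WITHOUT_* knob names in a src.conf,
# one per line, sorted. Lines commented out with '#' and trailing comments
# are ignored; an empty value (WITH_BIND_LIBS=) still counts, because make(1)
# only tests whether the variable is defined.
srcconf_knobs() {
    sed 's/#.*//' "$1" |
    awk 'match($0, /^[ \t]*(WITH|WITHOUT|PPP_WITHOUT)_[A-Za-z0-9_]+[ \t]*[?:+]?=/) {
             knob = substr($0, RSTART, RLENGTH)
             gsub(/[ \t]|[?:+]?=/, "", knob)
             print knob
         }' |
    LC_ALL=C sort -u
}

# Report knobs present in only one of two src.conf files.
# Returns 0 when both files enable the same knob set, 1 otherwise.
# Pass /dev/null for a build that used no src.conf at all.
srcconf_mismatch() {
    tmp=$(mktemp -d) || return 2
    srcconf_knobs "$1" > "$tmp/a"
    srcconf_knobs "$2" > "$tmp/b"
    LC_ALL=C comm -23 "$tmp/a" "$tmp/b" | sed "s|^|only in $1: |"
    LC_ALL=C comm -13 "$tmp/a" "$tmp/b" | sed "s|^|only in $2: |"
    n=$(LC_ALL=C comm -3 "$tmp/a" "$tmp/b")
    rm -rf "$tmp"
    [ -z "$n" ]
}

# Constructed sample: a buildworld src.conf and an installworld src.conf that
# differ only in the commented-out BIND library knob. Returns 1 (mismatch).
demo_mismatch() {
    d=$(mktemp -d) || return 2
    printf 'WITHOUT_BIND_NAMED="YES"  # no named\n#WITH_BIND_LIBS=\nWITHOUT_GAMES="YES"\n' > "$d/build.conf"
    printf 'WITHOUT_BIND_NAMED="YES"\nWITH_BIND_LIBS=  # install libbind\nWITHOUT_GAMES="YES"\n' > "$d/install.conf"
    srcconf_mismatch "$d/build.conf" "$d/install.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Running `srcconf_mismatch /dev/null /root/src.conf.internetz` lists every knob installworld would apply that a plain buildworld never saw.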
Act Now! Jail Offer still stands.
Thanks for being here
40GB   ad4    = Total on 1-Trig
0178MB ad4s1f = Minimum Install on usr
0181MB ad4s1f = with usr/bash/bash
0077MB ad4s1a = new kernel & mod, old removed
1982MB ad4s1f = with src + buildworld 1 1/2 hour
0219MB ad4s1a = 142MB increase
usr/share was more than active. I think a lot of stuff should be removed from source since it may never be used by a web or mysql server.
Why not... Time to google about it. I read the smaller the better.
Last edited by sharris; 15th May 2011 at 02:54 AM.
Yes nilsgecko, thanks to all the work many people have done around the world to show most of the puzzle, but I don't know why things are so complicated by the many ways of doing jail. Even ez-jail seems complicated because it talks flavors but it doesn't tell me it creates a full jail and not a tiny service jail. I found that info elsewhere last night, after a year of wondering (it comes nothing close to what's in the handbook).
That's why I feared doing anything until now. I learned dd'ing for nearly anything fairly well. Now I simply replace that tiny 40GB partition in under 15 minutes with AMD-64. I do that under an ARCH install on a tiny (1035MB) Extended-5 partition and saved it on a gigantic Extended-8 Ext-2 and Extended-9 Fat-32 just because it costs me nothing to <cp -prv> it to the fat32 partition or the reverse. I copy the best to a flash stick and pocket it. You can rob me of my money, you can take my ugly wife and ALL my spoiled kids .. but if you take my flash-stick, I can only promise you this:
That's why it's only 40GB on a 1-Trig HDD. I have 2 more big primary partitions next to FreeBSD in waiting. If things go well I simply <newfs -U /dev/ad4s2> and use that for more space for whatever, and/or more jails... cool planning, hey!
But still it makes no sense with all of these complicated ways to do jail when all you have to do is this, then carefully gut the mroot down to size manually and remove certain libraries and bsd programs ... (if a hacker enters, he'll be pissed off that he has no tools to work with.. he has to go home and make some noise just to bring some back with him, or the reverse). heehee
Anyway, now you also delete those empty directories in the share and everywhere else except /var, if any. Now you have fewer places for the hacker to hide his sh^t, just in case you missed that 200MB worth of network noise.
Keep this as your template and use cpdup to copy it elsewhere, where you add your needed service for each. I even found a better way for free. It's about simply changing permissions and resetting them once moved. I've been wanting to do this from day 1. Now I know it can be done and you get <fsck> defrag of 0 for free, just like I thought. This was my biggest dream and it's about to come true. We all have our trips. This was mine and very few others', according to google.
Big deal about more disk space wasted per jail. This is not the tiny 80x4 MB HDD most docs were written for back in the 80's and 90's. Heck, I bet your jail template can be as small as 35MB-100MB if you gut it properly, but no one tells you that on the net. I think Apache only needs libc and FreeBSD's fantastic network stack-plus. I want as much total jail independence as possible, and who cares about 10MB-100MB of memory wasted each. 4 - 8 GB of RAM is standard these days. .. with 4GB you can get up to one million static connections for web-page viewing. A full install of FreeBSD itself only uses under 10MB of RAM and 2% of CPU, (but don't ask, your answer may be "WHY"? THE-END again.)
# cd /usr/src
# make buildworld
# make installworld
Now to the Good Part:
Out of all the complicated ways I found while googling that scared the life out of me all year long, I really like what this guy is talking about, and he chose the old-fashioned FreeBSD way, but he leaves out no important details that the user is concerned about. I found it yesterday .. I'll be trying it tomorrow after I get this jail of jails gutted, cleaned up and tucked away (dd and saved).
But now we got jail2. Maybe that's why the easy way works, but nobody ever goes into details but this guy, Mr. Kris Zentner. It's like a one-on-one conversation with words to live by.
I usually be speculating as I spit out my ideas. If all is well, cool, but if I am wrong I need to be told. Time to go to work. I'll take my time so I can do it right the first time, especially just to remember until I find the best way and WHY. Bottom line, there better be a reason.
Last edited by sharris; 17th May 2011 at 04:59 AM.
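The post above gets its value from gutting the mroot template so that little is left for an intruder to use, then cloning it with cpdup. The audit below, added here and not part of the thread (the tool list and the sample tree are constructed), checks a template for the two things most worth verifying before it is cloned: setuid/setgid files that survived the gutting, and network or build tools you meant to remove.

```shell
#!/bin/sh
# Added example, not from the thread: audit a gutted jail template (the
# "mroot" above) before it is cloned with cpdup. Reports setuid/setgid files
# still present and the network/build tools you meant to strip, so the
# "no tools for the intruder" goal is verified rather than assumed.

# Every setuid or setgid regular file under the jail root, one path per line.
jail_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# Constructed list of binaries a web or database service jail does not need.
JAIL_UNWANTED_TOOLS="fetch ftp telnet nc cc gcc make gdb tftp"

# Print "tool relative/path" for each unwanted tool still executable in the
# usual binary directories under the jail root.
jail_leftover_tools() {
    for t in $JAIL_UNWANTED_TOOLS; do
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            [ -x "$1/$dir/$t" ] && echo "$t $dir/$t"
        done
    done
    return 0
}

# Print the findings; return 0 when the template is clean, 1 otherwise.
jail_audit() {
    s=$(jail_setuid_files "$1")
    l=$(jail_leftover_tools "$1")
    [ -n "$s" ] && printf 'setuid/setgid files:\n%s\n' "$s"
    [ -n "$l" ] && printf 'leftover tools:\n%s\n' "$l"
    [ -z "$s" ] && [ -z "$l" ]
}

# Constructed sample tree: a setuid binary and a leftover fetch(1); returns
# the audit status (1, because both findings are present).
demo_audit() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/usr/bin" "$d/usr/sbin"
    : > "$d/usr/bin/fetch" && chmod 755 "$d/usr/bin/fetch"
    : > "$d/usr/sbin/pw" && chmod 4755 "$d/usr/sbin/pw"
    jail_audit "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `jail_audit /j/mroot` on the template and again on each cpdup copy; a non-zero exit means something was left behind.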