==Making images for jailing on FreeBSD (6.1)==
by Nathan Butcher 2006.12.6

Some variables which will differ depending on your environment/desires:-

$HOST_IP (Ip address of interface on server)
$HOST_INTERFACE (interface on the host server on which you will create an alias for the jail)

$JAIL_IP (IP address for jail)
$JAIL_HOSTNAME (hostname for the jail)

##################

Create an image for jailing (a 4GB example).
Change the count to your preferred image size.
I'm calling this image "4gbjail.img".
With bs=1k, a count of 1024k gives 1GB, so multiply the number of GB you need by 1024 (duh..)

	# dd if=/dev/zero of=4gbjail.img bs=1k count=4096k

Attach the blank image file to a memory-disk device node (giving it unit number 0).
It should now appear as /dev/md0 (since it has unit 0; with another unit number the device name changes accordingly).

	# mdconfig -a -t vnode -f 4gbjail.img -u 0

Autolabel the image. This creates some semblance of a partition table on the image, although nothing formatted yet.

	# disklabel -r -w md0 auto

Create initial file system on it, otherwise we can't mount or use the image.

	# newfs /dev/md0

Create a mount directory so we have a place to park our images, then finally mount the new image

	# mkdir -p /mnt/jail/0
	# mount /dev/md0 /mnt/jail/0

******
Set up the image for use

Mount the empty image 

	# mdconfig -a -t vnode -f 4gbjail.img -u 0
	# mount /dev/md0 /mnt/jail/0

Build FreeBSD system into mounted image

	# cd /usr/src
	# make world DESTDIR=/mnt/jail/0
	# make distribution DESTDIR=/mnt/jail/0

Mount dev onto image

	# mount_devfs devfs /mnt/jail/0/dev

Add fake kernel link

	# cd /mnt/jail/0
	# ln -sf /dev/null kernel

On the HOST machine (not the jail), edit rc.conf so that host services do not conflict with the aliased IP addresses used by the jails (inetd is bound to the host's own IP only, leaving the jail's address free):

	# vi /etc/rc.conf
-------------------------------------
sendmail_enable="NO"
inetd_flags="-wW -a $HOST_IP"
rpcbind_enable="NO"
-------------------------------------

Jump into jailed environment and set it up with sysinstall

	# jail /mnt/jail/0 $JAIL_HOSTNAME $JAIL_IP /bin/sh

(jail)	# sysinstall

	FIX: Timezone, Console

Edit resolv.conf (so we can get DNS lookups)

(jail)	# vi /etc/resolv.conf
(jail)	# exit

Set up an IP alias for your jailed environment. 
It will share an interface with your host machine, but the IP will differ (and point to your jailed environment)

	# ifconfig $HOST_INTERFACE inet alias $JAIL_IP 255.255.255.255

Mount proc into the jailed environment

	# mount -t procfs proc /mnt/jail/0/proc

Jump into the jailed environment, and have fun setting things up for later use.

	# jail /mnt/jail/0 $JAIL_HOSTNAME $JAIL_IP /bin/sh

You may want to sysinstall again now and get all the packages you want, or optionally install ports and the BSD sources. 
You can now tailor a system image for mass production.

At this point you will probably want to back up your jail image. From here on in, we will be customizing the images per jail owner/customer.

************
To unmount the image (obviously enough)

	# umount /mnt/jail/0

And to remove it as a device node

	# mdconfig -d -u 0

Backup your image

	# cp 4gbjail.img /root/backup/4gbjail.img

And remount it again

	# mdconfig -a -t vnode -f 4gbjail.img -u 0
	# mount /dev/md0 /mnt/jail/0

*********
Adding users/passwords/ssh-keys

Now you can create appropriate root and user accounts (and passwords) for your jail.
Doing this over multiple jail mounts is actually easy if you use the -V option of "pw usermod". 
It lets you choose the etc directory the user information will be written to. 
In this case we edit the user and password files which are inside our mounted jails. 
"-h 0" reads the new password from standard input (file descriptor 0); unfortunately, you aren't asked to retype the password for confirmation with this command, so be careful. 
This can also be lodged in a script.

	# pw usermod -V /mnt/jail/0/etc root -h 0
	# pw usermod -V /mnt/jail/0/etc admin -h 0

etc.

The following command will start the jail:

**IMPORTANT NOTE** 
If you are making an image for production, do NOT do this until you are finished building and backing up your "production-use" image. 
Kickstarting the jail will initialize ssh key generation for that particular image (assuming you enabled it)
You don't want to dirty your production image with pre-generated keys.

	# jail /mnt/jail/0 $JAIL_HOSTNAME $JAIL_IP /bin/sh /etc/rc

******
To shutdown the jail:

Jails can be shut down by issuing a "kill -TERM" to the jailed processes 
(these processes carry a "J" flag if you view the output of "ps -ax"). 
That's a bit messy, but there happens to be a "jkill" command in the ports collection 
( /usr/ports/sysutils/jkill ) which makes this process a lot simpler. 

The jkill command acts a lot like the "shutdown" command, except that it works on jailed environments. 
(Issuing "shutdown" inside a jail does nothing.)

That's the gist of it basically.

##################

In order to manage your jails, you may need to develop a custom script to handle them, especially if you have many of them. 
You will also need to mount devfs and procfs every time you mount a jail, so keep that in mind. 

Mounting jail ---->

	# mdconfig -a -t vnode -f 4gbjail.img -u 0
	# mount /dev/md0 /mnt/jail/0
	# mount_devfs devfs /mnt/jail/0/dev
	# mount -t procfs proc /mnt/jail/0/proc
	# jail /mnt/jail/0 $JAIL_HOSTNAME $JAIL_IP /bin/sh /etc/rc

Unmounting jail ---->

	# jkill -h $JAIL_HOSTNAME
	# umount /mnt/jail/0/proc
	# umount /mnt/jail/0/dev
	# umount /mnt/jail/0
	# mdconfig -d -u 0
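The kind of management script the text suggests, as an added example (not code from the original page): it wraps the mounting and unmounting sequences above, and adds a check for the IMPORTANT NOTE earlier about not backing up an image that has already generated SSH host keys. JAIL_ROOT, DRY_RUN and the function names are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original page: a small management script
# wrapping the mount/unmount sequence above, plus a check for the IMPORTANT
# NOTE on pre-generated SSH host keys. JAIL_ROOT and DRY_RUN are assumptions.

JAIL_ROOT=${JAIL_ROOT:-/mnt/jail}

# Execute a command, or only print it when DRY_RUN is set.
run() {
	if [ -n "$DRY_RUN" ]; then
		printf '%s\n' "$*"
	else
		"$@"
	fi
}

# jail_up UNIT IMAGE HOSTNAME IP: attach the image, mount devfs and procfs,
# then start the jail's rc (the "Mounting jail" sequence above).
jail_up() {
	unit=$1; img=$2; host=$3; ip=$4
	dir=$JAIL_ROOT/$unit
	run mdconfig -a -t vnode -f "$img" -u "$unit"
	run mount "/dev/md$unit" "$dir"
	run mount_devfs devfs "$dir/dev"
	run mount -t procfs proc "$dir/proc"
	run jail "$dir" "$host" "$ip" /bin/sh /etc/rc
}

# jail_down UNIT HOSTNAME: stop the jail with jkill (flags as used on the
# page), then unmount in the reverse order of jail_up so nothing is left busy.
jail_down() {
	unit=$1; host=$2
	dir=$JAIL_ROOT/$unit
	run jkill -h "$host"
	run umount "$dir/proc"
	run umount "$dir/dev"
	run umount "$dir"
	run mdconfig -d -u "$unit"
}

# image_is_clean DIR: fails (returns 1) if the mounted image under DIR already
# carries SSH host keys, i.e. its rc has been run once and it must not be
# backed up as the production template.
image_is_clean() {
	for k in "$1"/etc/ssh/ssh_host_*key; do
		[ -e "$k" ] && return 1
	done
	return 0
}
```

Run image_is_clean against the mounted image directory before taking the backup copy, and jail_up/jail_down with the unit number, image file, hostname and IP of each jail.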

#######################

Jail Maintenance

When a jail is running, you should use the "jexec" command to enter a jail and do maintenance. 
First of all, you need to find out the jail ID of the jail you want to enter with the "jls" command:

        # jls

And you should see something like this:-

   JID  IP Address      Hostname                  Path
     1  192.168.1.1     jail1.somedomain.com      /jail/1

Now that we have determined that the jail we want to enter has an ID of 1, 
we can jump into that jail with the following command:

        # jexec 1 /bin/sh
