freebsd:jails
Setting up Host
- disable syslogd's network access with the -ss flag
sysrc syslogd_flags="-ss"
- bind sshd to a specific IP
- /etc/ssh/sshd_config
ListenAddress 10.0.0.1
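A small audit for the two host settings above, added here as an example (not part of the original wiki page). The rc.conf and sshd_config paths are parameters so the checks can be run against copies; the sample files in the usage below are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the host hardening above
# against a given rc.conf and sshd_config. Paths are parameters so the
# checks can run against copies of the real files.

# syslogd_flags must contain the -ss token: -ss opens no network socket at
# all, whereas a bare -s only refuses remote log messages.
syslogd_local_only() {
    flags=$(sed -n 's/^syslogd_flags=//p' "$1" | tail -n 1 | tr -d '"')
    for tok in $flags; do
        [ "$tok" = "-ss" ] && return 0
    done
    return 1
}

# sshd must have at least one ListenAddress and none of them may be a
# wildcard (0.0.0.0 or ::); commented-out lines are ignored.
sshd_bound_to_specific_ip() {
    addrs=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|'[::]'*) return 1 ;;
        esac
    done
    return 0
}

# Print one PASS/FAIL line per check; return 1 if any check fails.
audit_host() {
    rc="${1:-/etc/rc.conf}"
    sshd="${2:-/etc/ssh/sshd_config}"
    status=0
    if syslogd_local_only "$rc"; then
        echo "PASS syslogd_flags contains -ss"
    else
        echo "FAIL syslogd may open a network socket (sysrc syslogd_flags=\"-ss\")"
        status=1
    fi
    if sshd_bound_to_specific_ip "$sshd"; then
        echo "PASS sshd has a specific ListenAddress"
    else
        echo "FAIL sshd listens on all addresses (set ListenAddress in $sshd)"
        status=1
    fi
    return $status
}

# Usage on the host (constructed sample paths shown; defaults are the live files):
#   audit_host /etc/rc.conf /etc/ssh/sshd_config
```

Run `audit_host` with no arguments on the jail host after applying the two settings; a non-zero exit means at least one of them is not in effect.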
To Do:
sysrc jail_enable="YES"
service jail enable
- /etc/jail.conf
$j="/jails";
# "path" is the jail parameter; a leading "$" would only define a variable
path="$j/$name";
host.hostname="$name.domain.com";
mount.devfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

examplehost {
    ip4.addr="10.0.0.70";
}
Create zfs jail base
zfs create -o quota=30G zroot/jails/BASE_12.2-STABLE
cd /usr/src
make installworld DESTDIR=/jails/BASE_12.2-STABLE
make distribution DESTDIR=/jails/BASE_12.2-STABLE
Configure zfs jail base
touch /jails/BASE_12.2-STABLE/etc/fstab
cp /etc/localtime /jails/BASE_12.2-STABLE/etc/
cp /etc/resolv.conf /jails/BASE_12.2-STABLE/etc/
echo 'sendmail_enable="NO"' >> /jails/BASE_12.2-STABLE/etc/rc.conf
echo 'ntpd_enable="NO"' >> /jails/BASE_12.2-STABLE/etc/rc.conf
echo 'sshd_enable="YES"' >> /jails/BASE_12.2-STABLE/etc/rc.conf
- jails don't use fstab, but some programs expect the file to exist
touch /jails/BASE_12.2-STABLE/etc/fstab
- jails will probably be in the same timezone as the host
cp /etc/localtime /jails/BASE_12.2-STABLE/etc/
- no need to configure DNS servers separately; reuse the host's
cp /etc/resolv.conf /jails/BASE_12.2-STABLE/etc/
- don't need sendmail (single quotes keep the inner double quotes in rc.conf)
echo 'sendmail_enable="NO"' >> /jails/BASE_12.2-STABLE/etc/rc.conf
- no need to run ntpd since a jail cannot change the system time
echo 'ntpd_enable="NO"' >> /jails/BASE_12.2-STABLE/etc/rc.conf
- enable sshd
echo 'sshd_enable="YES"' >> /jails/BASE_12.2-STABLE/etc/rc.conf
Install typical packages, add a user, install dotfiles, copy keys.
- install packages into the running BASE jail
jexec -l BASE pkg install nano zsh git-lite
- add the user sleepy (adduser is interactive and takes no username argument)
jexec -l BASE adduser
- clone and install dotfiles, as sleepy and as root
jexec -l -U sleepy BASE git clone https://gitlab.com/ikiryuta/dotfiles.git
jexec -l -U sleepy BASE /home/sleepy/dotfiles/install_links.sh
jexec -l BASE /home/sleepy/dotfiles/install_links.sh
- set root's shell (chsh needs the absolute path of the pkg-installed zsh)
jexec -l BASE chsh -s /usr/local/bin/zsh
- copy the jail-only authorized_keys from the host user and fix ownership and modes
jexec -l -u sleepy BASE mkdir /home/sleepy/.ssh
cp ~sleepy/.ssh/authorized_keys_jails /jails/BASE_12.2-STABLE/home/sleepy/.ssh/authorized_keys
jexec -l BASE chown -R sleepy:sleepy /home/sleepy/.ssh
jexec -l BASE chmod 700 /home/sleepy/.ssh
jexec -l BASE chmod 600 /home/sleepy/.ssh/authorized_keys
Snapshot the BASE jail
zfs snapshot zroot/jails/BASE_12.2-STABLE@CLEAN_JAILS_BASE
Create jail
- create new jail dataset
zfs clone zroot/jails/BASE_12.2-STABLE@2020-09-21_12.2-PRERELEASE_clean zroot/jails/python
- add entry to /etc/jail.conf for new jail
- /etc/jail.conf
python {
    ip4.addr="10.0.0.50";
}
- add an IP alias for the new jail to /etc/rc.conf
- /etc/rc.conf
ifconfig_igb0_alias2="inet 10.0.0.50 netmask 255.255.255.0"
or
- /etc/rc.conf
ifconfig_igb0_aliases="inet 10.0.0.49-69 netmask 255.255.255.0"
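The "Create jail" steps above (clone the BASE snapshot, add a jail.conf stanza, add an rc.conf alias) as one checked procedure, added here as an example and not part of the original wiki page. It assumes the page's own layout: zroot/jails mounted at /jails, the BASE snapshot name from the snapshot step, NIC igb0 and a /24 netmask (all overridable through environment variables). With DRY_RUN=1, the default, the zfs, ifconfig and service commands are only printed; the jail.conf and rc.conf paths are parameters so the file edits can be rehearsed on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the wiki page): create a jail from the BASE
# snapshot with the same three artifacts the page adds by hand, plus the
# input checks a practitioner would want before editing /etc by script.

BASE_SNAP="${BASE_SNAP:-zroot/jails/BASE_12.2-STABLE@CLEAN_JAILS_BASE}"
JAIL_POOL="${JAIL_POOL:-zroot/jails}"
NIC="${NIC:-igb0}"
NETMASK="${NETMASK:-255.255.255.0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print privileged commands, 0 = run them

# Print privileged commands in dry-run mode, execute them otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Jail names become dataset names, hostnames and jail.conf keys, so allow
# only [A-Za-z0-9_-]: no '/', '..', quotes or braces can sneak in.
valid_jail_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The stanza the page adds to /etc/jail.conf for each jail.
jail_conf_stanza() {
    printf '%s {\n    ip4.addr = "%s";\n}\n' "$1" "$2"
}

# One rc.conf alias line; $1 = alias index, $2 = IP.
rc_alias_line() {
    printf 'ifconfig_%s_alias%s="inet %s netmask %s"\n' "$NIC" "$1" "$2" "$NETMASK"
}

# Next free ifconfig_<nic>_aliasN index in the given rc.conf (0 if none).
next_alias_index() {
    max=$(grep -o "^ifconfig_${NIC}_alias[0-9]*" "$1" 2>/dev/null |
          sed 's/.*alias//' | sort -n | tail -n 1)
    echo $(( ${max:--1} + 1 ))
}

# create_jail NAME IP [JAIL_CONF] [RC_CONF]
create_jail() {
    name="$1"; ip="$2"
    jail_conf="${3:-/etc/jail.conf}"; rc_conf="${4:-/etc/rc.conf}"

    valid_jail_name "$name" || { echo "create_jail: bad jail name '$name'" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "create_jail: bad IPv4 address '$ip'" >&2; return 1; }
    if grep -q "^${name}[[:space:]]*{" "$jail_conf" 2>/dev/null; then
        echo "create_jail: $name is already defined in $jail_conf" >&2; return 1
    fi
    # Refuse an address already given to another jail or alias (a range alias
    # such as ifconfig_igb0_aliases cannot be checked this way).
    if grep -q "\"$ip\"" "$jail_conf" 2>/dev/null || grep -q "inet $ip " "$rc_conf" 2>/dev/null; then
        echo "create_jail: $ip is already assigned" >&2; return 1
    fi

    idx=$(next_alias_index "$rc_conf")
    run zfs clone "$BASE_SNAP" "$JAIL_POOL/$name"
    jail_conf_stanza "$name" "$ip" >> "$jail_conf"
    rc_alias_line "$idx" "$ip" >> "$rc_conf"
    run ifconfig "$NIC" inet "$ip" netmask "$NETMASK" alias   # bring the alias up now
    run service jail start "$name"
}
```

Rehearse with `create_jail python 10.0.0.50 /tmp/jail.conf /tmp/rc.conf` on copies first; on the host run `DRY_RUN=0 create_jail python 10.0.0.50` as root to perform the page's steps for real.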
To Do
- create ZFS dataset with 20% reserve quota
- zfs create -o quota=300G -o mountpoint=/jails zroot/jails
- disable syslogd's network access with -ss
- sysrc syslogd_flags="-ss"
- bind SSHd to specific IP
- /etc/ssh/sshd_config
ListenAddress 10.0.0.1
