
Virtualization with FreeBSD Jails

Configuring the Jail

Next, read the part of the man page titled "Configuring the Jail." It will tell you how to configure a few settings within the jail. I made these changes to the jail directly from the host environment (that is, I did not start the jail; I modified the files from outside). These are things I changed, but I can't point to a man page as to why it's a good thing to do these things:



  • adjkerntz. I'm not sure about this. I commented out the /etc/crontab entry for adjkerntz within the jail environment. If you don't do this, you'll see this type of notification from cron via email:

    adjkerntz[11643]: sysctl(put_wallclock): Operation not permitted
  • /etc/ssh. I was actually duplicating an existing physical machine into this environment. Therefore, copying over the keys from this directory will avoid "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning messages. If you are creating a new environment, you don't have to worry about this step.

Starting the Jail for the First Time

From man jail, to start a jail, issue the command:

[root@mtwenty:/home/dan] # jail /usr/jails/192.168.0.155 bacula.example.org 192.168.0.155\
    /bin/sh
#

That prompt (#) indicates you are now in the jail environment. Now you can run the start up processes:

# sh /etc/rc
Loading configuration files.
bacula.example.org
Setting hostname: bacula.example.org.
Generating nsswitch.conf.
Generating host.conf.
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Starting local daemons:.
Updating motd.
/etc/rc: WARNING: Setting entropy source to blocking mode.
====================================================
Type a full screenful of random junk to unblock
it and remember to finish with Enter. This will
timeout in 300 seconds, but waiting for
the timeout without typing junk may make the
entropy source deliver predictable output.

Just hit Enter for fast+insecure startup.
====================================================
kern.random.sys.seeded: 1
jalkjlkajdflkajdfl iur opiquv dropuivwaopieuaoijdfl;uiop9^[[12~84718e0
r9invpfinadfpisad;ifsda;lsajdfl lk;kasf;kladfs
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
5c:48:47:4f:e0:c5:a2:ed:71:bc:83:b5:42:3f:95:e4 root@bacula.example.org
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
4d:bb:af:fa:b1:4b:43:cc:47:b6:78:44:ad:4e:ef:1f root@bacula.example.org
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
9b:b5:26:98:f8:0d:da:bb:2c:57:75:d1:c4:58:52:c1 root@bacula.example.org
Starting sshd.
Starting cron.
Local package initialization:.

Sun Sep 11 17:22:42 EDT 2005
#

For the most part, this looks exactly like a normal startup.

I had some problems with ps:

# ps auwx
ps: bad namelist

This usually indicates a kernel that is not in sync with world. To fix this problem, I repeated some of the steps under man 8 jail:

# make distribution DESTDIR=$D
# mount_devfs devfs $D/dev
# cd $D
# ln -sf dev/null kernel

In hindsight, I think I missed the mount_devfs step. Symptoms included getting logged in by ssh, but then the screen would freeze. Performing these steps fixed that problem.

Starting and Stopping the Jail Automagically

I found an interesting tool for starting and stopping a jail: sysutils/jailutils. I installed it in the host environment.

Using this tool, I created this start/stop script:

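#!/bin/sh
# Start or stop the jail rooted at /usr/jails/192.168.0.155 using
# jstart and jkill from sysutils/jailutils.

case "$1" in
   start)
       # Mount devfs and procfs inside the jail root, then run /etc/rc in a new jail.
       mount_devfs devfs /usr/jails/192.168.0.155/dev     && \
       mount -t procfs proc /usr/jails/192.168.0.155/proc && \
       /usr/local/sbin/jstart /usr/jails/192.168.0.155 bacula.example.org 192.168.0.155 \
          /bin/sh /etc/rc > /dev/null && echo -n ' jail bacula.example.org'
       ;;
   stop)
       # Kill the jail's processes, then unmount in the reverse order of start.
       /usr/local/sbin/jkill bacula.example.org > /dev/null && echo -n ' jail' && \
       umount /usr/jails/192.168.0.155/proc && \
       umount /usr/jails/192.168.0.155/dev
       ;;
   *)
       # Unknown argument: print usage and report failure.
       echo "Usage: `basename $0` {start|stop}" >&2
       exit 1
       ;;
esac

exit 0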

This is a very limited script. It doesn't check that a jail is already running before starting it. That would be a nice addition. If you want to add it, I look forward to your patch.
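
One way to add the missing "already running" check, as an added example that is not part of the original article or of jailutils. It assumes the host provides jls(8) with its default four-column output; the function names (jail_listed, mounted_on, plan_start, start_jail) and the sample text are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the article): decide what a repeated "start" still
# has to do. Assumes jls(8)'s default columns: JID, IP Address, Hostname, Path.
JAIL_ROOT=/usr/jails/192.168.0.155
JAIL_HOST=bacula.example.org
JAIL_IP=192.168.0.155

# Succeeds if jls-style text on stdin lists a jail rooted at exactly $1.
# The Path column is compared, not the hostname: root inside a jail can
# rename it while security.jail.set_hostname_allowed is 1.
jail_listed() {
    awk -v root="$1" 'NR > 1 && $4 == root { hit = 1 } END { exit !hit }'
}

# Succeeds if mount(8)-style text on stdin shows a filesystem on exactly $1.
mounted_on() {
    awk -v dir="$1" '$2 == "on" && $3 == dir { hit = 1 } END { exit !hit }'
}

# plan_start JLS_TEXT MOUNT_TEXT: print the steps that are still needed.
plan_start() {
    if printf '%s\n' "$1" | jail_listed "$JAIL_ROOT"; then
        echo already-running
        return 0
    fi
    printf '%s\n' "$2" | mounted_on "$JAIL_ROOT/dev"  || echo mount-devfs
    printf '%s\n' "$2" | mounted_on "$JAIL_ROOT/proc" || echo mount-procfs
    echo jstart
}

# start_jail: what the start) branch would call on the host.
start_jail() {
    for step in $(plan_start "$(jls)" "$(mount)"); do
        case "$step" in
            already-running) echo "jail $JAIL_HOST is already running" >&2; return 1 ;;
            mount-devfs)  mount_devfs devfs "$JAIL_ROOT/dev" || return 1 ;;
            mount-procfs) mount -t procfs proc "$JAIL_ROOT/proc" || return 1 ;;
            jstart) /usr/local/sbin/jstart "$JAIL_ROOT" "$JAIL_HOST" "$JAIL_IP" \
                        /bin/sh /etc/rc > /dev/null || return 1 ;;
        esac
    done
}

# Constructed sample input (not captured from a real host).
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     3  192.168.0.155   bacula.example.org            /usr/jails/192.168.0.155'
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
devfs on /usr/jails/192.168.0.155/dev (devfs, local)'
```

Skipping mounts that are already present also keeps a retried start from stacking a second devfs or procfs on the jail's directories after a partial failure.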

In addition, you might want to add this to the host environment's /etc/sysctl.conf:

security.jail.set_hostname_allowed

Under 4.*, this variable had a slightly different name.

Jails Run Well

Jails run virtual machines very well. They look very much like real systems. You must look pretty close to be able to tell you're in a jail. My jail allows the Bacula developers to have a machine of their own. It also allows me to keep their work totally separate from my own.

You can use a jail to deal with security issues and to increase the utilization of an existing machine while giving everyone their own virtual machine. There's no reason why you couldn't run many different jails on the same computer.

Dan Langille runs a consulting group in Ottawa, Canada, and lives in a house ruled by felines.

