FreeBSD 14.2: Jail Install

Jail

A jail is a mechanism that lets several virtual FreeBSD environments run on one FreeBSD host.
A jail is an extension of chroot: a jail environment (called a prisoner) built on the host (called the jailer) behaves as a FreeBSD machine running separately from the host environment.
A prisoner cannot directly access the jailer or another prisoner running alongside it.

Features of JAIL
・Fast, because nothing is emulated.
・Each prisoner can be assigned an IP address different from the jailer's.
・Because the jailer and the prisoners share one file system, UID/GID assignment needs care.

This time, two prisoners (prisoner1 and prisoner2) are built on the jailer (FreeBSD 14.2).

Building Jail

1. Creation of the PRISONER base directory
Create a directory (jail) that will hold the root directories of prisoner1 and prisoner2. Here it is created under /home, but any location will do.

2. Base System Installation
Install the base system into prisoner1 and prisoner2: download base.txz from the FreeBSD repository and extract it into each prisoner's root directory.

3. Copy /etc/resolv.conf
Create a "resolv.conf" file for prisoner1 and prisoner2 so that name resolution works.
Since the contents of "resolv.conf" are the same as the jailer's, copy the file from the jailer side.

4. Suppress kernel-related log output in the prisoner
Edit "syslog.conf" so that kernel messages are not written to the logs of prisoner1 and prisoner2.

5. Stopping adjkerntz
Edit the crontab so that each prisoner's cron does not set the kernel time zone.
(The jailer's cron already sets the kernel time zone periodically, so the prisoner's cron does not need to.)

6. Settings for PRISONER name resolution
Edit "hosts" so that prisoner1 and prisoner2 can resolve their own names.
Add the IP address and FQDN pair assigned to prisoner1 and to prisoner2.

7. Setting up the jailer and prisoners so that UID/GIDs do not overlap
In a jail the jailer and every prisoner share a single file system, so if a UID/GID used on the jailer side is reused unchanged on the prisoner side, the jailer-side user can treat the prisoner-side user's files as his or her own: a jailer user and a prisoner user with the same UID/GID are treated as the same user. It is therefore necessary to assign non-overlapping UID/GIDs to the jailer and to each prisoner.

※ However, predefined users such as "root" and users added by ports such as "pgsql" and "postfix" receive the same UID/GID on the jailer and on the prisoner.
To change the UID/GID of these users, edit it directly with "vipw".
(Changing a UID/GID with "vipw" does not update the ownership of the files belonging to these users, so they must be fixed with chown/chgrp.)

8. Mounting devfs for prisoner1 and prisoner2
Mount devfs on each prisoner's dev directory so that devices are available inside each prisoner.

9. Settings in PRISONER
Use "chroot" to enter the root directory of PRISONER1 and PRISONER2 and configure the settings there.
(Use "exit" to return to the jailer side from the chrooted directory.)

Finally, in each one, set the root password of that prisoner (it is distinct from the jailer's root password).
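As an added example (not code from the original page), the following POSIX sh script carries out steps 1 to 9 for one prisoner root on the jailer. It assumes that the jails live under /home/jail, that base.txz for 14.2-RELEASE/amd64 is fetched from download.freebsd.org, that prisoner N gets UIDs from N*10000 upward, that the page's syslog.conf edit is done by rewriting the kern priorities to kern.none, and that non-interactive user creation uses pw -V in place of vipw; the addresses, host names and the "admin" user are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page: prepare one prisoner root on the
# jailer (steps 1-9). Assumptions: jails under /home/jail, 14.2-RELEASE/amd64,
# base.txz from download.freebsd.org; addresses and names are constructed.
set -eu

JAIL_BASE="${JAIL_BASE:-/home/jail}"
RELEASE="${RELEASE:-14.2-RELEASE}"
BASE_URL="https://download.freebsd.org/releases/amd64/${RELEASE}/base.txz"

# Portable in-place edit (BSD and GNU sed differ on -i): edit_file FILE SEDARGS...
edit_file() {
    f="$1"; shift
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 1: the root directory of a prisoner.
prisoner_root() { printf '%s/%s\n' "$JAIL_BASE" "$1"; }

# Step 2: fetch base.txz once, then extract it keeping permissions and flags (-p).
install_base() {
    mkdir -p "$1"
    [ -f "$JAIL_BASE/base.txz" ] || fetch -o "$JAIL_BASE/base.txz" "$BASE_URL"
    tar -xpJf "$JAIL_BASE/base.txz" -C "$1"
}

# Step 3: the prisoner uses the jailer's resolvers.
copy_resolv() { cp /etc/resolv.conf "$1/etc/resolv.conf"; }

# Step 4: a prisoner has no kernel of its own, so route kern.* nowhere.
# Assumption: the page's edit is implemented as kern.warning/kern.debug -> kern.none.
quiet_syslog() {
    edit_file "$1/etc/syslog.conf" -e 's/kern\.warning/kern.none/; s/kern\.debug/kern.none/'
}

# Step 5: comment out the adjkerntz entry; the jailer's cron already sets the
# kernel time zone.
disable_adjkerntz() {
    edit_file "$1/etc/crontab" -e '/^[^#].*adjkerntz/s/^/#/'
}

# Step 6: hosts entry "IP FQDN shortname" so the prisoner resolves its own name.
hosts_entry() { printf '%s %s %s\n' "$1" "$2" "${2%%.*}"; }
add_host() { hosts_entry "$2" "$3" >> "$1/etc/hosts"; }   # add_host ROOT IP FQDN

# Step 7: UIDs that never collide with the jailer (assumed to stay below 10000):
# prisoner 1 gets 10001-19999, prisoner 2 gets 20001-29999, and so on.
prisoner_uid() { echo $(( $1 * 10000 + $2 )); }   # prisoner_uid INDEX N
# pw -V edits the passwd/group files under ROOT/etc instead of the jailer's.
add_user() {   # add_user ROOT NAME UID
    pw -V "$1/etc" groupadd "$2" -g "$3"
    pw -V "$1/etc" useradd "$2" -u "$3" -g "$2" -d "/home/$2" -s /bin/sh
}

# Step 8: devfs for the prisoner (jail.conf's mount.devfs also does this at start).
mount_devfs() { mount -t devfs devfs "$1/dev"; }

# Step 9: finish inside the prisoner with chroot; passwd prompts for root's password.
set_root_password() { chroot "$1" passwd root; }

build_prisoner() {   # build_prisoner NAME INDEX IP FQDN
    root=$(prisoner_root "$1")
    install_base "$root"
    copy_resolv "$root"
    quiet_syslog "$root"
    disable_adjkerntz "$root"
    add_host "$root" "$3" "$4"
    add_user "$root" admin "$(prisoner_uid "$2" 1)"
    mount_devfs "$root"
    set_root_password "$root"
}

# Usage (run as root on the jailer):
#   sh mkprisoner.sh build prisoner1 1 192.168.11.101 prisoner1.example.com
#   sh mkprisoner.sh build prisoner2 2 192.168.11.102 prisoner2.example.com
if [ "${1:-}" = build ]; then
    build_prisoner "$2" "$3" "$4" "$5"
fi
```

The file edits are written as small functions that take the prisoner root as their argument, so each step can be re-run on its own against a prisoner that already exists, and the UID offset makes the step 7 rule (no UID/GID shared between jailer and any prisoner) mechanical instead of something to remember while editing with vipw.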

10. Configuration for starting the jail environment
On the jailer side, set the IP address, FQDN, etc. to be assigned to prisoner1 and prisoner2.
Add the following to the end of "/etc/rc.conf".
Replace em0 with the name of the network interface on your own machine.

"jail_sysvipc_allow=" controls whether processes in the prisoner may use System V shared memory.
For security, set it to "NO"; set it to "YES" only when running software that uses shared memory, such as PostgreSQL.

Describe the settings of prisoner1 and prisoner2 in "/etc/jail.conf" as follows.

By default, programs that use raw sockets, such as traceroute, ping, and WIDE-DHCP (which uses bpf), do not work properly in a prisoner.
To use them, add "allow.raw_sockets;" to each prisoner's stanza in "/etc/jail.conf".

Reboot the system.
Each prisoner is now enabled.
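As an added example (not the page's own configuration), the script below renders a complete /etc/jail.conf for prisoner1 and prisoner2 together with the rc.conf lines that start them at boot. It assumes roots under /home/jail, the interface em0, and constructed 192.168.11.x addresses and example.com host names; allow.sysvipc is the jail.conf form of the jail_sysvipc_allow setting described above, and devfs_ruleset 4 (devfsrules_jail from /etc/defaults/devfs.rules) restricts what the devfs mount of step 8 exposes.

```shell
#!/bin/sh
# Added example, not from the original page: render /etc/jail.conf and the
# rc.conf lines for prisoner1 and prisoner2 (step 10). Assumptions: roots
# under /home/jail, interface em0; the 192.168.11.0/24 addresses and the
# example.com domain are constructed values, replace them with your own.
set -eu

JAIL_BASE="${JAIL_BASE:-/home/jail}"
IFACE="${IFACE:-em0}"

# Settings shared by every prisoner. devfs_ruleset 4 is devfsrules_jail from
# /etc/defaults/devfs.rules: it exposes only the devices a jail needs (step 8).
jail_conf_header() {
    cat <<EOF
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;
interface = "${IFACE}";
path = "${JAIL_BASE}/\$name";
host.hostname = "\$name.example.com";

EOF
}

# One stanza per prisoner: jail_conf_stanza NAME IP RAW SYSVIPC (RAW and
# SYSVIPC are yes or no). Both permissions are off unless named, so a line is
# emitted only for "yes"; allow.sysvipc is the jail.conf form of the
# jail_sysvipc_allow setting described above.
jail_conf_stanza() {
    printf '%s {\n    ip4.addr = "%s";\n' "$1" "$2"
    [ "$3" = yes ] && printf '    allow.raw_sockets;\n'
    [ "$4" = yes ] && printf '    allow.sysvipc;\n'
    printf '}\n'
}

render_jail_conf() {
    jail_conf_header
    jail_conf_stanza prisoner1 192.168.11.101 yes no   # ping/traceroute work here
    jail_conf_stanza prisoner2 192.168.11.102 no yes   # runs PostgreSQL
}

# rc.conf: start the jail service at boot and name the prisoners it manages.
rc_conf_lines() {
    printf 'jail_enable="YES"\njail_list="prisoner1 prisoner2"\n'
}

# Usage (as root on the jailer): sh jailconf.sh write && service jail start
if [ "${1:-}" = write ]; then
    render_jail_conf > /etc/jail.conf
    rc_conf_lines >> /etc/rc.conf
fi
```

Keeping the permissions off by default and switching them on per stanza keeps the decision visible in the file: only the prisoner that really needs raw sockets or System V IPC gets it, which is the point the text makes about jail_sysvipc_allow.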

11. Remove PRISONER
To rebuild the PRISONER environment from scratch, delete PRISONER and build it again as follows.

When deleting PRISONER1:

12. Jail-related commands available in the Jailer

➀ List of prisoners in operation

The "JID" shown in the leftmost column is the ID assigned to a prisoner; it identifies the prisoner to enter with "jexec", described below.

➁ Transition from JAILER to PRISONER
When entering the PRISONER with ID "1" using the shell "/bin/csh":

➂ Start/Stop PRISONER

13. Ping from jail to host machine

Enter prisoner1, which has JID "1", and run the command there.

Ping the host machine (192.168.11.83) 3 times:
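As an added example (not commands from the original page), the helpers below wrap the jailer-side operations of steps 11 to 13: finding a JID in jls output, entering a prisoner with jexec, starting and stopping it through the rc script, removing its root directory, and running the ping from inside it. The jls listing embedded in the script is a constructed sample used to exercise the JID lookup offline; roots under /home/jail and the example.com names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: jailer-side helpers for steps
# 11-13. Assumptions: roots under /home/jail; the jls listing and the
# example.com names below are constructed sample data.
set -eu

JAIL_BASE="${JAIL_BASE:-/home/jail}"

# Constructed copy of the default jls(8) listing (columns JID, IP Address,
# Hostname, Path), used only to exercise jid_for offline.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     1  192.168.11.101  prisoner1.example.com         /home/jail/prisoner1
     2  192.168.11.102  prisoner2.example.com         /home/jail/prisoner2'

# Step 12 ➀: read a jls listing on stdin and print the JID of the given hostname.
jid_for() {
    awk -v h="$1" 'NR > 1 && $3 == h { print $1; exit }'
}
demo_jid() { printf '%s\n' "$SAMPLE_JLS" | jid_for "$1"; }

# Step 12 ➁: open csh inside a prisoner found by hostname. jexec also accepts
# the jail name from jail.conf directly; the JID lookup follows the page's flow.
enter_prisoner() {
    jid=$(jls | jid_for "$1")
    [ -n "$jid" ] || { echo "no running prisoner with hostname $1" >&2; return 1; }
    jexec "$jid" /bin/csh
}

# Step 12 ➂: start or stop one prisoner by its jail.conf name.
start_prisoner() { service jail start "$1"; }
stop_prisoner()  { service jail stop "$1"; }

# Step 11: remove a prisoner. Files extracted from base.txz carry the schg
# (system immutable) flag, so rm -rf fails until chflags clears it.
remove_prisoner() {
    root="$JAIL_BASE/$1"
    stop_prisoner "$1" || true
    umount "$root/dev" 2>/dev/null || true
    chflags -R noschg "$root"
    rm -rf "$root"
}

# Step 13: ping the jailer from a prisoner. ping opens a raw socket, so the
# prisoner's stanza needs allow.raw_sockets; without it the socket call fails.
ping_jailer_from() { jexec "$1" ping -c 3 "$2"; }   # ping_jailer_from NAME JAILER_IP

# Usage: sh jailops.sh enter prisoner1.example.com
#        sh jailops.sh remove prisoner2
#        sh jailops.sh ping prisoner1 192.168.11.83
case "${1:-}" in
    enter)  enter_prisoner "$2" ;;
    remove) remove_prisoner "$2" ;;
    ping)   ping_jailer_from "$2" "$3" ;;
esac
```

The remove step stops the prisoner and unmounts its devfs before deleting, because a running jail or a still-mounted /dev under the root is the usual reason a rebuild of a prisoner fails halfway.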
