[FreeBSD] Jail Setup - BSD

Users browsing this thread: 1 Guest(s)
yrmt yrmt Offline | 22-07-2012, 07:08 PM | #1
Grey Hair Nixers
Install a Secure Web Server (nginx) in a FreeBSD jail:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

For this tutorial, you'll learn how to setup a jail on
a FreeBSD system and install a web server with php, mysql.
--
You must know UNIX basic commands and have the FreeBSD source installed.

To install a port, use "make install clean". You can also use
"make config-recursive install clean" to get all configure options prompted
at the beginning, which can be useful for big ports.

1. JAIL
¯¯¯¯¯¯¯¯
First, make sure you have a compiled the FreeBSD world. If not, in /usr/src:

PHP Code:
<?php 

-> make buildworld

This might take a couple of hours. Never forget that you can do some optimisations
in /etc/make.conf or decide to not build some modules and/or options in /etc/src.conf.

When FreeBSD's userland is compiled, we'll make the Jail directory and install the system:
We'll call the jail "jail0", you can call it whatever you want.

PHP Code:
<?php 

-> mkdir /usr/jail0



 -> make installworld DESTDIR=/usr/jail0



 -> make distribution DESTDIR=/usr/jail0



 -> mount -t devfs devfs /usr/jail0/dev

The jail is installed. Now we have to put some information in our /etc/rc.conf:

PHP Code:
<?php 

-> jail_enable="YES"   

 -> jail_list="jail0"  

 -> jail_www_rootdir="/usr/jail0"

 -> jail_www_hostname="home.beastiejail.bsd" 

 -> jail_www_ip="192.168.1.10"  

 -> jail_www_devfs_enable="YES"    

 -> # jail_www_devfs_ruleset="jail0_ruleset" -> ( you can set some rules to devices for more security in /etc/devfs.rules ).

You have to make an alias or choose a network interface for the jail.
( in my case, i have only one ethernet port. ) Also in /etc/rc.conf:

PHP Code:
<?php 

-> ifconfig_bge0_alias0="inet 192.168.1.10 netmask 255.255.255.255"

Make the alias:
PHP Code:
<?php 

-> ifconfig bge0 inet alias 192.168.1.10
As you can see, my network interface is called "bge0". If you don't know what you

interface is, run "ifconfig -a" :).

So now your jail, "jail0" should be started at boot, but you can also start it directly
with:

PHP Code:
<?php 

-> /etc/rc.d/jail start

First, execute a:

PHP Code:
<?php 

-> jls

( Jail LiSt )

The output should look like this:

PHP Code:
<?php 

JID  IP Address  Hostname    Path

  1  192.168.1.10    home.beastiejail.bsd  /usr/jail0

You can enter in it with jexec:
( tool to execute processes in jails )

-> jexec 1 sh
| The process to execute, here sh will give us a shell
ID of the jail. JID

You can now check that you are in the jail by typing jls. (should return an empty list)

Check that you have an active internet connection. But don't use ping, it won't work.
Try, for example, to install something you need, like:

PHP Code:
<?php 

-> pkg_add -r -v nginx

If it doesn't work, check ifconfig -a and this should be in your jail's /etc/rc.conf:

PHP Code:
<?php 

-> ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.255"

 -> hostname="home.beastiejail.bsd"

Restarting or shutting down a jail can't be done like on your main system, but you can execute:

PHP Code:
<?php 

-> /bin/sh /etc/rc.shutdown

( there is also an application in ports called jkill { /usr/ports/sysutils/jkill } that can help )

At this point, you should have an internet connection working.

You might want to set root's password with "passwd" and set the timezone:

PHP Code:
<?php 

-> cp /usr/share/zoneinfo/<yourtimezone> /etc/localtime

Mount procfs, run:

PHP Code:
<?php 

-> mount -t procfs proc /usr/jail/proc

-> write that in jail's /etc/fstab:
\__
|proc /proc procfs rw 0 0 |
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
CrossFold CrossFold Offline | 24-07-2012, 09:37 AM | #2
Long time nixers
Great tutorial! :D But I think you should do something for the PHP code coloring, it is really hard to read on this dark background.
yrmt yrmt Offline | 24-07-2012, 09:59 AM | #3
Grey Hair Nixers
Yeah, I need to fix that.


View a Printable Version