FreeBSD Jail is a mechanism for creating a virtual system inside a running FreeBSD system. Systems created this way are completely independent of the host system, so a possible security vulnerability does not spread between them. Likewise, when a service running inside the jail is compromised, the services running on the host system are not affected.
Jails can be thought of as a kind of operating system-level virtualization.
It is a feature that makes FreeBSD stand out from other operating systems in terms of security.
The installation and usage information on this page is about creating a completely separate structure called a Thick Jail.
In addition, VNET features will be used to enable Jails to run on a separate network.
The installed jail will have all the basic FreeBSD files.
The FreeBSD version running in the jail cannot be more up-to-date than the FreeBSD version running on the main system.
This article will explain Jail installation, usage and management.
__JAIL_NAME__, used throughout the article, is a name of your choice. The name uch32bitjail is used in the example commands.
__VERSION__, used throughout the article, is the FreeBSD version of the jail you will install. The version used in the example commands is 13.2-RELEASE.
__ARCHITECTURE__ is the FreeBSD architecture of the jail you will install. The architecture used in the example commands is i386.
Jail installation steps can be listed as follows.
Jails do not have to be kept in a specific directory. The commands in this article use the directory /usr/jails. You can change it if you want…
Create the folders by running the commands below, changing the necessary places.
mkdir -p /usr/jails/files
mkdir /usr/jails/__JAIL_NAME__
The -p parameter creates folders recursively, so if the folder /usr/jails does not exist, it is created too.
The downloaded files are kept in /usr/jails/files so that they do not have to be downloaded again when needed. You can use them to quickly install a new jail later. However, if you are short on space, you can download these files again for each jail installation.
Download the base system archive for the chosen version and architecture:
fetch https://download.freebsd.org/ftp/releases/__ARCHITECTURE__/__ARCHITECTURE__/__VERSION__/base.txz -o /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz
Example:
fetch https://download.freebsd.org/ftp/releases/i386/i386/13.2-RELEASE/base.txz -o /usr/jails/files/13.2-RELEASE-i386-base.txz
Extract it into the jail directory:
tar -xpf /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz -C /usr/jails/__JAIL_NAME__ --unlink
Example:
tar -xpf /usr/jails/files/13.2-RELEASE-i386-base.txz -C /usr/jails/uch32bitjail --unlink
If you do not want to keep the downloaded archive, remove it:
rm -f /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz
Example:
rm -f /usr/jails/files/13.2-RELEASE-i386-base.txz
For jails to work, some adjustments need to be made on the main system.
Copy the host's DNS and time zone settings into the jail:
cp /etc/resolv.conf /usr/jails/__JAIL_NAME__/etc/resolv.conf
cp /etc/localtime /usr/jails/__JAIL_NAME__/etc/localtime
Example:
cp /etc/resolv.conf /usr/jails/uch32bitjail/etc/resolv.conf
cp /etc/localtime /usr/jails/uch32bitjail/etc/localtime
Apply the latest patches to the jail's base system:
freebsd-update -b /usr/jails/__JAIL_NAME__/ fetch install
Example:
freebsd-update -b /usr/jails/uch32bitjail/ fetch install
Enable the jail service on the host:
sysrc jail_enable="YES"   # Needed for the jails to start.
sysrc jail_parallel_start="YES"   # If you add this line, the jails are started in the background.
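As an added example (not code from the original page or the UCH Wiki), the installation steps above collected into one script, with __JAIL_NAME__, __ARCHITECTURE__ and __VERSION__ as arguments. It goes one step beyond the page: before extracting base.txz it checks the archive's SHA-256 against the MANIFEST file published in the same release directory. The MANIFEST location and its tab-separated layout (file name in the first column, SHA-256 in the second), the function names, the JAIL_ROOT variable and the use of sha256(1) are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example (not part of the original page): the thick-jail installation
# steps, wrapped in functions with the page's placeholders as parameters.
# Run as root on the FreeBSD host, e.g.:
#   sh install_jail.sh uch32bitjail i386 13.2-RELEASE
#
# Assumptions not stated on the page: the release directory also carries a
# MANIFEST file, tab-separated, with the distribution file name in column 1
# and its SHA-256 in column 2; and sha256(1) exists on the host.
set -eu

JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"   # change if you keep jails elsewhere

# Release directory URL for an architecture/version pair (as on the page).
release_url() {                        # $1 = architecture, $2 = version
    printf 'https://download.freebsd.org/ftp/releases/%s/%s/%s' "$1" "$1" "$2"
}

# Cached copy of base.txz, named the way the page names it.
base_archive() {                       # $1 = architecture, $2 = version
    printf '%s/files/%s-%s-base.txz' "$JAIL_ROOT" "$2" "$1"
}

# Read MANIFEST text on stdin and print the SHA-256 recorded for one file.
manifest_sha256() {                    # $1 = file name, e.g. base.txz
    awk -F '\t' -v f="$1" '$1 == f { print $2; exit }'
}

# Succeeds only if the file's SHA-256 equals a non-empty expected digest.
verify_sha256() {                      # $1 = file, $2 = expected digest
    [ -n "$2" ] && [ "$(sha256 -q "$1")" = "$2" ]
}

install_jail() {                       # $1 = jail name, $2 = architecture, $3 = version
    name="$1"; arch="$2"; version="$3"
    url="$(release_url "$arch" "$version")"
    archive="$(base_archive "$arch" "$version")"

    mkdir -p "$JAIL_ROOT/files" "$JAIL_ROOT/$name"

    # Reuse a cached base.txz; download it only once.
    [ -f "$archive" ] || fetch "$url/base.txz" -o "$archive"

    # Check the archive against the release MANIFEST before unpacking it.
    expected="$(fetch -q -o - "$url/MANIFEST" | manifest_sha256 base.txz)"
    if ! verify_sha256 "$archive" "$expected"; then
        echo "SHA-256 mismatch for $archive; not extracting" >&2
        return 1
    fi

    # Unpack the base system into the jail directory.
    tar -xpf "$archive" -C "$JAIL_ROOT/$name" --unlink

    # Host settings the jail needs, then patches for the jail's base system.
    cp /etc/resolv.conf "$JAIL_ROOT/$name/etc/resolv.conf"
    cp /etc/localtime "$JAIL_ROOT/$name/etc/localtime"
    freebsd-update -b "$JAIL_ROOT/$name/" fetch install
}

# Only perform the installation when all three arguments are given.
if [ $# -eq 3 ]; then
    install_jail "$@"
fi
```

The checksum step is the only addition to the page's procedure: if the digest in MANIFEST does not match the cached archive (a corrupted or tampered download, or a stale file from another release), the script stops before anything is written into the jail directory.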
The jail prepared in this article is completely independent of the main system. Therefore, the jail needs to run on a separate network. VNET will be used for this.
If you don't want your jail to have internet access via a separate network, you can skip this part.
Create a bridge interface with the following command:
ifconfig bridge create
It should print an output containing the name of the bridge adapter. Make a note of this name. As an example: bridge0
Then add the em0 interface to the bridge by running the command below. Here em0 is the adapter name of the device; this name may be different on your system. You can use the ifconfig command to find it out.
Below is a sample output. You can see the name in the first line (em0:).
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
	ether 08:00:27:06:c2:65
	inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0 is the bridge name created in the previous command and em0 is the network interface on the host system.
ifconfig bridge0 addm em0
Add the following lines to the /etc/rc.conf file so that this happens automatically on every startup.
defaultrouter="192.168.1.1"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.150/24 addm em0 up"
There are two ways to set up configuration files for jails. If you are going to use a lot of jails, it makes more sense to choose the second way.
First way: configuration information is kept in a single file, /etc/jail.conf. You need to add new entries to this file for each new jail.
Second way: configuration information is kept in a separate file for each jail. These files are kept in the /etc/jail.conf.d/ folder. For each new jail you need to create a new file in this folder. This method avoids confusion if you have many jails.
Open the configuration file according to the selected method and add the lines below, editing them as needed.
Detailed information is written next to them as a comment.
Pay attention to the line breaks in the files to be created. Use LF instead of CRLF. Otherwise unwanted results may occur.
__JAIL_NAME__ {                                 # Name of the jail
  exec.start = "/bin/sh /etc/rc";               # Commands run when the jail is started.
  exec.stop = "/bin/sh /etc/rc.shutdown";       # Commands run when the jail is stopped.
  exec.consolelog = "/var/log/jail_console_${name}.log";   # File the command output is written to.
  allow.raw_sockets;                            # Allows the use of raw sockets (ping, for example).
  exec.clean;                                   # Run the commands in a clean environment.
  mount.devfs;                                  # Mount a devfs(5) file system on the /dev directory.
  host.hostname = "${name}";
  path = "/usr/jails/${name}";                  # Directory the commands are run in; in short, the directory the jail is installed in.
  vnet;
  vnet.interface = "${epair}b";
  $id = "154";                                  # Value used to compute the last part of the IP address. Must be different for each jail.
  $ip = "192.168.1.${id}/24";
  $gateway = "192.168.1.1";
  $bridge = "bridge0";                          # Name of the bridge created in the VNET setup.
  $epair = "epair${id}";
  exec.prestart += "ifconfig ${epair} create up";
  exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
  exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
  exec.start += "ifconfig ${epair}b ${ip} up";
  exec.start += "route add default ${gateway}";
  exec.poststop = "ifconfig ${bridge} deletem ${epair}a";
  exec.poststop += "ifconfig ${epair}a destroy";
}
To list the running jails:
jls
To start the jail:
service jail start __JAIL_NAME__
service jail onestart __JAIL_NAME__
To stop the jail:
service jail stop __JAIL_NAME__
To restart the jail:
service jail restart __JAIL_NAME__
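An added example, not from the original page: a small check script for the two pitfalls the text names, CRLF line endings in the configuration files and an $id value reused by two jails (which would give both the same epair name and the same IP address). The function names and the assumption that every $id assignment sits on its own line in the form shown above are mine.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity checks for jail
# definitions before `service jail start`. They catch the two mistakes the
# text warns about: CRLF line endings in the configuration files, and an $id
# value reused by two jails. Assumes the $id lines look like the example
# above, i.e. `$id = "154";` on a line of its own.
set -eu

# Print the names of the given files that contain carriage returns (CRLF).
find_crlf() {                               # $@ = configuration files
    for f in "$@"; do
        if [ "$(( $(tr -cd '\r' < "$f" | wc -c) ))" -gt 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print one "id<TAB>file" line for every $id assignment in the given files.
list_ids() {                                # $@ = configuration files
    for f in "$@"; do
        sed -n 's/^[[:space:]]*\$id[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$f" |
        while read -r id; do
            printf '%s\t%s\n' "$id" "$f"
        done
    done
}

# Print ids assigned in more than one file; empty output means no clash.
duplicate_ids() {                           # $@ = configuration files
    list_ids "$@" | cut -f 1 | sort | uniq -d
}

# Returns 0 when every file is clean, 1 otherwise (problems go to stderr).
check_jail_confs() {                        # $@ = configuration files
    status=0
    bad=$(find_crlf "$@")
    if [ -n "$bad" ]; then
        printf 'CRLF line endings found in: %s\n' "$bad" >&2
        status=1
    fi
    dup=$(duplicate_ids "$@")
    if [ -n "$dup" ]; then
        printf '$id value used by more than one jail: %s\n' "$dup" >&2
        status=1
    fi
    return "$status"
}

# On a host using /etc/jail.conf.d (the second way above):
#   check_jail_confs /etc/jail.conf.d/*.conf && service jail start __JAIL_NAME__
```

With the single-file layout (the first way) the duplicate check is less useful, because all jails share one file; the CRLF check still applies to /etc/jail.conf.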
Since security is a top priority in FreeBSD, even root privileges are not enough to delete some files. File flags control this. Clear the flags first, then delete the jail directory:
chflags -R 0 /usr/jails/__JAIL_NAME__
rm -rf /usr/jails/__JAIL_NAME__
If you configured with the first way, also remove the jail's entry from the /etc/jail.conf file. If you configured with the second way, delete the file /etc/jail.conf.d/__JAIL_NAME__.conf.
If you have not given your jail internet access, you can use the following command to install packages into the jail from the main system.
pkg -j __JAIL_NAME__ install __PACKAGE_NAME__
Example:
pkg -j uch32bitjail install wget
Although it is more convenient to manage the jail from the main system, you can get a shell inside the jail with the following command.
jexec -u root __JAIL_NAME__
To run a command in the jail, add the following prefix to the command you will run.
jexec -l __JAIL_NAME__ __COMMAND__
Example:
jexec -l uch32bitjail service stop apache24
Taken from UCH Wiki. https://wiki.ulascemh.com/doku.php?id=en:cs:op:bsd:jail