FreeBSD Jail
FreeBSD Jail is a mechanism for creating a virtual system inside the host system. Systems created this way are isolated from the host, so a security vulnerability in one does not affect the other. If a service running in a jail is compromised, the services running on the host system are not affected.
Jails can be thought of as a kind of operating system-level virtualization.
It is a feature that makes FreeBSD stand out from other operating systems in terms of security.
The installation and usage information on this page is about creating a completely separate structure called a Thick Jail.
In addition, VNET features will be used to enable Jails to run on a separate network.
The installed jail will have all the basic FreeBSD files.
The FreeBSD version running in the jail cannot be more up-to-date than the FreeBSD version running on the main system.
This article will explain Jail installation, usage and management.
- Internet access is required on your FreeBSD system.
- __JAIL_NAME__, used throughout the article, is a name of your choice. The example commands use the name uch32bitjail.
- __VERSION__, used throughout the article, is the FreeBSD version of the jail you will install. The example commands use 13.2-RELEASE.
- __ARCHITECTURE__, used throughout the article, is the FreeBSD architecture of the jail you will install. The example commands use i386.
- The example commands install an i386 jail on an amd64 host.
FreeBSD Jail Installation
Jail installation steps can be listed as follows.
- Creation of folders.
- Downloading the required base archive.
- Making settings on the main system.
- Creating and editing jail configuration files.
Folder Structure
Jails do not have to be kept in a specific directory. This article uses the directory /usr/jails; you can change it if you want.
Edit the paths in the commands below as needed, then run them to create the folders.
mkdir -p /usr/jails/files
mkdir /usr/jails/__JAIL_NAME__
The -p parameter creates folders recursively, so if /usr/jails does not exist it is created too.
Downloading Required Files
The downloaded files are kept in /usr/jails/files so they do not have to be downloaded again when needed.
They can be reused to quickly install another jail later. If you are short on disk space, you can instead download them again for each jail installation.
- Edit and run the command below to download the necessary files.
fetch https://download.freebsd.org/ftp/releases/__ARCHITECTURE__/__ARCHITECTURE__/__VERSION__/base.txz -o /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz
Example:
fetch https://download.freebsd.org/ftp/releases/i386/i386/13.2-RELEASE/base.txz -o /usr/jails/files/13.2-RELEASE-i386-base.txz
- Edit and run the following command to extract the downloaded base archive to the relevant jail location.
tar -xpf /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz -C /usr/jails/__JAIL_NAME__ --unlink
Example:
tar -xpf /usr/jails/files/13.2-RELEASE-i386-base.txz -C /usr/jails/uch32bitjail --unlink
- If you are low on disk space, you can delete the downloaded archive with the following command. To install another jail you will need to download it again.
rm -f /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz
Example:
rm -f /usr/jails/files/13.2-RELEASE-i386-base.txz
Main System Settings
For jails to work, some adjustments need to be made on the main system.
- The name resolution (/etc/resolv.conf) and time zone (/etc/localtime) settings of the jail need to be copied directly from the main system. Edit and run the following commands.
cp /etc/resolv.conf /usr/jails/__JAIL_NAME__/etc/resolv.conf
cp /etc/localtime /usr/jails/__JAIL_NAME__/etc/localtime
Example:
cp /etc/resolv.conf /usr/jails/uch32bitjail/etc/resolv.conf
cp /etc/localtime /usr/jails/uch32bitjail/etc/localtime
- Edit and run the following command to fetch and install any available updates for the jail.
freebsd-update -b /usr/jails/__JAIL_NAME__/ fetch install
Example:
freebsd-update -b /usr/jails/uch32bitjail/ fetch install
- If you want the jails to start automatically when the machine boots, run the following commands.
sysrc jail_enable="YES"          # Enable starting the jails at boot.
sysrc jail_parallel_start="YES"  # If you add this line, the jails are started in the background.
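The installation steps above (folders, base archive download, extraction, copying resolv.conf and localtime, freebsd-update) as one parametrised script. This is an added example, not a script from the wiki page; it assumes the /usr/jails layout used in this article (overridable through JAILS_ROOT) and adds a jail-name check so that an empty or path-like name can never make tar or mkdir act outside /usr/jails.

```shell
#!/bin/sh
# Added example (not the wiki's own script): install a thick jail from base.txz.
# Usage: sh install-jail.sh __JAIL_NAME__ __ARCHITECTURE__ __VERSION__
# JAILS_ROOT is an assumed default; override it in the environment if needed.
set -eu

JAILS_ROOT="${JAILS_ROOT:-/usr/jails}"

# URL of base.txz for an architecture and release, e.g. i386 13.2-RELEASE.
base_url() {
    printf 'https://download.freebsd.org/ftp/releases/%s/%s/%s/base.txz\n' "$1" "$1" "$2"
}

# Cache path of the archive so each release/architecture is downloaded once.
base_archive() {
    printf '%s/files/%s-%s-base.txz\n' "$JAILS_ROOT" "$2" "$1"
}

# Root directory of a named jail.
jail_root() {
    printf '%s/%s\n' "$JAILS_ROOT" "$1"
}

# Accept only plain names: no empty string, no slashes, no "." or "..".
valid_jail_name() {
    case "$1" in
        ''|*/*|.|..|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

install_jail() {   # install_jail NAME ARCH VERSION
    name=$1 arch=$2 version=$3
    valid_jail_name "$name" || { echo "bad jail name: '$name'" >&2; return 1; }
    archive=$(base_archive "$arch" "$version")
    root=$(jail_root "$name")

    mkdir -p "$JAILS_ROOT/files" "$root"
    # Download only when the cached archive is missing.
    [ -f "$archive" ] || fetch "$(base_url "$arch" "$version")" -o "$archive"
    # -p keeps ownership, modes and file flags of the base system.
    tar -xpf "$archive" -C "$root" --unlink
    cp /etc/resolv.conf "$root/etc/resolv.conf"
    cp /etc/localtime "$root/etc/localtime"
    freebsd-update -b "$root/" fetch install
}

# Run only when invoked with the three arguments, so the file can also be sourced.
if [ $# -eq 3 ]; then
    install_jail "$1" "$2" "$3"
fi
```

The network and update commands only do something on a FreeBSD host with fetch and freebsd-update available; the path and URL helpers are what the name check protects.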
VNET Settings
The jail prepared in this article is prepared completely independently from the main system. Therefore, the jail needs to run on a separate network. VNET will be used for this.
If you do not want your jail to have internet access via a separate network, you can skip this part.
- Run the following command to create an adapter bridge.
ifconfig bridge create
This command prints the name of the newly created bridge interface, for example bridge0. Make a note of this name.
- Once the bridge is created, the host's network interface must be added to it. Here em0 is the adapter name on the example device; it may be different on your system. You can use the ifconfig command to find it.
Below is a sample output; the interface name is at the start of the first line.
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
	ether 08:00:27:06:c2:65
	inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
- Run the following command to add interface em0 to the bridge. Here bridge0 is the bridge name created in the previous command and em0 is the network interface on the host system.
ifconfig bridge0 addm em0
- Add the following lines to the /etc/rc.conf file so that this happens automatically on every startup.
defaultrouter="192.168.1.1"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.150/24 addm em0 up"
Jail Configuration
There are two ways to set configuration files for jails. If you are going to use a lot of jails, it makes more sense to choose the second way.
First Way
Configuration information is kept in a single file, /etc/jail.conf.
You need to add a new entry to this file for each new jail.
Second Way
Configuration information is kept in a separate file for each jail. These files are kept in the /etc/jail.conf.d/ folder.
For each new jail you need to create a new file in this folder. This method avoids confusion if you have many jails.
Open the configuration file according to the selected method and add the following lines, editing them for your jail.
Detailed information is written next to each line as a comment.
Pay attention to the line breaks in the files to be created. Use LF instead of CRLF. Otherwise unwanted results may occur.
- /etc/jail.conf (for the second way, the same content goes in /etc/jail.conf.d/__JAIL_NAME__.conf)
__JAIL_NAME__ {                                               # Name of the jail
  exec.start = "/bin/sh /etc/rc";                             # Commands run when the jail starts.
  exec.stop = "/bin/sh /etc/rc.shutdown";                     # Commands run when the jail is shut down.
  exec.consolelog = "/var/log/jail_console_${name}.log";      # File where command output is written.
  allow.raw_sockets;                                          # Allows the use of raw sockets (e.g. ping).
  exec.clean;                                                 # Run commands in a clean environment.
  mount.devfs;                                                # Mount a devfs(5) file system on /dev.
  host.hostname = "${name}";
  path = "/usr/jails/${name}";                                # Directory the commands run in; in short, the directory where the jail is installed.
  vnet;
  vnet.interface = "${epair}b";
  $id = "154";                                                # Value used as the last part of the IP address. Must be different for every jail.
  $ip = "192.168.1.${id}/24";
  $gateway = "192.168.1.1";
  $bridge = "bridge0";                                        # Name of the bridge created in the VNET settings.
  $epair = "epair${id}";
  exec.prestart += "ifconfig ${epair} create up";
  exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
  exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
  exec.start += "ifconfig ${epair}b ${ip} up";
  exec.start += "route add default ${gateway}";
  exec.poststop = "ifconfig ${bridge} deletem ${epair}a";
  exec.poststop += "ifconfig ${epair}a destroy";
}
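A generator for the "second way" configuration files, written as an added example rather than taken from the wiki page. It renders the VNET template above into /etc/jail.conf.d/NAME.conf (JAIL_CONF_DIR, BRIDGE and GATEWAY are assumed defaults you can override), writes LF line endings, and enforces the one rule the template's comment states but nothing checks: the id must be a usable host number and must not already be used by another jail's file, since it becomes both the last octet of the address and the epair number.

```shell
#!/bin/sh
# Added example (not the wiki's own script): write /etc/jail.conf.d/NAME.conf
# from the VNET template on this page. Usage: sh gen-jail-conf.sh NAME ID
# JAIL_CONF_DIR, BRIDGE and GATEWAY are assumed defaults.
set -eu

JAIL_CONF_DIR="${JAIL_CONF_DIR:-/etc/jail.conf.d}"
BRIDGE="${BRIDGE:-bridge0}"
GATEWAY="${GATEWAY:-192.168.1.1}"

# The id must be a decimal host number in 1..254 (last octet of 192.168.1.x).
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 254 ]; then
        return 0
    fi
    return 1
}

# True if an existing file in JAIL_CONF_DIR already assigns this id.
id_in_use() {
    [ -d "$JAIL_CONF_DIR" ] || return 1
    grep -qsF -- "\$id = \"$1\";" "$JAIL_CONF_DIR"/*.conf
}

# Prints the configuration block for one jail; the layout mirrors the page's template.
# Backslash-escaped $ signs stay literal so jail(8) expands them, not the shell.
render_conf() {   # render_conf NAME ID
    cat <<EOF
$1 {
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_console_\${name}.log";
  allow.raw_sockets;
  exec.clean;
  mount.devfs;
  host.hostname = "\${name}";
  path = "/usr/jails/\${name}";
  vnet;
  vnet.interface = "\${epair}b";
  \$id = "$2";
  \$ip = "192.168.1.\${id}/24";
  \$gateway = "$GATEWAY";
  \$bridge = "$BRIDGE";
  \$epair = "epair\${id}";
  exec.prestart += "ifconfig \${epair} create up";
  exec.prestart += "ifconfig \${epair}a up descr jail:\${name}";
  exec.prestart += "ifconfig \${bridge} addm \${epair}a up";
  exec.start += "ifconfig \${epair}b \${ip} up";
  exec.start += "route add default \${gateway}";
  exec.poststop = "ifconfig \${bridge} deletem \${epair}a";
  exec.poststop += "ifconfig \${epair}a destroy";
}
EOF
}

# Validates the id, refuses duplicates, writes the file and prints its path.
write_conf() {   # write_conf NAME ID
    valid_id "$2" || { echo "id must be 1..254, got '$2'" >&2; return 1; }
    if id_in_use "$2"; then
        echo "id $2 is already used by a file in $JAIL_CONF_DIR" >&2
        return 1
    fi
    mkdir -p "$JAIL_CONF_DIR"
    render_conf "$1" "$2" > "$JAIL_CONF_DIR/$1.conf"   # heredoc output is LF-terminated
    echo "$JAIL_CONF_DIR/$1.conf"
}

if [ $# -eq 2 ]; then
    write_conf "$1" "$2"
fi
```

Because the file is produced by the shell on the host, it never picks up CRLF endings from a desktop editor, which is the problem the note about line breaks above warns about.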
Jail Management
- You can use the following command to list the jails currently running on the system.
jls
- You can use the following command to start the jail. If you have not enabled jails at startup (jail_enable in /etc/rc.conf), use the onestart form instead.
service jail start __JAIL_NAME__
service jail onestart __JAIL_NAME__
- You can use the following command to stop the jail.
service jail stop __JAIL_NAME__
- You can use the following command to restart the jail.
service jail restart __JAIL_NAME__
Deleting a Jail
Since security is a top priority in FreeBSD, even root privileges are not enough to delete some files. File flags control this, so they must be cleared first.
- First stop the jail you are going to delete. Then run the command below, adjusted for your jail, to clear the file flags.
chflags -R 0 /usr/jails/__JAIL_NAME__
- You can now delete the jail folder with the following command.
rm -rf /usr/jails/__JAIL_NAME__
- Finally, complete the deletion by removing the configuration for the relevant jail. If you used the first way, edit the /etc/jail.conf file and remove the jail's entry. If you used the second way, delete the file /etc/jail.conf.d/__JAIL_NAME__.conf.
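The deletion steps above as one helper, added here as an example and not taken from the wiki page. The point it adds is a guard a practitioner wants before any "rm -rf" built from a variable: the jail name is rejected if it is empty or contains a path component, so the command can never resolve to /usr/jails itself or to a directory outside it, and the jail is stopped first if it is still listed by jls. JAILS_ROOT and JAIL_CONF_DIR are assumed defaults.

```shell
#!/bin/sh
# Added example (not the wiki's own script): remove a jail safely.
# Usage: sh remove-jail.sh __JAIL_NAME__
# JAILS_ROOT and JAIL_CONF_DIR are assumed defaults matching this article.
set -eu

JAILS_ROOT="${JAILS_ROOT:-/usr/jails}"
JAIL_CONF_DIR="${JAIL_CONF_DIR:-/etc/jail.conf.d}"

# Prints the directory that would be removed, or fails for an unsafe name
# (empty, containing "/", or "." / ".."), so rm -rf never escapes JAILS_ROOT.
jail_target() {
    case "$1" in
        ''|*/*|.|..|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$JAILS_ROOT" "$1"
}

# True if jls(8) still lists the jail, i.e. it is running.
jail_running() {
    jls -j "$1" >/dev/null 2>&1
}

remove_jail() {   # remove_jail NAME
    dir=$(jail_target "$1") || { echo "refusing to remove: bad jail name '$1'" >&2; return 1; }
    if jail_running "$1"; then
        service jail stop "$1"
    fi
    [ -d "$dir" ] || { echo "no such jail directory: $dir" >&2; return 1; }
    chflags -R 0 "$dir"              # clear the file flags that block deletion even for root
    rm -rf "$dir"
    rm -f "$JAIL_CONF_DIR/$1.conf"   # second-way config; first-way users edit /etc/jail.conf by hand
}

if [ $# -eq 1 ]; then
    remove_jail "$1"
fi
```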
Jail Package Management
If you have not given your jail internet access, you can use the following command to install packages into the jail from the main system.
pkg -j __JAIL_NAME__ install __PACKAGE_NAME__
Example:
pkg -j uch32bitjail install wget
Jail Access
Although it is more convenient to manage the jail from the main system, you can get a shell inside the jail with the following command.
jexec -u root __JAIL_NAME__
Command Execution on Jail
To run a command inside the jail from the main system, prefix it as follows.
jexec -l __JAIL_NAME__ __COMMAND__
Example:
jexec -l uch32bitjail service stop apache24
Taken from UCH Wiki. https://wiki.ulascemh.com/doku.php?id=en:cs:op:bsd:jail