FreeBSD Jail

FreeBSD Jail is a method used to create a virtual system within the host system. Systems created with this method are completely independent from the main system, so a security vulnerability in one does not carry over to the other. Likewise, when a service running in the jail is compromised, the services running on the main system are not affected.

Jails can be thought of as a kind of operating system-level virtualization.

It is a feature that makes FreeBSD stand out from other operating systems in terms of security.

This page describes installation and usage. It covers creating a completely separate structure called a Thick Jail.

In addition, VNET features will be used to enable Jails to run on a separate network.

The installed jail will have all the basic FreeBSD files.

The FreeBSD version running in the jail cannot be more up-to-date than the FreeBSD version running on the main system.

This article will explain Jail installation, usage and management.

  * Internet access is required on your FreeBSD system.
  * The __JAIL_NAME__ used throughout the article is a name of your choice. The name ''uch32bitjail'' is used in the example commands.
  * The __VERSION__ used throughout the article is the FreeBSD version of the jail you will install. The version used in the example commands is ''13.2-RELEASE''.
  * The __ARCHITECTURE__ used throughout the article is the FreeBSD architecture of the jail you will install. The architecture used in the example commands is ''i386''.
  * The example commands install an i386 jail on an amd64 host.

===== FreeBSD Jail Installation =====

Jail installation steps can be listed as follows.

  - Creation of folders.
  - Downloading the required base archive.
  - Making settings on the main system.
  - Creating and editing jail configuration files.

==== Folder Structure ====

Jails do not have to be kept in a specific directory. The commands in this article use the directory ''/usr/jails''; you can change it if you want.

Run the command below, changing the necessary places, to create the folders.

<code bash>
mkdir -p /usr/jails/files
mkdir /usr/jails/JAIL_NAME
</code>

The ''-p'' parameter creates folders recursively, so if the folder ''/usr/jails'' does not exist, it is created too.
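The base archive fetched in the next section is handed to ''tar'' as-is. The shell script below is an added example, not code from the UCH wiki page, that performs two checks before extraction: it compares the archive's SHA-256 digest with the ''base.txz'' entry of the release's ''MANIFEST'' file (assumed here to be the tab-separated list published next to ''base.txz'' in the same release directory, with the digest in its second column), and it enforces the rule stated above that the jail's release may not be newer than the host's. The host release string is passed in as an argument so the check can be exercised anywhere; on the host itself it would come from ''uname -r''.

```shell
#!/bin/sh
# Added example, not part of the UCH wiki page: pre-flight checks to run
# before the base archive is extracted into the jail directory.
#
# Assumption: the FreeBSD release directory that serves base.txz also
# serves a MANIFEST file whose tab-separated columns are
#   filename  sha256  file-count  component  description  default
# Assumption: the host release string is passed in; on the host itself it
# would be taken from `uname -r`.

set -u

# Print the SHA-256 digest of a file; sha256(1) on FreeBSD, sha256sum elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# verify_base_archive ARCHIVE MANIFEST
# Returns 0 only if ARCHIVE's digest equals the base.txz digest in MANIFEST,
# so a truncated or tampered download is never handed to tar.
verify_base_archive() {
    archive=$1
    manifest=$2
    expected=$(awk -F'\t' '$1 == "base.txz" { print $2; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no base.txz entry in $manifest" >&2
        return 2
    fi
    actual=$(file_sha256 "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive, refusing to extract" >&2
        return 1
    fi
    return 0
}

# jail_version_ok JAIL_RELEASE HOST_RELEASE
# The article's rule: the jail's release may not be newer than the host's.
# Only the numeric MAJOR.MINOR prefix is compared (13.2 from 13.2-RELEASE).
jail_version_ok() {
    jail_num=${1%%-*}
    host_num=${2%%-*}
    jail_major=${jail_num%%.*}
    jail_minor=${jail_num#*.}
    host_major=${host_num%%.*}
    host_minor=${host_num#*.}
    if [ "$jail_major" -lt "$host_major" ]; then
        return 0
    fi
    if [ "$jail_major" -eq "$host_major" ] && [ "$jail_minor" -le "$host_minor" ]; then
        return 0
    fi
    echo "jail release $1 is newer than host release $2" >&2
    return 1
}

# Typical use on the host (paths follow the article's example):
#   verify_base_archive /usr/jails/files/13.2-RELEASE-i386-base.txz /usr/jails/files/MANIFEST \
#     && jail_version_ok 13.2-RELEASE "$(uname -r)" \
#     && tar -xpf /usr/jails/files/13.2-RELEASE-i386-base.txz -C /usr/jails/uch32bitjail --unlink
```

Chaining the checks with ''&&'' in front of the ''tar'' command means a mismatching digest or a too-new release stops the installation before anything is written into the jail directory.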

==== Downloading Required Files ====

The downloaded files are kept in ''/usr/jails/files'' so that they do not have to be downloaded again; you can reuse them to quickly install a new jail. If you are short on space, you can instead download these files again for each jail installation.

  * Edit and run the command below to download the necessary files.
> <code bash>
fetch https://download.freebsd.org/ftp/releases/ARCHITECTURE/ARCHITECTURE/VERSION/base.txz -o /usr/jails/files/VERSION-ARCHITECTURE-base.txz
</code>
>> Example:
>> <code bash>
fetch https://download.freebsd.org/ftp/releases/i386/i386/13.2-RELEASE/base.txz -o /usr/jails/files/13.2-RELEASE-i386-base.txz
</code>
  * Edit and run the following command to extract the downloaded base archive into the relevant jail directory.
> <code bash>
tar -xpf /usr/jails/files/VERSION-ARCHITECTURE-base.txz -C /usr/jails/JAIL_NAME --unlink
</code>
>> Example:
>> <code bash>
tar -xpf /usr/jails/files/13.2-RELEASE-i386-base.txz -C /usr/jails/uch32bitjail --unlink
</code>
  * If you are low on disk space, you can run the following command to delete the downloaded files. To install a new jail you will need to download them again.
> <code bash>
rm -f /usr/jails/files/VERSION-ARCHITECTURE-base.txz
</code>
>> Example:
>> <code bash>
rm -f /usr/jails/files/13.2-RELEASE-i386-base.txz
</code>

==== Main System Settings ====

For jails to work, some adjustments need to be made on the main system.

  * The name resolution (''/etc/resolv.conf'') and time zone (''/etc/localtime'') settings for the jail are copied directly from the main system. Edit and run the following commands.
> <code bash>
cp /etc/resolv.conf /usr/jails/JAIL_NAME/etc/resolv.conf
cp /etc/localtime /usr/jails/JAIL_NAME/etc/localtime
</code>
>> Example:
>> <code bash>
cp /etc/resolv.conf /usr/jails/uch32bitjail/etc/resolv.conf
cp /etc/localtime /usr/jails/uch32bitjail/etc/localtime
</code>
  * Edit and run the following command to fetch and install any available updates for the jail.
> <code bash>
freebsd-update -b /usr/jails/JAIL_NAME/ fetch install
</code>
>> Example:
>> <code bash>
freebsd-update -b /usr/jails/uch32bitjail/ fetch install
</code>
  * If you want the jails to start automatically when the machine starts, run the following commands.1)
> <code bash>
sysrc jail_enable="YES"          # Required to start the jails at boot.
sysrc jail_parallel_start="YES"  # Optional: starts the jails in the background, in parallel.
</code>

==== VNET Settings ====

The jail prepared in this article is completely independent from the main system, so it needs to run on its own network. VNET is used for this. If you do not want your jail to have internet access through a separate network,2) you can skip this part.

  * Run the following command to create a bridge interface.
> <code bash>
ifconfig bridge create
</code>
>> The command prints the name of the bridge interface it created. Make a note of this name.
>>> For example: ''bridge0''
  * Once the bridge is created, the host's network interface (''em0'' here) must be added to it with the command in the next step.
> Here ''em0'' is the name of the host's network adapter. The name may be different on your system; use the ''ifconfig'' command to find it.
>
> Below is a sample output. You can see the name in the highlighted line.
>> <code sh [enable_line_numbers="true", highlight_lines_extra="1"]>
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
	ether 08:00:27:06:c2:65
	inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
</code>
  * Run the following command to add interface ''em0'' to the bridge. Here ''bridge0'' is the bridge name created by the previous command and ''em0'' is the network interface on the host system.
> <code bash>
ifconfig bridge0 addm em0
</code>
  * Add the following lines to the ''/etc/rc.conf'' file so that this happens automatically on every startup.
> <code bash>
defaultrouter="192.168.1.1"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.150/24 addm em0 up"
</code>

==== Jail Configuration ====

There are two ways to keep configuration files for jails. If you are going to use a lot of jails, the second way makes more sense.

=== First Way ===

Configuration information is kept in a single file, ''/etc/jail.conf''. You need to add a new entry to this file for each new jail.

=== Second Way ===

Configuration information is kept in a separate file for each jail. These files are kept in the ''/etc/jail.conf.d/'' folder, and for each new jail you create a new file there. This method avoids confusion if you have many jails.

----

Open the configuration file according to the selected method and add the lines below, editing the highlighted ones. Detailed information is written next to each line as a comment.

Pay attention to the line breaks in the files to be created. Use LF instead of CRLF; otherwise unwanted results may occur.

<file bash /etc/jail.conf [highlight_lines_extra="1,15,18"]>
JAIL_NAME {                                                 # Name of the jail.
    exec.start = "/bin/sh /etc/rc";                         # Commands run when the jail is started.
    exec.stop = "/bin/sh /etc/rc.shutdown";                 # Commands run when the jail is stopped.
    exec.consolelog = "/var/log/jail_console_${name}.log";  # File the command output is written to.

    allow.raw_sockets;                                      # Allows raw sockets to be used (e.g. ping).
    exec.clean;                                             # Run the commands in a clean environment.
    mount.devfs;                                            # Mount a devfs(5) file system on /dev.

    host.hostname = "${name}";
    path = "/usr/jails/${name}";                            # Directory the commands run in; in short, where the jail is installed.

    vnet;
    vnet.interface = "${epair}b";
    $id = "154";                                            # Value used to compute the last part of the IP address. Must be different for each jail.
    $ip = "192.168.1.${id}/24";
    $gateway = "192.168.1.1";
    $bridge = "bridge0";                                    # Name of the bridge created in the VNET settings.
    $epair = "epair${id}";
    exec.prestart += "ifconfig ${epair} create up";
    exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
    exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
    exec.start += "ifconfig ${epair}b ${ip} up";
    exec.start += "route add default ${gateway}";
    exec.poststop = "ifconfig ${bridge} deletem ${epair}a";
    exec.poststop += "ifconfig ${epair}a destroy";
}
</file>

===== Jail Management =====

  * You can use the following command to list the jails currently running on the system.
> <code bash>
jls
</code>
  * You can use the commands below to start the jail. If you have not set it to start automatically at boot, you will have to use the second form.
> <code bash>
service jail start JAIL_NAME
service jail onestart JAIL_NAME
</code>
  * You can use the following command to stop the jail.
> <code bash>
service jail stop JAIL_NAME
</code>
  * You can use the following command to restart the jail.
> <code bash>
service jail restart JAIL_NAME
</code>

==== Deleting the Jail ====

Since security is a top priority in FreeBSD, even root privileges are not enough to delete some files; this is controlled by file flags.

  * First stop the jail you are going to delete. Then run the command below, adjusted for your jail, to clear the file flags.
> <code bash>
chflags -R 0 /usr/jails/JAIL_NAME
</code>
  * You can now delete the jail folder with the following command.
> <code bash>
rm -rf /usr/jails/JAIL_NAME
</code>
  * Finally, complete the deletion by removing the configuration of the relevant jail. If you configured it the first way, edit the ''/etc/jail.conf'' file. If you configured it the second way, delete the file ''/etc/jail.conf.d/JAIL_NAME.conf''.

==== Jail Package Management ====

If you have not given internet access to your jail,3) you can use the following command to install packages into the jail from the main system.
> <code bash>
pkg -j JAIL_NAME install PACKAGE_NAME
</code>
>> Example:
>> <code bash>
pkg -j uch32bitjail install wget
</code>

==== Jail Access ====

Although it is more convenient to manage the jail through the main system, you can get a shell inside the jail with the following command.

<code bash>
jexec -u root JAIL_NAME
</code>

==== Command Execution on Jail ====

To run a command inside the jail, prefix the command with the following.
> <code bash>
jexec -l JAIL_NAME COMMAND
</code>
>> Example:
>> <code bash>
jexec -l uch32bitjail service stop apache24
</code>

Taken from UCH Wiki. https://wiki.ulascemh.com/doku.php?id=en:cs:op:bsd:jail
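As an added example, not code from the UCH wiki page, the script below automates the second method from the Jail Configuration section: it writes one ''/etc/jail.conf.d/JAIL_NAME.conf'' from the template shown there, refuses an ''$id'' that another jail in the same directory already uses (''$id'' determines both the jail's IP address and its epair interface name, so a duplicate makes two jails collide), and provides the CRLF check that the note before the template asks for. The configuration directory is a parameter so the script can be run against a scratch directory; the bridge and gateway default to the article's ''bridge0'' and ''192.168.1.1'', and the id range 2-254 assumes the gateway sits at .1 as in the article's network.

```shell
#!/bin/sh
# Added example, not part of the UCH wiki page: generate one
# /etc/jail.conf.d/JAIL_NAME.conf per jail from the article's VNET template.
#
# Assumptions: the configuration directory is a parameter (so this can be
# exercised against a scratch directory); the network follows the article's
# 192.168.1.0/24 example with the gateway at .1, so usable ids are 2-254.

set -u

# ids_in_use CONF_DIR
# Print every "$id" value already declared in CONF_DIR/*.conf, one per line.
ids_in_use() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*\$id[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p' "$f"
    done
}

# check_jail_conf FILE
# Fail if FILE contains carriage returns (CRLF endings), which the article's
# note warns about; jail(8) expects LF line endings.
check_jail_conf() {
    if grep -q "$(printf '\r')" "$1"; then
        echo "$1 has CRLF line endings, convert it to LF" >&2
        return 1
    fi
    return 0
}

# write_jail_conf CONF_DIR JAIL_NAME ID [BRIDGE] [GATEWAY]
# $id feeds both the jail's IPv4 host part and its epair number, so two jails
# sharing an id would collide on address and interface name; refuse that.
write_jail_conf() {
    conf_dir=$1
    jail_name=$2
    jail_id=$3
    bridge=${4:-bridge0}
    gateway=${5:-192.168.1.1}

    case $jail_name in
        ""|*[!A-Za-z0-9_]*) echo "invalid jail name: $jail_name" >&2; return 2 ;;
    esac
    case $jail_id in
        ""|*[!0-9]*) echo "id must be numeric: $jail_id" >&2; return 2 ;;
    esac
    if [ "$jail_id" -lt 2 ] || [ "$jail_id" -gt 254 ]; then
        echo "id $jail_id is outside the usable host range 2-254" >&2
        return 2
    fi
    for used in $(ids_in_use "$conf_dir"); do
        if [ "$used" = "$jail_id" ]; then
            echo "id $jail_id is already used by another jail in $conf_dir" >&2
            return 1
        fi
    done

    mkdir -p "$conf_dir"
    out=$conf_dir/$jail_name.conf
    # The heredoc writes LF endings; \$ keeps ${name}, ${epair} etc. literal
    # so that jail(8) expands them, while $jail_name, $jail_id, $bridge and
    # $gateway are filled in here.
    cat > "$out" <<EOF
$jail_name {
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/jail_console_\${name}.log";
    allow.raw_sockets;
    exec.clean;
    mount.devfs;
    host.hostname = "\${name}";
    path = "/usr/jails/\${name}";
    vnet;
    vnet.interface = "\${epair}b";
    \$id = "$jail_id";
    \$ip = "192.168.1.\${id}/24";
    \$gateway = "$gateway";
    \$bridge = "$bridge";
    \$epair = "epair\${id}";
    exec.prestart += "ifconfig \${epair} create up";
    exec.prestart += "ifconfig \${epair}a up descr jail:\${name}";
    exec.prestart += "ifconfig \${bridge} addm \${epair}a up";
    exec.start += "ifconfig \${epair}b \${ip} up";
    exec.start += "route add default \${gateway}";
    exec.poststop = "ifconfig \${bridge} deletem \${epair}a";
    exec.poststop += "ifconfig \${epair}a destroy";
}
EOF
    check_jail_conf "$out" && echo "$out"
}

# Typical use on the host: write_jail_conf /etc/jail.conf.d uch32bitjail 154
```

''check_jail_conf'' can also be run on a hand-edited ''/etc/jail.conf'' before ''service jail start'', which catches the CRLF problem earlier than a failed jail start would.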

1)
If you want to start them manually, skip this step. The command to start the jail will change according to this step.
2)
no internet connection at all or sharing the same ip with the main system
3)
In this article, this part is omitted because internet access is given to jails with vnet.
en/cs/op/bsd/jail.1746380985.txt.gz · Last modified: 2025/05/04 17:49 by ulascemh