Differences between revisions 17 and 18
Revision 17 as of 2013-05-29 14:06:27
Size: 3395
Comment: Example of debootstrapping a GNU/kFreeBSD jail
Revision 18 as of 2013-05-29 14:16:26
Size: 3434
Comment:
Line 71: Line 71:
`jls` (to list running jails) is not available yet. `jls` (to list running jails) is not available yet. [[DebianBug:709225]]
Line 73: Line 73:
`jexec` is not available yet, but you can probably get by with `jail -m jid=$JID command=/bin/bash` `jexec` is not available yet, but you can probably get by with:
{{{
#
jail -m jid=$JID command=/bin/bash
# cd
}}}
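Review bot: in the new `{{{ }}}` block the leading `#` on both lines is a root-prompt marker, but copied as-is those lines are shell comments, and the bare `# cd` line does not say what it is showing; if it is meant to indicate that the second prompt is now inside the jail, say so, for example by labelling the prompts as `host#` and `jail#` and adding a short note that `$JID` must already be set to the jail's id.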

Wheezy

A complete Debian GNU/kFreeBSD system should work within a jail, on a GNU/kFreeBSD or regular FreeBSD host system, with a few limitations.

Jails work a lot like Linux OpenVZ. On the host you can see all processes running in all jails. Within a jail, you can only see the processes running in that jail.

Limitations

Be aware that some files in /proc or /sys, such as /proc/mounts, are not partitioned per jail, and this may leak some (read-only) information about the host, or other guests' mountpoints.

Some features such as sysvipc are not namespaced for individual jails, so for security reasons they are disabled by default. fakeroot requires this to be enabled. Running more than one postgresql-server instance in a shared sysvipc namespace would clash, and not normally work.

The raw_sockets feature is normally disabled, to prevent IP spoofing from inside the jail. The ping tool will not work properly as a result.

Creating a new jailed system

JID=101

debootstrap \
 --exclude=devd,dmidecode,isc-dhcp-client,isc-dhcp-common,kldutils,pf,vidcontrol \
 wheezy /srv/jail/$JID

HOSTNAME=jail$JID.example.com
echo "$HOSTNAME" > /srv/jail/$JID/hostname

The --exclude to debootstrap lists some packages that are probably not useful in a jailed system. The devd package will typically not work in a jail.

Ensure the jailed system's /etc/resolv.conf is suitable. If a DNS resolver runs on the host system, you should reference it by unicast (public or private) IP address such as "nameserver 10.1.0.1", instead of e.g. "nameserver 127.0.0.1".

The jailed system will not have a loopback interface unless you create one.
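The creation steps above, wrapped into a script that adds the checks a practitioner would want before handing the jail root to jail(8): it refuses to overwrite an existing jail root, writes the host name where Debian's init actually reads it (etc/hostname inside the jail root), and verifies that resolv.conf names at least one non-loopback resolver, since a jail has no loopback interface unless one is created for it. This is an added example, not a script from the Debian wiki; JAIL_ROOT, SUITE, the example.com naming scheme and the 10.1.0.1 resolver address are assumptions, and the --exclude list is the one from the page.

```shell
#!/bin/sh
# Added example (not the wiki's own script): create a Debian GNU/kFreeBSD jail
# root with debootstrap and make sure its resolver configuration is usable.
# Assumed: JAIL_ROOT, SUITE, the example.com naming scheme and the 10.1.0.1
# resolver address; the --exclude list is the one from the wiki page.
set -eu

JAIL_ROOT=${JAIL_ROOT:-/srv/jail}
SUITE=${SUITE:-wheezy}
RESOLVER=${RESOLVER:-10.1.0.1}   # unicast address of a resolver on the host (assumed)
EXCLUDE=devd,dmidecode,isc-dhcp-client,isc-dhcp-common,kldutils,pf,vidcontrol

# Return 0 if FILE has at least one nameserver line and none of them points at
# a loopback address. A jail has no loopback interface unless the host gives it
# one, so a "nameserver 127.0.0.1" copied from the host silently breaks DNS.
resolv_conf_ok() {
    file=$1
    [ -r "$file" ] || return 1
    awk '
        $1 == "nameserver" { n++; if ($2 ~ /^127\./ || $2 == "::1") bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    ' "$file"
}

create_jail() {
    jid=$1
    root=$JAIL_ROOT/$jid
    if [ -e "$root" ]; then
        echo "refusing to overwrite existing $root" >&2
        return 1
    fi
    debootstrap --exclude="$EXCLUDE" "$SUITE" "$root"

    # Debian's init reads the name from /etc/hostname inside the jail root
    echo "jail$jid.example.com" > "$root/etc/hostname"

    # Point the jail at a resolver it can actually reach, then verify the result
    echo "nameserver $RESOLVER" > "$root/etc/resolv.conf"
    resolv_conf_ok "$root/etc/resolv.conf" || {
        echo "$root/etc/resolv.conf still has no usable nameserver" >&2
        return 1
    }
    echo "jail root $root ready; start it with jail(8) as described on this page"
}

if [ "${1:-}" = create ]; then
    create_jail "${2:?usage: $0 create JID}"
fi
```

Run as root with `sh create-jail.sh create 101`; the resolv.conf check is a separate function so it can also be run on its own against a jail root that was populated some other way.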

Starting or stopping a jail

Assuming a debootstrap'd installation already exists in /srv/jail/$JID/, here is an example of how to start it up inside a jail:

JID=101

# Linux-like /proc and /sys filesystems
mount -t linprocfs linprocfs /srv/jail/$JID/proc
mount -t linsysfs linsysfs /srv/jail/$JID/sys
# Ramdisk required for /run
mount -t tmpfs tmpfs /srv/jail/$JID/run
# A restricted, read-only /dev filesystem
mount -t devfs devfs /srv/jail/$JID/dev
# Compatibility symlink from /dev/shm to /run/shm
ln -s /run/shm /srv/jail/$JID/dev/
# Optionally enable networking
HOSTNAME=jail$JID.example.com
# This IP address should also be assigned to one of the host's interfaces
IP=10.1.0.$JID

mkdir -p /var/run/jail
jail -J /var/run/jail/$JID.jid -c jid=$JID \
  name=jail$JID \
  path=/srv/jail/$JID \
  host.hostname=$HOSTNAME \
  ip4.addr=$IP \
  command=/bin/sh -- -c "/etc/init.d/rc S && /etc/init.d/rc 2"

If openssh-server is installed within the jail, you should be able to SSH into it like a virtual private server.

jls (to list running jails) is not available yet (Debian bug #709225).

jexec is not available yet, but you can probably get by with:

# jail -m jid=$JID command=/bin/bash
# cd

A jail stops 'running' when all processes within it exit. (Within the jail, /etc/init.d/rc 0 ; exec kill -1 might be a way to force a shutdown?)
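The start-up sequence above, plus the shutdown the last paragraph hints at, as a start/stop script with the guards a re-run needs: the mount list is kept in one place so it is mounted in order and unmounted in reverse, nothing is mounted twice if the script is run again, the jid file is used as a best-effort "already running" check in the absence of jls, and the IP address is verified to be configured on a host interface before the jail is created. This is an added example, not the wiki's script. Assumptions beyond the page: JAIL_ROOT and the 10.1.0.0/24 addressing, and two jail(8) parameters the page does not name, `allow.sysvipc` (left at 0, the secure default the Limitations section describes; set ALLOW_SYSVIPC=1 only if you need fakeroot) and `jail -r` to remove a jail whose processes have not all exited.

```shell
#!/bin/sh
# Added example (not the wiki's own script): start or stop a debootstrapped
# Debian GNU/kFreeBSD jail. Assumed: JAIL_ROOT, 10.1.0.$JID addressing, and the
# jail(8) parameter allow.sysvipc and the `jail -r` removal form, neither of
# which the wiki page mentions.
set -eu

JAIL_ROOT=${JAIL_ROOT:-/srv/jail}
RUN_DIR=/var/run/jail

# Mount points inside a jail root, one "type source target" per line, in the
# order they must be mounted. The stop path reverses this list.
jail_mounts() {
    root=$1
    printf '%s\n' "linprocfs linprocfs $root/proc" \
                  "linsysfs linsysfs $root/sys" \
                  "tmpfs tmpfs $root/run" \
                  "devfs devfs $root/dev"
}

reverse_lines() {
    awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }'
}

# Is IP configured on some host interface? The ifconfig output is passed in as
# $2 so the check works on captured text too. Exact field comparison, so
# 10.1.0.10 is not accepted for 10.1.0.101.
host_has_ip() {
    ip=$1
    ifconfig_out=$2
    printf '%s\n' "$ifconfig_out" |
        awk -v ip="$ip" '$1 == "inet" && $2 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

start_jail() {
    jid=$1
    root=$JAIL_ROOT/$jid
    ip=10.1.0.$jid
    hostname=jail$jid.example.com
    [ -d "$root/etc" ] || { echo "no jail root at $root" >&2; return 1; }
    # jls is not available yet, so the jid file written by `jail -J` is the
    # only hint that this jail is already up (it may be stale if all of the
    # jail's processes have exited; remove it by hand in that case)
    if [ -e "$RUN_DIR/$jid.jid" ]; then
        echo "$RUN_DIR/$jid.jid exists; jail $jid may already be running" >&2
        return 1
    fi
    host_has_ip "$ip" "$(ifconfig)" ||
        { echo "$ip is not configured on any host interface" >&2; return 1; }

    jail_mounts "$root" | while read -r type src dst; do
        # skip anything already mounted so a re-run does not stack mounts
        mount | grep -qF " on $dst " || mount -t "$type" "$src" "$dst"
    done
    [ -e "$root/dev/shm" ] || ln -s /run/shm "$root/dev/"

    mkdir -p "$RUN_DIR"
    jail -J "$RUN_DIR/$jid.jid" -c jid="$jid" \
        name="jail$jid" \
        path="$root" \
        host.hostname="$hostname" \
        ip4.addr="$ip" \
        allow.sysvipc="${ALLOW_SYSVIPC:-0}" \
        command=/bin/sh -- -c "/etc/init.d/rc S && /etc/init.d/rc 2"
}

stop_jail() {
    jid=$1
    root=$JAIL_ROOT/$jid
    # ask init inside the jail to shut down, then remove whatever is left
    jail -m jid="$jid" command=/bin/sh -- -c "/etc/init.d/rc 0" || true
    jail -r "$jid" || true
    rm -f "$root/dev/shm"
    jail_mounts "$root" | reverse_lines | while read -r type src dst; do
        if mount | grep -qF " on $dst "; then umount "$dst"; fi
    done
    rm -f "$RUN_DIR/$jid.jid"
}

case "${1:-}" in
    start) start_jail "${2:?usage: $0 start JID}" ;;
    stop)  stop_jail "${2:?usage: $0 stop JID}" ;;
    *)     echo "usage: $0 start|stop JID" >&2 ;;
esac
```

Run as root with `sh jail.sh start 101` and `sh jail.sh stop 101`. Keeping the mount list in a function is what makes tear-down safe: /dev is unmounted first (after its /dev/shm symlink is removed), and /proc last, the opposite of the order in which they were mounted.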

Squeeze

The libjail package was not distributed with Squeeze. The kernel functionality has existed since FreeBSD 4.x however, so it may work if you can build the necessary userland tools.