JAIL
[FreeBSD]
Mounting ports into the jail environment too
mount_null /usr/ports /home/jail/usr/ports
If you add it to /etc/fstab with noauto, you can maintain ports inside the jail whenever needed.
/usr/ports /home/jail/usr/ports null rw,noauto 0 0
FreeBSD 5.1R jail
Instead of running MAKEDEV jail, specify a devfs ruleset with jail_*_devfs_ruleset.
/etc/rc.conf
jail_enable="YES"
jail_list="jailhost"
jail_set_hostname_allow="NO"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_stop_jailer="NO" # sysutils/jailer
jail_jailhost_rootdir="/path/to/jailhost"
jail_jailhost_hostname="jailhost.example.jp"
jail_jailhost_ip="192.168.HOGE.FUGA"
jail_jailhost_exec="/bin/sh /etc/rc"
jail_jailhost_devfs_enable="YES"
jail_jailhost_fdescfs_enable="NO"
jail_jailhost_procfs_enable="NO"
#jail_jailhost_devfs_ruleset="devfsrules_jail_jailhost"
#jail_jailhost_devfs_ruleset="devfsrules_jail_nologin_jailhost" # nologin devfs
/etc/devfs.rules
[devfsrules_jail_nologin=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
Jail-related commands from 5.1R onward
FreeBSD 4.8R jail
- FreeBSD Jail Software and Docs
- host
cd $jail_dir; ln -sf dev/null $jail_dir/kernel
echo 'jail.set_hostname_allowed=0' >> /etc/sysctl.conf
cp -p /etc/resolv.conf $jail_dir/etc
ln -sf /usr/share/zoneinfo/Asia/Tokyo $jail_dir/etc/localtime
touch $jail_dir/etc/wall_cmos_clock
cat /dev/null > $jail_dir/etc/fstab
echo '#proc '$jail_dir/proc' procfs rw 0 0' >> /etc/fstab
in jail
- ConfigureJailEnvironment
The following steps are done inside the jail environment, either via chroot /home/jail or by ssh into the jail.
- Create empty files and neutralise mount and friends
ln -sf dev/null kernel
touch /etc/fstab
chflags noschg /sbin/init
rm /sbin/init
rm /sbin/mount
rm /sbin/umount
ln /usr/bin/true /sbin/init
ln /usr/bin/true /sbin/mount
ln /usr/bin/true /sbin/umount
- Adjust periodic for the jail
cd /etc
fetch http://memberwebs.com/nielsen/freebsd/jails/docs/4.7/periodic.conf
touch /var/log/wtmp
- Comment out at and the clock adjustment
vi /etc/crontab
(comment out the /usr/libexec/atrun and adjkerntz entries)
- Delete files the jail does not need
cd /
fetch http://memberwebs.com/nielsen/freebsd/jails/docs/jail_remove.txt
chflags noschg /sbin/init /usr/sbin/sliplogin
After removing /mnt and /proc from jail_remove.txt:
cat jail_remove.txt | xargs rm -rf
- /etc/rc.conf
portmap_enable="NO"
network_interfaces=""
inetd_enable="NO"
sendmail_enable="NONE"
sshd_enable="YES"
sshd_flags="-4"
syslogd_flags="-ss"
tcp_keepalive="NO"
tcp_extensions="NO"
Links
- FreeBSD-AT RANDOM: building a jail environment
- Makefile for building a jail/chroot mini tree
- Jail build script published in FreeBSD PRESS
- make installworld for a jail
J=/here/is/jail
cd /usr/src
make installworld DESTDIR=$J
mergemaster -i -D $J -t $J/var/tmp/temproot
cd $J/dev
./MAKEDEV jail
- Troubles with devfs in jail
- Running portaudit against the ports inside a jail from the host environment
- Building a compact jail environment
- ACM Queue - Building Systems to be Shared Securely - Running multiple virtual servers on one machine makes sense, but what happens when not everyone plays nice?
A detailed paper by Poul-Henning Kamp, the author of jail
- Subwiki . Freebsd . JailAdmin
- How to make a working jail
BIND jail mini tree
http://gouketsu.net/simm/d/20021130.html#p01
EXTRAFILES= \
	/usr/lib/libc.so.4 \
	/usr/libexec/ld-elf.so.1
With this set, running makejail.sh also works.
- chroot BIND9
Squid jail
proftpd jail
- Lightweight FTP jail with NAT
CVS server
- Building a CVS server
- CVS pserver with tcpserver and daemontools
isc-dhcpd
- BSDHound How to chroot your existing isc-dhcpd server on freebsd
postfix-current
- Postfix in a FreeBSD jail
Last updated: January 30, 2006, 12:30:39