PC-BSD + Warden + Jails

[nickednamed]

Hi there,

I am new to FreeBSD [hence my choice to use PC-BSD] and I am trying to setup a jail which will run postgresql, apache and OpenERP, and should be available over a small local network.

I am running one PC-BSD "server" wirelessly connected to a router, and we have a dynamic IP from our ISP.

So far I have created the Jail using Warden, I am able to SSH into the jail, but I have not been able to gain internet access from within the jail [and therefore cannot install the software which i need].

After reading the FreeBSD documentation, Warden Wiki, and many other things, I am no closer and i just keep editing and re-editing my rc.conf files [copying lines from the host's rc.conf to the jail's], among other things in the vain hop it will work.

No luck yet.

Could someone point my in the direction of a checklist or something?

What must I add to which files in order to get this done?

[gregober]

I have managed to make It work somehow.
But I still need to make It persistent.

On host system (nothing needs to be done on jail itself)

Edit /etc/sysctl.conf and add the following :

security.jail.sysvipc_allowed=1
kern.ipc.shmall=65536
kern.ipc.shmmax=134217728
kern.ipc.semmap=4096


With your jail started do a "jls" to list your jails
Identify the one that should contain your database and do

jail -m jid="x" allow.sysvipc=1
where x=your_jail_id

then you can start your jail and do :

/usr/local/etc/rc.d/postgresql initdb

If someone can help me to make this persistent through reboot - I'd be very grateful.

[jaxxed]

Doesn't allowing sysvipc kind of defeat the purpose of using jails. At the very least it superfluous just to gain access to the internet.

I haven't tried this to see if it works, but I will do that now.

There is another more intensive method that involves NATing all of the primary Jail IPs. You can still have direct network access by assigning a second range of IPs specifically to each jail.

e.g.

Host:
192.168.0.100
NATs all 10.0.0.0/24 -> 192.168.0.100
Firewall limits: ports 80 to 192.168.0.201,192.168.0.202

Jail: www1
10.0.0.1 -> also uses 192.168.0.201
Jail: www2
10.0.0.2 -> also uses 192.168.0.202
Jail: db1
10.0.0.10 -> also uses 192.168.0.210

Jail: portsjail
10.0.0.20 (no alias)
Jail: portsjail for Skype
10.0.0.21 (no alias)

Jail: debian
10.0.0.30 (no alias)

Some implementations of this approach use a manually created loopback interface specifically for the jails, for even more granular control of the firewall/nat, but then you will have to do more networking. There are example of this approach on the internet

[emosto]

I've just stumbled upon similar issue with TrueOS installation of PC-BSD.

The quickiest way was to edit

/usr/local/share/warden/scripts/backend/startjail.sh

Go to the end of the file. You should see:

Code:

else # If we have a custom start script if [ -e "${JMETADIR}/jail-start" ] ; then sCmd=`cat ${JMETADIR}/jail-start` echo "Starting jail with: ${sCmd}" jexec ${JID} ${sCmd} 2>&1 else echo "Starting jail with: /etc/rc" jexec ${JID} /bin/sh /etc/rc 2>&1 fi fi

Just add this after the else line:

Code:

jail -m jid="${JID}" allow.sysvipc=1

and you will have something like:

Code:

else jail -m jid="${JID}" allow.sysvipc=1 # If we have a custom start script if [ -e "${JMETADIR}/jail-start" ] ; then sCmd=`cat ${JMETADIR}/jail-start` echo "Starting jail with: ${sCmd}" jexec ${JID} ${sCmd} 2>&1 else echo "Starting jail with: /etc/rc" jexec ${JID} /bin/sh /etc/rc 2>&1 fi fi

Save the file. This makes it work on my setup. Hopefully helps you too.

Cheers,
Emil

[gregober]

Ok,


Since yesterday and the new 9.1-RC3 version we are able to do new things with the jail / warden system…*One of the new things is being able to set some variable in the jail environment.

This allows a simple resolution of our problem…*

1. Update the host in order to allow him to have jails with raw sockets

1.a. Edit or create /etc/sysctl.conf and add the following :

Code:

# for postgresql jail security.jail.allow_raw_sockets=1 kern.ipc.shmall=65536 kern.ipc.shmmax=134217728 kern.ipc.semmap=4096

1.b. Reboot the system


2. Create your jail using warden

2.a. Use the newly available "set" flag :

Code:

# warden set flags xxx.yyy.zzz.ttt allow.raw_sockets=true,allow.sysvipc=true

Where x.y.z.t is the IP of your jail.

2.b. Log into the jail, compile / install postgres

Code:

# cd /usr/ports/databases/postgresql # make install clean

and then launch the initdb script :

Code:

# /usr/local/etc/rc.d/postgresql initdb

Verify that everything is ok and running smoothly.

2.c. Add postgres to the rc.conf script of your jail :

Code:

postgresql_enable="YES"

And that's It !