#1
Old 02-25-2012, 06:49 PM
nickednamed
Junior Member
 
Join Date: Feb 2012
PC-BSD + Warden + Jails
Hi there,

I am new to FreeBSD [hence my choice to use PC-BSD] and I am trying to set up a jail which will run postgresql, apache and OpenERP, and should be available over a small local network.

I am running one PC-BSD "server" wirelessly connected to a router, and we have a dynamic IP from our ISP.

So far I have created the Jail using Warden, I am able to SSH into the jail, but I have not been able to gain internet access from within the jail [and therefore cannot install the software which I need].

After reading the FreeBSD documentation, Warden Wiki, and many other things, I am no closer and I just keep editing and re-editing my rc.conf files [copying lines from the host's rc.conf to the jail's], among other things, in the vain hope it will work.

No luck yet.

Could someone point me in the direction of a checklist or something?

What must I add to which files in order to get this done?
#2
Old 10-30-2012, 11:42 PM
gregober
Junior Member
 
Join Date: Oct 2012
Location: Paris
I have managed to make it work somehow.
But I still need to make it persistent.

On the host system (nothing needs to be done in the jail itself):

Edit /etc/sysctl.conf and add the following:

security.jail.sysvipc_allowed=1
kern.ipc.shmall=65536
kern.ipc.shmmax=134217728
kern.ipc.semmap=4096


With your jail started do a "jls" to list your jails
Identify the one that should contain your database and do

jail -m jid="x" allow.sysvipc=1
where x=your_jail_id

then you can start your jail and do:

/usr/local/etc/rc.d/postgresql initdb

If someone can help me to make this persistent through reboot - I'd be very grateful.

#3
Old 11-06-2012, 03:41 PM
jaxxed
Member
 
Join Date: Jul 2012
Doesn't allowing sysvipc kind of defeat the purpose of using jails? At the very least it is superfluous just to gain access to the internet.

I haven't tried this to see if it works, but I will do that now.

There is another more intensive method that involves NATing all of the primary Jail IPs. You can still have direct network access by assigning a second range of IPs specifically to each jail.

e.g.

Host:
192.168.0.100
NATs all 10.0.0.0/24 -> 192.168.0.100
Firewall limits: ports 80 to 192.168.0.201,192.168.0.202

Jail: www1
10.0.0.1 -> also uses 192.168.0.201
Jail: www2
10.0.0.2 -> also uses 192.168.0.202
Jail: db1
10.0.0.10 -> also uses 192.168.0.210

Jail: portsjail
10.0.0.20 (no alias)
Jail: portsjail for Skype
10.0.0.21 (no alias)

Jail: debian
10.0.0.30 (no alias)

Some implementations of this approach use a manually created loopback interface specifically for the jails, for even more granular control of the firewall/NAT, but then you will have to do more networking. There are examples of this approach on the internet.
#4
Old 11-09-2012, 09:11 AM
emosto
Junior Member
 
Join Date: Nov 2012
I've just stumbled upon a similar issue with the TrueOS installation of PC-BSD.

The quickest way was to edit

/usr/local/share/warden/scripts/backend/startjail.sh

Go to the end of the file. You should see:

Code:
else
  # If we have a custom start script
  if [ -e "${JMETADIR}/jail-start" ] ; then
    sCmd=`cat ${JMETADIR}/jail-start`
    echo "Starting jail with: ${sCmd}"
    jexec ${JID} ${sCmd} 2>&1
  else
    echo "Starting jail with: /etc/rc"
    jexec ${JID} /bin/sh /etc/rc 2>&1
  fi
fi

Just add this after the else line:
Code:
  jail -m jid="${JID}" allow.sysvipc=1
and you will have something like:

Code:
else
  jail -m jid="${JID}" allow.sysvipc=1
  # If we have a custom start script
  if [ -e "${JMETADIR}/jail-start" ] ; then
    sCmd=`cat ${JMETADIR}/jail-start`
    echo "Starting jail with: ${sCmd}"
    jexec ${JID} ${sCmd} 2>&1
  else
    echo "Starting jail with: /etc/rc"
    jexec ${JID} /bin/sh /etc/rc 2>&1
  fi
fi
Save the file. This makes it work on my setup. Hopefully helps you too.

Cheers,
Emil
#5
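An added example, not from emosto's post or the Warden project: a small sh script that applies the edit above to startjail.sh idempotently (re-running it never inserts the line twice) and keeps a backup. It assumes the file's closing block begins with a top-level `else` at column 0, exactly as in the quoted snippet; note that, like the manual edit, it grants allow.sysvipc to every jail Warden starts, not only the database jail.

```shell
#!/bin/sh
# Added example (not from the thread or Warden): apply emosto's startjail.sh
# edit idempotently, with a .orig backup of the untouched file.
# Assumption: the final block of the script starts with "else" at column 0.
# Caveat: allow.sysvipc is then granted to every jail Warden starts; on 9.1+
# "warden set flags" (next post) scopes it to a single jail instead.

SYSVIPC_LINE='  jail -m jid="${JID}" allow.sysvipc=1'

# Number of times the allow.sysvipc line already occurs in the file (0 if absent).
count_sysvipc() {
  grep -c 'allow\.sysvipc=1' "$1" || true
}

# Insert SYSVIPC_LINE right after the first column-0 "else" line.
# A second run is a no-op because the line is detected as already present.
patch_startjail() {
  f="$1"
  if [ "$(count_sysvipc "$f")" != "0" ]; then
    echo "$f: allow.sysvipc already present, nothing to do"
    return 0
  fi
  [ -e "$f.orig" ] || cp "$f" "$f.orig"
  tmp="$f.tmp.$$"
  awk -v line="$SYSVIPC_LINE" '
    { print }
    !done && $0 == "else" { print line; done = 1 }
  ' "$f" > "$tmp" && mv "$tmp" "$f"
  echo "$f: inserted allow.sysvipc after top-level else (backup: $f.orig)"
}

# Usage: sh patch_startjail.sh --apply [path-to-startjail.sh]
if [ "${1:-}" = "--apply" ]; then
  patch_startjail "${2:-/usr/local/share/warden/scripts/backend/startjail.sh}"
fi
```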
Old 11-19-2012, 11:16 AM
gregober
Junior Member
 
Join Date: Oct 2012
Location: Paris
[Solved] PC-BSD + Warden + Jails
Ok,

Since yesterday and the new 9.1-RC3 version we are able to do new things with the jail / warden system. One of the new things is being able to set some variables in the jail environment.

This allows a simple resolution of our problem.

1. Update the host in order to allow it to have jails with raw sockets

1.a. Edit or create /etc/sysctl.conf and add the following:

Code:
# for postgresql jail
security.jail.allow_raw_sockets=1
kern.ipc.shmall=65536
kern.ipc.shmmax=134217728
kern.ipc.semmap=4096
1.b. Reboot the system


2. Create your jail using warden

2.a. Use the newly available "set" flag:

Code:
# warden set flags xxx.yyy.zzz.ttt allow.raw_sockets=true,allow.sysvipc=true
Where xxx.yyy.zzz.ttt is the IP of your jail.

2.b. Log into the jail, compile / install postgres

Code:
# cd /usr/ports/databases/postgresql
# make install clean
and then launch the initdb script:

Code:
# /usr/local/etc/rc.d/postgresql initdb
Verify that everything is ok and running smoothly.

2.c. Add postgres to the rc.conf script of your jail:

Code:
postgresql_enable="YES"

And that's it!
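An added example, not gregober's code or the PC-BSD project's: a sh checklist (answering the original poster's request for one) that compares the host's /etc/sysctl.conf against the four settings in step 1.a, tolerating comment lines and `key = value` spacing, and returns the number of missing or mismatched entries. The file path and the wanted values are taken from the post; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a host sysctl.conf carries
# the settings from step 1.a. Reports each problem and returns their count.

# Wanted key=value pairs, exactly as listed in the post.
WANTED='security.jail.allow_raw_sockets=1
kern.ipc.shmall=65536
kern.ipc.shmmax=134217728
kern.ipc.semmap=4096'

# Print the value a sysctl.conf sets for a key (the last occurrence wins, as
# sysctl(8) applies the file top to bottom); print nothing if the key is absent.
sysctl_conf_get() {
  awk -F= -v key="$2" '
    /^[[:space:]]*#/ { next }                                 # comment line
    { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
    k == key { val = v; found = 1 }
    END { if (found) print val }
  ' "$1"
}

# Check every WANTED entry against the file; return value = number of problems.
check_sysctl_conf() {
  problems=0
  for entry in $WANTED; do
    key=${entry%%=*}
    want=${entry#*=}
    have=$(sysctl_conf_get "$1" "$key")
    if [ -z "$have" ]; then
      echo "MISSING  $key (want $want)"
      problems=$((problems + 1))
    elif [ "$have" != "$want" ]; then
      echo "MISMATCH $key=$have (want $want)"
      problems=$((problems + 1))
    else
      echo "OK       $key=$have"
    fi
  done
  return $problems
}

# Usage: sh check_sysctl.sh [file]   (defaults to the host's /etc/sysctl.conf)
if [ -n "${1:-}" ]; then
  check_sysctl_conf "$1"
fi
```

The file only tells you what will be applied at the reboot in step 1.b; `sysctl -n <key>` on the host shows the value that is live right now.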