I’m installing a jail on a freshly upgraded DragonFly BSD 2.13-DEVELOPMENT box. There’s instructions in the DragonFly manual, and on the Web site. They’re fine as far as they go, but to make the jail truly useful you need to do a little more.
Before starting, decide some important facts about your jail.
My jail hostname will be mwltest4, on the IP 192.0.2.9, in the directory /jail/mwltest4.
A jail requires exclusive use of a single IP address. That IP must be bound to the server as an alias. Make an appropriate alias entry in /etc/rc.conf. Note that an alias needs an all-ones netmask. While we’re there, enable jails and tell the host server that we’re building the jail mwltest4.
ifconfig_em0_alias0="inet 192.0.2.9 netmask 255.255.255.255"
jail_enable="YES"
jail_list="mwltest4"
rc.conf also needs entries for each jail, so that the various jail management utilities can find and configure the jail.
jail_mwltest4_rootdir="/jail/mwltest4"
jail_mwltest4_hostname="mwltest4"
jail_mwltest4_ip="192.0.2.9"
Start by seeing what network ports your server listens on. I’ve removed all of the entries with remote addresses, because those are live network sessions; I’m only interested in what ports the server is listening on.
# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
...
root sendmail 670 4 tcp4 127.0.0.1:25 *:*
root sshd 656 5 tcp4 *:22 *:*
Any entry where the local address is an asterisk followed by a colon and a port number will be a problem. We need to bind those daemons to the server’s main IP address. In this example, the only problem daemon is SSH. Bind SSH to a single IP address with a ListenAddress directive in /etc/ssh/sshd_config.
ListenAddress 192.0.2.8
Run /etc/rc.d/sshd restart, and sshd will bind only to the specified IP.
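As an added example (not from the original post), here is a small shell check that parses sockstat -4 output and lists every daemon bound to the wildcard address, i.e. the entries the post says must be rebound before the jail's IP is free. The sample sockstat output is constructed, and check_host is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not from the original post: flag daemons that listen on
# every address ("*:port" in `sockstat -4`), since a jail needs its IP left
# free. The sample output below is constructed to resemble sockstat's format.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   670   4  tcp4   127.0.0.1:25          *:*
root     sshd       656   5  tcp4   *:22                  *:*
bind     named      601   20 udp4   *:53                  *:*
mwlucas  sshd       812   3  tcp4   192.0.2.8:22          198.51.100.7:40122'

# wildcard_listeners: read `sockstat -4` output on stdin and print
# "COMMAND PORT" for each listening socket bound to the wildcard address.
# Fields: USER COMMAND PID FD PROTO LOCAL FOREIGN.  Rows with a real foreign
# address are live sessions, not listeners, so they are ignored; the header
# line is skipped.
wildcard_listeners() {
    awk 'NR > 1 && $7 == "*:*" && $6 ~ /^\*:[0-9]+$/ {
             split($6, a, ":"); print $2, a[2]
         }'
}

# check_host (hypothetical wrapper): run the check against the live host.
check_host() {
    sockstat -4 | wildcard_listeners
}

# Demo against the constructed sample: reports sshd on 22 and named on 53,
# while sendmail (loopback only) and the established session are skipped.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

Each daemon it reports needs a ListenAddress-style directive (or its equivalent) pinning it to the host's own IP before the jail starts.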
I want my jails on their own filesystem, so I create a new HAMMER PFS and a directory for this particular jail.
# mkdir /jail/mwltest4
# hammer pfs-master /jail
Creating PFS #9 succeeded!
/jail
sync-beg-tid=0x0000000000000001
sync-end-tid=0x00000001068ea510
shared-uuid=34cc9fbe-ffc2-11e0-9527-010c29ce51d2
unique-uuid=34cc9fdd-ffc2-11e0-9527-010c29ce51d2
label=""
prune-min=00:00:00
operating as a MASTER
snapshots directory defaults to /var/hammer/
Now install the userland, exactly as per the jail instructions.
# setenv D /jail/mwltest4
# cd /usr/src/
# make installworld DESTDIR=$D
Go get more caffeine. By the time you return you should see:
===> etc
===> etc/sendmail
install -o root -g wheel -m 644 /usr/src/Makefile_upgrade.inc /jail/mwltest4/etc/upgrade/
#
It finished successfully. Now install /etc.
# cd etc/
# make distribution DESTDIR=$D -DNO_MAKEDEV_RUN
Now mount a device filesystem for the jail.
# cd $D
# ln -sf dev/null kernel
# mount_devfs $D/dev
Edit /etc/fstab to have the host mount the jail devfs whenever the system starts.
devfs /jail/mwltest4/dev devfs rw 0 0
Our jail should be ready. Start it in single-user mode.
# jail /jail/mwltest4/ mwltest4 127.0.0.1,192.0.2.9 /bin/sh
# uname -a
DragonFly mwltest4 2.13-DEVELOPMENT DragonFly v2.13.0.49.gf6ce8-DEVELOPMENT #0: Tue Oct 18 10:51:40 EDT 2011 mwlucas@mwltest2.blackhelicopters.org:/usr/obj/usr/src/sys/GENERIC i386
#
Before starting your jail in multiuser mode
As I use LDAP for central account administration, but the jail isn’t yet LDAPilated, I manually set my new user ID to be identical to that on the host, and I add that account to the wheel group. Also modify /etc/ssh/sshd_config to listen only to the jail’s IP address. (While this isn’t strictly necessary, it will simplify managing the host server.)
On the host, with my unprivileged account, I run:
$ cp -rp .ssh /jail/mwltest4/usr/home/mwlucas/
$ cp .cshrc /jail/mwltest4/usr/home/mwlucas/
My jail account now has my authorized_keys file and my SSH configuration, with correct permissions, along with my preferred shell environment.
Start the jail in multiuser mode:
# /etc/rc.d/jail start mwltest4
Configuring jails:.
Starting jails: mwltest4.
#
I can now SSH to the jail, become root, and install pkgsrc.
# cd /usr/src
# make pkgsrc-create
If problems occur you may have to rm -rf pkgsrc and try again.
mkdir -p /usr/pkgsrc
cd /usr/pkgsrc && git init
git: not found
*** Error code 127
Stop in /usr.
Crap. The DragonFly installer installs git as a package as part of the OS install. git is used to fetch pkgsrc, and you use pkgsrc to install git. How can we bootstrap git? pkg_radd lets you install remote packages, but it is built on pkg_add, which is part of pkgsrc.
Find an FTP server (or mount an ISO) with a version of the scmgit package that runs on your host server. I wound up getting the scmgit-base-1.7.4.1 package from the 2011Q1 pkgsrc. This is the same package that was originally installed on my DragonFly machine, and it still runs on the DragonFly version installed on this host, so it should be okay.
# pkg_add -f -P /jail/mwltest4/ ftp://ftp.allbsd.org/pub/DragonFly/packages/i386/DragonFly-2.10/pkgsrc-2011Q1/devel/scmgit-base-1.7.4.1.tgz
pkg_add: Warning: package `scmgit-base-1.7.4.1' was built for a platform:
pkg_add: DragonFly/i386 2.10.0 (pkg) vs. DragonFly/i386 2.13 (this host)
pkg_add: Warning: package `p5-Error-0.17016nb1' was built for a platform:
pkg_add: DragonFly/i386 2.10.0 (pkg) vs. DragonFly/i386 2.13 (this host)
...
You’ll see many more warnings. The package wants to install Tk and Python, but those packages are not available on this particular FTP server. The -f flag means “go ahead and install even if some dependencies are missing.” I use -P to give the package a new installation root, my jail’s root directory.
Do I like these errors? No. But if I can install a working git, I can install pkgsrc and build a current package with all the dependencies. Log back into the jail and see if it works.
# cd /usr
# make pkgsrc-create
If problems occur you may have to rm -rf pkgsrc and try again.
mkdir -p /usr/pkgsrc
cd /usr/pkgsrc && git init
warning: templates not found /usr/pkg/share/git-core/templates
Initialized empty Git repository in /usr/pkgsrc/.git/
...
Wait a while, and you’ll have a working pkgsrc tree. From here, you can bootstrap pkgsrc:
# cd /usr/pkgsrc/bootstrap
# ./bootstrap
# ./cleanup
This gets you /usr/pkg/sbin/pkg_add.
At this point, I consider my jail complete. While it doesn’t have all the third-party programs I need, I can now easily install them from within the jail, either from pkgsrc or with pkg_radd.
If you’re running 2.13, you may encounter some crashing; the last bits of the giant lock around the VM system are being unraveled.
Oh, and you could look at vkernels too, instead of jails, though vkernels are aimed more at development than resource separation.
I believe DragonFly has nullfs support, so you can simply mount the /usr/pkgsrc and distfiles directories from the host system into the jail.
Have you tried a jail-management utility like ezjail yet (I certainly understand doing it “the hard way” at least once)? I’d think they would work the same as on FreeBSD, but am not sure.
Not yet. Once I’ve done this a few times, to get all the education I can out of it, I’ll check them out. Assuming I need more jails, that is.
nullfs works if you want the same pkgsrc version on all hosts, and want to keep them in lockstep throughout the application’s lifetime.
That’s not true in some cases. I often use jails and VMs to isolate userland software requirements, so I can upgrade a database without upgrading, say, the Web server.
Hi Michael,
You can setup devfs mounts for the jails directly in the rc.conf of the machine hosting them. See below an excerpt of /etc/defaults/rc.conf:
[…]
#jail_example_procfs_enable="NO" # mount procfs in jail
#jail_example_devfs_enable="NO" # mount devfs in jail
#jail_example_mount_enable="NO" # mount/umount jail's fs
[…]
Cheers,
Antonio Huete
Good to know, thanks