Warning: XXX: Work in progress, please do not FOLLOW not yet completed. This document will describe the setup of jail(8) and how-to configure all applications to work properly within a jail(8). It has the following design criteria/assumptions: * file:/usr/ports is shared throughout all installations (so are all the configuration for the ports then) and every system build all ports himself. * The sample jail is called {{{pzwet}}} and is located in file:/usr/jail/pzwet and has IP {{{178.63.108.109}}} assigned to it. * All services dependencies are within their own jail, so I can start and stop jails without affecting the others. * My sendmail setup has spam filtering --powered by file:mail/spamass-milter-- support for ''incoming'' email only. * I do not list all the dependencies to be installed, but only the 'meta' port services I like to have running on the system. * Keep the list of installed packages as small as possible. As least X11 as possible. Important: Your jail server should not run ''any'' public facing services which does 'wildcard' binding to IP addresses, else it will 'claim' the service before your jail can take it. Tip: Jails does '''NOT''' have a local loopback device, so you will need to use UNIX sockets on places you would normally use the loopback address. Tip: Make sure your port directory is clean before start. Run {{{#!sh find /usr/ports/ -mindepth 3 -maxdepth 3 -type d -name work | rev | cut -c 5- | rev | xargs -n 1 -I % make -C % clean}}} if you are not sure. First make sure to install the jail using the [http://www.freebsd.org/doc/handbook/jails.html method in the handbook] {{{#!sh pzwet# cat <> /etc/rc.conf # # Base Services sshd_enable="YES" syslogd_flags="-ss" sendmail_enable="YES" # saving entropy bits is not useful within jails, as your host will do handle this. entropy_dir="NO" # Get some jitter in your cron runs to make sure the does not all run at time same time. # Do NOT use if you rely on having your process to start at 'exact' that time. cron_flags="-J10" # # Port Services spamass_milter_enable="YES" spamass_milter_localflags="-i 178.63.108.109,0.0.0.0 -r -1 -- -U /var/run/spamd.sock" spamd_enable="YES" spamd_flags="--socketpath=/var/run/spamd.sock --nouser-config --username=nobody" mysql_enable="YES" mysql_args="--skip-networking" apache22_enable="YES" EOF }}} Install the ports: pzwet# make -C /usr/ports/security/sudo WITH_INSULTS=yes BATCH=yes install clean pzwet# make -C /usr/ports/devel/subversion WITH_MOD_DAV_SVN=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/ports-mgmt/portaudit BATCH=yes install clean; /usr/local/sbin/portaudit -Fda pzwet# make -C /usr/ports/editors/vim-lite BATCH=yes install clean pzwet# make -C /usr/ports/mail/spamass-milter BATCH=yes install clean pzwet# make -C /usr/ports/sysutils/screen BATCH=yes install clean pzwet# make -C /usr/ports/databases/mysql51-server BATCH=yes install clean pzwet# make -C /usr/ports/www/drupal6 WITHOUT_X11=yes APACHE_VERSION=22 BATCH=yes install clean Create a User Accounts and set Passwords, please replace with your own detail of course: pzwet# passwd root pzwet# pw user add -m -w random -G wheel -c 'Rick van der Zwet' -n rvdzwet All all members of group will to do sudo powers: pzwet# sed -i '' 's+# %wheel ALL=(ALL) ALL+%wheel ALL=(ALL) ALL+' /usr/local/etc/sudoers; visudo -c Update port INDEX tree and report on pending upgrades every Saturday: pzwet# echo '0 3 * * sat root /usr/sbin/portsnap -I cron update && /usr/sbin/pkg_version -vIL=' >> /etc/crontab === Highly experimental HACK to automatically execute all commands in this page === {{{#!sh ( awk '/<