|Version 15 (modified by 12 years ago) ( diff ),|
Warning: XXX: Work in progress, please do not FOLLOW not yet completed.
This document will describe the setup of jail(8) and how-to configure all applications to work properly within a jail(8). It has the following design criteria/assumptions:
- file:/usr/ports is shared throughout all installations (so are all the configuration for the ports then) and every system build all ports himself.
- The sample jail is called
pzwetand is located in file:/usr/jail/pzwet and has IP
220.127.116.11assigned to it.
- All services dependencies are within their own jail, so I can start and stop jails without affecting the others.
- My sendmail setup has spam filtering --powered by file:mail/spamass-milter-- support for incoming email only.
- I do not list all the dependencies to be installed, but only the 'meta' port services I like to have running on the system.
Important: Your jail server should not run any public facing services which does 'wildcard' binding to IP addresses, else it will 'claim' the service before your jail can take it. Tip: Jails does NOT have a local loopback device, so you will need to use UNIX sockets on places you would normally use the loopback address.
First make sure to install the jail using the method in the handbook
pzwet# cat <<EOF >> /etc/rc.conf # # Base Services sshd_enable="YES" syslogd_flags="-ss" sendmail_enable="YES" # saving entropy bits is not useful within jails, as your host will do handle this. entropy_dir="NO" # Get some jitter in your cron runs to make sure the does not all run at time same time. # Do NOT use if you rely on having your process to start at 'exact' that time. cron_flags="-J10" # # Port Services spamass_milter_enable="YES" spamass_milter_localflags="-i 18.104.22.168,0.0.0.0 -r -1 -- -U /var/run/spamd.sock" spamd_enable="YES" spamd_flags="--socketpath=/var/run/spamd.sock --nouser-config --username=nobody" EOF
pzwet# make -C /usr/ports/security/sudo WITH_INSULTS=yes BATCH=yes install clean pzwet# make -C /usr/ports/devel/subversion WITH_MOD_DAV_SVN=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/ports-mgmt/portaudit BATCH=yes install clean; /usr/local/sbin/portaudit -Fda pzwet# make -C /usr/ports/editors/vim-lite BATCH=yes install clean pzwet# make -C /usr/ports/mail/spamass-milter BATCH=yes install clean pzwet# make -C /usr/ports/sysutils/screen BATCH=yes install clean
Update port INDEX tree and report on pending upgrades every Saturday: pzwet# echo '0 3 * * sat root /usr/sbin/portsnap -I cron update && /usr/sbin/pkg_version -vIL=' >> /etc/crontab