Version 35 (modified by 14 years ago) ( diff ) | ,
---|
Warning: XXX: Work in progress, please do not FOLLOW not yet completed.
This document will describe the setup of jail(8) and how-to configure all applications to work properly within a jail(8). It has the following design criteria/assumptions:
- file:/usr/ports is shared throughout all installations (so are all the configuration for the ports then) and every system build all ports himself.
- The sample jail is called
pzwet
and is located in file:/usr/jail/pzwet and has IP178.63.108.109
assigned to it. - All services dependencies are within their own jail, so I can start and stop jails without affecting the others.
- My sendmail setup has spam filtering --powered by file:mail/spamass-milter-- support for incoming email only.
- I do not list all the dependencies to be installed, but only the 'meta' port services I like to have running on the system.
- Keep the list of installed packages as small as possible. As least X11 as possible.
Important: Your jail server should not run any public facing services which does 'wildcard' binding to IP addresses, else it will 'claim' the service before your jail can take it.
Tip: Jails does NOT have a local loopback device, so you will need to use UNIX sockets on places you would normally use the loopback address.
Tip: Make sure your port directory is clean before start. Run find /usr/ports/ -mindepth 3 -maxdepth 3 -type d -name work | rev | cut -c 5- | rev | xargs -n 1 -I % make -C % clean
if you are not sure.
First make sure to install the jail using the method in the handbook
pzwet# cat <<EOF >> /etc/rc.conf # # Base Services sshd_enable="YES" syslogd_flags="-ss" sendmail_enable="YES" # saving entropy bits is not useful within jails, as your host will do handle this. entropy_dir="NO" # Get some jitter in your cron runs to make sure the does not all run at time same time. # Do NOT use if you rely on having your process to start at 'exact' that time. cron_flags="-J10" # # Port Services spamass_milter_enable="YES" spamass_milter_localflags="-i 178.63.108.109,0.0.0.0 -r -1 -- -U /var/run/spamd.sock" spamd_enable="YES" spamd_flags="--socketpath=/var/run/spamd.sock --nouser-config --username=nobody" mysql_enable="YES" mysql_args="--skip-networking" apache22_enable="YES" EOF
Install the ports: pzwet# make -C /usr/ports/security/sudo WITH_INSULTS=yes BATCH=yes install clean pzwet# make -C /usr/ports/devel/subversion WITH_MOD_DAV_SVN=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/ports-mgmt/portaudit BATCH=yes install clean; /usr/local/sbin/portaudit -Fda pzwet# make -C /usr/ports/editors/vim-lite BATCH=yes install clean pzwet# make -C /usr/ports/mail/spamass-milter BATCH=yes install clean pzwet# make -C /usr/ports/sysutils/screen BATCH=yes install clean pzwet# make -C /usr/ports/databases/mysql51-server BATCH=yes install clean pzwet# make -C /usr/ports/www/drupal6 WITHOUT_X11=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/mail/mailman WITH_SENDMAIL=yes BATCH=yes install clean pzwet# make -C /usr/ports/www/trac BATCH=yes install clean Create a User Accounts and set Passwords, please replace with your own detail of course: pzwet# passwd root pzwet# pw user add -m -w random -G wheel -c 'Rick van der Zwet' -n rvdzwet
All all members of group will to do sudo powers: pzwet# sed -i 's+# %wheel ALL=(ALL) ALL+%wheel ALL=(ALL) ALL+' /usr/local/etc/sudoers; visudo -c
Update port INDEX tree and report on pending upgrades every Saturday: pzwet# echo '0 3 * * sat root /usr/sbin/portsnap -I cron update && /usr/sbin/pkg_version -vIL=' >> /etc/crontab
Highly experimental HACK to automatically execute all commands in this page
( awk '/<<EOF/,/^EOF/ {print NR " " $0}' foo.txt; awk '/^pzwet#/ {print NR " " $0}' foo.txt ) |\ sort -nu | cut -d " " -f 2- | sed 's/^[a-zA-Z0-9]*# //g'