Version 35 (modified by Rick van der Zwet, 13 years ago) ( diff )


Warning: XXX: Work in progress, please do not FOLLOW not yet completed.

This document will describe the setup of jail(8) and how-to configure all applications to work properly within a jail(8). It has the following design criteria/assumptions:

  • file:/usr/ports is shared throughout all installations (so are all the configuration for the ports then) and every system build all ports himself.
  • The sample jail is called pzwet and is located in file:/usr/jail/pzwet and has IP assigned to it.
  • All services dependencies are within their own jail, so I can start and stop jails without affecting the others.
  • My sendmail setup has spam filtering --powered by file:mail/spamass-milter-- support for incoming email only.
  • I do not list all the dependencies to be installed, but only the 'meta' port services I like to have running on the system.
  • Keep the list of installed packages as small as possible. As least X11 as possible.

Important: Your jail server should not run any public facing services which does 'wildcard' binding to IP addresses, else it will 'claim' the service before your jail can take it. Tip: Jails does NOT have a local loopback device, so you will need to use UNIX sockets on places you would normally use the loopback address. Tip: Make sure your port directory is clean before start. Run find /usr/ports/ -mindepth 3 -maxdepth 3 -type d -name work | rev | cut -c 5- | rev | xargs -n 1 -I % make -C % clean if you are not sure. First make sure to install the jail using the method in the handbook

pzwet# cat <<EOF >> /etc/rc.conf
# Base Services


# saving entropy bits is not useful within jails, as your host will do handle this.
# Get some jitter in your cron runs to make sure the does not all run at time same time. 
# Do NOT use if you rely on having your process to start at 'exact' that time.

# Port Services
spamass_milter_localflags="-i, -r -1 -- -U /var/run/spamd.sock"

spamd_flags="--socketpath=/var/run/spamd.sock --nouser-config --username=nobody"



Install the ports: pzwet# make -C /usr/ports/security/sudo WITH_INSULTS=yes BATCH=yes install clean pzwet# make -C /usr/ports/devel/subversion WITH_MOD_DAV_SVN=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/ports-mgmt/portaudit BATCH=yes install clean; /usr/local/sbin/portaudit -Fda pzwet# make -C /usr/ports/editors/vim-lite BATCH=yes install clean pzwet# make -C /usr/ports/mail/spamass-milter BATCH=yes install clean pzwet# make -C /usr/ports/sysutils/screen BATCH=yes install clean pzwet# make -C /usr/ports/databases/mysql51-server BATCH=yes install clean pzwet# make -C /usr/ports/www/drupal6 WITHOUT_X11=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/mail/mailman WITH_SENDMAIL=yes BATCH=yes install clean pzwet# make -C /usr/ports/www/trac BATCH=yes install clean Create a User Accounts and set Passwords, please replace with your own detail of course: pzwet# passwd root pzwet# pw user add -m -w random -G wheel -c 'Rick van der Zwet' -n rvdzwet

All all members of group will to do sudo powers: pzwet# sed -i 's+# %wheel ALL=(ALL) ALL+%wheel ALL=(ALL) ALL+' /usr/local/etc/sudoers; visudo -c

Update port INDEX tree and report on pending upgrades every Saturday: pzwet# echo '0 3 * * sat root /usr/sbin/portsnap -I cron update && /usr/sbin/pkg_version -vIL=' >> /etc/crontab

Highly experimental HACK to automatically execute all commands in this page

 ( awk '/<<EOF/,/^EOF/ {print NR " " $0}' foo.txt; awk '/^pzwet#/ {print NR " " $0}' foo.txt ) |\
   sort -nu | cut -d " " -f 2- | sed 's/^[a-zA-Z0-9]*# //g'
Note: See TracWiki for help on using the wiki.