Thread: Jail How To:
Posted by sharris, 15th May 2011

Maybe common sense is not working for me.

So I RTWM and I tried to do it by the book but it did not work. I keep screwing up maybe, so today, I did my 5th re-install. I should have followed this old link (March 6th, 2010) that keeps coming up from the dead from the start, but I saw no build-this, merge-that before you go to the jail section, like in the handbook, but nowhere in the handbook indicated the short-cut to do jail. Seems that those links were the short-cut all along, but I read RTWM on other links.

http://forums.freebsd.org/showthread.php?t=12022

This is only FreeBSD 9.0-current and this is for jail only. Do I need to complete every single step in the entire makeworld section? I guess not. Anyway, (January 31st, 2011) came the Noodle, deep-down in link with the rest of the story:

http://www.freebsd.org/doc/handbook/makeworld.html
Code:
# cd /usr/src
# make buildworld ... << I stop here this time. goodies sitting in obj
# make buildkernel
# make installkernel
# shutdown -r now.
# etc ...
# etc ...


Just in case the Noodle instructions are incomplete as I always wonder about others I saw, I go straight to the jail section of the handbook. This part tells me to do this among many other things, again. So this time I only added to the mroot directory what the Noodle said in the 10th post, a year too late.

http://www.freebsd.org/doc/handbook/...plication.html
Code:
# mkdir /j /j/mroot
# cd /usr/src
# make installworld DESTDIR=/j/mroot SRCCONF=/root/src.conf.internetz

IT'S COMPILING !!! So this is how it's supposed to be done ... Right? If so, now even noobs like me know not to expect the handbook to show every possible thing.

You saved my sanity and my world, Mr. Noodle.

Anyway, with the perfectly (I think) modified src.conf.internetz file (at bottom) I got my first error being bind9 related:

Code:
install -C -o root -g wheel -m 444   libz.a /j/mroot/usr/lib
install -s -o root -g wheel -m 444     libz.so.6 /j/mroot/lib
ln -fs /lib/libz.so.6  /j/mroot/usr/lib/libz.so
install -C -o root -g wheel -m 444  /usr/src/lib/libz/zconf.h /usr/src/lib/libz/zlib.h /j/mroot/usr/include
===> lib/bind (install)
===> lib/bind/bind9 (install)
install -C -o root -g wheel -m 444   libbind9.a /j/mroot/usr/lib
install -s -o root -g wheel -m 444     libbind9.so.50 /j/mroot/usr/lib
install: libbind9.so.50: No such file or directory
*** Error code 71

Stop in /usr/src/lib/bind/bind9.
*** Error code 1

Stop in /usr/src/lib/bind.
*** Error code 1

Stop in /usr/src/lib.
*** Error code 1

Stop in /usr/src.
*** Error code 1

What does this mean? What is the cause of the problem? Everything in the src.conf seems perfect. I did nothing wrong to it. How do I solve this problem?


One more thing I noticed ... maybe this is the way it's supposed to work but it's very strange to me. The new world is in /usr/obj but make installworld is still pointing to /usr/src during run-time, from command-line.

I lost lots of time for nothing and am now very close to seeing how jail works. Would someone of experience show me how to get this thing going? In return, other than helping you someday, I'll be in position today to reserve a cell for you in this prison, rent free .. for life.

Who could ask for more.

Thanks





PS: Can this be fixed or more added until the jail is so small it goes unnoticed, space-wise?

Code:
#  Apache Jail Config-1                         05/14/2011
#  -------------------------------------------------------

# source:  http://forums.freebsd.org/showthread.php?t=12022
#          March 6th, 2010 by klabacita
#
# based on nbari*, vivek and SirDice threads.
# I combined all. Hope to include more/remove wrong type
# entries for each type server at smallest possible config:
# apache-2.2.17_2.tbz
# cherokee-1.2.2.tbz
# mysql-server-5.5.11.tbz
# racoon2-20100526a_1.tbz

# jail for a apache-server only ... COMBO-1:

WITHOUT_ACCT="YES"
WITHOUT_ACPI="YES"            # do not build acpiconf(8) and related programs
WITHOUT_AMD="YES"
WITHOUT_APM="YES"
WITHOUT_ASSERT_DEBUG="YES"
WITHOUT_AT="YES"
WITHOUT_ATM="YES"             # do not build ATM related programs and libraries
WITHOUT_AUDIT="YES"
WITHOUT_AUTHPF="YES"          # do not build and install authpf (setuid/gid)

WITHOUT_BIND_DNSSEC="YES"     # Do not build dnssec-keygen, dnssec-signzone
WITHOUT_BIND_ETC="YES"        # Do not install files to /etc/namedb
WITHOUT_BIND_LIBS_LWRES="YES" # Do not install the lwres library
WITHOUT_BIND_MTREE="YES"      # Do not run mtree to create chroot directories
WITHOUT_BIND_NAMED="YES"      # Do not build named, rndc, lwresd, etc.
#WITHOUT_BIND_UTILS=        # Do not build dig, host, nslookup, nsupdate - vivek
WITH_BIND_LIBS=             # Install the BIND libs and include files - vivek

##WITHOUT_BIND="YES"         # Do not build any part of BIND (by SirDice)
##WITHOUT_BIND_DNSSEC="YES"  # no dnssec-keygen, dnssec-signzone (by SirDice)
#WITHOUT_BIND_ETC="YES"     # Do not install files to /etc/namedb (by SirDice)
##  #WITHOUT_BIND_LIBS_LWRES="YES" # no install the lwres library (blank by SirDice)
##WITHOUT_BIND_MTREE="YES"   # Do not run mtree to create chroot directories (SD)
##WITHOUT_BIND_NAMED="YES"   # Do not build named, rndc, lwresd, etc. (by SirDice)


WITHOUT_BLUETOOTH="YES"       # do not build Bluetooth related stuff
WITHOUT_BOOT="YES"            # do not build boot blocks and loader
WITHOUT_BSD_CPIO="YES"
WITHOUT_BSNMP="YES"
WITHOUT_CALENDAR="YES"
WITHOUT_CDDL="YES"
#WITHOUT_CRYPT="YES"           # do not build any crypto code (by SirDice only)
WITHOUT_CTM="YES"
WITHOUT_CVS="YES"              # do not build CVS (original blank by vivek) 
WITHOUT_DICT="YES"
WITHOUT_EXAMPLES="YES"
WITHOUT_FLOPPY="YES"
WITHOUT_FORTRAN="YES"         # do not build g77 and related libraries - vivek
WITHOUT_FORTH="YES"
WITHOUT_FREEBSD_UPDATE="YES"
WITHOUT_GAMES="YES"           # do not build games (games/ subdir)
WITHOUT_GDB="YES"             # do not build GDB - vivek
WITHOUT_GPIB="YES"            # do not build GPIB support
WITHOUT_GSSAPI="YES"
WITHOUT_HTML="YES"
WITHOUT_I4B="YES"             # do not build isdn4bsd package - vivek
WITHOUT_INET6="YES"
WITHOUT_INFO="YES"            # do not make or install info files - vivek
WITHOUT_IPFILTER="YES"        # do not build IP Filter package
WITHOUT_IPFW="YES"
WITHOUT_IPX="YES"
WITHOUT_JAIL="YES"
WITHOUT_KERBEROS="YES"        # do not build and install Kerberos 5 (KTH Heimdal)
WITHOUT_KVM="YES"
WITHOUT_LEGACY_CONSOLE="YES"
WITHOUT_LIB32="YES"
WITHOUT_LPR="YES"             # do not build lpr and related programs
WITHOUT_MAIL="YES"
WITHOUT_MAILWRAPPER="YES"
WITHOUT_MAN="YES"             # do not build manual pages
WITHOUT_MODULES="YES"         # do not build modules with the kernel - vivek
WITHOUT_NCP="YES"
WITHOUT_NDIS="YES"
WITHOUT_NETCAT="YES"          # do not build netcat
WITHOUT_NIS="YES"             # no NIS support and related programs. (blank by SirDice)

WITHOUT_NLS="YES"
WITHOUT_NLS_CATALOGS="YES"    # no NLS catalog for csh(1) (original blank by vivek)
WITHOUT_NS_CACHING="YES"
WITHOUT_NTP="YES"
WITHOUT_OBJC="YES"            # do not build Objective C support - vivek
WITHOUT_OPENSSH="YES"         # do not build OpenSSH - vivek
WITHOUT_PF="YES"              # do not build PF firewall package
WITHOUT_PMC="YES"
WITHOUT_PPP="YES"
WITHOUT_PROFILE="YES"         # Avoid compiling profiled libraries
WITHOUT_QUOTAS="YES"
WITHOUT_RCMDS="YES"           # do not build or install BSD r* commands (rsh, etc).
WITHOUT_RCS="YES"
WITHOUT_RESCUE="YES"
WITHOUT_ROUTED="YES"
WITHOUT_SENDMAIL="YES"        # do not build sendmail and related programs
WITHOUT_SETUID_LOGIN="YES"          #  - vivek

WITHOUT_SHAREDOCS="YES"       # do not build the 4.4BSD legacy docs
WITHOUT_SYSCONS="YES"
WITHOUT_SYSINSTALL="YES"
WITHOUT_TELNET="YES"
WITHOUT_USB="YES"             # do not build usbd(8) and related programs

WITHOUT_VINUM="YES"           # do not build Vinum utilities   (by SirDice only)

PPP_WITHOUT_NAT="YES"         # do not build with NAT (see make.conf(5)) - vivek
PPP_WITHOUT_NETGRAPH="YES"    # do not build with Netgraph support - vivek
PPP_WITHOUT_RADIUS="YES"      # do not build with RADIUS support - vivek
PPP_WITHOUT_SUID="YES"        # build with normal permissions - vivek

WITHOUT_WIRELESS="YES"
WITHOUT_WPA_SUPPLICANT_EAPOL="YES"
WITHOUT_ZFS="YES"



# more notes:

# Put the following lines into the /etc/fstab file, so that the
# read-only template for the jails and the read-write space will
# be available in the respective jails:

#/home/j/mroot   /home/j/ns     nullfs  ro  0   0
#/home/j/mroot   /home/j/mail   nullfs  ro  0   0
#/home/j/mroot   /home/j/www    nullfs  ro  0   0
#/home/js/ns     /home/j/ns/s   nullfs  rw  0   0
#/home/js/mail   /home/j/mail/s nullfs  rw  0   0
#/home/js/www    /home/j/www/s  nullfs  rw  0   0


##  Configure the jails in /etc/rc.conf:
#jail_enable="YES"
#jail_set_hostname_allow="NO"
#jail_list="ns mail www"
#jail_ns_hostname="ns.example.org"
#jail_ns_ip="192.168.3.17"
#jail_ns_rootdir="/usr/home/j/ns"
#jail_ns_devfs_enable="YES"
#jail_mail_hostname="mail.example.org"
#jail_mail_ip="192.168.3.18"
#jail_mail_rootdir="/usr/home/j/mail"
#jail_mail_devfs_enable="YES"
#jail_www_hostname="www.example.org"
#jail_www_ip="62.123.43.14"
#jail_www_rootdir="/usr/home/j/www"
#jail_www_devfs_enable="YES"

This is not a How-To until I learn How-To. It could be a How-To not start at the wrong place to waste your life-time before getting to do what you were after in the first place. Now you forgot, or retired.

For jail, it's don't RTWM until it's done.
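
The fstab notes at the end of the post's config describe a read-only jail template mounted into each jail, with a read-write space under `/s`. As an added example (not part of the original post), this shell check confirms that every nullfs mount of the template is `ro` and that writable nullfs mounts appear only at `<jail root>/s`; the function names and the uncommented sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample: the post's commented fstab lines with the '#' removed.
sample_fstab() {
    cat <<'EOF'
/home/j/mroot   /home/j/ns     nullfs  ro  0   0
/home/j/mroot   /home/j/mail   nullfs  ro  0   0
/home/j/mroot   /home/j/www    nullfs  ro  0   0
/home/js/ns     /home/j/ns/s   nullfs  rw  0   0
/home/js/mail   /home/j/mail/s nullfs  rw  0   0
/home/js/www    /home/j/www/s  nullfs  rw  0   0
EOF
}

# check_jail_fstab TEMPLATE  (fstab text on stdin)
# Prints one line per finding; returns 0 when the layout is clean, 1 otherwise.
check_jail_fstab() {
    awk -v tmpl="$1" '
        /^[ \t]*#/ || NF < 4 || $3 != "nullfs" { next }
        {
            ro = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if ($1 == tmpl) {
                root[$2] = 1          # mount point of a jail root
                if (!ro) { print "template mounted writable at " $2; bad = 1 }
            } else if (!ro) {
                rw[$2] = 1            # judged in END, once all roots are known
            }
        }
        END {
            for (m in rw) {
                parent = m
                sub(/\/s$/, "", parent)
                # writable space is only expected at <jail root>/s
                if (parent == m || !(parent in root)) {
                    print "unexpected writable nullfs mount at " m
                    bad = 1
                }
            }
            exit bad + 0
        }
    '
}

if sample_fstab | check_jail_fstab /home/j/mroot; then
    echo "jail fstab layout OK"
fi
```

On a live host the same function can be fed the real file, for example `check_jail_fstab /home/j/mroot < /etc/fstab`.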