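Deploying a jail

A jail is simply a chroot with strong isolation. So to create a jail, you only need to create an alternative root and start a new jail in it.

Deploying a simple jail from binaries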

# create our alternative root path
JAILROOT="/path/to/my/jail"
mkdir -p "${JAILROOT}"
cd "${JAILROOT}"

# get distribution from freebsd repository
fetch http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.0-RELEASE/base.txz

# extract it in our alternative root
tar xJvf base.txz

# now we can launch our jail
# (persist keeps the jail alive when no process runs in it)
jail -c name=simplejail path="${JAILROOT}" persist

# to check if jail is up and running we use jls
jls

# now we can enter our new jail
jexec simplejail sh

Deploying a simple jail from source

# create our alternative root path
JAILROOT="/path/to/my/jail"
mkdir -p "${JAILROOT}"

# we need to build binaries from source...
cd /usr/src
make buildworld

# ... and install them in our alternative path
make installworld DESTDIR="${JAILROOT}"

# now we can launch our jail
# (persist keeps the jail alive when no process runs in it)
jail -c name=simplejail path="${JAILROOT}" persist

# to check if jail is up and running we use jls
jls

# now we can enter our new jail
jexec simplejail sh

Simple thin jail deployment

A thin jail is simply a jail whose shared, read-only alternative root is mounted with nullfs.

Initialize our environment

# making our shared alternative root
SHARED_ROOT=/path/to/your/shared/root
mkdir -p "${SHARED_ROOT}"

# making our jail root
JAIL_ROOT=/path/to/your/jail/root
mkdir -p "${JAIL_ROOT}"

Download the sources

# to initialize our shared root, we can use
# any of the methods described above. Here, we use
# a simple binary initialization from the official
# repository
cd "${SHARED_ROOT}"

# get distribution from freebsd repository
fetch http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.0-RELEASE/base.txz

# extract it in our alternative root
tar xJvf base.txz

Initialize our thin jail

# now we need to initialize our dedicated
# jail root
cd "${JAIL_ROOT}"
mkdir base usr

# we make symbolic links pointing to
# files stored in the read-only directory
# (ln -s takes the target first, then the link name)
for link in bin boot lib libexec rescue sbin
do
  ln -s "/base/${link}" "${link}"
done

# we do the same thing with the directories in /usr
for link in bin include lib lib32 libdata libexec sbin share
do
  ln -s "/base/usr/${link}" "usr/${link}"
done

# now we are ready to start our jail!
# the shared root is mounted read-only on ${JAIL_ROOT}/base,
# which is where the symbolic links point
jail -c name=thinjail path="${JAIL_ROOT}" persist \
        mount="${SHARED_ROOT} ${JAIL_ROOT}/base nullfs ro 0 0"

# check if our thin jail is ok...
jls

# we can now get into it!
jexec thinjail sh
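
Both download steps above fetch base.txz over plain HTTP and extract it without checking it. The following added example (not part of the original page) verifies a distribution set against the release MANIFEST before extraction. The helper names verify_dist and file_sha256 are hypothetical, the MANIFEST layout (tab-separated, file name then SHA-256) is an assumption, and the MANIFEST is assumed to come from a channel you trust rather than the same HTTP connection.

```sh
#!/bin/sh
# Added example: check a downloaded distribution set against a MANIFEST
# before extracting it into a jail root.

# Print the SHA-256 of a file: sha256(1) on FreeBSD, sha256sum elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# verify_dist MANIFEST FILE   (hypothetical helper name)
# Returns 0 on match, 1 if FILE is not listed in MANIFEST,
# 2 on checksum mismatch, 3 if an input cannot be read or hashed.
verify_dist() {
    manifest=$1
    file=$2
    [ -r "$manifest" ] && [ -r "$file" ] || return 3
    actual=$(file_sha256 "$file") || return 3
    [ -n "$actual" ] || return 3
    # Assumed MANIFEST layout: tab-separated fields, file name first,
    # SHA-256 second; any further fields are ignored.
    awk -F '\t' -v name="$(basename "$file")" -v sum="$actual" '
        $1 == name { found = 1; ok = (tolower($2) == tolower(sum)); exit }
        END { if (!found) exit 1; exit(ok ? 0 : 2) }
    ' "$manifest"
}

# Usage: extract only when the checksum matches.
#   verify_dist MANIFEST base.txz && tar xJf base.txz -C "${JAILROOT}"
```
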