Running Bind 9 in a FreeBSD 6.1 Jail

From RMBwiki



This article outlines the procedure for running Bind 9 inside a FreeBSD 6.1 jail: a real jail created with the jail command, not a chroot sandbox. We are also going to do it without building an entire working FreeBSD system inside the jail, which a lot of writeups will tell you is necessary to use a jail; it is not.


Why would you do this?

Security

Prerequisites

  • A server running FreeBSD 6.1
  • Bind 9 installed
  • Bash installed
    • This isn't really a prerequisite, but I use it, and some of the commands I use here for examples only work in bash, like the which command. If you can't look at these commands and translate them into your shell of choice, save yourself some trouble: install bash and just type bash before copying and pasting all these commands.

Setup

Basically, we are going to create a micro environment that contains everything named needs to run, which actually isn't a whole lot. If you are wondering what named is, it is the program that runs the Bind name server.

Create the jail location

In the example below, replace /jails/nameserver with what-the-heck-ever you want your jail's location to be.

# JAIL="/jails/nameserver"
# mkdir -p $JAIL/{bin,dev,etc/namedb,lib,libexec,var/{run/named,log}}

The next step is to create the user list. We are only going to include root.

# if [ "$JAIL" != "" ] ; then echo "root:*:0:0::0:0:Charlie:/:/nologin"  > $JAIL/etc/master.passwd ; fi
# if [ "$JAIL" != "" ] ; then touch $JAIL/etc/group ; fi
# if [ "$JAIL" != "" ] ; then pwd_mkdb -d $JAIL/etc $JAIL/etc/master.passwd ;fi

Now the directory structure is more or less set up.

Dynamic Libraries

The next thing we need to do is find out which libraries named needs in the jail in order to run.

# ldd `which named`

It will likely output something like this:

/usr/sbin/named:
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x281ef000)
        libpthread.so.2 => /usr/lib/libpthread.so.2 (0x282e1000)
        libc.so.6 => /lib/libc.so.6 (0x28306000)

Great, only three. Get them into our lib section:

Do NOT blindly copy and paste this command. Study the output of the ldd command above and modify this command accordingly (hint: look at what is after the "=>").

# cp -p /lib/libcrypto.so.4 /usr/lib/libpthread.so.2 /lib/libc.so.6 $JAIL/lib/
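As an added example (not part of the original article), the following POSIX sh functions do the same job as the hand-edited cp line above: they read ldd output, take whatever follows each "=>", copy those files into $JAIL/lib with cp -p, and fail outright if a library is unresolved ("not found"), so a missing dependency is caught before the jail ever starts. The function names and the sample ldd text are assumptions for this example; the output format is the FreeBSD ldd format shown above.

```sh
#!/bin/sh
# Added example, not from the original article.
# Parse FreeBSD ldd output ("name => /path (0xaddr)") and stage the
# libraries into a jail's /lib, as the article does by hand.

# Print the resolved path after "=>" for every library line read from
# stdin. A line whose "=>" target is not an absolute path (FreeBSD prints
# "=> not found (0x0)") is reported on stderr and makes the function fail.
ldd_lib_paths() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            *'=>'*)
                # strip everything up to "=>" and the trailing "(0x...)" address
                path=$(printf '%s\n' "$line" | sed 's/.*=> *//; s/ *(0x[0-9a-fA-F]*)$//')
                case "$path" in
                    /*) printf '%s\n' "$path" ;;
                    *)  printf 'unresolved library: %s\n' "$line" >&2; status=1 ;;
                esac
                ;;
        esac
    done
    return $status
}

# Copy every library named in the ldd output on stdin into $1/lib,
# flattening /lib and /usr/lib into the jail's single /lib (which is what
# the article's cp line does) and preserving mode and times with cp -p.
copy_libs_into_jail() {
    jail="$1"
    mkdir -p "$jail/lib" || return 1
    paths=$(ldd_lib_paths) || return 1
    for p in $paths; do
        cp -p "$p" "$jail/lib/" || return 1
    done
    return 0
}

# Typical use on the real system (assumes $JAIL is set as above):
#   ldd "$(which named)" | copy_libs_into_jail "$JAIL"
```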

Get the loader in there

The loader is what helps the named binary find its dynamic libraries. named will look for /libexec/ld-elf.so.1, so:

# cp -p /libexec/ld-elf.so.1 $JAIL/libexec

Get the named binary in there

The final step is copying named itself into the jail.

# cp -p `which named` $JAIL/bin/

Configuration

If you haven't guessed already, the Bind configuration goes in $JAIL/etc/namedb. I can't help you there, because it's up to you to configure your name server as you see fit. It wouldn't hurt to run

# cp -pr /etc/namedb/* $JAIL/etc/namedb/

as a starting point though, especially if you are anxious to see this run.

Running the jail

Hopefully you followed all the directions above, and neither of us made a mistake. Make sure your configuration files are in the right place.

In the examples below, replace:

  • /jails/nameserver with the path to your jail, whatever you set $JAIL to in the examples above
  • hostname with the hostname you want for your nameserver (ns1.yourdomain.com maybe)
  • w.x.y.z with the IP address you are using for this jail. Usually that is an aliased IP that you aren't going to use for anything else.
  • myjail with your pet name for the jail

Manually

To run the jail for the first time, do it like this:

# mount_devfs devfs $JAIL/dev
# devfs -m $JAIL/dev rule -s 4 applyset
# jail $JAIL hostname w.x.y.z /bin/named

If everything goes well, you should see the new jail running when you run jls.

Automatically on Startup

Add this into your /etc/rc.conf:

jail_enable="YES"                     # Set to NO to disable starting of any jails
jail_list="myjail"                    # Space separated list of names of jails
jail_set_hostname_allow="NO"          # Allow root user in a jail to change its hostname
jail_socket_unixiproute_only="YES"    # Route only TCP/IP within a jail

jail_myjail_rootdir="/jails/nameserver"
jail_myjail_hostname="hostname"
jail_myjail_ip="w.x.y.z"
jail_myjail_exec_start="/bin/named"
jail_myjail_devfs_enable="YES"
jail_myjail_devfs_ruleset="devfsrules_jail"

  • Note: The first 4 lines above are global. If you have more than one jail running automatically, you wouldn't add the first 4 multiple times; you would merge the jail names into the one jail_list.