# BIND9 in Jail



## SacamantecaS (Sep 27, 2011)

Hello

I'm trying to install two DNS servers (master-slave) in jails to separate the system, but I encounter a fault. As much as I have searched the forum and the rest of the Internet, I haven't found a possible solution. It occurs to me to make this directory writable, but I don't know to what extent it could cause security problems for the rest of the jails or the system itself. I wanted to know if anyone has solved it one way or another, or knows how to fix it.


```
making install in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include/isc
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include/isc.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1/lib.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/dns/bind98/work/bind-9.8.1.
*** Error code 1

Stop in /basejail/usr/ports/dns/bind98.
*** Error code 1

Stop in /basejail/usr/ports/dns/bind98.
```

Thank you very much.

Regards


----------



## quintessence (Sep 28, 2011)

Hello,

Are you trying to install Bind from outside the jail with DESTDIR or PREFIX?


----------



## SacamantecaS (Oct 5, 2011)

It hadn't occurred to me; I'll try it and tell you how it went. Thank you very much.


----------



## SacamantecaS (Oct 8, 2011)

Hello

I tested with the following command:

```
make install clean DESTDIR=/usr/jails/ns01
```

I keep getting the error. All I can think of is to give the path write permission and try, but I don't know whether that creates a security vulnerability, or whether bind will fail if I then set it back to read-only.


```
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib/isc/include/isc.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib/isc/include.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib/isc.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1/lib.
*** Error code 1

Stop in /var/ports/tmp/mountpoint.XxdwH4/dns/bind98/work/bind-9.8.1.
*** Error code 1

Stop in /tmp/mountpoint.XxdwH4/dns/bind98.
*** Error code 1

Stop in /tmp/mountpoint.XxdwH4/dns/bind98.
===>  Chrooted make in /usr/jails/ns01/ failed
===>  Cleaning up...
*** Error code 1

Stop in /usr/ports/dns/bind98.
```

thanks

best regards


----------



## quintessence (Oct 9, 2011)

Hello,

You should install Bind inside the jail. If you don't want to fetch the ports tree in the jail, you can mount the system ports into the jail with nullfs, for example:

`# mount -t nullfs /usr/ports /usr/jails/ns1/usr/ports`

Then "enter" in the jail and install Bind in it.


----------



## SacamantecaS (Oct 10, 2011)

Hello,

That also does not work for me. I deleted the path and created the mount point, but inside the jail it still gives me the same error. I tried stopping and starting the jail, but it still gives the error. I see that the error shows another path.


```
HOST:
/usr/ports on /usr/jails/ns01/usr/ports (nullfs, local)

JAIL:
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include/isc.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc/include.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib/isc.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1/lib.
*** Error code 1

Stop in /var/ports/usr/ports/dns/bind98/work/bind-9.8.1.
*** Error code 1

Stop in /usr/ports/dns/bind98.
*** Error code 1

Stop in /usr/ports/dns/bind98.
ns01#
```

Thanks.

Best regards


----------



## SacamantecaS (Oct 18, 2011)

Hello

I think I'll leave it as impossible; I am not able to find the solution. So I'll try to get some physical machines or Xen virtual machines on Linux. Thanks

regards


----------



## geodni (Oct 22, 2011)

Have you tried using PREFIX=/some/path, building and installing from outside the jail as suggested by quintessence?

If it does not help, can you provide the following details?

* ports full path on host
* output of the mount command on the host (outside a jail), only the /usr/ports part
* output of the mount command inside the jail
* full path of the directory from which, and on which host, you execute your make install


----------



## ifdnrg (May 10, 2012)

Hi,

You just need to uncheck the 'replace base bind' option.


----------



## SacamantecaS (Dec 27, 2012)

Hello

In the end I left it as impossible and installed it on dedicated machines... In a few months I want to try again, perhaps with version 9.0, or retry with this one, to learn what the error was. Thanks

Regards


----------



## fonz (Dec 27, 2012)

Is there a particular reason why you're trying to install bind from ports instead of using the bind that's in the base system (and therefore is already there when you've created the jail)?

Fonz


----------



## bbzz (Dec 27, 2012)

SacamantecaS said:

> Hello
> 
> In the end I left it as impossible and installed it on dedicated machines... In a few months I want to try again, perhaps with version 9.0, or retry with this one, to learn what the error was. Thanks
> 
> Regards



What is impossible? To run bind in a jail? It's very possible; base or ports version, it doesn't matter.


----------



## SirDice (Dec 28, 2012)

The port installs headers in /usr/include/. This directory seems to be read-only inside your jail. As far as I know this only happens during installation. Having write access to that directory is not needed to _run_ bind98.


----------



## lockdoc (Dec 28, 2012)

Bind does work in a jail:

*Assumption*

My configuration assumes the following:

```
* Installed Jail in /var/jails/dns.my-domain.int
* LAN Addr: 192.168.10.0/24
* NIC: sk0
```

Change appropriate values, such as NIC name or network and install jail.


*Host*

*rc.conf*

```
hostname="router.my-domain.int"
ifconfig_sk0="192.168.10.1 netmask 255.255.255.0"


ifconfig_sk0_alias0="inet 192.168.10.10 netmask 255.255.255.255"   # dns
ifconfig_lo0_alias0="inet 127.0.10.10 netmask 255.255.255.255"     # dns

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_devfs_enable="YES"
jail_mount_enable="YES"
jail_list="dns"

############### DNS
jail_dns_ip="sk0|192.168.10.10,lo0|127.0.10.10"
jail_dns_hostname="dns.my-domain.int"
jail_dns_rootdir="/var/jails/dns.my-domain.int"
jail_dns_fstab="/var/jails/fstab.dns"
```

*fstab.dns*

```
/usr/ports       /var/jails/dns.my-domain.int/usr/ports       nullfs noatime,rw 0 0
/var/db/portsnap /var/jails/dns.my-domain.int/var/db/portsnap nullfs noatime,rw 0 0
```


*Jail*

*Install*

```
root> cd /usr/ports/dns/bind99
root> make config
 # check REPLACE_BASE
root> make install clean
```

*rc.conf*

```
named_enable="YES"
named_chrootdir=""
```


----------



## fbsd1 (Jan 3, 2013)

Try a quick way to create your jails and admin them by using the sysutils/qjail port on the host.

```
qjail install
qjail update -p
qjail create -n your-lan-nic-name jail-name lan-ip-address
qjail start jail-name
qjail console jail-name
cd /usr/ports/dns/bind
make install clean
exit
```

That should do it.

NOTE: If your jail cannot access the internet, it means your firewall is not NATing the LAN IP address you assigned to your jail.


----------



## Beeblebrox (Jan 3, 2013)

> named_chrootdir=""


* I don't think chroot should be called when you are already in a jail (jailception?) Maybe re-build with chroot option disabled.
* What is the error you are getting if you jexec into the running jail and manually start bind? Have you enabled this in host /etc/<wherever preferred>?

```
jail_bind_parameters="allow.raw_sockets"
```


----------



## kpa (Jan 3, 2013)

That actually turns off the chroot and it has to be that way in rc.conf(5).


----------



## baneff (Jul 1, 2013)

ifdnrg said:

> Hi,
> 
> You just need to uncheck the 'replace base bind' option.



I have exactly the same problem. Your solution solved the problem completely, thanks.

But I have a question. What is the difference between the enabled and disabled option 'replace base BIND'? In the past I always set this checkbox when installing BIND in a standard environment, not in a jail. I would like to know what problems are possible when this option is disabled in the jailed environment.

Thank you.


----------



## kpa (Jul 1, 2013)

With the option checked the port will overwrite binaries and scripts in the base system, namely in directories /usr/sbin, /etc/rc.d and so on. When the option is not checked the port will install everything using /usr/local as the prefix and does not overwrite anything in the base system. In my opinion there's no advantage to using the replace option, it just complicates installation and upgrading.


----------



## baneff (Jul 1, 2013)

kpa said:

> With the option checked the port will overwrite binaries and scripts in the base system, namely in directories /usr/sbin, /etc/rc.d and so on. When the option is not checked the port will install everything using /usr/local as the prefix and does not overwrite anything in the base system. In my opinion there's no advantage to using the replace option, it just complicates installation and upgrading.



Thanks for answer. This is interesting, but after installation I did not find a start script in /usr/local/etc/rc.d/. In /etc/rc.d/ it is present, but not in /usr/local/etc/rc.d/. Is this normal?

P.S. I tried to install Sendmail from ports in a jail. I get the same result:

```
...
install: /usr/bin/vacation: Read-only file system
*** Error code 71
...
```
Sorry for the off-topic, but what to do in this case?

Thanks.


----------



## TheDreamer (Aug 21, 2015)

I realize this is an old thread...but

_I came across this thread in looking to see how to do pretty much the same thing...._



baneff said:


> Thanks for answer. This is interesting, but after installation I did not find a start script in /usr/local/etc/rc.d/. In /etc/rc.d/ it is present, but not in /usr/local/etc/rc.d/. Is this normal?



This seems to be normal, set named_program in /etc/rc.conf to point to the port's `named`, and update named_conf, if needed.  Since I had previously installed bind on base system with the REPLACE_BASE option, which has since been removed, I no longer had base configs so I had laid down various symlinks in trying to get bind to start again before I found the other parameters available in the rc script.

I got the direction to set named_program, while following the mailing list discussions about the loss of the REPLACE_BASE option.  It is now provided through pkg-message after the port/pkg is installed (when applicable.)



> P.S. I tried to install Sendmail from ports in a jail. I get the same result:
> 
> ```
> ...
> ...
> ```



This would suggest that at one time the port mail/sendmail had an option similar to the REPLACE_BASE of dns/bind99, rather than the update to /etc/mail/mailer.conf that I've done with my install of the `sendmail` port.

The Dreamer.


----------



## wblock@ (Aug 22, 2015)

With BIND, there is no need for confusing links that will be lost during a system upgrade.  When installed as a port, BIND expects configuration files to go in /usr/local/etc like any other port.  In /usr/local/etc/namedb, specifically.


----------



## TheDreamer (Sep 5, 2015)

If only `pkg upgrade` had moved things when REPLACE_BASE suddenly vanished on me and left me scrambling to get services back up.

Though cleaning up the mess caused by upgrading to 9.9.7-P1 is something I still haven't gotten around to resolving. But the actual disruption was due to unrelated problems...

...like having weeks to do a KSK rollover and not getting it partly done until a week past, and, at last check, still not completely done.  There would've been more time if I had known that the emergency key rollover was never going to get done... the contractor's (who had caused the compromise of the KSK back in April, and was to work on setting up new appliances to replace it, and go with a KSK rollover to it) last day fell in the middle of what would've been our normal 2-month KSK rollover window.  Because, as once again proven, getting the office person that manages the domain registrar to make the change needs more than a month.  This would've been the first time with a 2-month window if it wasn't about to be replaced.

Plus, in conjunction with that, zone refreshes for one of the zones had gotten broken a few days before.  The important zone, of course.  The upgrade only broke my master server, since it's the only one that was still using views.  Though soon the others will have views again, since the proper fix for sharing zones between views means I can get zone transfers between views to finally work.

So, I find myself trying to replicate production DNS in jails on my FreeBSD workstation to test changes.  Except getting to where I can do that has taken a lot longer than I had expected.  Surprised my kluge is still holding up, but I definitely don't want it to stick around any longer than needed.

At least it's not like the forgotten quick fix of borrowing another system and making all the configuration in memory only... and in tmpfs.  Such that a couple of years later when the box is rebooted, all trace of it ever being a DNS server vanishes.  Not how I had planned to spend my evening/night....  The former admin got a chuckle out of it when I pinged him on IRC about it.

The Dreamer.

_Actually, there's lots of things I wish  pkg upgrade actually did...._


----------



## wisdown (Sep 13, 2015)

I have 3 virtual FreeBSD machines running bind9 jailed inside them without problems.
By the way, I am not using ezjail or iocage, only the defaults as the handbook explains. Example:

Preparing the image:

```
zfs create zroot/usr/jails/ns1
cd /usr/src
make buildworld
make installworld DESTDIR=/usr/jails/ns1
make distribution DESTDIR=/usr/jails/ns1
mount -t devfs devfs /usr/jails/ns1/dev
```

Enabling Jails on Host:

`nano /etc/rc.conf`

```
jail_enable="YES"
jail_conf="/etc/jail.conf"
jail_parallel_start="YES"
jail_list="ns1"    # must match the jail name used in /etc/jail.conf
```


Setup Jail:

`nano /etc/jail.conf`

```
ns1 {
    path  = /usr/jails/ns1;
    mount.devfs;
    host.hostname = ns1.yourdomain.com;
    ip4.addr = XXX.XXX.XXX.XXX;
    interface = YourNIC;
    exec.start =  "/bin/sh /etc/rc";
    exec.stop = "/bin/sh  /etc/rc.shutdown";
    }
```

Using ports one time for install stuff on jail:

```
mkdir -p /usr/jails/ns1/usr/ports
mount_nullfs /usr/ports /usr/jails/ns1/usr/ports
mount_nullfs /var/run /usr/jails/ns1/var/run
```

Note: without the last mount, the read-permission error reported above occurs...

Setup DNS servers for jail use:
`nano /usr/jails/ns1/etc/resolv.conf`

```
nameserver 208.67.222.222    #OpenDNS
nameserver 208.67.220.220    # OpenDNS
nameserver 8.8.8.8    # Google
```

Setup Jail rc.conf:

`nano /usr/jails/ns1/etc/rc.conf`

```
hostname="ns1.yourdomain.com"
ifconfig_vmx3f0="inet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX"
defaultrouter="XXX.XXX.XXX.X"
dump_dev="NO"
clear_tmp_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="3"
```

Starting and connecting to the jail:

```
service jail start
jls
jexec 1 /bin/sh
```

I have written a guide for getting bind9 inside jails with DNSSEC enabled; maybe it would help you:

https://forums.freebsd.org/threads/guide-bind-9-10-install-on-freebsd-10.45716/
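The two things this thread keeps circling back to are the mounts geodni asked for (what `mount` shows on the host and in the jail) and wisdown's note that the install fails until `/usr/ports` and `/var/run` are nullfs-mounted under the jail root. The script below is an added example, not code from any poster: a pre-flight check to run on the host before `make install` inside a jail. It parses mount(8)-style output (a constructed sample is embedded; the read-only "basejail" mount in it is made up to stand in for any read-only tree shared into a jail) and reports whether the expected nullfs mounts exist and whether a read-only mount covers the path the port wants to write to, which is exactly what produces the "Read-only file system" error quoted above. Function and variable names (`has_nullfs_mount`, `readonly_mounts_covering`, `jail_install_preflight`, `SAMPLE_MOUNTS`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check run on the HOST before
# "make install" inside a jail. Input is mount(8)-style output; here a constructed
# sample. Names below are this example's own, not a FreeBSD or ports tool.

# Constructed sample in the format mount(8) prints. The "basejail" line is a
# made-up read-only nullfs mount standing in for any read-only tree in the jail.
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /usr/jails/ns1/dev (devfs, local)
/usr/ports on /usr/jails/ns1/usr/ports (nullfs, local)
/usr/jails/basejail on /usr/jails/ns1/basejail (nullfs, local, read-only)'

# has_nullfs_mount MOUNTS JAILROOT SUBPATH
# Succeed when a nullfs mount sits exactly at JAILROOT/SUBPATH.
has_nullfs_mount() {
    printf '%s\n' "$1" | grep -qF " on $2$3 (nullfs"
}

# readonly_mounts_covering MOUNTS JAILROOT SUBPATH
# Print the mountpoint of every read-only mount that is JAILROOT/SUBPATH itself
# or one of its ancestors. Resolve symlinks inside the jail first (readlink -f),
# since a path such as /usr/include may be a link into a read-only tree.
readonly_mounts_covering() {
    printf '%s\n' "$1" | awk -v target="$2$3" '
        /read-only/ {
            mp = $3                      # "device on mountpoint (options)"
            if (mp == target) { print mp; next }
            if (mp == "/" || (index(target, mp) == 1 &&
                              substr(target, length(mp) + 1, 1) == "/"))
                print mp
        }'
}

# jail_install_preflight MOUNTS JAILROOT TARGET
# Print findings; return 0 only when /usr/ports and /var/run are nullfs-mounted
# under JAILROOT and no read-only mount covers JAILROOT/TARGET.
jail_install_preflight() {
    rc=0
    for sub in /usr/ports /var/run; do
        if has_nullfs_mount "$1" "$2" "$sub"; then
            echo "ok:      $sub is nullfs-mounted under $2"
        else
            echo "missing: $sub is not mounted under $2 (mount_nullfs it first)"
            rc=1
        fi
    done
    ro=$(readonly_mounts_covering "$1" "$2" "$3")
    if [ -n "$ro" ]; then
        echo "blocked: $2$3 lies under read-only mount(s): $ro"
        rc=1
    else
        echo "ok:      no read-only mount covers $2$3"
    fi
    return $rc
}

# Demo on the constructed sample: /var/run is missing and the target is read-only.
jail_install_preflight "$SAMPLE_MOUNTS" /usr/jails/ns1 /basejail/usr/include \
    || echo "preflight found problems; fix the mounts before 'make install'"
```

On a real host, feed it `mount` output (`jail_install_preflight "$(mount)" /usr/jails/ns1 /usr/include`) and pass the target path as it resolves inside the jail. A "blocked" result explains the `mkdir: /usr/include/isc: Read-only file system` failure without making anything writable; the remedy is to install the port inside the jail against a tree that is writable there, as the later posts do, rather than to loosen the read-only mount.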


----------

