# SVN inside an ezjail



## madmarcos (May 11, 2010)

Hi,
I am trying to install SVN inside ezjail using FreeBSD 8. I only want the jail users to be able to ssh into the jails and/or use their respective jailed SVN installations, and deposit files via sftp. For the below example jail, SSH will use port 12250 and SVN will use port 12260, and I would like SVN to use SSH (although I am open to other options inside the jail).

The jails are set up using the server's single local IP address (192.168...)
SSH for each jail is configured to use a different port and has been set correctly in /etc/ssh/sshd_config.
I have confirmed that I can SSH into a jail using the right port. 

I have also configured SSH with an appropriate public/private key pair to allow SSH connections inside the jail (for SVN to use SSH) and confirmed that this works (without it I was getting a no-tty error from password-based SSH authentication). 

in /etc/rc.conf I have:

```
svnserve_enable="YES"
svnserve_flags="-d --listen-port=12260 --listen-host 0.0.0.0"
svnserve_data="/usr/home/jailuser1/repository/"
svnserve_user="jailuser1"
svnserve_group="jailuser1"
```

I modified /home/jailuser1/repository/conf/svnserve.conf:

```
anon-access = read
auth-access = write
password-db = passwd
```

and modified /home/jailuser1/repository/conf/passwd appropriately

I have set the SVN_SSH shell variable to "ssh -p 12250" 

I think that's it. when I try to connect outside the server (but still in the LAN) using:
`svn co svn+ssh://jailuser1@192.168.1.89:12260/usr/home/jailuser1/repository`

I get an SVN unexpectedly terminated message after a short while. 
as an experiment, I installed SVN on the same server outside the jail and it works perfectly. 

if I telnet 192.168.1.89 12260, I get some SVN-esque output.

so maybe there is something about the jail itself that is preventing SVN from authenticating using SSH? maybe the custom ports are not configured correctly/completely?

any help is appreciated!
thanks!


----------



## SirDice (May 11, 2010)

madmarcos said:

> The jails are set up using the server's single local IP address (192.168...)
> SSH for each jail is configured to use a different port and has been set correctly in /etc/ssh/sshd_config.


That's not how you should use a jail. Each jail should have its own IP address, different from the host. You configure each service inside a jail to bind to that specific IP address.


----------



## madmarcos (May 11, 2010)

thanks for the response!

each jail should have its own private or public IP address? my LAN is residential and only has 1 public IP address. 

my server only has 1 NIC, so I would then create an alias for the interface for the jail's IP address?


----------



## anomie (May 11, 2010)

Presumably SVN will be for your LAN users (is that true?), so each jail should have an IP on your private subnet. 

For more context and a solid conceptual understanding of how this all works, be sure to read: 

 Chapter 15 Jails
 jail(8)


----------



## madmarcos (May 11, 2010)

thanks for the response and the links. 

I want to access the server from outside my residential LAN, hopefully with just my single public IP address and port forwarding.


----------



## SirDice (May 11, 2010)

madmarcos said:

> I want to access the server from outside my residential LAN, hopefully with just my single public IP address and port forwarding.


You can forward any 'external' port to any 'internal' port. Meaning your ssh daemon doesn't have to listen on port 2222 if you forward port 2222. You can just as easily forward the 'external' port 2222 to the 'internal' port 22 of one of your jails.


----------



## madmarcos (May 11, 2010)

after creating a new jail with a distinct private IP address and aliasing it to the hosting interface, SSH and SVN installed and are working with the default ports.

all SVN activities seem a bit slow so perhaps I need to set up public/private key authentication by default for SSH, but it is at least working. 

thanks for the help!


----------



## SirDice (May 12, 2010)

Make sure all your services are bound to an IP address, including the ones running on the host. By default most daemons will bind to 0.0.0.0 aka any and all addresses.


----------
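One way to check the advice in the last post, as an added example that is not part of the original thread: a shell filter over `sockstat -4 -l` output that lists every listener still bound to the wildcard address. The function names and the sample socket table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find listening sockets bound to the wildcard address
# (shown by sockstat as "*:port") instead of a specific host or jail IP.
# Expected input is `sockstat -4 -l` output, one socket per line:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# wildcard_listeners (hypothetical helper): read sockstat output on stdin and
# print "command proto port" for each socket whose local address is "*:port".
wildcard_listeners() {
    awk '
        $1 == "USER" { next }                 # skip the header line
        NF >= 6 && $6 ~ /^\*:/ {              # local address is the wildcard
            port = $6
            sub(/^\*:/, "", port)
            print $2, $5, port
        }
    ' | sort -u
}

# Constructed sample: a socket table where only one sshd has been given an
# explicit ListenAddress; the other daemons still listen on every address.
sample_sockstat() {
    cat <<'EOF'
USER      COMMAND   PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root      sshd      812   3  tcp4   *:22                  *:*
jailuser1 svnserve  1044  3  tcp4   *:12260               *:*
root      sshd      1310  3  tcp4   192.168.1.89:22       *:*
root      syslogd   640   7  udp4   *:514                 *:*
EOF
}

# Stand-alone run against the constructed sample. On a real host, use:
#   sockstat -4 -l | wildcard_listeners
sample_sockstat | wildcard_listeners
```

Each line it prints is a daemon to revisit, for example with `ListenAddress` in sshd_config or `--listen-host` in `svnserve_flags`; an empty result means every IPv4 listener is bound to a specific address.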

