# About Jail



## concept (Nov 14, 2011)

Hi, I set up FreeBSD on an old desktop which is currently connected to a router, where it gets its internet. So my base FreeBSD is:

base FreeBSD hostname: concept@192.168.1.1
base FreeBSD home network ip: 192.168.1.100
base FreeBSD interface: vr0

I have set up a jail in /usr/jails/ and added this to my base FreeBSD rc.conf:


```
jail_newjail_rootdir="/usr/jails/newjail"
jail_newjail_hostname="newjail@concept.192.168.1.1"
jail_newjail_ip="192.168.1.101"
```
Do I need to make another rc.conf for the jail and enable sshd to be able to ssh to the jail's IP? Thanks.


----------



## concept (Nov 14, 2011)

Okay, I can ssh to the jail's IP now, but I can't log in to the root account or user account of the jail. How or where do I make account credentials for the jail?


----------



## SirDice (Nov 14, 2011)

Think of the jail as a separate machine. You just installed a clean FreeBSD on it. How many user accounts are there by default?


----------



## concept (Nov 14, 2011)

I think I got it now, I just have to find out the rules for jail users and passwd creation. Now I have a couple of questions..

1. How do I remove a jail completely? All I know is *rm -rf* which I guess wouldn't work for removing jail.
2. Is it more secure if I make a jail for each service? eg. www/mails/ircd?

Thanks a lot in advance!


----------



## SirDice (Nov 14, 2011)

concept said:

> 1. How do I remove a jail completely? All I know is rm -rf which I guess wouldn't work for removing jail.


Why wouldn't it work? Just make sure the jail isn't running when you do.



> 2. Is it more secure if I make a jail for each service? eg. www/mails/ircd


It usually is. It's usually a Good Thing(tm) to compartmentalize.


----------



## concept (Nov 14, 2011)

I have an old_jail which I tried to remove with *rm -rf* but it gave me something like a permission denied error. I'm pretty sure I was root when I did it. Anyway, I tried to delete the /usr/jails dir and not just the jailname dir and it worked. Do I need to do something more or is it completely removed already? Thanks again!


----------



## SirDice (Nov 14, 2011)

You can get some errors because of some chflags(1). They're usually easily removed.


----------
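The removal SirDice describes, as an added example that is not part of the original thread: some base-system files in a jail tree carry the `schg` (system immutable) flag, which makes `rm -rf` fail even for root until the flag is cleared. The function name, the `DRY_RUN` switch and the `JAIL_BASE` default are assumptions; `/usr/jails` follows the posts above.

```shell
#!/bin/sh
# Added example (not from the thread). JAIL_BASE follows the /usr/jails layout
# used above; DRY_RUN=1 (the default) only prints the commands it would run.
JAIL_BASE="${JAIL_BASE:-/usr/jails}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

remove_jail_tree() {
    name="$1"
    # Accept a bare directory name only, so the rm below cannot leave JAIL_BASE.
    case "$name" in
        ""|.|..|*/*) echo "refusing jail name '$name'" >&2; return 1 ;;
    esac
    root="$JAIL_BASE/$name"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    # jls(8) exists only on FreeBSD; "jls path" prints the root of each running jail.
    if command -v jls >/dev/null 2>&1 && jls path | grep -qxF "$root"; then
        echo "jail rooted at $root is running, stop it first" >&2
        return 2
    fi
    # List the files carrying the system-immutable flag that blocks rm.
    run find "$root" -flags +schg
    # Clear the flag recursively, then remove the tree.
    run chflags -R noschg "$root"
    run rm -rf "$root"
}

# Stand-alone use: sh remove_jail.sh old_jail   (set DRY_RUN=0 to really delete)
if [ $# -eq 1 ]; then remove_jail_tree "$1"; fi
```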



## concept (Nov 14, 2011)

These errors, are they going to just show up or is there a way I can determine where they are and just remove them already?


----------



## fluca1978 (Nov 14, 2011)

concept said:

> These errors, are they going to just show up or is there a way I can determine where they are and just remove them already?



I don't understand your question, you should see in the error message what is causing the removal to fail, isn't it?


----------



## concept (Nov 14, 2011)

So I have set up a jail on FreeBSD-8.2 following the manual. After the setup, I copied these files rc.conf, /etc/passwd from base to jail. And this is what I did in order:


```
jexec id passwd     # to change the jail root password
jexec id adduser    # I added a user as a non-root
```
Why can't I log in to the jail through ssh? But I can log in with *jexec id login*? I mean I can connect to the jail but it fails to authenticate?

And why can't I execute any commands like rehash/ping/ps when I'm inside my jail? Which files do I still need to copy from the base? Thanks.


----------



## concept (Nov 14, 2011)

fluca1978 said:

> I don't understand your question, you should see in the error message what is causing the removal to fail, isn't it?



Oh sorry, I was pointing out the errors that may show up according to SirDice.


----------



## concept (Nov 15, 2011)

I tried to follow this guide on bsdguide. I have my jail named "webserver" now. I edited the sshd_config of the jail to add

```
ListenAddress <ip add of jail (192.168.1.107)>
```
The host's IP is 192.168.1.107. I can ping the jail but I can't connect to the jail through ssh. Btw, I changed my ssh port to another port for added security, do I need to uncomment that line also in the jail's sshd_config?

And every time I try to start ssh or any service from inside the jail I get this error:

```
ps: /boot/kernel/kernel
```

When I installed pf on the host I remember that I renamed the kernel to a custom name. If that's what's causing this problem, how do I fix it?

Thanks in advance.


----------



## SirDice (Nov 15, 2011)

concept said:

> I tried to follow this guide on bsdguide. I have my jail named "webserver" now. I edited the sshd_config of the jail to add ListenAddress <ip add of jail (192.168.1.107)> The host's IP is 192.168.1.107. I can ping the jail but I can't connect to the jail through ssh. Btw, I changed my ssh port to another port for added security, do I need to uncomment that line also in the jail's sshd_config?


You need to configure the host's sshd to only listen on the host's address. Same for the jails. Port is not relevant.



> And every time I try to start ssh or any service from inside the jail I get this error. "ps: /boot/kernel/kernel".


This looks like your jail and host OS are not in sync. I.e. you have a different version of the base OS in the jail compared to the kernel on the host.



> When I installed pf on the host I remember that I renamed the kernel to a custom name. If that's what's causing this problem, how do I fix it?


Not relevant.


----------
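SirDice's first point above as a check, added here and not part of the original thread: a jail's IP is an alias on the host's interface, so a host sshd with no `ListenAddress` also answers on the jail's address. The script reports which addresses an sshd_config binds; the function names and file paths are assumptions, and the addresses 192.168.1.100 (host) and 192.168.1.101 (jail) come from the first post.

```shell
#!/bin/sh
# Added example, not from the thread: report which addresses an sshd_config binds.
# Usage (paths are assumptions based on the first post's jail root):
#   sh check_bind.sh /etc/ssh/sshd_config 192.168.1.100
#   sh check_bind.sh /usr/jails/newjail/etc/ssh/sshd_config 192.168.1.101

# Print every active ListenAddress value, one per line, without an IPv4 ":port".
sshd_listen_addrs() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }      # drop comments, allow "key=value"
        tolower($1) == "listenaddress" {       # keywords are case-insensitive
            a = $2
            if (a ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", a)
            print a
        }
    ' "$1"
}

# Returns 0: bound to $2 only; 1: no ListenAddress (every address); 2: other addresses.
check_sshd_bind() {
    conf="$1"; want="$2"
    addrs=$(sshd_listen_addrs "$conf")
    if [ -z "$addrs" ]; then
        echo "$conf: no ListenAddress, sshd accepts connections on every local IP"
        return 1
    fi
    # Anything left after removing the expected address is an unwanted binding.
    extra=$(printf '%s\n' "$addrs" | grep -vxF "$want" || true)
    if [ -n "$extra" ]; then
        echo "$conf: unexpected ListenAddress values:"
        echo "$extra" | sed 's/^/  /'
        return 2
    fi
    echo "$conf: bound to $want only"
}

if [ $# -eq 2 ]; then check_sshd_bind "$1" "$2"; fi
```

Run it once against the host's sshd_config with the host address and once against the jail's with the jail address; sshd must be restarted after a `ListenAddress` change for the new binding to take effect.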



## concept (Nov 15, 2011)

How do I make them sync? I tried `# uname -a` on the host and it is the same as what I see in my jail.


```
FreeBSD concept 8.2-RELEASE-p4 FreeBSD 8.2-RELEASE-p4 #0: Mon Nov  7 18:39:02 PHT 2011 concept.192.168.1.1:/usr/obj/usr/src/sys/CONCEPTKERNEL  i386
```

The only difference is the hostname.


----------



## SirDice (Nov 15, 2011)

That command only shows a few kernel variables. Since there is only one kernel those values don't mean anything inside a jail. There isn't a command to get the version of the OS unfortunately.

How did you install your host and your jail?


----------



## concept (Nov 15, 2011)

I installed the host by DVD, which I downloaded from the ftp site. And this is how I installed my jail:

```
cd /usr/
mkdir jails
cd jails
mkdir webserver
sysinstall
# minimal distribution from ftp site
```


----------



## fbsd1 (Dec 2, 2011)

You should really look into using sysutils/qjail port for jail creation and management.


----------



## folivora (Dec 5, 2011)

I would take a look into http://www.freebsd.org/doc/handbook/jails-intro.html, there is "quite" good documentation about managing jails.

I agree with fbsd1 that sysutils/qjail might be worth testing. You can easily create different kinds of templates. Also updating of jails might be "easier".

- folivora


----------

