Date: Thu, 13 Apr 2006 17:21:38 -0300 From: "Ricardo A. Reis" <ricardo_bsd@yahoo.com.br> To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Cc: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org> Subject: Prototyping for basejail distribuition Message-ID: <op.s7yqucz5p1tyz6@localhost>
[-- Attachment #1 --]
Hi,
I attach two files to this email: the first is a Makefile and the second is
jail.conf.
To demonstrate my idea I decided to create a "pseudo prototype"; to test it,
the following is necessary:
1 - Create dir /usr/local/basejail
2 - Copy Makefile to /usr/local/basejail
3 - Copy jail.conf to /etc
4 - The initial basejail is precompiled and distributed on CD1; to simulate
the basejail it is necessary to have an installworld structure in
/usr/local/basejail:
cd /usr/src ; make installworld DESTDIR=/usr/local/basejail
Now it is necessary to configure jail.conf:
-----
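#sample template for create freebsd jail
#
# Read by the basejail Makefile via .include: values keep their double
# quotes and each assignment must stay on ONE line, or make fails to parse
# the file.
#
# RC.CONF GLOBAL VARIABLES
# Emitted by "make rconf" as jail_<name>_* entries for the host rc.conf.
#
exec_start="/bin/sh /etc/rc"
exec_stop="/bin/sh /etc/rc.shutdown"
devfs_enable="NO"
fdescfs_enable="NO"
procfs_enable="NO"
mount_enable="NO"
# "ruleset_name" is a placeholder; it must name a rule set from devfs.rules(5)
devfs_ruleset="ruleset_name"
# jail(8): -l gives the start command a clean environment, -U root runs it as
# the jail's root user
flags="-l -U root"
#
# JAIL RC.CONF
# Written by "make etcconfig" into <rootdir>/etc/rc.conf; the jail's ip is
# appended to inetd_flags there.
#
sendmail_enable="NO"
inetd_flags="-wW -a"
rpcbind_enable="NO"
network_interfaces=""
#
# FILES
# Copied by "make etcconfig" from the host into each jail, same path.
#
copy_to_jail="/etc/localtime /etc/resolv.conf /etc/csh.cshrc /etc/csh.login"
#
# JAILS
# One rootdir/hostname/ip triple per jail; the jail name is the token between
# "jail_" and the next "_".  No trailing space inside the ip quotes: the
# Makefile does not strip it and it would end up in the generated rc.conf.
# Sample addresses only; each real jail needs its own address.
#
jail_node01_rootdir="/usr/jail/node01"
jail_node01_hostname="node01.example.com"
jail_node01_ip="127.0.0.1"
jail_node02_rootdir="/usr/jail/node02"
jail_node02_hostname="node02.example.com"
jail_node02_ip="127.0.0.2"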
-------
At this point it is possible to create a large number of jails; I
implemented it in the Makefile:
[root@daemon:/usr/local/basejail] # make
>>> Sample in /usr/share/examples/etc/jail.conf
jail == create jail
rcconf == create rc.conf for start jails
etcconfig == create rc.conf for jails and copy file
showconfig == show information
Thanks for any comments,
Sorry for my English and my poor Makefile.
--
Ricardo A. Reis
UNIFESP
Unix and Network Adm
[-- Attachment #2 --]
#sample template for create freebsd jail
#
# Read by the basejail Makefile via .include: values keep their double
# quotes and each assignment must stay on ONE line, or make fails to parse
# the file.
#
# RC.CONF GLOBAL VARIABLES
# Emitted by "make rconf" as jail_<name>_* entries for the host rc.conf.
#
exec_start="/bin/sh /etc/rc"
exec_stop="/bin/sh /etc/rc.shutdown"
devfs_enable="NO"
fdescfs_enable="NO"
procfs_enable="NO"
mount_enable="NO"
# "ruleset_name" is a placeholder; it must name a rule set from devfs.rules(5)
devfs_ruleset="ruleset_name"
# jail(8): -l gives the start command a clean environment, -U root runs it as
# the jail's root user
flags="-l -U root"
#
# JAIL RC.CONF
# Written by "make etcconfig" into <rootdir>/etc/rc.conf; the jail's ip is
# appended to inetd_flags there.
#
sendmail_enable="NO"
inetd_flags="-wW -a"
rpcbind_enable="NO"
network_interfaces=""
#
# FILES
# Copied by "make etcconfig" from the host into each jail, same path.
#
copy_to_jail="/etc/localtime /etc/resolv.conf /etc/csh.cshrc /etc/csh.login"
#
# JAILS
# One rootdir/hostname/ip triple per jail; the jail name is the token between
# "jail_" and the next "_".  Keep the ip free of trailing spaces: the
# Makefile does not strip them.  Sample addresses only; each real jail needs
# its own address.
#
jail_node01_rootdir="/usr/jail/node01"
jail_node01_hostname="node01.example.com"
jail_node01_ip="127.0.0.1"
jail_node02_rootdir="/usr/jail/node02"
jail_node02_hostname="node02.example.com"
jail_node02_ip="127.0.0.2"
[-- Attachment #3 --]
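#-*- mode: Fundamental; tab-width: 4; -*-
# ex:ts=4
#
# BSD make(1) driver that clones a pre-installed base system (DISTBASE) into
# the jail root directories listed in CONFIGCFG.  CONFIGCFG is a shell-style
# name="value" file; it is .include'd below, so every variable it defines
# (exec_start, flags, copy_to_jail, jail_<name>_rootdir, ...) is visible to
# the targets WITH its double quotes.  DISTBASE, CONFIGCFG and TMPDIR may be
# overridden on the command line.
#
DISTBASE?=/usr/local/basejail
CONFIGCFG?=/etc/jail.conf
TMPDIR?=/tmp

# Parse-time views of CONFIGCFG.  The != assignments run once, when the
# Makefile is read, and are empty when the file is missing:
#   JLISTR   - every jail_<name>_rootdir value, one per word
#   JLISTN   - every <name> with at least one jail_<name>_* key
#              (a name containing '_' is truncated by the cut -f2)
#   JLISTIIP - every jail_<name>_ip value; the old pattern interpolated the
#              whole JLISTN list into the grep expression and matched nothing
JLISTR!= grep '^jail_[a-z].*_rootdir' ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g' | tr ' ' '\n'
JLISTN!= grep '^jail_[a-z].*_' ${CONFIGCFG} 2>/dev/null | cut -d= -f1 | cut -d_ -f2 | sort | uniq
JLISTIIP!= grep '^jail_[a-z].*_ip' ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g'

# Shell commands cannot appear outside a target (make rejects them as
# unassociated), so a missing config is reported with .error, which prints
# the message and stops make, instead of unattached @echo lines.
.if !exists(${CONFIGCFG})
.error >>> Please configure ${CONFIGCFG} (sample in /usr/share/examples${CONFIGCFG})
.else
.include "${CONFIGCFG}"
.endif

# None of the targets below produces a file of its own name.
.PHONY: help jail rconf etcconfig showconfig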
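#
# help: default target (first in the file); lists the real targets.  The
# names printed here must match the target names, which is why the second
# line says "rconf" and not "rcconf".
#
help:
	@echo ""
	@echo ">>> Sample in /usr/share/examples${CONFIGCFG}"
	@echo ""
	@echo "jail == create jail"
	@echo "rconf == create rc.conf for start jails"
	@echo "etcconfig == create rc.conf for jails and copy file"
	@echo "showconfig == show information for jail.conf"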
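#
# jail: create every jail_<name>_rootdir listed in ${CONFIGCFG} and populate
# it from ${DISTBASE}.  The .if/.for directives are expanded when the
# Makefile is parsed, so the exists() test reflects the state before make
# ran.  The old condition compared the unquoted, multi-word JLISTR with ""
# (a malformed conditional); empty() is the BSD make way to test a list.
#
jail:
.if !empty(JLISTR)
.for _rootdir in ${JLISTR}
.if !exists(${_rootdir})
	@echo ">>STAGE 1 - Creating ROOTDIR: (${_rootdir})"
	@mkdir -p ${_rootdir}
.endif
#
# CPIO BASEJAIL: the cpio log goes to a private mktemp file that is removed
# once the copy succeeded (no more "rm -rf ${TMPDIR}/jail.*" as root, which
# could remove someone else's files in a shared ${TMPDIR}).  cd and the copy
# are chained with && inside a subshell so a wrong DISTBASE aborts instead of
# copying the current directory into the jail.  The Makefile itself lives in
# DISTBASE and must not end up in the jail.
#
	@TMPFILE_01=`mktemp ${TMPDIR}/jail.XXXXXX` || exit 1 ; \
	echo ">>STAGE 2 - Populing Jail: (${_rootdir})" - $${TMPFILE_01} ; \
	if ( cd ${DISTBASE} && find . -depth -print0 | cpio --null -pvdm ${_rootdir} ) >$${TMPFILE_01} 2>&1 ; then \
		rm -f ${_rootdir}/Makefile ; \
		rm -f $${TMPFILE_01} ; \
	else \
		echo ">>> copy from ${DISTBASE} to ${_rootdir} failed, log in $${TMPFILE_01}" >&2 ; \
		exit 1 ; \
	fi
.endfor
	@echo ""
	@echo "For create rc.conf use target (rconf)"
	@echo ""
.else
	@echo ">>> Please define jail TEMPLATE, see jail.cfg(8)"
.endif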
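#
# rconf: print on stdout the jail_<name>_* block the HOST rc.conf needs for
# every jail named in ${CONFIGCFG}.  Per-jail values (rootdir, ip, hostname)
# are re-read from the file with grep; the shared exec_*/devfs_*/... values
# come from the .include'd config, quotes included, which is why the echo
# lines add only an escaped \" around them.  The rootdir is stripped of
# spaces exactly as etcconfig and showconfig do.
# NOTE(review): rc.d/jail also expects jail_enable and jail_list, and the
# /etc/fstab.<name> named below is never created; both are left to the
# operator.
#
rconf:
	@echo ${JLISTN} | tr ' ' '\n' | \
	while read _jname; do \
		JROOTD=`grep "^jail_$${_jname}_rootdir" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g ; s/ //g'` ; \
		JIP=`grep "^jail_$${_jname}_ip" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g'` ; \
		JFDQN=`grep "^jail_$${_jname}_hostname" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g'` ; \
		echo jail_$${_jname}_rootdir=\"$${JROOTD}\" ; \
		echo jail_$${_jname}_ip=\"$${JIP}\" ; \
		echo jail_$${_jname}_hostname=\"$${JFDQN}\" ; \
		echo jail_$${_jname}_exec_start=\"$(exec_start)\" ; \
		echo jail_$${_jname}_exec_stop=\"$(exec_stop)\" ; \
		echo jail_$${_jname}_devfs_enable=\"$(devfs_enable)\" ; \
		echo jail_$${_jname}_fdescfs_enable=\"$(fdescfs_enable)\" ; \
		echo jail_$${_jname}_procfs_enable=\"$(procfs_enable)\" ; \
		echo jail_$${_jname}_mount_enable=\"$(mount_enable)\" ; \
		echo jail_$${_jname}_devfs_ruleset=\"$(devfs_ruleset)\" ; \
		echo jail_$${_jname}_fstab=\"/etc/fstab.$${_jname}\" ; \
		echo jail_$${_jname}_flags=\"$(flags)\" ; \
		echo "" ; \
	done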
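#
# etcconfig: write <rootdir>/etc/rc.conf for every jail named in
# ${CONFIGCFG}, then copy the ${copy_to_jail} files from the host into the
# jail under the same path.  Every jail must resolve to a non-empty, existing
# root directory: the old "exec > $JROOTD/etc/rc.conf" with an empty JROOTD
# (a jail with an _ip but no _rootdir key) truncated the HOST's /etc/rc.conf.
# The rc.conf lines are now written through a single grouped redirection,
# which also removes the stdin save/restore that never changed anything.
# An exit inside the while loop fails the pipeline and therefore the target.
#
etcconfig:
	@echo ">>STAGE 1 - Creating RC.CONF for JAIL"
	@echo ${JLISTN} | tr ' ' '\n' | \
	while read _jname; do \
		JROOTD=`grep "^jail_$${_jname}_rootdir" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g ; s/ //g'` ; \
		JIP=`grep "^jail_$${_jname}_ip" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g'` ; \
		if [ -z "$${JROOTD}" ] || [ ! -d "$${JROOTD}/etc" ]; then \
			echo ">>> jail_$${_jname}_rootdir is unset or $${JROOTD}/etc is missing; run 'make jail' first" >&2 ; \
			exit 1 ; \
		fi ; \
		{ echo "sendmail_enable=\"$(sendmail_enable)\"" ; \
		  echo "inetd_flags=\"$(inetd_flags) $${JIP}\"" ; \
		  echo "rpcbind_enable=\"$(rpcbind_enable)\"" ; \
		  echo "network_interfaces=\"$(network_interfaces)\"" ; \
		} > "$${JROOTD}/etc/rc.conf" ; \
	done
	@echo ">>STAGE 2 - Coping archives to Jail"
	@echo ${JLISTN} | tr ' ' '\n' | \
	while read _jname; do \
		JROOTD=`grep "^jail_$${_jname}_rootdir" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g ; s/ //g'` ; \
		if [ -z "$${JROOTD}" ] || [ ! -d "$${JROOTD}" ]; then \
			echo ">>> jail_$${_jname}_rootdir is unset or missing for $${_jname}" >&2 ; \
			exit 1 ; \
		fi ; \
		for _files in `echo $(copy_to_jail) | tr ' ' '\n'`; do \
			cp "$${_files}" "$${JROOTD}/$${_files}" || exit 1 ; \
		done ; \
	done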
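#
# showconfig: print what the other targets would generate, without writing
# anything: the host rc.conf template (rconf), the in-jail rc.conf template
# (etcconfig), the files copied into each jail, and the rootdir/ip of every
# jail found in ${CONFIGCFG}.  XXXXXXX stands for the per-jail name or
# address filled in by those targets; the inetd_flags line used to reference
# a shell variable ($JIP) that is never set in this recipe and printed a
# trailing blank instead of a placeholder.
#
showconfig:
	@echo ">>STAGE 1 - Search information in ${CONFIGCFG}"
	@echo ""
	@echo ">>SYSTEM RC.CONF Template Atual:"
	@echo ""
	@echo "jail_XXXXXXX_exec_start=\"$(exec_start)\""
	@echo "jail_XXXXXXX_exec_stop=\"$(exec_stop)\""
	@echo "jail_XXXXXXX_devfs_enable=\"$(devfs_enable)\""
	@echo "jail_XXXXXXX_fdescfs_enable=\"$(fdescfs_enable)\""
	@echo "jail_XXXXXXX_procfs_enable=\"$(procfs_enable)\""
	@echo "jail_XXXXXXX_mount_enable=\"$(mount_enable)\""
	@echo "jail_XXXXXXX_devfs_ruleset=\"$(devfs_ruleset)\""
	@echo "jail_XXXXXXX_fstab=\"/etc/fstab.XXXXXXX\""
	@echo "jail_XXXXXXX_flags=\"$(flags)\""
	@echo ""
	@echo ">>JAIL RC.CONF Template Atual:"
	@echo ""
	@echo "sendmail_enable=\"$(sendmail_enable)\""
	@echo "inetd_flags=\"$(inetd_flags) XXXXXXX\""
	@echo "rpcbind_enable=\"$(rpcbind_enable)\""
	@echo "network_interfaces=\"$(network_interfaces)\""
	@echo ""
	@echo ">>Files to Jail:"
	@echo ""
	@echo "$(copy_to_jail)"
	@echo ""
	@echo ">>Jails Config:"
	@echo ""
	@echo ${JLISTN} | tr ' ' '\n' | \
	while read _jname; do \
		JROOTD=`grep "^jail_$${_jname}_rootdir" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g ; s/ //g'` ; \
		JIP=`grep "^jail_$${_jname}_ip" ${CONFIGCFG} 2>/dev/null | cut -d= -f2 | sed -e 's/"//g'` ; \
		echo "NAME = $${_jname}" ; \
		echo "ROOTDIR = $${JROOTD}" ; \
		echo "IP = $${JIP}" ; \
		echo "" ; \
	done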
