linux-only jail possible?

John Nielsen lists at jnielsen.net
Thu Mar 4 18:23:06 UTC 2010


I went ahead and gave this a try with some encouraging results. Comments 
below.

On Thursday 04 March 2010 05:40:50 Alexander Leidinger wrote:
> On Wed, 3 Mar 2010 19:06:36 +0100 Roman Divacky <rdivacky at freebsd.org>
> 
> wrote:
> > On Wed, Mar 03, 2010 at 11:59:49AM -0500, John Nielsen wrote:
> > > On Wednesday 03 March 2010 03:00:50 Roman Divacky wrote:
> > > > I successfully ran chroot of linux environment on freebsd back in
> > > > 2007/2008. I firmly believe jail should work fine too
> > >
> > > Good to know, thanks! Would you mind sharing some more details?
> > > (Off-list is fine if you prefer.) Was it a more or less complete
> > > environment? What distro / version of Linux?
> >
> > I downloaded gentoo 2007 untarred it into /compat/linux and
> > chroot /compat/linux /bin/bash
> >
> > it just worked - nothing special was necessary
> >
> > don't remember many details but I had no problems with that setup
> 
> It does not need to be in this directory of course. You can install
> the gentoo-dist ports (not the gentoo-base port). After that you can
> copy all the files to the place where you want to have the jail.

I went with CentOS 5.4 as that's the native environment I'm trying to match. 
I didn't use ports at all, just manually extracted enough RPMs from the DVD 
image to bootstrap the environment enough to run bash and rpm. From there I 
did a chroot into the environment and ran (Linux) bash. Running rpm natively 
I was able to get yum up and running and from there installing everything 
else I wanted was relatively easy.

> Now you just need to configure a jail. It does not matter much if you
> use the jail stuff in the base system or a framework like ezjail or
> similar, as long as you configure an appropriate startup script in the
> linux-jail. The linux-startup part you need to do yourself, I do not
> think the default linux startup stuff is appropriate. I suggest to
> start at least a sshd before you start the software you want to
> use. This way you can login into the linux-jail and investigate issues
> like it is a real system.

I actually did install the init scripts, etc. I was pleasantly surprised to 
find (after reading through them) that rc.sysinit can be skipped entirely 
while rc itself will do the right thing for the rest of the init scripts 
(starting services, etc). Here's what I'm using:

jail_centos_exec_start="/bin/sh /etc/rc.d/rc 3"
jail_centos_exec_stop="/bin/sh /etc/rc.d/rc 0"

> I suggest to monitor the kernel messages on the FreeBSD host. There may
> be linux-syscalls which are not implemented (e.g. epoll stuff).

Thanks, I had forgotten about that. So far nothing seems to have blown up 
too terribly.

The "consoletype" utility runs despite this message:
linux: pid 2100 (consoletype): ioctl fd=0, cmd=0x541c ('T',28) is not implemented

And sshd and crond both run despite this one:
linux: pid 2221 (sshd): syscall keyctl not implemented
linux: pid 2240 (crond): syscall keyctl not implemented

Syslogd ran without complaint as well but didn't actually log anything. I 
had to run it with "-p /var/run/log" (inside the jail via 
/etc/sysconfig/syslog) and create a symlink to the socket in the jail's 
/dev/log (outside the jail via exec_poststart). That's not ideal since 
there's a period of time between when syslogd starts in the jail and the 
symlink is created, but it works after that. It would be better in the 
exec_prestart RC knob but the jail's devfs isn't necessarily mounted at that 
point.

My current hurdle is sshd:
Mar  3 22:20:51 centos sshd[88836]: fatal: openpty returns device for which ttyname fails.

Apparently the Linux sshd isn't using /dev/ptmx appropriately. I'll probably 
just have to replace it with one that does..

I haven't gotten as far as actually running Apache or our application yet 
but Python runs just fine (as evidenced by yum working) and I'm encouraged by 
my success thus far.

> There
> is currently no effort to implement those. There may be partial
> implementations for some sysctls (Roman has something somewhere), but
> nothing is in FreeBSD and no efforts are on the way to bring them in.
> If your software needs something like this, you either need to
> implement them yourself, switch the software to not use this (maybe
> by changing the linux emulation to 2.4 instead of 2.6), or to forget
> about using FreeBSD for this. emulation@ is a good address to ask
> questions regarding the status of things,
> http://wiki.freebsd.org/linux-kernel has some infos too.

I seem to have lucked out in this aspect. You and Roman are just too 
on-the-ball it would seem (and my software needs aren't that extravagant..).

Thanks again to all who have replied for the feedback and encouragement. 
I'll follow up if I manage to get sshd and apache running happily.

JN
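The syslog workaround described in the message above (syslogd inside the jail listening on /var/run/log, a /dev/log symlink created from the host via exec_poststart) leaves a window in which the link does not exist yet. The following hook script is an added example, not code from the thread or from FreeBSD: it polls for the jailed syslogd's socket before creating the link, so the race the message describes is closed rather than just tolerated. The jail root path /jails/centos, the script location and the ten-second default timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an exec_poststart hook for a Linux
# jail that waits for the jailed syslogd to create its socket and then
# links /dev/log inside the jail to it. Jail root and script path are assumed.
#
# rc.conf usage (jail name "centos" as in the thread):
#   jail_centos_exec_poststart="/usr/local/etc/linux-jail-poststart.sh /jails/centos"

# Poll for the socket that "syslogd -p /var/run/log" creates inside the jail,
# for up to $2 seconds (default 10). Returns 0 once it exists, 1 on timeout.
wait_for_socket() {
    sock="$1"; timeout="${2:-10}"
    while [ "$timeout" -gt 0 ]; do
        # syslogd creates a unix-domain socket; -e (rather than -S) keeps this
        # runnable in a self-test where an ordinary file stands in for it.
        [ -e "$sock" ] && return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# Create <jailroot>/dev/log -> /var/run/log. The link target is written
# relative to the jail's own root, so it resolves correctly inside the jail.
link_dev_log() {
    root="$1"
    if ! wait_for_socket "$root/var/run/log" "${2:-10}"; then
        echo "linux-jail-poststart: syslogd socket not found under $root" >&2
        return 1
    fi
    mkdir -p "$root/dev"          # no-op when devfs is already mounted there
    ln -sf /var/run/log "$root/dev/log"
}

# Act as a hook only when a jail root is given on the command line.
if [ $# -gt 0 ]; then
    link_dev_log "$1" "${2:-10}"
fi
```

Because the hook runs on the host after the jail has started, the jail's devfs is already mounted (unlike at exec_prestart time), and the symlink is created on that devfs exactly as FreeBSD's own rc.d/syslogd does for the host. If syslogd never comes up, the hook exits non-zero and logs why instead of silently leaving the jail without a /dev/log.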

