linux-only jail possible?
John Nielsen
lists at jnielsen.net
Thu Mar 4 18:23:06 UTC 2010
I went ahead and gave this a try with some encouraging results. Comments
below.
On Thursday 04 March 2010 05:40:50 Alexander Leidinger wrote:
> On Wed, 3 Mar 2010 19:06:36 +0100 Roman Divacky <rdivacky at freebsd.org>
>
> wrote:
> > On Wed, Mar 03, 2010 at 11:59:49AM -0500, John Nielsen wrote:
> > > On Wednesday 03 March 2010 03:00:50 Roman Divacky wrote:
> > > > I successfully ran chroot of linux environment on freebsd back in
> > > > 2007/2008. I firmly believe jail should work fine too
> > >
> > > Good to know, thanks! Would you mind sharing some more details?
> > > (Off-list is fine if you prefer.) Was it a more or less complete
> > > environment? What distro / version of Linux?
> >
> > I downloaded gentoo 2007 untarred it into /compat/linux and
> > chroot /compat/linux /bin/bash
> >
> > it just worked - nothing special was necessary
> >
> > dont remember much details but I had no problems with that setup
>
> It does not need to be in this directory of course. You can install
> the gentoo-dist ports (not the gentoo-base port). After that you can
> copy all the files to the place where you want to have the jail.
I went with CentOS 5.4 as that's the native environment I'm trying to match.
I didn't use ports at all, just manually extracted enough RPMs from the DVD
image to bootstrap the environment enough to run bash and rpm. From there I
did a chroot into the environment and ran (Linux) bash. Running rpm natively
I was able to get yum up and running and from there installing everything
else I wanted was relatively easy.
> Now you just need to configure a jail. It does not matter much if you
> use the jail stuff in the base system or a framework like ezjail or
> similar, as long as you configure an appropriate startup script in the
> linux-jail. The linux-startup part you need to do yourself, I do not
> think the default linux startup stuff is appropriate. I suggest
> starting at least an sshd before you start the software you want to
> use. This way you can log into the linux-jail and investigate issues
> like it is a real system.
I actually did install the init scripts, etc. I was pleasantly surprised to
find (after reading through them) that rc.sysinit can be skipped entirely
while rc itself will do the right thing for the rest of the init scripts
(starting services, etc). Here's what I'm using:
jail_centos_exec_start="/bin/sh /etc/rc.d/rc 3"
jail_centos_exec_stop="/bin/sh /etc/rc.d/rc 0"
> I suggest to monitor the kernel messages on the FreeBSD host. There may
> be linux-syscalls which are not implemented (e.g. epoll stuff).
Thanks, I had forgotten about that. So far nothing seems to have blown up
too terribly.
The "consoletype" utility runs despite this message:
linux: pid 2100 (consoletype): ioctl fd=0, cmd=0x541c ('T',28) is not implemented
And sshd and crond both run despite this one:
linux: pid 2221 (sshd): syscall keyctl not implemented
linux: pid 2240 (crond): syscall keyctl not implemented
Syslogd ran without complaint as well but didn't actually log anything. I
had to run it with "-p /var/run/log" (inside the jail via
/etc/sysconfig/syslog) and create a symlink to the socket in the jail's
/dev/log (outside the jail via exec_poststart). That's not ideal since
there's a period of time between when syslogd starts in the jail and the
symlink is created, but it works after that. It would be better in the
exec_prestart RC knob but the jail's devfs isn't necessarily mounted at that
point.
My current hurdle is sshd:
Mar 3 22:20:51 centos sshd[88836]: fatal: openpty returns device for which ttyname fails.
Apparently the Linux sshd isn't using /dev/ptmx appropriately. I'll probably
just have to replace it with one that does.
I haven't gotten as far as actually running Apache or our application yet
but Python runs just fine (as evidenced by yum working) and I'm encouraged by
my success thus far.
> There
> is currently no effort to implement those. There may be partial
> implementations for some sysctls (Roman has something somewhere), but
> nothing is in FreeBSD and no efforts are on the way to bring them in.
> If your software needs something like this, you either need to
> implement them yourself, switch the software to not use this (maybe
> by changing the linux emulation to 2.4 instead of 2.6), or to forget
> about using FreeBSD for this. emulation@ is a good address to ask
> questions regarding the status of things,
> http://wiki.freebsd.org/linux-kernel has some infos too.
I seem to have lucked out in this aspect. You and Roman are just too
on-the-ball it would seem (and my software needs aren't that extravagant..).
Thanks again to all who have replied for the feedback and encouragement.
I'll follow up if I manage to get sshd and apache running happily.
JN
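The /dev/log wiring described in the post above (syslogd inside the jail listening on /var/run/log, a symlink created from the host via exec_poststart) can be done with a small hook script. The following is an added example, not code from the original post or from FreeBSD: it polls for the jail's syslogd socket before creating the link, so the link is never made before the socket exists, and it fails loudly instead of creating a dangling link when syslogd did not come up. The jail root /jails/centos, the hook path, the jail name "centos" and the 30-second default timeout are assumptions.

```shell
#!/bin/sh
# exec_poststart hook for a Linux (CentOS) jail: wire the jail's /dev/log to
# the syslogd socket that runs inside the jail with "-p /var/run/log".
# Example code, not from the original post. The paths below are assumptions.
#
# Assumed wiring in the host's /etc/rc.conf (jail name "centos" is assumed):
#   jail_centos_rootdir="/jails/centos"
#   jail_centos_devfs_enable="YES"
#   jail_centos_exec_start="/bin/sh /etc/rc.d/rc 3"
#   jail_centos_exec_poststart="/usr/local/etc/rc.jail-devlog /jails/centos"
#   jail_centos_exec_stop="/bin/sh /etc/rc.d/rc 0"

# link_jail_devlog ROOT [TIMEOUT]
# Wait up to TIMEOUT seconds (default 30) for ROOT/var/run/log to appear as a
# socket, then create ROOT/dev/log -> /var/run/log. The link target is a
# jail-relative path, so it resolves to the jail's own socket for processes
# inside the jail. Returns 0 on success, 1 if the socket never appeared
# (no link is created in that case), 2 if ROOT has no devfs mount point.
link_jail_devlog() {
    root=$1
    timeout=${2:-30}
    [ -n "$root" ] && [ -d "$root/dev" ] || return 2

    elapsed=0
    while [ ! -S "$root/var/run/log" ]; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "link_jail_devlog: no socket at $root/var/run/log after ${timeout}s" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done

    # devfs accepts symlinks; -f replaces a stale link left by an earlier start.
    ln -sf /var/run/log "$root/dev/log"
}

# When run as the hook, the first argument is the jail root, the optional
# second one the timeout in seconds.
if [ $# -gt 0 ]; then
    link_jail_devlog "$@"
fi
```

Messages logged by services that start before syslogd, or in the second or so before the link appears, are still lost; the hook only guarantees the link is never created ahead of the socket and that a missing syslogd is reported on the host rather than silently producing a dangling /dev/log.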