Add new sysutils/ezjail section. Reviewed on IRC, -doc, and with
individuals through email. Particular thanks to Glen Barber for his experience and patience.
This commit is contained in:
parent
53814f7852
commit
c405269a35
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=45496
1 changed files with 637 additions and 3 deletions
|
@ -591,9 +591,10 @@ jail_<replaceable>www</replaceable>_devfs_enable="YES" # mount devfs in
|
|||
|
||||
<note>
|
||||
<para>Simpler solutions exist, such as
|
||||
<package>sysutils/ezjail</package>, which provides an easier
|
||||
method of administering &os; jails and is not as sophisticated
|
||||
as this setup.</para>
|
||||
<application>ezjail</application>, which provides an easier
|
||||
method of administering &os; jails but is less versatile than
|
||||
this setup. <application>ezjail</application> is covered in
|
||||
more detail in <xref linkend="jails-ezjail"/>.</para>
|
||||
</note>
|
||||
|
||||
<para>The goals of the setup described in this section are:</para>
|
||||
|
@ -982,4 +983,637 @@ jail_www_devfs_enable="YES"</programlisting>
|
|||
update the configuration files.</para>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="jails-ezjail">
|
||||
<info>
|
||||
<title>Managing Jails with
|
||||
<application>ezjail</application></title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<personname>
|
||||
<firstname>Warren</firstname>
|
||||
<surname>Block</surname>
|
||||
</personname><contrib>Originally contributed by </contrib>
|
||||
</author>
|
||||
</authorgroup>
|
||||
</info>
|
||||
|
||||
<para>Creating and managing multiple jails can quickly become
|
||||
tedious and error-prone. Dirk Engling's
|
||||
<application>ezjail</application> automates and greatly
|
||||
simplifies many jail tasks. A <emphasis>basejail</emphasis> is
|
||||
created as a template. Additional jails use &man.mount.nullfs.8;
|
||||
to share many of the basejail directories without using
|
||||
additional disk space. Each additional jail takes only a few
|
||||
megabytes of disk space before applications are installed.
|
||||
Upgrading the copy of the userland in the basejail automatically
|
||||
upgrades all of the other jails.</para>
|
||||
|
||||
<para>Additional benefits and features are described in detail on
|
||||
the <application>ezjail</application> web site, <link
|
||||
xlink:href="https://erdgeist.org/arts/software/ezjail/"></link>.</para>
|
||||
|
||||
<sect2 xml:id="jails-ezjail-install">
|
||||
<title>Installing <application>ezjail</application></title>
|
||||
|
||||
<para>Installing <application>ezjail</application> consists of
|
||||
adding a loopback interface for use in jails, installing the
|
||||
port or package, and enabling the service.</para>
|
||||
|
||||
<procedure xml:id="jails-ezjail-install-procedure">
|
||||
<step>
|
||||
<para>To keep jail loopback traffic off the host's loopback
|
||||
network interface <literal>lo0</literal>, a second
|
||||
loopback interface is created by adding an entry to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>cloned_interfaces="${cloned_interfaces} lo1"</programlisting>
|
||||
|
||||
<para>The second loopback interface <literal>lo1</literal>
|
||||
will be created when the system starts. It can also be
|
||||
created manually without a restart:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service netif cloneup</userinput>
|
||||
Created clone interfaces: lo1.</screen>
|
||||
|
||||
<para>Jails can be allowed to use aliases of this secondary
|
||||
loopback interface without interfering with the
|
||||
host.</para>
|
||||
|
||||
<para>Inside a jail, access to the loopback address
|
||||
<systemitem class="ipaddress">127.0.0.1</systemitem> is
|
||||
redirected to the first <acronym>IP</acronym> address
|
||||
assigned to the jail. To make the jail loopback
|
||||
correspond with the new <literal>lo1</literal> interface,
|
||||
that interface must be specified first in the list of
|
||||
interfaces and <acronym>IP</acronym> addresses given when
|
||||
creating a new jail.</para>
|
||||
|
||||
<para>Give each jail a unique loopback address in the
|
||||
<systemitem
|
||||
class="ipaddress">127.0.0.0</systemitem><systemitem
|
||||
class="netmask">/8</systemitem> netblock.</para>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<para>Install
|
||||
<package role="port">sysutils/ezjail</package>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>cd /usr/ports/sysutils/ezjail</userinput>
|
||||
&prompt.root; <userinput>make install clean</userinput></screen>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<para>Enable <application>ezjail</application> by adding
|
||||
this line to <filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>ezjail_enable="YES"</programlisting>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<para>The service will automatically start on system boot.
|
||||
It can be started immediately for the current
|
||||
session:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service ezjail start</userinput></screen>
|
||||
</step>
|
||||
</procedure>
|
||||
</sect2>
|
||||
|
||||
<sect2 xml:id="jails-ezjail-initialsetup">
|
||||
<title>Initial Setup</title>
|
||||
|
||||
<para>With <application>ezjail</application> installed, the
|
||||
basejail directory structure can be created and populated.
|
||||
This step is only needed once on the jail host
|
||||
computer.</para>
|
||||
|
||||
<para>In both of these examples, <option>-p</option> causes the
|
||||
ports tree to be retrieved with &man.portsnap.8; into the
|
||||
basejail. That single copy of the ports directory will be
|
||||
shared by all the jails. Using a separate copy of the ports
|
||||
directory for jails isolates them from the host. The
|
||||
<application>ezjail</application> <acronym>FAQ</acronym>
|
||||
explains in more detail: <link
|
||||
xlink:href="http://erdgeist.org/arts/software/ezjail/#FAQ"></link>.</para>
|
||||
|
||||
<procedure xml:id="jails-ezjail-initialsetup-procedure">
|
||||
<step>
|
||||
<stepalternatives>
|
||||
<step>
|
||||
<title>To Populate the Jail with &os;-RELEASE</title>
|
||||
|
||||
<para>For a basejail based on the &os; RELEASE matching
|
||||
that of the host computer, use
|
||||
<command>install</command>. For example, on a host
|
||||
computer running &os; 10-STABLE, the latest
|
||||
RELEASE version of &os; -10 will be installed in
|
||||
the jail):</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin install -p</userinput></screen>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<title>To Populate the Jail with
|
||||
<command>installworld</command></title>
|
||||
|
||||
<para>The basejail can be installed from binaries
|
||||
created by <buildtarget>buildworld</buildtarget> on
|
||||
the host with
|
||||
<command>ezjail-admin update</command>.</para>
|
||||
|
||||
<para>In this example, &os; 10-STABLE has been
|
||||
built from source. The jail directories are created.
|
||||
Then <buildtarget>installworld</buildtarget> is
|
||||
executed, installing the host's
|
||||
<filename>/usr/obj</filename> into the
|
||||
basejail.</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin update -i -p</userinput></screen>
|
||||
|
||||
<para>The host's <filename>/usr/src</filename> is used
|
||||
by default. A different source directory on the host
|
||||
can be specified with <option>-s</option> and a path,
|
||||
or set with <varname>ezjail_sourcetree</varname> in
|
||||
<filename>/usr/local/etc/ezjail.conf</filename>.</para>
|
||||
</step>
|
||||
</stepalternatives>
|
||||
</step>
|
||||
</procedure>
|
||||
|
||||
<tip>
|
||||
<para>The basejail's ports tree is shared by other jails.
|
||||
However, downloaded distfiles are stored in the jail that
|
||||
downloaded them. By default, these files are stored in
|
||||
<filename>/var/ports/distfiles</filename> within each
|
||||
jail. <filename>/var/ports</filename> inside each jail is
|
||||
also used as a work directory when building ports.</para>
|
||||
</tip>
|
||||
</sect2>
|
||||
|
||||
<sect2 xml:id="jails-ezjail-create">
|
||||
<title>Creating and Starting a New Jail</title>
|
||||
|
||||
<para>New jails are created with
|
||||
<command>ezjail-admin create</command>. In these examples,
|
||||
the <literal>lo1</literal> loopback interface is used as
|
||||
described above.</para>
|
||||
|
||||
<procedure xml:id="jails-ezjail-create-steps">
|
||||
<title>Create and Start a New Jail</title>
|
||||
|
||||
<step>
|
||||
<para>Create the jail, specifying a name and the loopback
|
||||
and network interfaces to use, along with their
|
||||
<acronym>IP</acronym> addresses. In this example, the
|
||||
jail is named <literal>dnsjail</literal>.</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin create <replaceable>dnsjail</replaceable> '<replaceable>lo1|127.0.1.1</replaceable>,<replaceable>em0</replaceable>|<replaceable>192.168.1.50</replaceable>'</userinput></screen>
|
||||
|
||||
<tip xml:id="jails-ezjail-raw-network-sockets">
|
||||
<para>Most network services run in jails without
|
||||
problems. A few network services, most notably
|
||||
&man.ping.8;, use
|
||||
<emphasis>raw network sockets</emphasis>. In jails, raw
|
||||
network sockets are disabled by default for security.
|
||||
Services that require them will not work.</para>
|
||||
|
||||
<para>Occasionally, a jail genuinely needs raw sockets.
|
||||
For example, network monitoring applications often use
|
||||
&man.ping.8; to check the availability of other
|
||||
computers. When raw network sockets are actually needed
|
||||
in a jail, they can be enabled by editing the
|
||||
<application>ezjail</application>
|
||||
configuration file for the individual jail,
|
||||
<filename>/usr/local/etc/ezjail/<replaceable>jailname</replaceable></filename>.
|
||||
Modify the <literal>parameters</literal>
|
||||
entry:</para>
|
||||
|
||||
<programlisting>export jail_<replaceable>jailname</replaceable>_parameters="allow.raw_sockets=1"</programlisting>
|
||||
|
||||
<para>Do not enable raw network sockets unless services in
|
||||
the jail actually require them.</para>
|
||||
</tip>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<para>Start the jail:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin start <replaceable>dnsjail</replaceable></userinput></screen>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<para>Use a console on the jail:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin console <replaceable>dnsjail</replaceable></userinput></screen>
|
||||
</step>
|
||||
</procedure>
|
||||
|
||||
<para>The jail is operating and additional configuration can be
|
||||
completed. Typical settings added at this point
|
||||
include:</para>
|
||||
|
||||
<procedure>
|
||||
<step>
|
||||
<title>Set the
|
||||
<systemitem class="username">root</systemitem>
|
||||
Password</title>
|
||||
|
||||
<para>Connect to the jail and set the
|
||||
<systemitem class="username">root</systemitem> user's
|
||||
password:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin console <replaceable>dnsjail</replaceable></userinput>
|
||||
&prompt.root; <userinput>passwd</userinput>
|
||||
Changing local password for root
|
||||
New Password:
|
||||
Retype New Password:</screen>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<title>Time Zone Configuration</title>
|
||||
|
||||
<para>The jail's time zone can be set with &man.tzsetup.8;.
|
||||
To avoid spurious error messages, the &man.adjkerntz.8;
|
||||
entry in <filename>/etc/crontab</filename> can be
|
||||
commented or removed. This job attempts to update the
|
||||
computer's hardware clock with time zone changes, but
|
||||
jails are not allowed to access that hardware.</para>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<title><acronym>DNS</acronym> Servers</title>
|
||||
|
||||
<para>Enter domain name server lines in
|
||||
<filename>/etc/resolv.conf</filename> so
|
||||
<acronym>DNS</acronym> works in the jail.</para>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<title>Edit <filename>/etc/hosts</filename></title>
|
||||
|
||||
<para>Change the address and add the jail name to the
|
||||
<literal>localhost</literal> entries in
|
||||
<filename>/etc/hosts</filename>.</para>
|
||||
</step>
|
||||
|
||||
<step>
|
||||
<title>Configure <filename>/etc/rc.conf</filename></title>
|
||||
|
||||
<para>Enter configuration settings in
|
||||
<filename>/etc/rc.conf</filename>. This is much like
|
||||
configuring a full computer. The host name and
|
||||
<acronym>IP</acronym> address are not set here. Those
|
||||
values are already provided by the jail
|
||||
configuration.</para>
|
||||
</step>
|
||||
</procedure>
|
||||
|
||||
<para>With the jail configured, the applications for which the
|
||||
jail was created can be installed.</para>
|
||||
|
||||
<tip>
|
||||
<para>Some ports must be built with special options to be used
|
||||
in a jail. For example, both of the network monitoring
|
||||
plugin packages
|
||||
<package role="port">net-mgmt/nagios-plugins</package> and
|
||||
<package role="port">net-mgmt/monitoring-plugins</package>
|
||||
have a <literal>JAIL</literal> option which must be enabled
|
||||
for them to work correctly inside a jail.</para>
|
||||
</tip>
|
||||
</sect2>
|
||||
|
||||
<sect2 xml:id="jails-ezjail-update">
|
||||
<title>Updating Jails</title>
|
||||
|
||||
<sect3 xml:id="jails-ezjail-update-os">
|
||||
<title>Updating the Operating System</title>
|
||||
|
||||
<para>Because the basejail's copy of the userland is shared by
|
||||
the other jails, updating the basejail automatically updates
|
||||
all of the other jails. Either source or binary updates can
|
||||
be used.</para>
|
||||
|
||||
<para>To build the world from source on the host, then
|
||||
install it in the basejail, use:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin update -b</userinput></screen>
|
||||
|
||||
<para>If the world has already been compiled on the host,
|
||||
install it in the basejail with:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin update -i</userinput></screen>
|
||||
|
||||
<para>Binary updates use &man.freebsd-update.8;. These
|
||||
updates have the same limitations as if
|
||||
&man.freebsd-update.8; were being run directly. The most
|
||||
important one is that only -RELEASE versions of &os; are
|
||||
available with this method. To update the basejail to the
|
||||
latest patched release of the version of &os; on the host
|
||||
computer, use:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin update -r</userinput></screen>
|
||||
|
||||
<para>After updating the basejail, &man.mergemaster.8; can be
|
||||
run to update each jail's configuration files.</para>
|
||||
|
||||
<para>How to use &man.mergemaster.8; depends on the purpose
|
||||
and trustworthiness of a jail. If a jail's services or
|
||||
users are not trusted, then &man.mergemaster.8; should only
|
||||
be run from within that jail:</para>
|
||||
|
||||
<example xml:id="jails-ezjail-update-mergemaster-untrusted">
|
||||
<title>&man.mergemaster.8; on Untrusted Jail</title>
|
||||
|
||||
<para>Delete the link from the jail's
|
||||
<filename>/usr/src</filename> into the basejail and
|
||||
create a new <filename>/usr/src</filename> in the jail
|
||||
as a mountpoint. Mount the host computer's
|
||||
<filename>/usr/src</filename> read-only on the jail's
|
||||
new <filename>/usr/src</filename> mountpoint:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>rm /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput>
|
||||
&prompt.root; <userinput>mkdir /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput>
|
||||
&prompt.root; <userinput>mount -t nullfs -o ro /usr/src /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput></screen>
|
||||
|
||||
<para>Get a console in the jail:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin console <replaceable>jailname</replaceable></userinput></screen>
|
||||
|
||||
<para>Inside the jail, run <command>mergemaster</command>.
|
||||
Then exit the jail console:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>cd /usr/src</userinput>
|
||||
&prompt.root; <userinput>mergemaster -U</userinput>
|
||||
&prompt.root; <userinput>exit</userinput></screen>
|
||||
|
||||
<para>Finally, unmount the jail's
|
||||
<filename>/usr/src</filename>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>umount /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput></screen>
|
||||
</example>
|
||||
|
||||
<example xml:id="jails-ezjail-update-mergemaster-trusted">
|
||||
|
||||
<title>&man.mergemaster.8; on Trusted Jail</title>
|
||||
|
||||
<para>If the users and services in a jail are trusted,
|
||||
&man.mergemaster.8; can be run from the host:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>mergemaster -U -D /usr/jails/<replaceable>jailname</replaceable></userinput></screen>
|
||||
</example>
|
||||
</sect3>
|
||||
|
||||
<sect3 xml:id="jails-ezjail-update-ports">
|
||||
<title>Updating Ports</title>
|
||||
|
||||
<para>The ports tree in the basejail is shared by the other
|
||||
jails. Updating that copy of the ports tree gives the other
|
||||
jails the updated version also.</para>
|
||||
|
||||
<para>The basejail ports tree is updated with
|
||||
&man.portsnap.8;:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin update -P</userinput></screen>
|
||||
</sect3>
|
||||
</sect2>
|
||||
|
||||
<sect2 xml:id="jails-ezjail-control">
|
||||
<title>Controlling Jails</title>
|
||||
|
||||
<sect3 xml:id="jails-ezjail-control-stop-start">
|
||||
<title>Stopping and Starting Jails</title>
|
||||
|
||||
<para><application>ezjail</application> automatically starts
|
||||
jails when the computer is started. Jails can be manually
|
||||
stopped and restarted with <command>stop</command> and
|
||||
<command>start</command>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin stop <replaceable>sambajail</replaceable></userinput>
|
||||
Stopping jails: sambajail.</screen>
|
||||
|
||||
<para>By default, jails are started automatically when the
|
||||
host computer starts. Autostarting can be disabled
|
||||
with <command>config</command>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin config -r norun <replaceable>seldomjail</replaceable></userinput></screen>
|
||||
|
||||
<para>This takes effect the next time the host computer is
|
||||
started. A jail that is already running will not be
|
||||
stopped.</para>
|
||||
|
||||
<para>Enabling autostart is very similar:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin config -r run <replaceable>oftenjail</replaceable></userinput></screen>
|
||||
</sect3>
|
||||
|
||||
<sect3 xml:id="jails-ezjail-control-backup">
|
||||
<title>Archiving and Restoring Jails</title>
|
||||
|
||||
<para>Use <command>archive</command> to create a
|
||||
<filename>.tar.gz</filename> archive of a jail. The file
|
||||
name is composed from the name of the jail and the current
|
||||
date. Archive files are written to the archive directory,
|
||||
<filename>/usr/jails/ezjail_archives</filename>. A
|
||||
different archive directory can be chosen by setting
|
||||
<varname>ezjail_archivedir</varname> in the configuration
|
||||
file.</para>
|
||||
|
||||
<para>The archive file can be copied elsewhere as a backup, or
|
||||
an existing jail can be restored from it with
|
||||
<command>restore</command>. A new jail can be created from
|
||||
the archive, providing a convenient way to clone existing
|
||||
jails.</para>
|
||||
|
||||
<para>Stop and archive a jail named
|
||||
<literal>wwwserver</literal>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin stop <replaceable>wwwserver</replaceable></userinput>
|
||||
Stopping jails: wwwserver.
|
||||
&prompt.root; <userinput>ezjail-admin archive <replaceable>wwwserver</replaceable></userinput>
|
||||
&prompt.root; <userinput>ls /usr/jails/ezjail-archives/</userinput>
|
||||
wwwserver-201407271153.13.tar.gz</screen>
|
||||
|
||||
<para>Create a new jail named
|
||||
<literal>wwwserver-clone</literal> from the archive created
|
||||
in the previous step. Use the <filename>em1</filename>
|
||||
interface and assign a new <acronym>IP</acronym> address to
|
||||
avoid conflict with the original:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin create -a /usr/jails/ezjail_archives/wwwserver-201407271153.13.tar.gz <replaceable>wwwserver-clone</replaceable> 'lo1|127.0.3.1,em1|192.168.1.51'</userinput></screen>
|
||||
</sect3>
|
||||
</sect2>
|
||||
|
||||
<sect2 xml:id="jails-ezjail-example-bind">
|
||||
<title>Full Example: <application>BIND</application> in a
|
||||
Jail</title>
|
||||
|
||||
<para>Putting the <application>BIND</application>
|
||||
<acronym>DNS</acronym> server in a jail improves security by
|
||||
isolating it. This example creates a simple caching-only name
|
||||
server.</para>
|
||||
|
||||
<itemizedlist xml:id="jails-ezjail-example-bind-assumptions">
|
||||
<listitem>
|
||||
<para>The jail will be called
|
||||
<literal>dns1</literal>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The jail will use <acronym>IP</acronym> address
|
||||
<literal>192.168.1.240</literal> on the host's
|
||||
<literal>re0</literal> interface.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The upstream <acronym>ISP</acronym>'s DNS servers are
|
||||
at <literal>10.0.0.62</literal> and
|
||||
<literal>10.0.0.61</literal>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The basejail has already been created and a ports tree
|
||||
installed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<example xml:id="jails-ezjail-example-bind-steps">
|
||||
<para>Create a cloned loopback interface by adding a line to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>cloned_interfaces="${cloned_interfaces} lo1"</programlisting>
|
||||
|
||||
<para>Immediately create the new loopback interface:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service netif cloneup</userinput>
|
||||
Created clone interfaces: lo1.</screen>
|
||||
|
||||
<para>Create the jail:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin create dns1 'lo1|127.0.2.1,re0|192.168.1.240'</userinput></screen>
|
||||
|
||||
<para>Start the jail, connect to a console running on it, and
|
||||
perform some basic configuration:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ezjail-admin start dns1</userinput>
|
||||
&prompt.root; <userinput>ezjail-admin console dns1</userinput>
|
||||
&prompt.root; <userinput>passwd</userinput>
|
||||
Changing local password for root
|
||||
New Password:
|
||||
Retype New Password:
|
||||
&prompt.root; <userinput>tzsetup</userinput>
|
||||
&prompt.root; <userinput>sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab</userinput>
|
||||
&prompt.root; <userinput>sed -i .bak -e 's/127.0.0.1/127.0.2.1/g; s/localhost.my.domain/dns1.my.domain dns1/' /etc/hosts</userinput></screen>
|
||||
|
||||
<para>Temporarily set the upstream <acronym>DNS</acronym>
|
||||
servers in <filename>/etc/resolv.conf</filename> so ports
|
||||
can be downloaded:</para>
|
||||
|
||||
<programlisting>nameserver 10.0.0.62
|
||||
nameserver 10.0.0.61</programlisting>
|
||||
|
||||
<para>Still using the jail console, install
|
||||
<package role="port">dns/bind99</package>.</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>cd /usr/ports/dns/bind99</userinput>
|
||||
&prompt.root; <userinput>make -C /usr/ports/dns/bind99 install clean</userinput></screen>
|
||||
|
||||
<para>Configure the name server by editing
|
||||
<filename>/usr/local/etc/namedb/named.conf</filename>.</para>
|
||||
|
||||
<para>Create an Access Control List (<acronym>ACL</acronym>)
|
||||
of addresses and networks that are permitted to send
|
||||
<acronym>DNS</acronym> queries to this name server. This
|
||||
section is added just before the <literal>options</literal>
|
||||
section already in the file:</para>
|
||||
|
||||
<programlisting>...
|
||||
// or cause huge amounts of useless Internet traffic.
|
||||
|
||||
acl "trusted" {
|
||||
192.168.1.0/24;
|
||||
localhost;
|
||||
localnets;
|
||||
};
|
||||
|
||||
options {
|
||||
...</programlisting>
|
||||
|
||||
<para>Use the jail <acronym>IP</acronym> address in the
|
||||
<literal>listen-on</literal> setting to accept
|
||||
<acronym>DNS</acronym> queries from other computers on the
|
||||
network:</para>
|
||||
|
||||
<programlisting> listen-on { 192.168.1.240; };</programlisting>
|
||||
|
||||
<para>A simple caching-only <acronym>DNS</acronym> name server
|
||||
is created by changing the <literal>forwarders</literal>
|
||||
section. The original file contains:</para>
|
||||
|
||||
<programlisting>/*
|
||||
forwarders {
|
||||
127.0.0.1;
|
||||
};
|
||||
*/</programlisting>
|
||||
|
||||
<para>Uncomment the section by removing the
|
||||
<literal>/*</literal> and <literal>*/</literal> lines.
|
||||
Enter the <acronym>IP</acronym> addresses of the upstream
|
||||
<acronym>DNS</acronym> servers. Immediately after the
|
||||
<literal>forwarders</literal> section, add references to the
|
||||
<literal>trusted</literal> <acronym>ACL</acronym> defined
|
||||
earlier:</para>
|
||||
|
||||
<programlisting> forwarders {
|
||||
10.0.0.62;
|
||||
10.0.0.61;
|
||||
};
|
||||
|
||||
allow-query { any; };
|
||||
allow-recursion { trusted; };
|
||||
allow-query-cache { trusted; };</programlisting>
|
||||
|
||||
<para>Enable the service in
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>named_enable="YES"</programlisting>
|
||||
|
||||
<para>Start and test the name server:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service named start</userinput>
|
||||
wrote key file "/usr/local/etc/namedb/rndc.key"
|
||||
Starting named.
|
||||
&prompt.root; <userinput>/usr/local/bin/dig @192.168.1.240 freebsd.org</userinput></screen>
|
||||
|
||||
<para>A response that includes</para>
|
||||
|
||||
<screen>;; Got answer;</screen>
|
||||
|
||||
<para>shows that the new <acronym>DNS</acronym> server is
|
||||
working. A long delay followed by a response
|
||||
including</para>
|
||||
|
||||
<screen>;; connection timed out; no servers could be reached</screen>
|
||||
|
||||
<para>shows a problem. Check the configuration settings and
|
||||
make sure any local firewalls allow the new
|
||||
<acronym>DNS</acronym> access to the upstream
|
||||
<acronym>DNS</acronym> servers.</para>
|
||||
|
||||
<para>The new <acronym>DNS</acronym> server can use itself for
|
||||
local name resolution, just like other local computers. Set
|
||||
the address of the <acronym>DNS</acronym> server in the
|
||||
client computer's
|
||||
<filename>/etc/resolv.conf</filename>:</para>
|
||||
|
||||
<programlisting>nameserver 192.168.1.240</programlisting>
|
||||
|
||||
<para>A local <acronym>DHCP</acronym> server can be configured
|
||||
to provide this address for a local <acronym>DNS</acronym>
|
||||
server, providing automatic configuration on
|
||||
<acronym>DHCP</acronym> clients.</para>
|
||||
</example>
|
||||
</sect2>
|
||||
</sect1>
|
||||
</chapter>
|
||||
|
|
Loading…
Reference in a new issue