A FreeBSD jail is a chroot-like, advanced function built into the kernel for creating several environments in one operating system. All those environments use the same kernel, but have their own IP space, disk space, users and applications. By design, host users (root) can access the disk space used by the jail, but the opposite is not the case. Also, a jailed environment cannot access processes running in the host system; it can see only its own processes.
The description of a FreeBSD jail for Samba in this article will be fairly simple. Thanks to the hard work of the FreeBSD developers, there are just a few steps to configure and run a FreeBSD jail. Of course, a more advanced configuration is more complicated. But let's start with something simple.
We will use three technologies to do this configuration:
- ezjail (ezjail-admin)
- nullfs
- samba
First of all, update your FreeBSD using the following commands:
freebsd-update fetch install
pkg update
pkg upgrade
Install ezjail (command necessary to install and manage our jail):
pkg install ezjail
Add the following to /etc/rc.conf:
ezjail_enable="YES"
cloned_interfaces="lo1"
Next, let's download our environment:
ezjail-admin install
ezjail-admin update -p
The -p parameter tells ezjail to fetch and extract the FreeBSD ports tree using portsnap. The above commands create a template-like directory structure that is used to create new jails.
Verify your network configuration using the ifconfig command. You should see your active network card and the lo interface. Restart the network settings (with our changes in the /etc/rc.conf file) to create the lo1 interface:
service netif cloneup
ifconfig
You should see that the system has created the cloned interface, and ifconfig should show it.
Let's create our Samba jail (customize the IP addresses to your environment):
ezjail-admin create samba01 'lo1|127.0.1.1,em0|192.168.10.157'
If you want to use a “local” directory inside the jail environment, the easiest way is to bind a directory from the host system into the jail by adding the following line to /etc/fstab on the host system (modify it as you like):
/host-jailshare /usr/jails/samba01/data nullfs rw 0 0
Check your environment, start it and get access to the console:
ezjail-admin list
ezjail-admin start samba01
ezjail-admin console samba01
Create/update your /etc/hosts (by adding 127.0.1.1 localhost) and /etc/resolv.conf (by adding e.g. nameserver 8.8.8.8).
Install the Samba package inside the jail:
pkg install samba413
Edit and configure Samba according to your needs. A simple configuration:
root@samba01:~ # cat /usr/local/etc/smb4.conf
[global]
interfaces = 192.168.10.157
bind interfaces only = yes
remote announce = 192.168.10.255
map to guest = bad user
[data]
comment = data on fbsd samba server
path = /data
read only = no
guest ok = yes
valid users = smbuser
writable = yes
browseable = yes
Also create the Samba user:
adduser smbuser
smbpasswd -a smbuser
Run and verify the Samba process status:
service samba_server start
service samba_server status
Samba should now run and be ready to use from the other servers. Verify and adjust configuration to fit your needs.
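One way to do the "verify" step for guest access, as an added example that is not part of the original article: the simple configuration above sets map to guest, guest ok and valid users together, and this script lists such settings per share. The names audit_smb_conf and sample_conf and the [pub] share are assumptions made for the example.

```sh
#!/bin/sh
# Added example: list guest-access settings in an smb4.conf read from stdin.
# audit_smb_conf and sample_conf are hypothetical names, not Samba tools.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(trim(sec)); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (sec == "global" && key == "map to guest" && val != "never")
            print "global: map to guest = " val ": failed logins can be mapped to the guest account"
        if (sec != "global" && (key == "guest ok" || key == "public"))
            guest[sec] = (val == "yes" || val == "true" || val == "1")
        if (sec != "global" && key == "valid users") users[sec] = val
    }
    END {
        for (s in guest) {
            if (!guest[s]) continue
            if (s in users)
                print s ": guest ok = yes together with valid users = " users[s] ": conflicting intent, keep one"
            else
                print s ": guest ok = yes and no valid users: open to unauthenticated clients"
        }
    }'
}

# Constructed input: settings from the config above plus a made-up share [pub].
sample_conf() {
    cat <<'EOF'
[global]
map to guest = bad user
[data]
path = /data
guest ok = yes
valid users = smbuser
[pub]
path = /pub
guest ok = yes
EOF
}

sample_conf | audit_smb_conf
```

To check the live file, run audit_smb_conf < /usr/local/etc/smb4.conf from the jail console.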
As promised, a simple and fast configuration. If you want a more secure/advanced configuration, I can recommend the following:
- https://docs.freebsd.org/en/books/handbook/jails/ — general information
- https://www.youtube.com/watch?v=hQmOc0egcl4 — security and other interesting information