FreeBSD10.0構築 - jail + VIMAGE on sakuravps

FreeBSD 10.0でjail環境とネットワークを整理するメモ。
構築する内容は以下。

  • jail on ZFS
  • VIMAGEでネットワークを整理

インストール

  • HDDの設定をZFSにしてインストールする。
  • カーネルのsrcを入れておく

カーネルのリビルド

VIMAGEのオプションをonにしてカーネルを再ビルドする。

# vi /usr/src/sys/amd64/conf/VIMAGE
# Custom kernel: everything in GENERIC plus VIMAGE (virtualised network
# stacks), which the "vnet" jails configured in /etc/jail.conf below require.
# NOTE(review): a config kept under /usr/src/sys/amd64/conf can be lost when
# the source tree is updated; the usual advice is to store it elsewhere and
# symlink it into the conf directory.
include GENERIC
ident VIMAGE

options         VIMAGE
# cd /usr/src
# make buildkernel KERNCONF=VIMAGE
# make installkernel KERNCONF=VIMAGE
# shutdown -r now

必要なアプリケーションのインストール

# pkg update
# pkg upgrade
# pkg install zsh vim ezjail

jail作成

/usr/local/etc/ezjail.conf を設定

# ezjail layout: everything lives under one directory, backed by ZFS.
ezjail_jaildir="/usr/jails"
# Template for new jails and the base-system tree (basejail).
ezjail_jailtemplate="${ezjail_jaildir}/newjail"
ezjail_jailbase="${ezjail_jaildir}/basejail"
# Where ezjail-admin archive/backup files are written.
ezjail_archivedir="${ezjail_jaildir}/ezjail_archives"
# Use ZFS datasets under zroot/jails for the base and for each jail.
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="zroot/jails"
# Extra properties for the per-jail datasets; atime=off avoids a write per read.
ezjail_zfs_jail_properties="-o atime=off"

ezjailを使ってjailを作ってしまう

# ezjail-admin install
# ezjail-admin create -c zfs database 192.168.255.101

/etc/rc.conf を編集

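hostname="core"

# --- IPv4 on the external interface ---
# NOTE(review): these addresses look like a sanitised example (pf.conf below
# names a different external address, 10.40.1.150); substitute the VPS's real
# address and gateway.
ifconfig_em0="inet 192.168.0.202 netmask 255.255.255.0"
defaultrouter="192.168.0.254"
# Forwarding is required because the jails reach the outside through this host
# (pf NAT). Set once here; the original listing repeated it under "vimage".
gateway_enable="YES"
# routed(8) is not needed: the default route is static.
#router_enable="YES"

# --- IPv6 ---
# NOTE(review): ipv6_enable is deprecated on 9.x/10.x in favour of
# ifconfig_<if>_ipv6 (set below) and ipv6_activate_all_interfaces; left in
# place -- confirm it still has an effect on this release.
ipv6_enable="YES"
# The example uses a ULA here; pf's <external_v6> NAT target must be the global
# address actually configured on this interface.
ifconfig_em0_ipv6="inet6 fd00::1/64"
ipv6_gateway_enable="YES"
# NOTE(review): no ipv6_defaultrouter is set. With forwarding enabled the host
# does not accept router advertisements, so the global address needs a static
# v6 default route -- confirm against the VPS provider's setup.
#ipv6_router_enable="YES"

# --- services ---
sshd_enable="YES"
ntpd_enable="YES"
zfs_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable.
# NOTE(review): a kernel dump contains whatever was in memory, including key
# material; keep /var/crash root-only, or set "NO" if dumps are not needed.
dumpdev="AUTO"

# --- jail networking (VIMAGE) ---
# bridge0 connects the host-side "a" ends of the jails' epair interfaces; its
# addresses are assigned in jail.conf's exec.prestart. pf provides NAT and
# filtering for the jail traffic.
cloned_interfaces="bridge0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# --- jails ---
# jail_list names the jails from /etc/jail.conf to start at boot.
jail_enable="YES"
jail_list="database"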

/boot/loader.conf を編集

# Load the ZFS module in the loader so the ZFS root pool can be mounted.
zfs_load="YES"
# Seconds the loader menu waits before booting the default kernel.
autoboot_delay="2"
# cp /etc/defaults/devfs.rules /etc/
# reboot

/etc/jail.conf を編集

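# Defaults shared by every jail defined in this file.
# Least privilege: no raw sockets (so no ping/traceroute from inside), no
# changing the hostname, no SysV IPC.
allow.raw_sockets = "0";
allow.set_hostname = "0";
allow.sysvipc = "0";
# The host mounts devfs for the jail (mount.devfs below), so the jail itself
# does not need allow.mount.devfs; that grant was dropped (per jail(8) it is
# also inert without allow.mount, so nothing changes in practice).

# Each jail gets its own network stack (VIMAGE kernel) and the "b" end of an
# epair; the "a" end stays on the host and is added to bridge0 in prestart.
vnet;
vnet.interface      = "epair${if}b";

# NOTE(review): ".local" is reserved for mDNS (RFC 6762); an internal domain of
# your own avoids surprises with resolvers.
host.hostname       = "${name}.local";
path                = "/usr/jails/${name}";
# Per-jail fstab under /etc (presumably written by ezjail-admin create).
mount.fstab         = "/etc/fstab.${name}";
mount.devfs         = "1";
# Ruleset 4 is devfsrules_jail from /etc/defaults/devfs.rules: hides all
# devices except the basic set. Set once here for every jail.
devfs_ruleset       = "4";
exec.consolelog     = "/var/log/${name}.console.log";
# Host side: create the epair, attach its "a" end to bridge0, and (re)assign
# the bridge addresses. The address lines run on every jail start and are
# idempotent.
# NOTE(review): fc00::/64 lies in the not-yet-defined half of the ULA block;
# fd00::/8 with a random 40-bit global ID is the prefix meant for local use.
exec.prestart       = "ifconfig epair${if} create up >/dev/null";
exec.prestart      += "ifconfig bridge0 addm epair${if}a";
exec.prestart      += "ifconfig bridge0 inet 192.168.255.1/24 up";
exec.prestart      += "ifconfig bridge0 inet6 fc00::1/64 up";
# Jail side: bring up loopback and the epair, set default routes, then run rc.
# See the addendum at the end of the page: the author found IPv6 did not come
# up from here and moved the two inet6 lines into the jail's own rc.conf.
exec.start          = "/sbin/ifconfig lo0 up 127.0.0.1";
exec.start         += "/sbin/ifconfig epair${if}b inet up ${ipaddr}";
exec.start         += "/sbin/ifconfig epair${if}b inet6 up ${ipaddr6}";
exec.start         += "/sbin/route add default ${defaultroute}";
exec.start         += "/sbin/route -n add -inet6 default ${defaultroute6}";
exec.start         += "/bin/sh /etc/rc";
exec.stop           = "/bin/sh /etc/rc.shutdown";
# Destroying the "a" end removes the whole epair.
exec.poststop       = "ifconfig epair${if}a destroy";
# Keep the jail alive even when no process is running inside it.
persist;

# One block per jail. $if must be unique per jail or the epair names collide;
# the addresses must fall inside bridge0's 192.168.255.0/24 and fc00::/64 and
# inside pf's <jail_v4>/<jail_v6> tables. (The duplicate devfs_ruleset that
# repeated the global default was removed.)
database {
        $if            = 0;
        $ipaddr        = 192.168.255.101;
        $ipaddr6       = fc00::101;
        $defaultroute  = 192.168.255.1;
        $defaultroute6 = fc00::1;
}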
# jail -c database
# reboot

ネットワーク設定

jailからの外向け通信に関しては、pfを使ってNATをかける。
/etc/pf.conf を設定する

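# --- macros and tables ---
ext_if="em0"
int_if="bridge0"
# (The old ext_addr_v4 macro was unused: the NAT rule takes the external
#  address from the interface via ($ext_if), so nothing needs hard-coding.)

# Jail networks: bridge0 is 192.168.255.1/24 and fc00::1/64 (see jail.conf).
table <jail_v4> const { 192.168.255.0/24 }
table <jail_v6> const { fc00::/8 }

# The host's global IPv6 address, used as the NAT source for jail IPv6 traffic.
table <external_v6> const { global v6アドレス }

# Private ranges that should never arrive from outside. fc00::/7 is the full
# ULA block; the original fc00::/8 omitted fd00::/8, the half actually used
# for local assignments. NOTE(review): this ruleset treats $ext_if as
# public-facing -- the rc.conf example addresses on em0 (192.168.0.0/24,
# fd00::/64) fall inside these tables and would be blocked inbound.
table <private_v4> const { 192.168.0.0/16 }
table <private_v6> const { fc00::/7 }
table <special> const { ::1, 127.0.0.1 }

# --- normalisation (must precede translation rules in this pf version) ---
scrub in on $ext_if all fragment reassemble

# --- translation ---
# Jail traffic bound for the Internet is NATed to the external address; traffic
# to private ranges is left untranslated and is caught by the egress block
# below.
nat on $ext_if inet from <jail_v4> to ! <private_v4> -> ($ext_if)
nat on $ext_if inet6 from <jail_v6> to ! <private_v6> -> <external_v6>

# Inbound 80/443 from outside. "rdr pass" also passes the packet, so these
# ports are open regardless of the filter rules below.
# NOTE(review): 192.168.255.1 / fc00::1 are bridge0 on the host, not a jail,
# although the original comment said "to jail"; if the service lives in the
# database jail the target should be its address (192.168.255.101 / fc00::101).
rdr pass on $ext_if inet proto tcp from !<jail_v4> to ($ext_if) port {80, 443} -> 192.168.255.1
rdr pass on $ext_if inet6 proto tcp from !<jail_v6> to ($ext_if) port {80, 443} -> fc00::1

# --- external interface, inbound ---
# Anti-spoof: private/ULA sources have no business arriving from outside.
block in log quick on $ext_if from { <private_v4> <private_v6> } to any

# Services offered by the host itself (sshd on 10022, http).
pass in quick on $ext_if proto tcp from any to $ext_if port {10022, http} flags S/SA keep state

# Answer IDENT with RST so remote mail/irc servers do not wait for a timeout.
block return-rst in quick on $ext_if proto tcp from any to any port 113

# ICMP the host needs: echo requests, PMTU/unreachable feedback, and -- for
# IPv6 -- neighbour discovery and router advertisements, without which the
# global v6 address cannot talk to its gateway.
pass in quick on $ext_if inet proto icmp icmp-type { echoreq, unreach, timex, paramprob }
pass in quick on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routeradv, toobig, unreach, timex, paramprob, echoreq }

# Default deny for everything else arriving on the external interface. The
# original blocked only TCP and UDP, leaving every other protocol (GRE, ESP,
# SCTP, ...) to pf's default-pass behaviour. Replies to outbound connections
# still come back through the states created by the pass-out rules.
block in log quick on $ext_if all

# --- external interface, outbound ---
# Do not send traffic destined for jail or loopback ranges out the external
# interface, and do not let untranslated jail source addresses leave either
# (translation happens before filtering, so NATed traffic is unaffected).
block out quick on $ext_if from any to { <jail_v4> <jail_v6> <special> }
block out log quick on $ext_if from { <jail_v4> <jail_v6> } to any

pass out quick on $ext_if proto tcp all modulate state
pass out quick on $ext_if proto udp all keep state

#icmp
pass out quick on $ext_if inet proto icmp all
# NOTE(review): outbound ICMPv6 is not passed explicitly; it only gets out
# because nothing blocks out on $ext_if. Add a pass for icmp6 before ever
# introducing an outbound default deny.
#block out log quick on $ext_if proto icmp all

# --- internal (jail) side ---
# NOTE(review): this lets the jails reach every service on the host and each
# other without restriction. Once the jails' roles are fixed, narrow it to the
# ports they actually need (the page itself notes the firewall is unfinished).
pass in quick on $int_if all
pass out quick on $int_if all

### loopback ###
pass in quick on lo0 all
pass out quick on lo0 all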

jail側の /etc/resolv.conf を設定する

以上で通信までできる。あとはFirewallの設定だけ。

追記

と思っていたが、なぜかjail.confでアドレスを振るとv6がうまく動かない。

exec.start += "/sbin/ifconfig epair${if}b inet6 up ${ipaddr6}";
exec.start += "/sbin/route -n add -inet6 default ${defaultroute6}";

を削除して、jail側のrc.confに記載した。

Written on March 22, 2014