
RE: [ezjail] Implementing bind9 in multiple jails.

Hello Rick,

Do not install bind9 from ports.
Use the default bind install (for example, version 9.3.3 comes with FreeBSD 6.2).
Add to your jailed /etc/rc.conf:

# Prevent rpc
rpcbind_enable="NO"

named_enable="YES"
named_chrootdir=""

To /etc/namedb/named.conf add within options:

listen-on { x.x.x.x; };

And below options:

controls {
        inet x.x.x.x port 953 allow { x.x.x.x; } keys { rndc-key; };
};

Where x.x.x.x is your jail IP.
This will force named to listen on the jail IP, port 53, and on port 953 for rndc.


BR,

Catalin Miclaus
Senior Network/Security Administrator
Starcomms Ltd.
www.starcomms.com
Phone: xxxxxxxxxxxxx
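An added example, not from Catalin's reply or from the ezjail project: a small Python checker that reads a jail's rc.conf and named.conf and reports any deviation from the settings above (rpcbind off, chroot disabled, listen-on and controls pinned to the jail IP). The two sample files and the jail IP 10.8.124.66 (the address from rick's sockstat output) are constructed for the example.

```python
import re

# Constructed sample files, modelled on the settings recommended in the reply above.
RC_CONF = '''# Prevent rpc
rpcbind_enable="NO"
named_enable="YES"
named_chrootdir=""
'''
NAMED_CONF = '''options {
    listen-on { 10.8.124.66; };
};
controls {
    inet 10.8.124.66 port 953 allow { 10.8.124.66; } keys { rndc-key; };
};
'''

def parse_rc_conf(text):
    """Return {var: value} for simple var="value" lines; comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def _addr_list(block):
    # "{ a; b; }" body -> ["a", "b"]
    return [a.strip() for a in block.split(';') if a.strip()]

def check_jailed_named(rc_text, named_text, jail_ip):
    """Return findings; an empty list means the jail follows the recipe."""
    findings = []
    rc = parse_rc_conf(rc_text)
    # FreeBSD defaults: rpcbind_enable=NO, named_enable=NO, named_chrootdir=/var/named
    if rc.get('rpcbind_enable', 'NO').upper() != 'NO':
        findings.append('rpcbind_enable must be NO inside the jail')
    if rc.get('named_enable', 'NO').upper() != 'YES':
        findings.append('named_enable is not YES')
    if rc.get('named_chrootdir', '/var/named') != '':
        findings.append('named_chrootdir must be "": the chroot needs a devfs mount the jail cannot do')
    m = re.search(r'\blisten-on\s*\{([^}]*)\}', named_text)
    addrs = _addr_list(m.group(1)) if m else []
    if addrs != [jail_ip]:
        findings.append('listen-on must be exactly { %s; }, found %s' % (jail_ip, addrs))
    m = re.search(r'controls\s*\{\s*inet\s+(\S+)\s+port\s+(\d+)\s+allow\s*\{([^}]*)\}', named_text)
    if not m:
        findings.append('no controls statement binding rndc to the jail IP')
    elif m.group(1) != jail_ip or m.group(2) != '953' or _addr_list(m.group(3)) != [jail_ip]:
        findings.append('controls must be inet %s port 953 allow { %s; }' % (jail_ip, jail_ip))
    return findings
```

Run it against the real files with `check_jailed_named(open('/etc/rc.conf').read(), open('/etc/namedb/named.conf').read(), jail_ip)` from inside the jail; a non-empty list is the "gotcha" to fix before starting named.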

-----Original Message-----
From: rick AT alpha.alegria.capnet.state.tx DOT us
[mailto:rick AT alpha.alegria.capnet.state.tx DOT us] On Behalf Of rick
Sent: Friday, February 15, 2008 7:37 PM
To: ezjail AT erdgeist DOT org
Subject: [ezjail] Implementing bind9 in multiple jails.

When I try to run bind9 inside of an ezjail sandbox, it complains about not being able to create the devfs:

   test237# ./named start
   mount_devfs: Operation not permitted
   ./named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev
   devfs rule: ioctl DEVFSIO_RAPPLY: Inappropriate ioctl for device
   devfs rule: ioctl DEVFSIO_RAPPLY: Inappropriate ioctl for device
   Starting named.
   test237# ps -auxw | grep -i name
   bind 28512  0.0  0.1  7420  4512  ??  SsJ   6:00PM   0:00.00 /usr/sbin/named -t /var/named -u bind
   test237# df -k
   Filesystem    1K-blocks   Used     Avail Capacity  Mounted on
   /dev/aacd1s1d 130610200 658586 119502798     1%    /
   test237# sockstat
   USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
   bind     named      28512 3  dgram  -> /var/run/logpriv
   bind     named      28512 20 udp4   10.8.124.66:49386  *:*
   bind     named      28512 21 tcp4   10.8.124.66:953    *:*
   test237#

Yes, I know bind already is in a jail by default, but I want to be able to run multiple separate instances of named in different sandboxes, to be run by entirely different IT groups who should not have access to each other's configurations - and at the same time I would like it to be run the standard FreeBSD way in the /var/named/ jail so everything will still look like a normal, stand-alone system.

The inability to create the devfs may not be the only problem, so if anyone is running bind9 inside an ezjail sandbox and has a list of "gotchas" and how to solve them, that would be appreciated.

rick