Something I had wanted to try
Since this is FreeBSD after all, I had wanted to split environments by purpose into Jails.
Having wiped the machine clean, I took the opportunity to start using Jails.
Environment
- Sakura VPS 1G plan (RAM 1GB, HDD 100GB)
- FreeBSD 12.0-RELEASE
- ZFS (zroot)
How should it be structured?
The host environment runs as few daemons as possible; services are split out into individual Jails.
I relied heavily on this article.
qiita.com
In the same way as that article, SSH from the outside is port-forwarded by pf, with each port dispatched to a different Jail.
Before the reinstall I was using ipfw rather than pf, but I never worked out how to NAT with ipfw while exposing services from Jails, and the project stalled... with pf it was easy.
For HTTP(S) the plan is to set up a single front-door Jail and have nginx dispatch by host name.
Building the Jails
I followed this article by id:dankogai; it laid out exactly what I wanted to do, concisely, and was easy to follow.
blog.livedoor.jp
First, on the host, provide an IP address for each Jail.
As Dan's article also notes, you could apparently just reuse the host's IP address, but I figured that keeping them separate would leave less room for mistakes.
/etc/rc.conf
(earlier lines omitted)
ifconfig_lo0="inet 127.0.0.1"
ifconfig_lo0_alias0="inet 10.0.0.254 10.0.0.255 netmask 255.255.255.0"
ifconfig_lo0_alias1="inet 10.0.0.11"
ifconfig_lo0_alias2="inet 10.0.0.12"
:
:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
jail_enable="YES"
(remaining lines omitted)
Like this, list as many IP addresses as you need,
and enable pf and Jail.
/etc/pf.conf
Next, prepare the pf.conf that rc.conf refers to. This is the file that holds the pf rules.
(Almost identical to the example in the first article.)
(earlier lines omitted)
ext_if="vtnet0"
int_if="lo0"
table <private> const { 10.0.0.0/24 }
nat on $ext_if inet from ($int_if) to ! <private> -> ($ext_if)
rdr pass on $ext_if proto tcp from any to ($ext_if) port 2211 -> 10.0.0.11 port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port 2212 -> 10.0.0.12 port 22
:
:
rdr pass on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.12 port http
rdr pass on $ext_if proto tcp from any to ($ext_if) port https -> 10.0.0.12 port https
block in log all
pass in proto tcp to any port ssh
pass out all keep state
Here, to make 10.0.0.12 the front door for HTTP(S), I added rules that forward the HTTP(S) ports there in addition to SSH.
Since I also want to SSH into the host, that is added too.
/etc/jail.conf
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
interface = lo0;
path = "/jails/$name";
host.hostname = $name;
allow.chflags;
allow.raw_sockets;
# each jail
base {
ip4.addr = 10.0.0.11;
}
httpd {
ip4.addr = 10.0.0.12;
}
If you write the jails under "# each jail" as shown, you don't have to specify the IP address and so on each time at start-up, which is convenient, but it seems the Jails listed here are started automatically when the host boots. I wonder what I need to write to stop that...
Once rc.conf, pf.conf and jail.conf are in place, reboot once.
Creating a template Jail environment
When reinstalling FreeBSD I put the root file system on ZFS, because assigning a ZFS dataset to each Jail looked like it would make things very easy.
First, build a template Jail environment named base.
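Before that reboot it is worth confirming that the three files agree with one another. The script below is an added example, not code from this post or from the linked articles. It embeds copies of the post's fragments plus one constructed rdr line forwarding port 2213 to 10.0.0.13, an address no jail owns, so that the check has something to report: such a forward is either dead or, if the host happens to carry that lo0 alias, lands on a host daemon instead of a jail. It also lists which jails rc(8) will start at boot, which is what the question above is about: unless rc.conf sets jail_list="name ...", every stanza in jail.conf is started. Syntax of the real pf.conf is checked separately with pfctl -nf /etc/pf.conf, which parses the rules without loading them.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check rc.conf lo0
# aliases, jail.conf ip4.addr values and pf.conf rdr targets. The three
# strings below are embedded copies of the post's fragments; on a real
# host use e.g. RC_CONF=$(cat /etc/rc.conf) instead. The 2213 -> 10.0.0.13
# rdr line is constructed to show a mismatch.

RC_CONF='ifconfig_lo0="inet 127.0.0.1"
ifconfig_lo0_alias0="inet 10.0.0.254 10.0.0.255 netmask 255.255.255.0"
ifconfig_lo0_alias1="inet 10.0.0.11"
ifconfig_lo0_alias2="inet 10.0.0.12"
pf_enable="YES"
jail_enable="YES"'

PF_CONF='ext_if="vtnet0"
rdr pass on $ext_if proto tcp from any to ($ext_if) port 2211 -> 10.0.0.11 port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port 2212 -> 10.0.0.12 port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port 2213 -> 10.0.0.13 port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.12 port http
rdr pass on $ext_if proto tcp from any to ($ext_if) port https -> 10.0.0.12 port https
block in log all
pass in proto tcp to any port ssh
pass out all keep state'

JAIL_CONF='interface = lo0;
path = "/jails/$name";
base {
ip4.addr = 10.0.0.11;
}
httpd {
ip4.addr = 10.0.0.12;
}'

# First address of every ifconfig_lo0_aliasN line in rc.conf
alias_ips() {
    printf '%s\n' "$RC_CONF" |
        awk -F'"' '/^ifconfig_lo0_alias[0-9]+=/ { split($2, a, " "); print a[2] }'
}

# "name address" for every jail.conf stanza that sets ip4.addr
jail_ips() {
    printf '%s\n' "$JAIL_CONF" | awk '
        /^[A-Za-z0-9_.-]+[ \t]*\{/ { name = $1; sub(/[ \t]*\{.*/, "", name) }
        /ip4\.addr[ \t]*=/ { v = $0; sub(/.*=[ \t]*/, "", v); gsub(/"/, "", v)
                             sub(/;.*/, "", v); print name, v }'
}

# "external-port target" for every rdr rule in pf.conf
rdr_targets() {
    printf '%s\n' "$PF_CONF" |
        awk '/^rdr/ { for (i = 1; i <= NF; i++) if ($i == "->") print $(i-1), $(i+1) }'
}

# One line per disagreement; prints nothing when the files are consistent
check_config() {
    aliases=$(alias_ips)
    jails=$(jail_ips)
    jail_ips | while read -r name ip; do
        echo "$aliases" | grep -qxF "$ip" ||
            echo "jail $name: $ip has no lo0 alias in rc.conf"
    done
    rdr_targets | while read -r port ip; do
        echo "$jails" | awk '{ print $2 }' | grep -qxF "$ip" ||
            echo "rdr port $port -> $ip: no jail owns this address"
    done
    return 0
}

# Jails rc(8) starts at boot: jail_list from rc.conf, or all stanzas if unset
autostart_jails() {
    list=$(printf '%s\n' "$RC_CONF" | awk -F'"' '/^jail_list=/ { print $2 }')
    if [ -n "$list" ]; then
        echo "$list"
    else
        jail_ips | awk '{ printf "%s ", $1 }' | sed 's/ $//'
        echo
    fi
}

check_config
printf 'autostart at boot: %s\n' "$(autostart_jails)"
```

Run as-is it reports the constructed 2213 forward and shows that both base and httpd will start at boot; adding jail_list="base" to the RC_CONF fragment changes the second line accordingly.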
# zfs create -o mountpoint=/jails zroot/jails
# zfs create zroot/jails/base
# bsdinstall jail /jails/base
The familiar installer starts the installation. base and lib32 are enough to get going.
Starting the Jail
# service jail start base
starts it. If it comes up correctly,
# jls
JID IP Address Hostname Path
1 10.0.0.11 base.example.com /jails/base
something like this appears in the list.
Next, enter the Jail's console.
# jexec base
root@base:/ #
If you get this far, the Jail has started successfully.
So at this stage, run freebsd-update (steps omitted).
Once you have had a look around, leave the Jail's shell and then
# service jail stop base
to stop it.
Cloning the template environment
This is where ZFS shines.
# zfs snapshot zroot/jails/base@12.0p11
ãã㧠dataset ã®ã¹ãããã·ã§ãããåããŸãã@ ã®åŸãã¯ã¹ãããã·ã§ããã®åãããããååãä»ããŸãïŒããã§ã¯ãªãªãŒã¹çªå·ïŒãããçªå·ïŒã
ãããŠãããè€è£œããŸãã
# zfs clone zroot/jails/base@12.0p11 zroot/jails/httpd
That's it: base has been cloned to httpd in one go.
Change the name and repeat, and you can make as many copies of the template as you like.
Incidentally, an environment you no longer need can be wiped out with
# zfs destroy zroot/jails/httpd
Snapshots can also be removed with destroy, but a file system or snapshot that is the origin of a clone cannot be deleted while the cloned dataset exists. With the -R switch you can delete the clones along with it.*1
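Because -R also destroys every jail cloned from the snapshot, it pays to see what depends on a snapshot or dataset before typing either destroy command. The script below is an added example, not code from this post; it works on a constructed listing in the format printed by zfs list -H -o name,origin -t filesystem (tab separated, "-" meaning the dataset is not a clone), and the mail jail in that listing is invented. On a real host the listing would come from that command.

```shell
#!/bin/sh
# Added example (not from the original post): find the clones that hang
# off a snapshot or a dataset before running zfs destroy, so that -R is
# only used deliberately. ZFS_LIST is a constructed sample of
#   zfs list -H -o name,origin -t filesystem
# on a real host: ZFS_LIST=$(zfs list -H -o name,origin -t filesystem)
ZFS_LIST=$(printf 'zroot/jails\t-\nzroot/jails/base\t-\nzroot/jails/httpd\tzroot/jails/base@12.0p11\nzroot/jails/mail\tzroot/jails/base@12.0p11\n')

# Datasets cloned from the argument: an exact origin match for a snapshot
# (dataset@name), or any snapshot of the dataset when no @ is given.
clones_of() {
    printf '%s\n' "$ZFS_LIST" | awk -F'\t' -v target="$1" '
        $2 == target { print $1; next }
        index(target, "@") == 0 && index($2, target "@") == 1 { print $1 }'
}

# Exit 0 and print the plain destroy command when nothing depends on the
# target; otherwise exit 1 and show what -R would take down with it.
destroy_check() {
    target=$1
    clones=$(clones_of "$target" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$clones" ]; then
        echo "zfs destroy $target"
        return 0
    fi
    echo "refusing: clones of $target still exist: $clones"
    echo "zfs destroy -R $target would also destroy: $clones"
    return 1
}

# Stand-alone usage: check the snapshot given as $1 (default: the post's)
destroy_check "${1:-zroot/jails/base@12.0p11}" || echo "(nothing destroyed)"
```

With the sample listing the check refuses the post's base@12.0p11 snapshot, naming httpd and mail as the clones that -R would remove, while zroot/jails/httpd itself, which nothing is cloned from, is reported as safe to destroy plainly.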
After that, run
# jexec httpd
and then build up the environment just as you would on a normal FreeBSD system: adduser the users you need, pkg add the packages you want, and so on.