Creating A Jail With VNC Server On FreeBSD

This article explains how you can run a VNC server from within a jail on FreeBSD.

Creating a jail from source:

Create a directory where the jails will be stored:

# mkdir -p /home/jails

Or under /usr:

# mkdir -p /usr/jails

Then create the directory for the first jail (this article uses /home/jails):

# mkdir /home/jails/testjail

Go to the /usr/src directory and check if you have the FreeBSD source code.

# cd /usr/src
# ls

You should see something like this:

COPYRIGHT               contrib                 release
LOCKS                   crypto                  rescue
MAINTAINERS             etc                     sbin
Makefile                games                   secure
Makefile.inc1           gnu                     share
ObsoleteFiles.inc       include                 sys
README                  kerberos5               tools
UPDATING                lib                     usr.bin
bin                     libexec                 usr.sbin

If the directory is empty or contains only sys, you must install the FreeBSD source code. You can do this by running sysinstall or by downloading the source from CVS.

# sysinstall

Go to Configuration, then Distributions, select "src" and press OK. After that you should have the complete source code in /usr/src/. Then update it to the latest version of your branch from CVS. Create a file "stable-supfile" in your home directory (or anywhere else):

# vi ~/stable-supfile

And put in lines like these:

# Your closest mirror of the FreeBSD source code; for me it is the Polish one
*default host=cvsup.pl.FreeBSD.org
*default base=/usr
*default prefix=/usr
# Pick the tag for your release: RELENG_7_2 for FreeBSD 7.2, RELENG_7_1 for 7.1, RELENG_7_0 for 7.0, RELENG_6_4 for 6.4
*default release=cvs tag=RELENG_7_2
*default delete use-rel-suffix
*default compress
src-all

After saving the file, update your FreeBSD source code with csup:

# csup /root/stable-supfile

After that you can build your jail from source:

# cd /usr/src
# make world DESTDIR=/home/jails/testjail
# make distribution DESTDIR=/home/jails/testjail

Once world has been compiled you can create further jails with two commands, without compiling world again:

# make installworld DESTDIR=/home/jails/otherjail
# make distribution DESTDIR=/home/jails/otherjail

When the jail tree is prepared you must adjust a few configuration files.

# vi /home/jails/testjail/etc/rc.conf

And put there:

sendmail_enable="NONE"
sshd_enable="YES"

Then copy the host's resolver configuration into the jail and create an empty fstab, so that the jail's startup scripts do not complain about a missing one:

# cp /etc/resolv.conf /home/jails/testjail/etc/
# touch /home/jails/testjail/etc/fstab

Running jail for the first time:

To run the jail you must first mount devfs into it:

# mount -t devfs devfs /home/jails/testjail/dev

Then configure an alias on your network interface for the jail's address. My machine has a bge0 interface, and the alias is created like this:

# ifconfig bge0 alias 192.168.2.2

Running the jail (the arguments to jail are the root directory, the jail's hostname, its IP address and the command to run):

# jail /home/jails/testjail shell 192.168.2.2 /bin/tcsh

Once inside the jail, set the root password:

# passwd

Then add one non-root account that will be used to reach the jail via ssh:

# adduser

To leave the jail use the exit command.

# exit

Your jail is nearly ready. Add the following lines to the host's /etc/rc.conf so that the jail starts when the server boots:

# alias on your network interface for the jail
ifconfig_bge0_alias0="192.168.2.2"
# enable jails on this host
jail_enable="yes"
# list of your jails, e.g. "testjail otherjail httpjail sshjail"
jail_list="testjail"
jail_testjail_rootdir="/home/jails/testjail"
jail_testjail_hostname="testjail"
jail_testjail_ip="192.168.2.2"
jail_testjail_exec_start="/bin/sh /etc/rc"
jail_testjail_exec_stop="/bin/sh /etc/rc.shutdown"
jail_testjail_devfs_enable="YES"

If you want the ports tree available in the jail without duplicating it, mount /usr/ports into the jail with one line in the host's /etc/fstab:

/usr/ports              /home/jails/testjail/usr/ports/         nullfs  rw,auto 0 0
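A pre-start check for the jail tree described above, added here as an example; it is not from the original article. It assumes the layout built so far (the jail's etc/rc.conf with the two lines above, etc/resolv.conf copied from the host, etc/fstab present, devfs mounted on dev) and reports whatever is missing before the jail is started for the first time. The function name check_jail_root is my own:

```shell
#!/bin/sh
# Added example, not from the original article: check a jail root tree
# before its first start. Assumes the layout built above:
#   $root/etc/rc.conf with sshd_enable="YES" and sendmail_enable="NONE"
#   $root/etc/resolv.conf copied from the host
#   $root/etc/fstab present (may be empty)
#   devfs mounted on $root/dev
# Usage: sh check_jail.sh /home/jails/testjail

# check_jail_root ROOT: print every problem found; return 0 only if
# all checks pass.
check_jail_root() {
    root=$1
    status=0

    if [ ! -d "$root" ]; then
        echo "missing jail root: $root"
        return 1
    fi

    rc="$root/etc/rc.conf"
    if [ ! -f "$rc" ]; then
        echo "missing $rc"
        status=1
    else
        grep -q '^sshd_enable="YES"' "$rc" || {
            echo "$rc: sshd_enable=\"YES\" not set"; status=1; }
        grep -q '^sendmail_enable="NONE"' "$rc" || {
            echo "$rc: sendmail_enable=\"NONE\" not set"; status=1; }
    fi

    # Without a resolver configuration nothing in the jail can resolve names.
    [ -s "$root/etc/resolv.conf" ] || {
        echo "$root/etc/resolv.conf missing or empty"; status=1; }

    # The jail's startup scripts expect an fstab; an empty file is enough.
    [ -f "$root/etc/fstab" ] || {
        echo "$root/etc/fstab missing (touch it)"; status=1; }

    # devfs must be mounted on $root/dev; an unmounted mount point is empty.
    if [ ! -d "$root/dev" ]; then
        echo "$root/dev missing"; status=1
    elif [ -z "$(ls -A "$root/dev")" ]; then
        echo "$root/dev is empty: mount -t devfs devfs $root/dev"; status=1
    fi

    return "$status"
}

if [ $# -gt 0 ]; then
    check_jail_root "$1"
fi
```

Run it as root on the host with the jail's root directory as the only argument; a silent run with exit status 0 means the jail can be started.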

Starting and stopping jails without rebooting the system:

# /etc/rc.d/jail start testjail
# /etc/rc.d/jail stop testjail

To list the running jails use:

# jls

Installing xorg and vnc in the jail from packages:

# pkg_add -r xorg
# pkg_add -r vnc

To run vnc as a normal user type:

$ vncserver

The first time you run vncserver you must set a password for the VNC connection.

By default twm is started when you connect. You can change this by editing the ~/.vnc/xstartup file: change the last line from "twm &" to, for example, "wmaker &" for the WindowMaker environment.

To connect to the jail's VNC server, enter the jail's IP address and the display number in vncviewer, e.g. 192.168.2.2:1 (display :1 listens on TCP port 5901).

Some VNC errors in the jail: if you get a message about colour names not being recognised, edit the /usr/local/bin/vncserver script and change the line that passes the rgb colour database to Xvnc so that it reads:

$cmd .= " -co /usr/X11R6/lib/X11/rgb";

When you get the message

!!!!!!!!!!!!!!!!!!!!!!!!!!
no free display on jailname

you must edit /usr/local/bin/vncserver and, in the function CheckDisplayNumber, replace the two calls that build the bind address with pack(...) by sockaddr_in(...), so that the two bind lines read:

[…]
if (!bind(S, sockaddr_in(6000 + $n, &INADDR_ANY))) {
[…]
if (!bind(S, sockaddr_in(5900 + $n, &INADDR_ANY))) {
[…]

The function should then look like this (sockaddr_in and INADDR_ANY come from Perl's Socket module, so the script needs a "use Socket;" line if it does not already have one):

sub CheckDisplayNumber
{
    local ($n) = @_;

    # Try to bind the X11 port of display :n; if bind fails the display is taken.
    # sockaddr_in and INADDR_ANY are provided by the Socket module (use Socket;).
    socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n";
    eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))';
    if (!bind(S, sockaddr_in(6000 + $n, &INADDR_ANY))) {
        close(S);
        return 0;
    }
    close(S);

    # Same test for the VNC port of display :n.
    socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n";
    eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))';
    if (!bind(S, sockaddr_in(5900 + $n, &INADDR_ANY))) {
        close(S);
        return 0;
    }
    close(S);

    # The rest of the function is unchanged: both ports are free.
    return 1;
}

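As an added example (not part of the article or of the vncserver script), the following shell script reproduces the CheckDisplayNumber test from the outside, which helps when vncserver reports no free display: display :n is free when neither TCP port 6000+n nor 5900+n has a listener. It parses listener lines in the format of sockstat -4l on FreeBSD; the sample output embedded below is constructed, and the function names find_free_display and bound_ports are my own:

```shell
#!/bin/sh
# Added example, not from the article or the vncserver script: find the
# first free VNC display the way CheckDisplayNumber does, from a listener
# list. Display :n is free when neither TCP port 6000+n (X11) nor 5900+n
# (VNC) is bound. Input is text in the format of `sockstat -4l` on FreeBSD:
#   USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS

# bound_ports: read sockstat output on stdin, print each bound local port.
bound_ports() {
    # Skip the header; column 6 is LOCAL ADDRESS, e.g. 192.168.2.2:5901
    # or *:22; the port is the text after the last colon.
    awk 'NR > 1 { n = split($6, a, ":"); if (n > 1) print a[n] }'
}

# find_free_display LISTENERS [MAX]: print the lowest display number in
# 1..MAX (default 99) whose two ports are both unbound and return 0;
# return 1 with no output when every display is taken, which is the
# situation behind vncserver's "no free display" message.
find_free_display() {
    listeners=$1
    max=${2:-99}
    ports=$(printf '%s\n' "$listeners" | bound_ports | sort -un)
    n=1
    while [ "$n" -le "$max" ]; do
        x11=$((6000 + n))
        vnc=$((5900 + n))
        taken=0
        for p in $ports; do
            if [ "$p" -eq "$x11" ] || [ "$p" -eq "$vnc" ]; then
                taken=1
                break
            fi
        done
        if [ "$taken" -eq 0 ]; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Constructed sample of sockstat -4l inside a jail: displays :1 and :2
# are occupied (:2 only by its X11 port), so :3 is the first free one.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   192.168.2.2:22        *:*
vnc      Xvnc       901   1  tcp4   192.168.2.2:5901      *:*
vnc      Xvnc       901   2  tcp4   192.168.2.2:6001      *:*
vnc      Xvnc       955   2  tcp4   192.168.2.2:6002      *:*'

# On a real jail: find_free_display "$(sockstat -4l)"
find_free_display "$SAMPLE"
```

If the script prints nothing for the real listener list, the ports really are exhausted or held by stale Xvnc processes; if it prints a display number while vncserver still claims there is none, the script's bind test is what fails, which points at the pack/sockaddr_in change above.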

Port forwarding with IPFW for jails

If you want to forward ports to the jail, your FreeBSD kernel must be compiled with these options enabled:

options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_FORWARD
options         IPDIVERT

Port forwarding rule syntax:

ipfw add fwd jail_ip,jail_port tcp from any to local_ip local_port

For example:

ipfw add fwd 192.168.2.2,21 tcp from any to me 21
ipfw add fwd 192.168.2.2,21 tcp from any to 72.46.154.23 21
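An added example, not from the article: a small script that validates the jail address and the ports before emitting an ipfw fwd rule in the form shown above, so a typo cannot produce a rule that forwards the wrong port. The names fwd_rule, is_port and is_ipv4 are assumptions of this example; the optional fifth argument replaces the rule's "from any" with a source network, which is the usual way to limit who can reach a forwarded service:

```shell
#!/bin/sh
# Added example, not from the article: build the ipfw fwd rules of the
# section above from validated inputs. Assumes the article's rule form:
#   ipfw add fwd <jail_ip>,<jail_port> tcp from <src> to <local_ip> <local_port>

# is_port PORT: return 0 if PORT is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR: return 0 for a dotted quad with every octet in 0..255,
# or for the ipfw keyword "me" (the host's own addresses).
is_ipv4() {
    [ "$1" = "me" ] && return 0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# fwd_rule JAIL_IP JAIL_PORT LOCAL_IP LOCAL_PORT [SRC]
# Print the ipfw command (status 0), or an error on stderr (status 1).
# SRC defaults to "any" as in the article; a network such as
# 192.168.2.0/24 narrows who may reach the forwarded port.
fwd_rule() {
    jail_ip=$1 jail_port=$2 local_ip=$3 local_port=$4 src=${5:-any}
    is_ipv4 "$jail_ip"    || { echo "bad jail ip: $jail_ip" >&2; return 1; }
    is_port "$jail_port"  || { echo "bad jail port: $jail_port" >&2; return 1; }
    is_ipv4 "$local_ip"   || { echo "bad local ip: $local_ip" >&2; return 1; }
    is_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
    echo "ipfw add fwd $jail_ip,$jail_port tcp from $src to $local_ip $local_port"
}

# Demonstration with the article's values; pipe the output into sh to apply.
fwd_rule 192.168.2.2 21 me 21
fwd_rule 192.168.2.2 21 72.46.154.23 21
```

Review the printed rules before applying them; with IPFIREWALL_DEFAULT_TO_ACCEPT the fwd rule only redirects, it does not itself block anything.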