Creating A Jail With VNC Server On FreeBSD
This article explains how you can run a VNC server from within a jail on FreeBSD.
Creating jail from source:
Create a directory where our jails will be stored:
# mkdir -p /home/jails
Or in /usr directory:
# mkdir -p /usr/jails
# mkdir /home/jails/testjail
Go to the /usr/src directory and check if you have the FreeBSD source code.
# cd /usr/src
# ls
You should see something like that:
COPYRIGHT contrib release LOCKS crypto rescue MAINTAINERS etc sbin Makefile games secure Makefile.inc1 gnu share ObsoleteFiles.inc include sys README kerberos5 tools UPDATING lib usr.bin bin libexec usr.sbin
If the directory is empty or contains only a sys directory, you must install the FreeBSD source code.
You can do this by running sysinstall or by downloading the source code from cvs.
# sysinstall
Go to Configuration, then Distributions, select "src" and press OK. After that you should have all the source code in the /usr/src/ directory. Then you should update your source code to the latest version from cvs. You must create a file "stable-supfile" in your home directory or somewhere else.
# vi ~/stable-supfile
And put lines like these into it:
# Your closest mirror of the FreeBSD source code; for me it is the one in Poland
*default host=cvsup.pl.FreeBSD.org
*default base=/usr
*default prefix=/usr
# for FreeBSD 7.2 put RELENG_7_2, for 7.1 RELENG_7_1, for 7.0 RELENG_7_0, for 6.4 RELENG_6_4
*default release=cvs tag=RELENG_7_2
*default delete use-rel-suffix
*default compress
src-all
Next after you save the file you can update your FreeBSD source code with csup:
# csup /root/stable-supfile
After that you can compile your jail from source code:
# cd /usr/src
# make world DESTDIR=/home/jails/testjail
# make distribution DESTDIR=/home/jails/testjail
Once you have compiled world, you can create new jails with two commands without compiling world again:
# make installworld DESTDIR=/home/jails/otherjail
# make distribution DESTDIR=/home/jails/otherjail
When your jail is prepared you must make some changes in a few configuration files.
# vi /home/jails/testjail/etc/rc.conf
And you put there:
sendmail_enable="NONE"
sshd_enable="YES"
# cp /etc/resolv.conf /home/jails/testjail/etc/
# touch /home/jails/testjail/etc/fstab
Running jail for the first time:
To run the jail you must mount devfs in the jail:
# mount -t devfs devfs /home/jails/testjail/dev
Then you must configure an alias on your network interface. On my FreeBSD box I have a bge0 interface and I create the alias like this:
# ifconfig bge0 alias 192.168.2.2
Running jail:
# jail /home/jails/testjail shell 192.168.2.2 /bin/tcsh
When you are in the jail you can set the root password:
# passwd
Then you must add one non-root account that will give you access to the jail via ssh.
# adduser
To leave the jail you must use the exit command.
# exit
Your jail is nearly ready. You must add some lines to the /etc/rc.conf file, and after that your jail will start when your server boots.
# alias on your network interface
ifconfig_bge0_alias0="192.168.2.2"
# line that enables jails in FreeBSD
jail_enable="yes"
# list of your jails, e.g. "testjail otherjail httpjail sshjail"
jail_list="testjail"
jail_testjail_rootdir="/home/jails/testjail"
jail_testjail_hostname="testjail"
jail_testjail_ip="192.168.2.2"
jail_testjail_exec_start="/bin/sh /etc/rc"
jail_testjail_exec_stop="/bin/sh /etc/rc.shutdown"
jail_testjail_devfs_enable="YES"
If you want to have the ports tree in the jail and don't want to replicate it, you can mount the /usr/ports/ directory into the jail with one line in the /etc/fstab file, like this:
/usr/ports /home/jails/testjail/usr/ports/ nullfs rw,auto 0 0
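The rc.conf stanza above covers one jail. The following POSIX sh script, added here and not part of the original article, generates the same jail_<name>_* stanza for several jails at once and rejects a jail name, root directory or address that would break rc.conf (or inject into it) when sh sources the file; the interface name, jail names, paths and addresses fed to it are constructed sample values.

```shell
# Added example, not part of the original article: build the host-side
# /etc/rc.conf stanza for several jails with the jail_<name>_* variables the
# article uses. Stdin lines: "<name> <rootdir> <ip>"; $1 is the interface.

# rc.conf is sourced by sh, so a jail name (part of a variable name) may only
# contain letters, digits and underscores; "web-jail" would break rc.conf.
valid_name() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }

# Accept only a dotted quad with every octet in 0..255.
valid_ip() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# The root directory must be absolute and must not contain characters that
# end the quoted value or get expanded when rc.conf is sourced.
valid_rootdir() {
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$1" in *['"$`']*) return 1 ;; esac
}

# gen_rc_conf IFACE < entries: prints the stanza, fails on the first bad entry.
gen_rc_conf() {
    iface=$1; n=0; list=''; out=''
    while read -r name rootdir ip; do
        [ -n "$name" ] || continue
        valid_name "$name"       || { echo "bad jail name: $name" >&2; return 1; }
        valid_rootdir "$rootdir" || { echo "bad rootdir for $name: $rootdir" >&2; return 1; }
        valid_ip "$ip"           || { echo "bad ip for $name: $ip" >&2; return 1; }
        out="$out
# alias $n of $iface is used by jail $name
ifconfig_${iface}_alias${n}=\"$ip\"
jail_${name}_rootdir=\"$rootdir\"
jail_${name}_hostname=\"$name\"
jail_${name}_ip=\"$ip\"
jail_${name}_exec_start=\"/bin/sh /etc/rc\"
jail_${name}_exec_stop=\"/bin/sh /etc/rc.shutdown\"
jail_${name}_devfs_enable=\"YES\""
        list="$list${list:+ }$name"
        n=$((n + 1))
    done
    printf 'jail_enable="YES"\njail_list="%s"%s\n' "$list" "$out"
}
```

Run it as `printf 'testjail /home/jails/testjail 192.168.2.2\n' | sh thisscript.sh` after adding a call to `gen_rc_conf bge0` at the end, and append the output to the host's /etc/rc.conf.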
Starting and stopping jails without rebooting the system:
# /etc/rc.d/jail start testjail
# /etc/rc.d/jail stop testjail
If you want to get a list of your jails you can get it with this command:
# jls
Installing xorg and vnc in the jail from packages:
# pkg_add -r xorg
# pkg_add -r vnc
To run vnc from a user account you type:
$ vncserver
When you run vncserver for the first time you must set a password for the VNC connection.
By default twm runs when you connect to VNC. You can change it by editing the ~/.vnc/xstartup file: change the last line from "twm &" to, e.g., "wmaker &" for the WindowMaker environment.
To connect to the VNC server in the jail, enter the jail IP address and the VNC display number in vncviewer, e.g. 192.168.2.2:1
Some errors with VNC in a jail: when you get a message about unrecognized colors, edit the /usr/local/bin/vncserver file and change the line:
$cmd .= " -co /usr/X11R6/lib/X11/rgb";
When you get the message:
!!!!!!!!!!!!!!!!!!!!!!!!!!
no free display on jailname
you must edit /usr/local/bin/vncserver and replace the pack function call with sockaddr_in in two lines of the CheckDisplayNumber function:
[…]
pack ---> sockaddr_in(6000 + $n, &INADDR_ANY))) {
[…]
pack ---> sockaddr_in(5900 + $n, &INADDR_ANY))) {
[…]
The code should look like this (sockaddr_in and INADDR_ANY come from the Socket module, so the script needs "use Socket;" near its top):
sub CheckDisplayNumber
{
    local ($n) = @_;

    # Probe the X11 port of display $n (6000 + n); sockaddr_in() builds the
    # address structure for this platform, where the original pack() call failed.
    socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n";
    eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))';
    if (!bind(S, sockaddr_in(6000 + $n, &INADDR_ANY))) {
        close(S);
        return 0;
    }
    close(S);

    # Probe the RFB (VNC) port of display $n (5900 + n) in the same way.
    socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n";
    eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))';
    if (!bind(S, sockaddr_in(5900 + $n, &INADDR_ANY))) {
        close(S);
        return 0;
    }
    close(S);

    # Both ports could be bound, so display $n is free.
    return 1;
}
Port forwarding in IPFW for jails
If you want to forward some ports to the jail you must have compiled the FreeBSD kernel with these options enabled:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPDIVERT
Port forwarding rule:
ipfw add fwd jail_ip_address,jail_port tcp from any to local_ip_address local_port
e.g.
ipfw add fwd 192.168.2.2,21 tcp from any to me 21
ipfw add fwd 192.168.2.2,21 tcp from any to 72.46.154.23 21