encrypted (geli) jail

Work in progress.

Set the global variables used by the following steps

# Jail name, the directory that holds its image and key file under the
# encrypted jails tree, and the number used both as jail id and md unit.
JNAME=enjail
JDIR=/usr/local/jails/encrypted/${JNAME}
JID=2
export JNAME JDIR JID

Create jail root folders

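# Create the jail's directory plus the mount point for its encrypted image,
# then work from there. Expansions are quoted and the cd is guarded so the
# following steps never run in the wrong directory.
mkdir -p -- "$JDIR/mnt"
cd -- "$JDIR" || exit 1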

Create the 2 GB disk image file that will be encrypted

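# Allocate the zero-filled backing file for the encrypted disk:
# 1024 blocks x 2 MiB = 2 GiB.
dd if=/dev/zero of="$JDIR/$JNAME.img" bs=2m count=1024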

Create the vnode-backed md device

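 # Attach the image file as memory disk /dev/md$JID; the jail id doubles as
 # the md unit number, so it must not collide with an existing md device.
 mdconfig -a -t vnode -f "$JDIR/$JNAME.img" -u "$JID"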

Generate the geli key file (geli init will also ask for a passphrase) and initialise the encryption

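# Create a 64-byte random key file, readable by root only: the key file is
# stored next to the image it unlocks, so it must never be world-readable.
# The umask is set in a subshell so the file is created with 0600 from the
# start and the caller's umask is left untouched.
( umask 077; dd if=/dev/random of="$JDIR/$JNAME.key" bs=64 count=1 )
# Initialise geli on the md device with the key file and a 4096-byte sector
# size. geli init also prompts for a passphrase; both the key file and that
# passphrase are required on every later attach.
geli init -K "$JDIR/$JNAME.key" -s 4096 "/dev/md$JID"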

Attach the encrypted image using the generated key file

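 # Attach the encrypted provider; this creates /dev/md$JID.eli and prompts
 # for the passphrase chosen at geli init.
 geli attach -k "$JDIR/$JNAME.key" "/dev/md$JID"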

Create the new file system and mount it

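# Fill the decrypted provider with random data so unused blocks cannot be
# told apart from real data. No count is given: dd writes until the device
# is full, so a final "end of device" error from dd is expected here.
dd if=/dev/random of="/dev/md$JID.eli" bs=1m
# Create the UFS file system on the provider and mount it at the jail's
# mount point for the installation step.
newfs "/dev/md$JID.eli"
mount "/dev/md$JID.eli" "$JDIR/mnt"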

Install the FreeBSD base system into the jail

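# Install the FreeBSD base system for a jail into the mounted encrypted
# file system.
bsdinstall jail "$JDIR/mnt"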

Clean up once the jail installation has finished: unmount and detach everything

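# Tear down in reverse order: unmount the file system, detach the geli
# provider and free the md unit. After geli detach the jail's data is
# inaccessible again until key file and passphrase are supplied.
umount -f "$JDIR/mnt"
geli detach "/dev/md$JID.eli"
mdconfig -d -u "$JID"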

Generate jail config file

# create main jail config: opens the file in ee(1); paste the configuration
# listed below into it and save
ee /usr/local/jails/encrypted/jail.conf

# --- encrypted jails general config start ---
# Settings shared by every encrypted jail. Each jail block below only has to
# set $id, $jimage, $gkey, $hostname and the epair addresses ($jipa, $jipb, $jgw).
$rootpath = "/usr/local/jails";
# The jail id is fixed from $id and the same number is used as the md(4)
# unit below, so $id must be unique among jails and must not collide with
# an md device that already exists on the host.
jid = $id;
path = "$rootpath/${id}";
host.hostname = "$hostname";
vnet;
vnet.interface = "epair${id}b";

# Bring up the encrypted root on the host: image -> md device -> geli
# provider -> mount. geli attach prompts for the passphrase chosen at
# geli init, so starting the jail is interactive.
exec.prestart = "mdconfig -a -t vnode -f ${jimage} -u ${id}";
exec.prestart += "geli attach -k ${gkey} /dev/md${id}";
exec.prestart += "mkdir -p ${rootpath}/${id}";
exec.prestart += "mount /dev/md${id}.eli ${rootpath}/${id}";
# NOTE(review): devfs is mounted by hand with no ruleset, so the jail is
# presumably shown the host's full device tree (including the md/geli
# nodes). "mount -t devfs -o ruleset=4 ..." or mount.devfs together with
# devfs_ruleset would apply the standard jail ruleset -- confirm on the
# target release.
exec.prestart += "mount -t devfs devfs ${rootpath}/${id}/dev";
exec.prestart += "ifconfig epair${id} create";
exec.prestart += "ifconfig epair${id}a up";
exec.prestart += "ifconfig epair${id}a ${jipa}";

# Inside the jail: normal rc boot, then address the jail side of the epair
# and route everything via the host side ($jgw is the host's epair address).
exec.start = "/bin/sh /etc/rc";
exec.start += "ifconfig epair${id}b ${jipb}";
exec.start += "route add default ${jgw}";
exec.stop = "/bin/sh /etc/rc.shutdown";

# Reverse of prestart: destroying epair${id}a removes the whole pair, then
# unmount, detach the geli provider (data inaccessible again) and free the
# md unit. Note that poststop runs only after a started jail is removed; a
# prestart that fails half-way leaves md/geli/mounts to be cleaned by hand.
exec.poststop = "ifconfig epair${id}a destroy";
exec.poststop += "umount -f ${rootpath}/${id}/dev";
exec.poststop += "umount -f ${rootpath}/${id}";
exec.poststop += "geli detach /dev/md${id}.eli";
exec.poststop += "mdconfig -d -u ${id}";
# Run the exec.* commands with a clean environment.
exec.clean;
# --- encrypted jails general config stop ---

# --- jails config ---
enjail {
       # $name expands to the jail's name ("enjail"). Image and key file live
       # side by side under /usr/local/jails/encrypted/<name>/; the key file
       # must stay readable by root only.
       $id = 2;
       $jimage = "/usr/local/jails/encrypted/$name/$name.img";
       $gkey = "/usr/local/jails/encrypted/$name/$name.key";
       $hostname = "enjail.sof.dachev.lan";
       # $jipb: jail side of the epair, $jipa: host side, $jgw: default route
       # inside the jail (the host side address).
       $jipb = "10.1.2.2/30";
       $jipa = "10.1.2.1/30";
       $jgw = "10.1.2.1";

       # Grants raw sockets (e.g. ping/traceroute) inside the jail, a
       # privilege jails do not have by default; drop it if not needed.
       allow.raw_sockets;
}

Start / Stop jail

# Path of the jail configuration written above.
jail_conf=/usr/local/jails/encrypted/jail.conf

# start: runs exec.prestart (attaches image and geli provider) and exec.start
jail -f "$jail_conf" -c enjail

# stop: runs exec.stop and exec.poststop (detaches geli provider and md device)
jail -f "$jail_conf" -r enjail
