help with Jails

[raulfg3]

hello I'm interesting into install Owncloud onto a jail to avoid php problems every time I update Nas4Free to latest rev.

I instal a proto jail using instructions find on wiki and now I can ping to 192.168.1.201 that is the Ip of the jail

and I can do jls:

Code: Select all

rnas:~# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.201   proto.domain.local            /jail/proto
rnas:~#

But I don't know how continue to install owcloud inside the jail and make it visible to wan ( I suppose than need to install php, mySQL and Apache), but not sure, someone can help me in the right direction?.

Perhaps can link some page that describe how to installl?.

I find ezjail that describe HOWTO install a webserver on FreeBSD but not sure if is posible to do the same on Nas4Free.

[alexey123]

In first, you need put Jail ip from some subnet as your NAS.
For example: my NASes have ip=10.0.0.1, and jail on it I define as 10.0.0.20
In second
You need properly define interface of jail. Interface name must be some as Lan interface name on Network|Interface Management tab.
After you give correct values - try execute from jail

Code: Select all

ping www.google.com

If success - try access to NAS4Free webgui, but type jail's ip and port of gui.
For exmple, you gui have 10.0.0.1:8765 and jail have ip 10.0.0.20. Try access 10.0.0.20:8765.
If this steps work - execute from jail

Code: Select all

portsnap fetch extract  

or better way install ports from sources

Code: Select all

cp /usr/share/examples/cvsup/ports-supfile /etc/ports-supfile
ee /etc/ports-supfile

Change *default host=CHANGE_THIS.FreeBSD.org on better server from list
Better = minimum time response on ping.
And you not need some ports as Chinese, and languages, your not need x11.

Code: Select all

csup -L 2 /root/ports-supfile

when you install port collection - install
1. webmin. - test it and compare with NAS4Free webgui. As for me - NAS4FRee more user-friendly, but webmin have more functions.
2. MySQL.
3. Apache22
4. PHP + PHP-extensions.

[raulfg3]

Thanks, my NAS IP is 192.168.1.17 and my jail IP is 192.168.1.201
I can sucesfully log from my win7 client using putty to 192.168.1.201
I can ping google.com sucesfully.
Edit: I think that if ssh to 192.168.1.201 I log into jail = ERROR, I log into Nas4Free, to log into Jail I need to execute

Code: Select all

jexec 1 csh

like csbruva say in the next post.


I'll try install ports and the rest as soon as posible. thanks.

[fsbruva]

You get into the jail with

Code: Select all

jexec 1 csh

Once inside, just pkg_add -r to your heart's content to get the software working. Just follow installation instructions for FreeBSD.

[fsbruva]

Need any more help with this? PM me if so - happy to help.

[raulfg3]

sorry I need to have some time to test, perhaps this weekend.

Thanks a lot for your help.

[fsbruva]

I was able to install apache using pkg_add -r apache22 within the jail.
Added apache_enable="YES" to the jail's rc.conf.
Exited jail, restarted it (/etc/rc.d/jail restart {name})
Re-entered jail (NEW JID due to restart!!!!!)
Visited jail's IP in browser - saw "It works!," loaded from /usr/local/www/apache22/data/index.html

The rest of the install is just how to get owncloud working with apache.

[alexey123]

http://www.freshports.org/www/owncloud/
When I repair(upgrade) my home server, I try it.

[raulfg3]

strange I can't ping
inside the jail:

Code: Select all

root@192.168.1.201's password:
Last login: Thu Oct 25 19:43:58 2012 from 192.168.1.10
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

Welcome to NAS4Free!
rnas:~# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.201   proto                         /jail/proto
rnas:~# ping 192.168.1.201
PING 192.168.1.201 (192.168.1.201): 56 data bytes
64 bytes from 192.168.1.201: icmp_seq=0 ttl=64 time=0.139 ms
64 bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=0.160 ms
64 bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.207 ms
64 bytes from 192.168.1.201: icmp_seq=3 ttl=64 time=0.083 ms
64 bytes from 192.168.1.201: icmp_seq=4 ttl=64 time=0.101 ms
^C
--- 192.168.1.201 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.083/0.138/0.207/0.044 ms
rnas:~# jexec 1 csh
You have mail.
root@proto:/ # ping 192.168.1.201
ping: socket: Operation not permitted

but I can use pkg_add

so I have Wan Connection.

[raulfg3]

ok, I install apache:

Code: Select all

root@proto:/ # pkg_add -r apache22
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/Latest/apache22.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/All/expat-2.0.1_2.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/All/perl-5.14.2_2.tbz... Done.
Removing stale symlinks from /usr/bin...
    Skipping /usr/bin/perl
    Skipping /usr/bin/perl5
Done.
Creating various symlinks in /usr/bin...
    Symlinking /usr/local/bin/perl5.14.2 to /usr/bin/perl
    Symlinking /usr/local/bin/perl5.14.2 to /usr/bin/perl5
Done.
Cleaning up /etc/make.conf... Done.
Spamming /etc/make.conf... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/All/pcre-8.31_1.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/All/gdbm-1.9.1.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/All/db42-4.2.52_5.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-stable/All/apr-1.4.6.1.4.1_1.tbz... Done.
===> Creating users and/or groups.
Using existing group 'www'.
Using existing user 'www'.

To run apache www server from startup, add apache22_enable="YES"
in your /etc/rc.conf. Extra options can be found in startup script.

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.

root@proto:/ #

[fsbruva]

Pinging within the jail is only possible if you enable the N4F kernel parameter to permit raw io socket connections for the jail. Normally, the jail has no need for raw socket access, because it is generally used for network discovery/mapping. The thought is that if the jail got owned, you would not want the malicious user to be able to map your network. An easier network connectivity test is just to:

Code: Select all

fetch www.google.com/index.html

It will toss an error for either DNS (/etc/resolv.conf), or no connectivity. And, it doesn't lower the security of your jail.

[raulfg3]

thanks.

How I test if apache is install properly from outside my jail

PD: IP of my jail is 192.168.1.201

[fsbruva]

Access your jail ip from a browser.

[raulfg3]

In this case I do something wrong, if I conect to http://192.168.1.201 I load the nas4free login page.

I think that perhaps is need something like http://192.168.1.201/usr/local/www/apac ... index.html
or something similar.

[fsbruva]

No. That is expected. It is because the N4F gui is listening on all ip's. I have moved my webgui to https, so I don't have the problem. Let me look into it.

Also, once apache is installed, you need to:

Code: Select all

service apache22 start

[fsbruva]

Alright.
I will have to submit a feature request, because the webgui (if you use the rc.d scripts) will ALWAYS start by listening to all addresses.
For now, you have two options.
First (maybe not so good)-
Is to change the webgui port away from 80. (HTTPS, or some other port)

The second (better) is to make your apache server listen on a different address:
Open /usr/local/etc/apache22/httpd.conf, and change the "Listen 80" to some other port ("Listen 81" or "Listen 192.168.1.201:81").
Then:

Code: Select all

service apache22 restart

Then visit http://192.168.1.201:81

[fsbruva]

Also - I only installed apache because that's what owncloud recommended. But now I find out that there is a certain php5 module that is necessary for apache, and the only way to get it is to build php5 from the ports collection. UGH.

I will remove apache and see how hard it is to get a copy of lighttpd running in the jail. That's what you sucessfully configured before, so that seems better.

[fsbruva]

Alright - lighttpd is an EASY install. Post install, you need to again change the server's listening address by editing /usr/local/etc/lighttpd/lighttpd.conf, and changing the following values:

Code: Select all

server.port = 81
server.use-ipv6 = "disable"

Then:

Code: Select all

mkdir /usr/local/www/data

And put a simple html file in data. OR, just copy the owncloud folder into /usr/local/www, and then alter the var.server_root value in the lighttpd.conf file.

Then, the rest of your other instructions should work....

[fsbruva]

Got it working!!

Code: Select all

pkg_add -r lighttpd
pkg_add -r php5
pkg_add -r php5-extensions
pkg_add -r php5-xmlrpc
pkg_add -r php5-gettext
pkg_add -r php5-mcrypt
pkg_add -r php5-mbstring
pkg_add -r php5-zip
pkg_add -r php5-gd
pkg_add -r php5-zlib
cd /tmp
fetch http://mirrors.owncloud.org/releases/owncloud-4.5.1.tar.bz2
tar xf owncloud-4.5.1.tar.bz2
cp -r /tmp/owncloud /usr/local/www/
chown -R www:www /usr/local/www/

Change these settings in /usr/local/etc/lighttpd/lighttpd.conf:
server.port = 81 #example
server.use-ipv6 = "disable" #mandatory, unless you enable ipv6 for all jails
server.document-root = "/usr/local/www/owncloud"
var.server_root = "/usr/local/www/owncloud"

Add these two settings to /usr/local/etc/lighttpd/lighttpd.conf:
cgi.assign = ( ".php" => "/usr/local/bin/php-cgi" )
server.modules += ( "mod_cgi" )

Test:

Code: Select all

/usr/local/etc/rc.d/lighttpd onestart

Then browse to 192.168.1.201:81

I think the rest is just a matter of messing with permissions, I think. Also, adding lighttpd_enable="YES" to the jail's rc.conf.

Great Success!?!!

[raulfg3]

Thanks in advanced I'll try it next morning, I agree very much, all time that you spend to help me.

I post a new HOWTO with all step well documented.


PD: only a question not related to owclod.

Do you test ezjails?. = http://erdgeist.org/arts/software/ezjail/


it appears a little easy to create / delete /update / jails
and you only need to do

Code: Select all

pkg_add -r ezjail

to install it


other interesting post:
http://forums.freebsd.org/showthread.php?t=16860

http://people.virginia.edu/~ll2bf/docs/ ... _jail.html

[alexey123]

For allow pings from jail need add over webgui System|Advanced|sysctl.conf tab
MIB security.jail.allow_raw_sockets
Value 1


For run Apache under jail I make next.
1.Install webmin ( may be not need, but I wont work from webgui )
2. pkg_add -r apache22.
3. I correct webmin for Apache configuration tab
In line Path to httpd.conf or apache2.conf I insert valid path /usr/local/etc/apache22/httpd.conf
Under webmin gui I go to unused modules and open Apache tab
4 . Edit httpd.conf on global section
Load module section - I comment

Code: Select all

# LoadModule unique_id_module libexec/apache22/mod_unique_id.so

and add line with myjail IP

#ServerName http://www.example.com:80
ServerName 10.0.0.20:80

Now Apache ask load module accf_http.co
I exit from jail and go to /jail/work

Code: Select all

cd /jail/work
fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/`uname -m`/`uname -m`/`uname -r | cut -d- -f1-2`/kernel.txz
tar xvf /jail/work/kernel.txz -C /jail/proto/

OK I have module. Native it placed now on /mnt/data/jail//boot/kernel/ folder.
For run jail and Apache after start I modify jail startup script

Code: Select all

#!/bin/tcsh -x
#mounting to /jail
mkdir /jail
mount_nullfs /mnt/data/jail /jail
# copy jail binaries to /usr
cp -r /jail/conf/root/ /
# link config files to /etc
ln -s /jail/conf/rc.conf.local /etc
#  Add module for Apache
ln -s /jail/proto/boot/kernel/accf_http.ko /boot/modules/accf_http.ko
kldload accf_http
#start all jails
/etc/rc.d/jail start

Manualy, without restart server, from NAS4Free root

Code: Select all

ln -s /jail/proto/boot/kernel/accf_http.ko /boot/modules/accf_http.ko
kldload accf_http

Now I go to webmin section Bootup and Shutdown, check Apache22 and in bottom page push on button <Start now and on boot>
I have It works! on My jail's IP under browser. Apache is installed

[fsbruva]

Do you test ezjails?. = http://erdgeist.org/arts/software/ezjail/


it appears a little easy to create / delete /update / jails

I am in the process of documenting ezjail-admin script (so I can understand his methods), and then move them into php. The trouble is his method uses freebsd-update, which is run from the N4F host. This is not part of the normal N4F install, and depends on numerous other binaries to run. Because I would like my solution to be simpler, I will be implementing the ezjail methods in php. Also, there is much more flexibility with the config.xml to store jail parameters, and there are several places where his script requires prompts from the user (not possible via GUI).

The other issue is I am developing a lang.inc file so that other languages can be developed for my extension - all the errors in ezjail are in English, so just using the script is less than helpful.

[fsbruva]

I post a new HOWTO with all step well documented.

Just make a shell script that does it all, so users can type:

Code: Select all

jexec 1 raulfg3_owncloud.csh

Replacing the lines of code within the .conf file is easy to do with grep, and the rest are all just shell commands.

[alexey123]

fsbruva
Your wiki howto is great, but as i says before - "not clean" for full version. On embedded install work perfect.
What my problem? I not like embedded, I like full install. Now I use embedded at Home NAS because my IDE hard disks have End Of Life - I detect trouble over Graphs, I find IO overload, and when I check drivers by hand, i have problem with IO speed. Smarcontrol not says any fault. ( I keep files on SATA drive, but HP D530 not want boot from IDE when SATA connected and I need use USB ).
But in laboratory I have full - install and I want jail, running properly. My problem - sometimes, one per 30-40 reboots, I need fsck drive, when placed jail.

[raulfg3]

I use you lighttpd aproach, but I don't know what do with:

Add these two settings to /usr/local/etc/lighttpd/lighttpd.conf:
cgi.assign = ( ".php" => "/usr/local/bin/php-cgi" )
server.modules += ( "mod_cgi" )

I don't understand where to copy , in the end of file?

[alexey123]

Lighttpd how to http://redmine.lighttpd.net/projects/1/ ... figuration

Example working configuration you can find in NAS4Free folder /var/etc/
files
lighttpd.conf - nas4free webgui
webserv.conf - webserver

[raulfg3]

Ok, I see that only need to add at the end of file.

now I see my owcloud interface when do 192.168.1.201:81

owncloud.jpg

now I need to add my shares to fstab to use in owncloud.

my shares are:

Code: Select all

/mnt/NAS-A/Fotos
/mnt/NAS-A/Video
/mnt/NAS-A/Musica

what can need to add to fstab.proto to mount inside the jail this 3 folders?.

PD: thanks a lot to fsbruva and alexey123 I can't stay here without your help.

PD2: my next step once owcloud is fully working/configured is to install in the same proto jail minidlna.

[alexey123]

Congratulations

Inspect all values from list.

Code: Select all

sysctl -a | grep jail

For save values to file use

Code: Select all

sysctl -a | grep jail > jail.txt

File will place into current folder, such /root. Adjust for your requirements.
I think need open forum, not topic - Jail environment

But why you use port 81? My Apache work on 80 port, and I not write port after adress. WebGui have same port? replace webgui port on System|General Setup

[raulfg3]

I post a new HOWTO with all step well documented.

Just make a shell script that does it all, so users can type:

Code: Select all

jexec 1 raulfg3_owncloud.csh

Replacing the lines of code within the .conf file is easy to do with grep, and the rest are all just shell commands.

Sorry me knowledge is not as great as you have, it's imposible to me to do a script , in fact still need some help to mount my folder /mnt/NAS-A/Video to share it with owncloud and minidlna.

[raulfg3]

But why you use port 81? My Apache work on 80 port, and I not write port after adress. WebGui have same port? replace webgui port on System|General Setup

YES, Nas4Free webGui use 80, so I redirect owncloud to 81