1 / 15

Virtually-Networked FreeBSD Jails

Learn how to set up virtual networking with ZFS in FreeBSD jails. Discover the history of jails, virtual networking, and ZFS, and explore the benefits of combining them. Find out how to overcome challenges and make the process easier. Get a demo of creating a template jail from scratch and using the jailadmin Drupal module. Explore future work and potential improvements in FreeBSD jails.

arabela
Download Presentation

Virtually-Networked FreeBSD Jails

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BSDCan 2012 Virtually-NetworkedFreeBSD Jails Shawn Webb shwebb@wayfair.com

  2. Who Am I • Software Engineer and Security Analyst for Wayfair LLC • Independent security researcher • Tech blogger • Disclaimer: any beliefs, opinions, etc. are mine and do not necessarily reflect those of my employer

  3. What’s Covered • Quick history • Jails, virtual networking, and ZFS • Setting up virtual networking • Basic jailing • Combining virtual network, jailing, and ZFS • Future work

  4. History of Jails • Introduced in FreeBSD 4.x by Poul-Henning Kamp • Continuously being improved • Secure replacement for chroot • OS-based virtualization • Inspired Solaris’ Zones/Containers

  5. History of Virtual Networking • Called VIMAGE (or vnet) • Work started in 7-CURRENT • Official feature in 9-RELEASE/9-STABLE • Analogous to Solaris Crossbow • Not as feature-complete as Crossbow • Reasons to use VIMAGE • Network security • NATing jails

  6. History of ZFS • The God of filesystems • ZFS first integrated on 06 April 2007 • zpool v28 merged into 8-STABLE and in 9-RELEASE/9-STABLE • Many wonderful features • New, powerful features coming from Delphix and Joyent

  7. Reasons to Combine all Three • Basic cloud-like infrastructure • ZFS for instant snapshots and clones • vnet for VLANs and private networks • Jails for VMs • Gotcha’s • No pf or ipf support • Must use IPFW

  8. Setting up Virtual Networking # Kernel Config options VIMAGE options IPFIREWALL options IPDIVERT # rc.conf NAT gateway_enable=“YES” firewall_enable=“YES” firewall_type=“OPEN” # Change! natd_enable=“YES” natd_interface=“em0” # Change! natd_flags=“” • Special kernel config • Enable VIMAGE, IPFW • Set up firewall • Set up NAT • Not required, but useful

  9. Setting up Virtual Networking ifconfig bridge0 create ifconfig epair0 create ifconfig bridge0 inet 192.168.2.1 ifconfig bride0 addm epair0a ifconfig epair0a up ifconfig epair0b vnet [jail] jexec [jail] ifconfig epair0b inet 192.168.2.2 jexec [jail] route add default 192.168.2.1 • Create bridge • epair devices • Pair of two ifconfig-able devices (epair[n]{a,b}) • Two ends of an ethernet cable • Plug one end into bridge • Plug other end into jail

  10. Setting up Basic Jailing # Initial installation D=/jails/template zfs create –omountpoint=/jails tank/jails zfs create tank/jails/template cd /usr/src make installworld DESTDIR=$D make distribution DESTDIR=$D portsnap –p $D/usr/ports fetch extract # Set default route, DNS resolution echo ‘nameserver 4.4.4.4’ > \ $D/etc/resolv.conf # Set up temporary vnet ifconfig bridge0 create ifconfig bridge0 inet 192.168.2.1 ifconfig epair0 create ifconfig bridge0 addm epair0 ifconfig epair0 up • Use ZFS to create template jail dataset • Create snapshot • Attack of the clones • Install world/distribution • Install ports tree • Install ports

  11. # Start the jail and set up networking in it jail –c vnethost.hostname=template name=template path=/jails/template ifconfig epair0b vnet template jexec template ifconfig epair0b inet 192.168.2.2 jexec template route add default 192.168.21.1 # Install ports jexec template sh *** NOW IN JAIL *** cd /usr/ports/security/sudo make install clean distclean *** EXIT JAIL *** # Snapshot for clones zfs snapshot tank/jails/template@date # New jail: zfs clone tank/jails/template@date tank/jails/newjail

  12. So Many Commands! • A lot of initial work • Takes a lot of time • Problems: • FreeBSD’s rc.d does not support vnet jails • People reporting kernel panics destroying epair devices • I have had one or two kernel panics

  13. Making it Easy • I’ve written a Drupal module to admin vnet jails • Should support IPv6 out-of-the-box • Plans: • epairifconfig aliases • Reporting • Privilege separation • External API • Make vnet optional • Will not support non-ZFS setups • https://github.com/lattera/drupal-jailadmin • Will release a new version at the end of today

  14. Demo • Demo of creating a template jail from scratch • Demo of using jailadmin Drupal module

  15. Future Work • Obvious rc.d support • Dtrace support • Like Solaris Zones • Metrics • Debugging • Complete virtualization • Certain resources still shared (i.e. 127.0.0.1) • KVM in a jail? (Need KVM first)

More Related