1. Chun3

はじめに

FreeBSD 12を使用した自宅サーバの構築を行った。FreeBSD 12はリリースされて間もないが、カーネルに標準でVIMAGEが取り込まれており、DNSの外向きと内向きを別々のシステム(jail+VIMAGE)として同一ホスト上に構築できることから採用することにした。その時の構築手順を、備忘録の意味も含め、いくつかの回に分けて具体的に説明する。

jailの構築

外向きと内向きの2つのjailを構築し、ホスト自体にはサーバ類を構築しないこととする。そこで、jailの管理・維持のためにqjailを使用する。

qjailのインストール

# pkg install qjail
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   1.1MB/s    00:06
Processing entries: 100%
FreeBSD repository update completed. 31804 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        qjail: 5.4

Number of packages to be installed: 1

Proceed with this action? [y/N]: y
[1/1] Installing qjail-5.4...
[1/1] Extracting qjail-5.4: 100%
Message from qjail-5.4:

########################################################################

Use the qjail utility to deploy small or large numbers of jails quickly.

First issue "rehash" command to enable the qjail command (if using csh).
Then issue
"man qjail-intro" To read the qjail introduction.
"man qjail"       For qjail usage details.
"man qjail-howto" For example of driving public traffic to non-vnet jails.
"man qjail-vnet-howto"   For example of creating vnet jails.
"man qjail-ipv6-testing" For example of testing jails with ipv6 addresses.

########################################################################

ファイルシステムインストール

# qjail install
resolving server address: ftp2.freebsd.org:80
requesting http://ftp2.freebsd.org/pub/FreeBSD/releases/amd64/amd64/12.0-RELEASE/base.txz
remote size / mtime: 154325028 / 1544159064
base.txz                                               147 MB  120 kBps 20m48s

The RELEASE distribution files are populating template.
Estimated less than 1 minute for this to complete.

sharedfs is being populated.
Estimated less than 1 minute for this to complete.

Successfully installed qjail system.

外向き用(jail1)と内向き用(jail2)のjailを作成

# qjail create -4 192.168.1.41 jail1
Successfully created  jail1
# qjail create -4 192.168.1.42 jail2
Successfully created  jail2

作成したjailにVIMAGE用の設定を行う

# qjail config -w em0 -v none jail1
Successfully enabled vnet.interface for jail1
Successfully enabled vnet for jail1
# qjail config -w em0 -v none jail2
Successfully enabled vnet.interface for jail2
Successfully enabled vnet for jail2

設定ファイルを確認する。

/usr/local/etc/qjail.config/jail1
jail1 {
host.hostname       =  "jail1";
path                =  "/usr/jails/jail1";
mount.fstab         =  "/usr/local/etc/qjail.fstab/jail1";
exec.consolelog     =  "/var/log/qjail.jail1.console.log";
mount.devfs;
devfs_ruleset       =  "4";
vnet                =  "new";
vnet.interface      =  "epair1b";
exec.start   = "ifconfig epair1b 192.168.1.41";
exec.start  += "route add default 192.168.1.1";
exec.start  += "/bin/echo "epair1b" > /etc/epair";
exec.start  += "/bin/sh /etc/rc";
exec.stop    = "/bin/sh /etc/rc.shutdown";
}
/usr/local/etc/qjail.config/jail2
jail2 {
host.hostname       =  "jail2";
path                =  "/usr/jails/jail2";
mount.fstab         =  "/usr/local/etc/qjail.fstab/jail2";
exec.consolelog     =  "/var/log/qjail.jail2.console.log";
mount.devfs;
devfs_ruleset       =  "4";
vnet                =  "new";
vnet.interface      =  "epair2b";
exec.start   = "ifconfig epair2b 192.168.1.42";
exec.start  += "route add default 192.168.1.1";
exec.start  += "/bin/echo "epair2b" > /etc/epair";
exec.start  += "/bin/sh /etc/rc";
exec.stop    = "/bin/sh /etc/rc.shutdown";
}

この設定ファイルでは共有メモリー(System V IPCリソース)の操作ができないことが判明した。そこで以下のように1行追加する。なお allow.sysvipc はホストと同じSystem V IPC名前空間をjailに見せる設定なので、ホストやjail同士でIPCを分離したい場合は、FreeBSD 11以降で使える sysvshm = "new"(必要に応じて sysvmsg / sysvsem も)の方を検討したい。

/usr/local/etc/qjail.config/jail1
jail1 {
allow.sysvipc       =   "1";
host.hostname       =  "jail1";
path                =  "/usr/jails/jail1";
mount.fstab         =  "/usr/local/etc/qjail.fstab/jail1";
exec.consolelog     =  "/var/log/qjail.jail1.console.log";
mount.devfs;
devfs_ruleset       =  "4";
vnet                =  "new";
vnet.interface      =  "epair1b";
exec.start   = "ifconfig epair1b 192.168.1.41";
exec.start  += "route add default 192.168.1.1";
exec.start  += "/bin/echo "epair1b" > /etc/epair";
exec.start  += "/bin/sh /etc/rc";
exec.stop    = "/bin/sh /etc/rc.shutdown";
}
/usr/local/etc/qjail.config/jail2
jail2 {
allow.sysvipc       =   "1";
host.hostname       =  "jail2";
path                =  "/usr/jails/jail2";
mount.fstab         =  "/usr/local/etc/qjail.fstab/jail2";
exec.consolelog     =  "/var/log/qjail.jail2.console.log";
mount.devfs;
devfs_ruleset       =  "4";
vnet                =  "new";
vnet.interface      =  "epair2b";
exec.start   = "ifconfig epair2b 192.168.1.42";
exec.start  += "route add default 192.168.1.1";
exec.start  += "/bin/echo "epair2b" > /etc/epair";
exec.start  += "/bin/sh /etc/rc";
exec.stop    = "/bin/sh /etc/rc.shutdown";
}

jail用ports collectionの初期設定

ホストで操作する

# portsnap -p /usr/jails/sharedfs/usr/ports fetch
# portsnap -p /usr/jails/sharedfs/usr/ports extract

日本語マニュアル

# fetch ftp://ftp.koganemaru.co.jp/pub/jman12/ja-cat-doc-12.0.20181218.amd64.txz
ja-cat-doc-12.0.20181218.amd64.txz                    9419 kB  546 kBps    17s
# tar -zxf ja-cat-doc-12.0.20181218.amd64.txz -C /usr/jails/sharedfs/
tar: Removing leading '/' from member names
# rm /usr/jails/sharedfs/+COMPACT_MANIFEST /usr/jails/sharedfs/+MANIFEST ja-cat-doc-12.0.20181218.amd64.txz
# ln -s ja /usr/jails/sharedfs/usr/share/man/ja_JP.eucJP

起動する

# qjail start
Jail successfully started  jail1
Jail successfully started  jail2

確認する。2つのjailが起動しており、ネットワーク設定もem0・epair1a・epair2aがブリッジ(bridge10)に接続されている。

# jls
   JID  IP Address      Hostname                      Path
     2                  jail1                         /usr/jails/jail1
     3                  jail2                         /usr/jails/jail2
# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:93:ce:1e
        inet 192.168.1.32 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:af:ae:e8:ed:0a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:fa:12:43:bd:0a
        inet6 fe80::fa:12ff:fe43:bd0a%epair1a prefixlen 64 scopeid 0x4
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:8a:09:cb:8a:0a
        inet6 fe80::8a:9ff:fecb:8a0a%epair2a prefixlen 64 scopeid 0x5
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

jail1にログインし、ネットワーク接続を確認する

# qjail console jail1
FreeBSD 12.0-RELEASE-p2 GENERIC

Welcome to your FreeBSD jail.
jail1 /root >ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:fa:12:43:bd:0b
        inet 192.168.1.41 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::fa:12ff:fe43:bd0b%epair1b prefixlen 64 scopeid 0x2
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

基本システム編おわり

これまでで、ホストの基本システムの構築が完了した。次節からは、jail内の設定として、外向き・内向き用のサーバをインストールしていく。