Setting up a (Debian) Linux jail on FreeBSD

Do you also get the errors below?

Code:
/compat/devuan/bin/chrome


[21224:102845:0218/234112.132650:ERROR:file_path_watcher_linux.cc(321)] inotify_init() failed: Function not implemented (38)

(chrome:21224): Gtk-WARNING **: 23:41:13.905: Unknown key gtk-applications-prefer-dark-theme in /root/.config/gtk-3.0/settings.ini

Gtk-Message: 23:41:14.184: Failed to load module "colorreload-gtk-module"

Gtk-Message: 23:41:14.185: Failed to load module "window-decorations-gtk-module"

[21224:102854:0218/234114.947955:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102854:0218/234114.963025:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102846:0218/234115.770664:ERROR:address_tracker_linux.cc(196)] Could not create NETLINK socket: Address family not supported by protocol (97)

[21224:102853:0218/234115.795018:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102853:0218/234115.795076:ERROR:bus.cc(397)] Failed to connect to the bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

[21224:102846:0218/234116.707297:ERROR:udev_watcher.cc(52)] Failed to initialize a udev monitor.

[21233:102862:0218/234117.094025:ERROR:address_tracker_linux.cc(196)] Could not create NETLINK socket: Address family not supported by protocol (97)

[21233:102864:0218/234117.094035:ERROR:file_path_watcher_linux.cc(321)] inotify_init() failed: Function not implemented (38)

[21224:21224:0218/234117.188257:ERROR:process_singleton_posix.cc(1100)] Failed to bind() /tmp/.com.google.Chrome.Pbohb3/SingletonSocket: No such file or directory (2)

[21224:21224:0218/234117.216008:ERROR:chrome_browser_main.cc(1305)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.
I don't use a jail for Chrome, so I have never tried interactive apps, only server ones.
 
Which method do you use to run Chrome?
I don't ;)

I mainly want to run apache httpd, php, mysql, exim, dovecot, bind, pure-ftpd services.
So far all work but dovecot, bind, pure-ftpd. I sent an email about bind (named) to the jail lists; I hope someone would be able to help.

Sami
 
This is driving me up the wall. When I get to the step where dpkg is setting up sysvinit it attempts to restart the computer. Instead of ignoring it or restarting the chroot or something else it restarts the main system! I can't get past this step because my computer keeps rebooting....

I have searched all over and cannot find a way to solve this. Renaming the files simply gets them replaced upon attempting again. Making fake files and giving them the immutable flag causes dpkg to fail on sysvinit. I don't know what to do.... Can someone please help me?
 
Sorry, but I am a bit confused after reading the Handbook. Are chroot and jailing synonyms? Or are they technically just similar but not the same?
 
Sorry, but I am a bit confused after reading the Handbook. Are chroot and jailing synonyms? Or are they technically just similar but not the same?
Both are similar, but a jail is technically a chroot on steroids with many added security features.

One big difference is that the root user can escape from a chrooted environment, but they cannot from a jail. Therefore, chroot isn't secure and is not recommended for use on a production server.
 
This is driving me up the wall. When I get to the step where dpkg is setting up sysvinit it attempts to restart the computer. Instead of ignoring it or restarting the chroot or something else it restarts the main system! I can't get past this step because my computer keeps rebooting....

I have searched all over and cannot find a way to solve this. Renaming the files simply gets them replaced upon attempting again. Making fake files and giving them the immutable flag causes dpkg to fail on sysvinit. I don't know what to do.... Can someone please help me?
Turns out everything installed properly. Was able to boot a jail and everything. The output of dpkg -l | grep -v ii showed nothing or just base-files which is what made me think something went wrong.
 
Firstly, this is awesome - thank you so much to ShelLuser for the initial tutorial and also to zirias@ for some additional pointers. I've just finished setting up a Devuan jail and am pleasantly surprised that most things just seem to work.

However, I'm struggling with something regarding procfs:
Code:
root@mc:~# apt-get install openjdk-17-jre-headless
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openjdk-17-jre-headless is already the newest version (17.0.8+7-1~deb12u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up openjdk-17-jre-headless:amd64 (17.0.8+7-1~deb12u1) ...
the java command requires a mounted proc fs (/proc).
dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
 installed openjdk-17-jre-headless:amd64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 openjdk-17-jre-headless:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

My fstab for this jail looks like this:
Code:
#Dev        Mountpoint            FS        Options            Dump    Check
linprocfs    /iocage/jails/mc/root/proc    linprocfs    rw,late            0    0
linsysfs    /iocage/jails/mc/root/sys    linsysfs    rw,late            0    0
tmpfs        /iocage/jails/mc/root/tmp    tmpfs        rw,late,mode=1777    0    0

And inside the jail I can see that there is stuff inside /proc:

Code:
root@mc:~# ls /proc
24553  24919  24927  cmdline  devices       loadavg  modules  mtab  partitions  self  swaps  uptime
24579  24924  bus    cpuinfo  filesystems  meminfo  mounts   net   scsi        stat  sys    version

Doing some searches around the internet, I can't find anything related to running a Linux Jail on FreeBSD, but similar issues seem to have cropped up in the past in WSL and similar projects...
Not sure if I've done something wrong, or missed something - anybody come across this before?

SOLVED:
There is a script associated with installing openJDK ( /var/lib/dpkg/info/openjdk-17-jre-headless\:amd64.postinst) which uses the /bin/mountpoint command - this seems to just check if the target file is a mount point and returns 0 if it is. Of course to my jail /proc isn't a mount point as far as the jail is concerned, so the /bin/mountpoint command returned a non-zero status and the script bailed.
So I removed /bin/mountpoint and symlinked it to /bin/true - this could come back to bite me in the future, but I'm happy enough for now!
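
A narrower alternative to the /bin/true symlink described above, as an added example that is not part of the original post: with /bin/true every caller is told that every path is a mount point, including scripts that use the check to avoid writing into an unmounted directory. The wrapper below answers success only for a populated /proc and hands everything else to the real binary; it assumes the original was kept under another name (for instance through a dpkg-divert diversion), and REAL_MOUNTPOINT, PROC_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a narrow stand-in for /bin/mountpoint inside the Linux jail.
# Assumption: the distribution binary was moved aside to REAL_MOUNTPOINT
# (hypothetical path) and this script is installed in its place.
REAL_MOUNTPOINT="${REAL_MOUNTPOINT:-/bin/mountpoint.real}"
PROC_DIR="${PROC_DIR:-/proc}"

# True only when PROC_DIR carries entries a mounted procfs exposes
# ("self" and "version" both appear in the ls /proc listing above).
proc_is_populated() {
    [ -d "$PROC_DIR/self" ] && [ -r "$PROC_DIR/version" ]
}

mountpoint_shim() {
    # Only the two plain queries about /proc are answered here.
    case "$*" in
        "$PROC_DIR"|"-q $PROC_DIR")
            if proc_is_populated; then
                [ "$1" = "-q" ] || echo "$PROC_DIR is a mountpoint"
                return 0
            fi
            ;;
    esac
    # Any other path or option, or an empty /proc, gets the real answer.
    "$REAL_MOUNTPOINT" "$@"
}

# Act as the command only when installed under the name "mountpoint".
case "${0##*/}" in
    mountpoint) mountpoint_shim "$@"; exit $? ;;
esac
```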
 
Hi all.
Can you help me with a Devuan jail + vnet setup? I have several ordinary FreeBSD jails configured with vnet, bridge and epair. Following the tutorial I ended up with a functional jail, but I cannot set up the network in it. The ifconfig and ip commands inside the jail produce output like:
Code:
root@devuan:/# ifconfig epair15b 192.168.10.15 netmask 255.255.255.0
SIOCSIFADDR: Invalid argument
SIOCSIFFLAGS: Invalid argument
SIOCSIFNETMASK: Invalid argument

root@devuan:/# ifconfig eth0 192.168.10.15 netmask 255.255.255.0
SIOCSIFADDR: Invalid argument
SIOCSIFFLAGS: Invalid argument
SIOCSIFNETMASK: Invalid argument
Code:
root@devuan:/# ifconfig -a
eth0: flags=4162<BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 02:d3:4b:71:3c:0b  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo0: flags=4104<LOOPBACK,MULTICAST>  mtu 16384
        loop  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Code:
root@devuan:/# ip a
Cannot open netlink socket: Address family not supported by protocol

Jail config is:
Code:
devuan {
    host.hostname = "devuan.example.com";
    $ip = 15;
    mount.fstab = "/usr/local/jails/devuan.fstab";

    exec.prestart = "ifconfig epair$ip create";
    exec.prestart += "ifconfig bridge0 addm epair${ip}a";
    exec.prestart += "ifconfig epair${ip}a up";

    exec.poststop = "ifconfig bridge0 deletem epair${ip}a";
    exec.poststop += "ifconfig epair${ip}a destroy";

    exec.start = "/etc/init.d/rc 3";
    exec.stop = "/etc/init.d/rc 0";
    exec.clean;

    vnet.interface = "epair${ip}b";
    vnet = "new";

    persist;
    mount.devfs;
    allow.mount;
    allow.mount.devfs;
}
I am probably making some stupid configuration mistake, but I am a zero in Linux, and slightly more than that in FreeBSD.

I run Alpine with vnet in a jail and use

Code:
exec.start += "/sbin/ip addr add 192.168.0.2/24 dev eth0";

exec.start += "/sbin/ip route add 0.0.0.0/0 via 192.168.0.1";

Then the network works.
 