Jailing Transmission BitTorrent

Status
Not open for further replies.

Anonymous

Cadet
Joined
Jun 5, 2011
Messages
3
Moin,
someone in our IRC channel asked me if it is possible to run Transmission on 8.x. Since it is not installed by default and adding PHP is a pain, I have put it in a jail. I did this just for fun without spending too much time on securing it.

alcatraz.tar

Based on:
Code:

[HowTo] Set Up a Jail on Top of FreeNAS 8.x

This is a quick 'n' dirty HowTo; for more information check out
  - http://en.wikipedia.org/wiki/FreeBSD_jail
  - http://www.freebsd.org/doc/handbook/jails.html

Note about my Setup:
  Host
  - teufelchen.fantaranch.tld
  - 192.168.1.10
  - teufelchen#
  Jail
  - alcatraz.fantaranch.tld
  - 192.168.1.30
  - alcatraz#

  Filesystem Layout
    - tank		my zpool, /mnt/tank
    - tank/freebsd	FreeBSD related files
    - tank/alcatraz	dataset for the jail

Here We Go

SSH into your FreeNAS and become root. The datasets can be created in the WebUI; for demonstration I will use the command line only.

teufelchen# zfs create tank/freebsd
teufelchen# zfs create tank/alcatraz

Download the FreeBSD Base-Files

In this case via rsync from a German server. The strange command syntax makes sure that the correct files for your version and architecture are downloaded.

teufelchen# cd /mnt/tank/freebsd/
teufelchen# rsync -av ftp.de.freebsd.org::FreeBSD/releases/`uname -m`/`uname -r | cut -d- -f1-2`/base/ `uname -r | cut -d- -f1-2`_`uname -m`_base
receiving incremental file list
created directory 8.2-RELEASE_amd64_base
./
CHECKSUM.MD5
CHECKSUM.SHA256
base.aa
base.ab
[...]
base.mtree
install.sh

sent 925 bytes  received 60508876 bytes  661309.30 bytes/sec
total size is 60498897  speedup is 1.00


Extract the files into your new jail's root directory.

teufelchen# cd 8.2-RELEASE_amd64_base/
teufelchen# cat base.?? | tar --unlink -xpzf - -C /mnt/tank/alcatraz/


Now we need to do some changes to /etc/rc.conf. You can reboot at any point and the original FreeNAS freenas file will be restored.


Mount / read write to allow changes

teufelchen# mount -urw /

Append the necessary settings to your rc.conf

teufelchen# cat << ! >> /etc/rc.conf
? ### jail related settings ###
? jail_enable="YES"
? jail_list="alcatraz"
? jail_alcatraz_rootdir="/mnt/tank/alcatraz"
? jail_alcatraz_hostname="alcatraz.fantaranch.tld"
? jail_alcatraz_ip="192.168.1.30"
? jail_alcatraz_interface="alc0"
? jail_alcatraz_devfs_enable="YES"
? jail_alcatraz_mount_enable="YES"
? jail_alcatraz_fstab="/mnt/tank/freebsd/fstab.alcatraz"
? !


Create an fstab file for your jail; here you can list any filesystem to mount, fstab style.

teufelchen# touch /mnt/tank/freebsd/fstab.alcatraz

Set a DNS, here OpenDNS

teufelchen# echo "nameserver 208.67.222.222" >> /mnt/tank/alcatraz/etc/resolv.conf

And set the timezone

teufelchen# cp /etc/localtime /mnt/tank/alcatraz/etc/


Now you can start your jail.

teufelchen# /etc/rc.d/jail start
Configuring jails:.
Starting jails: alcatraz.fantaranch.tld.

List running jails; the JID (JailID) is necessary to enter the jail.

teufelchen# jls 
   JID  IP Address      Hostname                      Path
    14  192.168.1.30    alcatraz.fantaranch.tld       /mnt/tank/alcatraz
teufelchen# jexec 14 csh

Now you can follow any FreeBSD/Jail related docs.

alcatraz#

Tip:
check out
teufelchen# sysctl -a | grep jail
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0
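
Added example, not part of the original post: the tip's `sysctl -a | grep jail` output turned into a check, since the post says little time was spent on securing the jail. The "want" values are this example's restrictive baseline (an assumption, not a FreeNAS recommendation), and the sample input is copied from the output quoted above.

```shell
#!/bin/sh
# Added example: audit the host-wide security.jail.* sysctls shown in the post.
# The "want" values are this example's restrictive baseline (an assumption).

audit_jail_sysctls() {
    # stdin:  "name: value" lines as printed by `sysctl -a | grep jail`
    # stdout: one WARN line per deviation, one MISSING line per absent knob
    awk '
    function rule(n, v, r) { want[n] = v; why[n] = r }
    BEGIN {
        rule("security.jail.mount_allowed", "0", "jailed root may mount and unmount jail-friendly file systems")
        rule("security.jail.chflags_allowed", "0", "jailed root may change system file flags")
        rule("security.jail.allow_raw_sockets", "0", "jailed root may open raw sockets")
        rule("security.jail.sysvipc_allowed", "0", "System V IPC is shared with the host and other jails")
        rule("security.jail.socket_unixiproute_only", "1", "jail may use socket families beyond UNIX, IP and route")
        rule("security.jail.enforce_statfs", "2", "jail can see more mount points than the one holding its root")
    }
    {
        name = $1
        sub(/:$/, "", name)
        # Exact match only: security.jail.param.* lines describe parameters, not settings.
        if (!(name in want)) next
        seen[name] = 1
        if (($2 "") != want[name])
            printf "WARN %s=%s (want %s): %s\n", name, $2, want[name], why[name]
    }
    END {
        for (name in want)
            if (!(name in seen)) printf "MISSING %s\n", name
    }'
}

# Sample input: the relevant lines of the sysctl output quoted in the post.
post_sysctl_output() {
    cat <<'EOF'
security.jail.param.enforce_statfs: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
EOF
}

post_sysctl_output | audit_jail_sysctls
```

On the host from the post this would be fed live data with `sysctl -a | grep jail | audit_jail_sysctls`; these sysctls are host-wide, so they apply to every jail started on the box.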

 

dannyb78

Explorer
Joined
Aug 30, 2011
Messages
70
Very interesting tip, this is useful not only for Transmission but for general testing purposes too!!

Is there a way to force Transmission to use a path stored in the host FreeNAS installation (not in the jail)? Or is it best practice to share a folder in the jailed system?
 

wase

Cadet
Joined
Sep 6, 2011
Messages
4
noob!

Sorry for being a noob, have had Ubuntu for years, now on Mac... :o
Made it perfectly to the point of getting the base files for BSD. I have the 8.0.1-RC1-amd64 (7508) of FreeNAS and FreeBSD 8.2-RELEASE-p2, but what should I put in instead of the ´ ?
 