Channel: kb.hurricane-ridge.com » security

Running a chrooted BIND in a FreeBSD Jail


(N.B. – This document was originally written in 2006; I have not verified that it remains applicable to FreeBSD in 2008.)

Running a chrooted BIND server within a FreeBSD jail requires mounting its devfs from outside the jail; this document provides an RCng start/stop script to do that.

Attempting to start BIND using the stock RCng script in a FreeBSD jail results in the following error:

> sudo /etc/rc.d/named start
mount_devfs: Operation not permitted
/etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
Starting named.

The reason for this is that the devfs for the chroot cannot be mounted or manipulated from within the jail itself; it must be done from the jail's parent (the host). To do this at boot, the script below can be used.

#!/bin/sh

# PROVIDE: jailedchrootdevfs
# REQUIRE: rcconf mountcritremote
# BEFORE: jail
# KEYWORD: nojail

. /etc/rc.subr

name="jailed-chroot-devfs"
start_cmd='start'
stop_cmd=':'
#rc_debug=1

# Path to the BIND chroot as seen from the host, i.e. the jail's root
# directory followed by the jail's own named_chrootdir.
jailed_named_chrootdir='/u1/jail/192.168.1.234/var/named'

start()
{
	# Unmount any stale devfs left from a previous run, then mount a fresh
	# one with every node hidden and expose only the two nodes named needs.
	umount ${jailed_named_chrootdir}/dev 2>/dev/null
	devfs_domount ${jailed_named_chrootdir}/dev devfsrules_hide_all
	devfs -m ${jailed_named_chrootdir}/dev rule apply path null unhide
	devfs -m ${jailed_named_chrootdir}/dev rule apply path random unhide
}

load_rc_config $name
run_rc_command "$1"

Next, within the jail, edit /etc/rc.d/named to comment out the lines equivalent to those above, found within the chroot_autoupdate() function:

*** named Thu Feb 23 12:34:41 2006
--- ../../../../../etc/rc.d/named Thu Nov 3 00:12:06 2005
***************
*** 58,67 ****

# Mount a devfs in the chroot directory if needed
#
! #umount ${named_chrootdir}/dev 2>/dev/null
! #devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
! #devfs -m ${named_chrootdir}/dev rule apply path null unhide
! #devfs -m ${named_chrootdir}/dev rule apply path random unhide

# Copy local timezone information if it is not up to date.
#
--- 58,67 ----

# Mount a devfs in the chroot directory if needed
#
! umount ${named_chrootdir}/dev 2>/dev/null
! devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
! devfs -m ${named_chrootdir}/dev rule apply path null unhide
! devfs -m ${named_chrootdir}/dev rule apply path random unhide

# Copy local timezone information if it is not up to date.
#
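Review bot: the hunk is reversed relative to the change the text describes: the `***` side (the file dated Feb 23 2006, i.e. the already edited copy of `named`) carries the commented-out lines, while the `---` side (the Nov 3 2005 stock `/etc/rc.d/named`) carries the active ones, so feeding this to `patch` as-is would uncomment the four lines rather than comment them out; regenerate it with the file arguments swapped (original first), or apply it with `patch -R`. A second point on the same four lines: once they are commented out nothing inside the jail verifies that the host-side script actually mounted the devfs, so named could start with an empty `${named_chrootdir}/dev` if that script failed; consider replacing them with a guard such as `[ -c ${named_chrootdir}/dev/random ] || err 1 "devfs not mounted in ${named_chrootdir}"` so the failure is loud rather than silent.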

Notes on the RCng script:

  • Specifying that the RCng script run BEFORE: jail ensures that the directory is mounted before the jail starts up and starts its BIND process.
  • The devfs commands in start() are adapted from the /etc/rc.d/named script.
  • /etc/rc.subr contains the devfs_domount subroutine; load_rc_config $name is required to load the devfs variables it needs to work.
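
Because the mount step has been removed from the jail's own named script, it is worth having a check on the host that confirms the devfs is mounted at the chroot's dev directory and that only the two nodes the script unhides (null and random) are visible. The script below is an added example, not part of the original article; the function names, the sample mount lines and the use of a plain directory to stand in for a devfs during testing are all constructed for illustration.

```shell
#!/bin/sh
# Added example: host-side sanity check for a chrooted BIND inside a jail.
# Verifies (1) a devfs is mounted at DIR/dev and (2) nothing beyond the
# allowed node list is visible there (the hide_all + selective unhide policy).
# Function names and sample data are constructed for this example.

# devfs_mounted DIR MOUNT_OUTPUT
#   Succeeds if MOUNT_OUTPUT, the text printed by FreeBSD's mount(8), shows a
#   devfs mounted at DIR/dev. Passing the output in as an argument keeps the
#   function testable offline; the live check below passes "$(mount)".
devfs_mounted() {
    dir="$1"
    mounts="$2"
    printf '%s\n' "$mounts" | grep -qF "devfs on ${dir}/dev ("
}

# visible_nodes_ok DIR ALLOWED
#   Walks every entry under DIR/dev (dotfiles included) and fails on the first
#   name that is not in the space-separated ALLOWED list.
visible_nodes_ok() {
    dir="$1"
    allowed="$2"
    for node in "$dir"/dev/* "$dir"/dev/.[!.]*; do
        [ -e "$node" ] || continue      # skip unmatched glob patterns
        base=$(basename "$node")
        ok=0
        for a in $allowed; do
            [ "$base" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected node visible in ${dir}/dev: ${base}" >&2
            return 1
        fi
    done
    return 0
}

# check_chroot_devfs DIR
#   Combined live check against the running host; DIR is the chroot path as
#   seen from the host (the jail root plus the jail's named_chrootdir).
check_chroot_devfs() {
    devfs_mounted "$1" "$(mount)" || {
        echo "devfs is not mounted at $1/dev" >&2
        return 1
    }
    visible_nodes_ok "$1" "null random"
}

# Usage on the host, e.g. from a cron job or after `/etc/rc.d/jail start`:
#   check_chroot_devfs /u1/jail/192.168.1.234/var/named && echo OK
```

Run it on the host, not inside the jail, since the jail cannot see the devfs mount list for its own chroot. A non-zero exit means either the host-side RCng script did not run before the jail started or a device beyond null and random has been unhidden, both of which are worth catching before named is relied upon.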

Other notes:

  • You will need to set the security.jail.allow_raw_sockets sysctl to 1 to allow named to open a UDP socket.
