/dev/random in jails

Christopher Cowart ccowart at rescomp.berkeley.edu
Thu Jul 19 04:49:13 UTC 2007

On Wed, Jul 18, 2007 at 09:41:35PM -0700, Tech Valley Internet - Tony Kivits wrote:
>At 08:42 PM 7/18/2007, Christopher Cowart wrote:
>>On Wed, Jul 18, 2007 at 08:34:21PM -0700, Tech Valley Internet - 
>>Tony Kivits wrote:
>>>At 07:32 PM 7/18/2007, Christopher Cowart wrote:
>>>>On Wed, Jul 18, 2007 at 06:30:50PM -0700, Tech Valley Internet -
>>>>Tony Kivits wrote:
>>>>> I am attempting to run portions (if not all) of the software called
>>>>> HSphere inside of jailed subsystems of FreeBSD.  I am able to create
>>>>> the jails no problem but the devices /dev/random and /dev/urandom are
>>>>> not created automatically in the jail despite the fact that a handful
>>>>> of other devices are mounted correctly when the jail is created.
>>>>> Is there a specific reason for these devices not being created in a
>>>>> jail or is there a way to create these devices so that they will be
>>>>> available inside a jail?
>>>>We run bind instances in FreeBSD jails. This is how we get /dev/random:
>>>>| # /etc/devfs.rules:
>>>>| [devfsrules_thin_jail=100]
>>>>| add include $devfsrules_hide_all
>>>>| add include $devfsrules_unhide_basic
>>>>| # /etc/rc.conf:
>>>>| jail_cachingdns_devfs_enable="YES"
>>>>| jail_cachingdns_devfs_ruleset="devfsrules_thin_jail"
>>> Thanks Chris,
>>> So if my jail is called "cp", the only thing that I would have to
>>> change from your scripts would be replace to replace "cachingdns" 
>>with "cp"?
>>Yes. Are you configuring the jail via /etc/rc.conf already? Are you
>>using the rc script /etc/rc.d/jail to start your jails?
>>My complete config from /etc/rc.conf is:
>>| # Enable jails
>>| jail_enable="YES"
>>| jail_list="cachingdns"
>>| # Caching-nameserver jail
>>| jail_cachingdns_hostname="ns1.example.com"
>>| jail_cachingdns_ip=""
>>| jail_cachingdns_interface="bge0"
>>| jail_cachingdns_rootdir="/var/jails/caching-dns"
>>| jail_cachingdns_exec="/usr/local/sbin/named"
>>| jail_cachingdns_devfs_enable="YES"
>>| jail_cachingdns_devfs_ruleset="devfsrules_thin_jail"
>>You can replace cachingdns with cp or whatever else you want. You can
>>also create multiple jails with different names.
>>I don't know if you're following the typical FreeBSD jail documentation
>>which gives you a complete FreeBSD installation inside the jail. Given
>>that I only need to run named, I have not done that.
>>Are you trying to run a complete FreeBSD install that allows user logins
>>inside your jail? Or are you simply trying to jail a single process? My
>>example above jails the single process named, and does not have an OS
>>install inside the jail's root.
> I am doing a complete OS inside the jail and am starting it through 
> the rc.conf.

The default devfs ruleset for jails (devfsrules_jail, found in
/etc/defaults/devfs.rules) should work fine for you then. Perhaps try
specifying that ruleset explicitly?

> I have modified the devfs.rules so that they are now passing random 
> and urandom as devices.  But the installation software is still 
> reporting that /dev/random is not working properly.  Do you know of a 
> way that I can test /dev/random to see if it is actually working?

$ ls -l caching-dns/dev/random
crw-rw-rw-  1 root wheel 0, 8 Jul  3 18:08 caching-dns/dev/random

$ dd if=/dev/random bs=1 count=12 2>/dev/null | openssl base64
Should give you a base64 encoding of some random data (base64 to prevent
it from messing up your terminal) if /dev/random is working.

Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20070719/460cb0e4/attachment.pgp

More information about the freebsd-questions mailing list