How to configure a VPL jail system 1.2

Note: These instructions are written for the CentOS 5.3 operating system and xinetd; in other environments they may not be adequate.

The jail system

The jail system is composed of two elements: one prepares the fake jail file system at machine startup, and the other is the xmlrpc service that answers execution requests.

Two configuration files control the system. "/etc/vpl/vpl-xmlrpc-jail.conf" defines the jail file system path, the prisoner user ID range and the resource limits. "/etc/xinetd.d/vpl-xmlrpc-jail" is the xinetd service configuration file and sets the service port, the allowed machines, the arguments for the server, etc.

File "/etc/vpl/vpl-xmlrpc-jail.conf"

The text file "/etc/vpl/vpl-xmlrpc-jail.conf" contains one option per line. The option format is "option=value", with no spaces before or after "=". Lines beginning with "#" are comments. The options that can be set are the following:

  • "MIN_PRISONER_UGID" [> 1000]: Used to set the initial number of user ID in prison. Example value 10000.
  • "MAX_PRISONER_UGID" [<= 65534]: Used to set the final number of user ID in prison. Example value 20000. The system will create users for prison from "MIN_PRISONER_UGID" to "MAX_PRISONER_UGID. There should be no real users in this range. In each run is randomly used one of these users.
  • "JAILPATH" Determines the path to the directory where the fake jail file system is created.
  • "MAXTIME" [optional]: Maximum time in seconds of an execution request.
  • "MAXFILESIZE" [optional]: Maximum size in bytes of each file.
  • "MAXMEMORY" [optional]: Maximum Memory in bytes usable in a task.
  • "MAXPROCESSES" [optional]: Maximum number of concurrent processes running.

Executing a task involves a prior request that checks the availability of the server; this request carries the maximum resources the task needs. If a requested value exceeds the corresponding limit ("MAXTIME", "MAXFILESIZE", "MAXMEMORY" or "MAXPROCESSES"), the task is rejected.
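As an added example (not code from the VPL project), a shell check that applies the rules above to a vpl-xmlrpc-jail.conf and a passwd file, flagging a prisoner UID range that overlaps real accounts; the sample files are constructed.

```shell
# Added example (not part of VPL): sanity-check a vpl-xmlrpc-jail.conf
# against the rules in the text: MIN_PRISONER_UGID > 1000,
# MAX_PRISONER_UGID <= 65534, MIN below MAX, JAILPATH set, and no real
# account (from a passwd file) with a UID inside the prisoner range.

# Read one option: lines starting with "#" are comments, format option=value.
conf_get() {  # conf_get FILE OPTION
    grep -v '^#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# Returns 0 when the file passes every check, 1 otherwise (reasons on stderr).
check_vpl_conf() {  # check_vpl_conf CONF PASSWD
    conf=$1; passwd=$2; rc=0
    min=$(conf_get "$conf" MIN_PRISONER_UGID); min=${min:-0}
    max=$(conf_get "$conf" MAX_PRISONER_UGID); max=${max:-0}
    [ -n "$(conf_get "$conf" JAILPATH)" ] || { echo "JAILPATH not set" >&2; rc=1; }
    [ "$min" -gt 1000 ] || { echo "MIN_PRISONER_UGID must be > 1000" >&2; rc=1; }
    [ "$max" -le 65534 ] || { echo "MAX_PRISONER_UGID must be <= 65534" >&2; rc=1; }
    [ "$min" -lt "$max" ] || { echo "MIN_PRISONER_UGID must be below MAX" >&2; rc=1; }
    # Any account whose UID lies in [min,max] would be reused as a prisoner.
    clash=$(awk -F: -v lo="$min" -v hi="$max" '$3>=lo && $3<=hi {print $1}' "$passwd")
    [ -z "$clash" ] || { echo "real users inside prisoner range: $clash" >&2; rc=1; }
    return $rc
}

# Constructed sample inputs (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
# prisoner accounts 10000..20000, jail under /jail
MIN_PRISONER_UGID=10000
MAX_PRISONER_UGID=20000
JAILPATH=/jail
MAXTIME=60
EOF
cat > "$tmp/bad.conf" <<'EOF'
MIN_PRISONER_UGID=500
MAX_PRISONER_UGID=20000
JAILPATH=/jail
EOF
cat > "$tmp/passwd_clean" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
EOF
cat > "$tmp/passwd_clash" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:15000:15000::/home/bob:/bin/bash
EOF
```

Run it as `check_vpl_conf /etc/vpl/vpl-xmlrpc-jail.conf /etc/passwd` on the jail host to test the real files.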

File "/etc/xinetd.d/vpl-xmlrpc-jail"

The most common parameters used are:

  • only_from. Sets the machines or networks that are allowed to make requests.
  • cps. Sets the maximum number of connections per second. If this limit is reached, the service is disabled for the given number of seconds.
  • instances. Defines the maximum number of instances of a service.
  • per_source. Defines the maximum number of instances of a service per source IP address.
  • port. Defines the port the service will use. For example, 52000.
  • server_args. Sets the parameters passed on the command line to the server. The vpl-xmlrpc-jail server accepts 2 arguments:

"-uri path". Sets the path appended to the URL of the server. If the server were named "localhost", the URL to use in requests would be "http://localhost:port/path". The default is "/RPC". This parameter can be used as a key, because a request whose URL does not include it is ignored.
"-d #". Sets the debugging level; a greater number means more information in the system logs.

For more details, see the manual of the xinetd configuration files by running "man xinetd.conf".
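As an added example that is not part of the VPL project or xinetd, a constructed xinetd stanza for the service next to a shell check of the settings described above (client restriction, limits, and a non-default "-uri" path); the port, network, uri path and server path are assumed values.

```shell
# Added example (not VPL's or xinetd's own code): a constructed xinetd stanza for
# vpl-xmlrpc-jail plus a checker; /path/to/vpl-xmlrpc-jail is a placeholder.
# Read "key = value" from an xinetd service file (last occurrence wins).
xinetd_get() {  # xinetd_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# 0 if clients are restricted, port/instances/per_source set and -uri non-default.
check_vpl_xinetd() {  # check_vpl_xinetd FILE
    f=$1; rc=0
    case "$(xinetd_get "$f" only_from)" in
        ""|0.0.0.0|0.0.0.0/0) echo "only_from missing or open to all" >&2; rc=1 ;;
    esac
    for k in port instances per_source; do
        [ -n "$(xinetd_get "$f" "$k")" ] || { echo "$k not set" >&2; rc=1; }
    done
    # The default -uri is /RPC; a private path works as a shared key.
    case " $(xinetd_get "$f" server_args) " in
        *" -uri /RPC "*) echo "server_args uses the default -uri /RPC" >&2; rc=1 ;;
        *" -uri "*) ;;
        *) echo "server_args sets no -uri path" >&2; rc=1 ;;
    esac
    return $rc
}
# Constructed sample stanzas (port, network and uri path are made up).
tmp=$(mktemp -d)
cat > "$tmp/hardened" <<'EOF'
service vpl-xmlrpc-jail
{
    type        = UNLISTED
    socket_type = stream
    wait        = no
    user        = root
    port        = 52000
    only_from   = 192.168.1.0/24
    cps         = 50 10
    instances   = 30
    per_source  = 10
    server      = /path/to/vpl-xmlrpc-jail
    server_args = -uri /secretpath -d 1
}
EOF
cat > "$tmp/weak" <<'EOF'
service vpl-xmlrpc-jail
{
    port        = 52000
    server      = /path/to/vpl-xmlrpc-jail
    server_args = -uri /RPC
}
EOF
```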


The firewall

Once you set the port where the vpl-xmlrpc-jail service is provided, you need to configure your firewall to allow its use. You may use "system-config-securitylevel-tui" to configure the firewall.


VirtualBox Settings

To expose the vpl-xmlrpc-jail service to the outside, VirtualBox can use port forwarding: ports on the host machine are redirected to the virtual machine. For example, to make port 52000 of the virtual machine appear as port 53000 on the host machine, run the following commands.

VBoxManage setextradata "jail" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/jailservice/Protocol" TCP
VBoxManage setextradata "jail" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/jailservice/GuestPort" 52000
VBoxManage setextradata "jail" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/jailservice/HostPort" 53000

With newer VirtualBox versions:

VBoxManage modifyvm "jail" --natpf1 "jailservice,tcp,,53000,,52000"

where "jail" is the virtual machine name, "pcnet" is the type of network card in the virtual machine and "jailservice" is a name that defines the service. The setting will take effect the next time the machine restart.

If you want to set up the machine so that it cannot be changed, stop the machine and run the following command:

VBoxManage modifyhd /root/jaildisk.vdi settype immutable

With newer VirtualBox versions:

VBoxManage modifyhd /root/jaildisk.vdi --type immutable

where "/root/jaildisk.vdi" is the name of the file that represents the hard disk of the virtual machine.

To start the virtual machine automatically when the host machine boots, add the following line to the file "/etc/rc.local":

VBoxHeadless --vrdp off --startvm jail &

where "jail" is the virtual machine name.

For more details, see the manual of VirtualBox.


Configuring Xen

By default, the network in Xen virtual machines is supplied by a bridge. This makes virtual machines appear on the network like another machine, so there is no need for port forwarding.

To make the machine immutable, change the configuration file "/etc/xen/jail", where "jail" is the name of the virtual machine. The modification changes the machine's disk definition. The disk definition looks like:

disk = [ "file:/root/jail.img,hda,w", ",hdc:cdrom,r" ]

Change the "w" after the file name to "r":

disk = [ "file:/root/jail.img,hda,r", ",hdc:cdrom,r" ]

You may also set the file that represents the disk to read-only mode.

To start the virtual machine automatically every time you start the host machine, copy the file "/etc/xen/jail" to directory "/etc/xen/auto".