Running Ventrilo in a FreeBSD jail

From ProjectWiki
Revision as of 11:44, 26 November 2010 by Wikisysop (Talk | contribs)

How to run Ventrilo in a FreeBSD jail on a single IP.

What is it?

A user requested a Ventrilo voice chat daemon on a server I administer. The initial problem for me was that the server has several IPs, and we did not want the daemon tying up all of them. The software is also closed source and hard to evaluate from a security standpoint, so I decided to run it in a FreeBSD jail. This allows assigning a single IP, and provides some additional security by confining the daemon to the jail. This page documents how to do it.

I'm tempted to rant on and on about the horrible Windows mentality that seems to seep from Ventrilo's server design, I mean they coulda provided for chrooting, binding to a specific host/port, and setuid from the start, but jaja... let's get on with it. :p

Also, this is a wiki; if you see any errors or places that can be improved, feel free to do so. Thank you. ^^

Requirements

Well, FreeBSD obviously; this documentation is for FreeBSD 7.x with Linux compatibility enabled. The reason for using Linux compat mode is that the FreeBSD-specific version of Ventrilo requires outdated versions of libstdc++.

  • FreeBSD 7.x (other versions may work, but I've not tested them)
  • Linux compatibility mode enabled
  • Ventrilo for Linux (ventrilo_srv-3.0.3-Linux-i386.tar.gz was used here)
  • basic knowledge of FreeBSD administration procedures. :P

How to

  • create a user account to run the daemon using the 'adduser' command. For this example we will assume the username is ventuser
adduser
  • transfer the tar.gz file to your server and place into the newly created user's home dir
  • cd to the new user's dir
cd /home/ventuser
  • unpack the archive and change into the newly created ventsrv dir
tar -zxf ventrilo_srv-3.0.3-Linux-i386.tar.gz
cd ventsrv

this will create a directory called: ventsrv

  • Add libs required for the jail (note the libexec portions may not be necessary)
mkdir lib
cp -R /usr/compat/linux/lib/* lib/
mkdir libexec
cp /libexec/ld-elf.so.1 libexec/
  • edit the ventrilo_srv.ini file with yer favorite text editor. This howto will not go into the details of this; they are well documented elsewhere

Okai, now we must create the script to launch Ventrilo.

  • Open a text editor on the server and copy/paste the text from the startup script below. Save this file as ventstart.sh or something. The script may be placed anywhere, but some common sense locations include /usr/local/etc/rc.d/ if you desire it to start automagically at boot. ^_^
  • edit ventstart.sh or whatever you called it for whatever username and ip you decided on.
  • Make the script executable
chmod 755 ventstart.sh

YAY! \^_^/ Unless you screwed up or I forgot something everything should be ready to go... To start the daemon manually type:

ventstart.sh

The server should start with no error messages. To verify type:

sockstat | grep vent

which should produce output something like

ventuser      ventrilo_s 17955 4  tcp4   204.16.1.55:3784    *:*
ventuser      ventrilo_s 17955 5  udp4   204.16.1.55:3784    *:*
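
The sockstat check above can be scripted as a pass/fail test of the two things the jail is meant to guarantee: the daemon is owned by the unprivileged user and is bound only to the jail IP, never to a wildcard address. This is an added example, not part of the original wiki page; the function name check_vent_sockets and the root/wildcard sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sockstat-format lines
# (USER COMMAND PID FD PROTO LOCAL FOREIGN) for ventrilo_srv sockets.
# On the host: sockstat -4 | check_vent_sockets ventuser 204.16.1.55

check_vent_sockets() {
    # $1 = expected user, $2 = expected jail IP; sockstat output on stdin.
    # Prints one line per problem. Returns 0 if every socket passes,
    # 1 if any socket fails, 2 if no ventrilo_srv socket was found.
    awk -v user="$1" -v ip="$2" '
        # sockstat truncates the command name to "ventrilo_s"
        $2 ~ /^ventrilo_s/ {
            seen++
            # LOCAL ADDRESS is addr:port; strip the port to get the bind address
            addr = $6; sub(/:[^:]*$/, "", addr)
            if ($1 != user) { print "BAD owner " $1 " (pid " $3 ")"; bad++ }
            if (addr == "*") { print "BAD wildcard bind " $6 " (pid " $3 ")"; bad++ }
            else if (addr != ip) { print "BAD address " $6 " (pid " $3 ")"; bad++ }
        }
        END {
            if (!seen) { print "BAD no ventrilo_srv sockets found"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# The two output lines shown on this page.
PAGE_SAMPLE='ventuser      ventrilo_s 17955 4  tcp4   204.16.1.55:3784    *:*
ventuser      ventrilo_s 17955 5  udp4   204.16.1.55:3784    *:*'

# Constructed failure case: daemon started outside the jail, as root.
BAD_SAMPLE='root          ventrilo_s 18001 4  tcp4   *:3784              *:*
root          ventrilo_s 18001 5  udp4   *:3784              *:*'

printf '%s\n' "$PAGE_SAMPLE" | check_vent_sockets ventuser 204.16.1.55 \
    && echo "page sample: OK"
printf '%s\n' "$BAD_SAMPLE" | check_vent_sockets ventuser 204.16.1.55 \
    || echo "constructed sample: check failed as expected"
```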

The startup script

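#!/usr/local/bin/bash
# Edit these three values for your own setup.
VENPATH=/home/ventuser/ventsrv   # jail root (the unpacked ventsrv dir)
VENUSER=ventuser                 # unprivileged account the daemon runs as
VENIP=204.16.1.55                # the single IP the jail is bound to

echo "Starting ventrilo... ^_^"
# FreeBSD 7.x syntax: jail -u username path hostname ip-number command
# (the username doubles as the jail hostname here)
jail -u "$VENUSER" "$VENPATH" "$VENUSER" "$VENIP" ventrilo_srv &
echo "delaying for jail/ventrilo startup"
sleep 3
# ventrilo_srv writes its pid file into the jail root
PID=$(cat "$VENPATH/ventrilo_srv.pid")
renice -6 "$PID"
echo -en "ventrilo started pid: $PID ip: $VENIP\n"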