Project

General

Profile

Support #668

Create a Jail on FreeBSD

Added by Daniel Curtis about 9 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Daniel Curtis
Category:
Jails / Containers
Target version:
FreeBSD 11
Start date:
10/04/2015
Due date:
% Done:

100%

Estimated time:
1.00 h
Spent time:
3.00 h

Description

This is a guide on using ezjail to create a jail on FreeBSD 11.1-RELEASE.

Prepare the Environment

  • Make sure the system is up to date:
    pkg update && pkg upgrade

Install Ezjail

  • Install ezjail:
    pkg install ezjail
  • First, create the base jail with the ports tree:
    ezjail-admin install -p
    • NOTE: To add system sources add the -s flag
      ezjail-admin install -sp
  • Next, create the actual jail, giving it a hostname and IP address:
    ezjail-admin create jail.example.com 'em0|192.168.100.5'
    • NOTE: If using multiple interfaces for the jail, specify the IP address for each interface:
      ezjail-admin create jail.example.com 'em0|10.0.2.0/24,em1|192.168.100.5/24'
  • Copy your resolv.conf to the jail so it can do DNS.
    cp /etc/resolv.conf /usr/jails/jail.example.com/etc/
  • Start and enable the service at boot:
    sysrc ezjail_enable=YES
service ezjail start
  • Check whether your jail is running:
    jls
    • Example output:
      JID  IP Address        Hostname              Path
  1  192.168.100.13    jail.example.com      /usr/jails/jail.example.com
  • From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system.
    ezjail-admin console jail.example.com
    • Start and enable the sshd service at boot:
      sysrc sshd_enable=YES
service sshd start

Updating Jails

  • Update the basejail with freebsd-update:
    freebsd-update fetch install
reboot
ezjail-admin update -u
  • To upgrade a jail to a specific version, in this case 11.0-RELEASE:
    ezjail-admin update -U -s 11.0-RELEASE
mergemaster -U -D /usr/jails/jail.example.com
  • To update the base jail's ports tree, which all jails also have read-only access to:
    ezjail-admin update -P

Migrating Jails

  • Moving jails between hosts is easy with minimal configuration changes. Stop the example jail and archive it to a file:
    ezjail-admin stop jail.example.com
ezjail-admin archive jail.example.com
  • The archived file should appear in /usr/jails/ezjail_archives. You can securely transfer the file to another server, make a new basejail and put the archive in place.
    scp jail.example.com.tar.gz offsite.example.com:/usr/jails/ezjail_archives
ezjail-admin create -a /usr/jails/ezjail_archives/jail_example_com.tar.gz jail.example.com 192.168.100.5
ezjail-admin start jail.example.com

Enabling SysV IPC

WARNING: Enabling SysV IPC is defeats the purpose of separating jails; however in some cases it simply must be enabled, like setting up PostgreSQL in a jail. More information can be found here

  • Enable SystemV IPC
    echo 'security.jail.sysvipc_allowed=1' >> /etc/sysctl.conf
reboot

Per Jail

  • Edit the ezjail config for the jail:
    vi /usr/local/etc/ezjail/jail_example_com
    • And modify the jail parameters to add the allow.sysvipc=1 configuration:
      export jail_jail_example_com_parameters=”allow.sysvipc=1″
  • Restart the jail:
    ezjail-admin restart jail.example.com

Every Jail

  • Enable every jail installed on the host to use sysvipc:
    sysrc jail_sysvipc_allow=YES
  • Restart the jail:
    service ezjail restart

Enable Raw Sockets

To allow jails the ability to ping, raw sockets must be enabled.

  • Enable Raw Sockets:
    echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
reboot
  • Edit the ezjail config for the jail:
    vi /usr/local/etc/ezjail/jail_example_com
    • And modify the jail parameters to add the allow.sysvipc=1 configuration:
      export jail_jail_example_com_parameters="allow.raw_sockets=1"
  • Restart the jail:
    service ezjail restart

No IP Address Set On Jail

This happened to me on 11.1-STABLE.

  • Edit the jail config:
    vi /usr/local/etc/ezjail/jail_example_com
    • And add the following line to the config:
      export jail_jail_interface="em0"

Resources

#1

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
  • Status changed from New to In Progress
  • % Done changed from 0 to 30
#2

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
  • Target version changed from FreeBSD 9 to FreeBSD 10
  • % Done changed from 30 to 50
#3

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#4

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
  • % Done changed from 50 to 70
#5

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
  • Status changed from In Progress to Resolved
  • % Done changed from 70 to 100
#6

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#7

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#8

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#9

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#10

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#11

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#12

Updated by Daniel Curtis about 9 years ago

  • Description updated (diff)
#13

Updated by Daniel Curtis about 9 years ago

  • Status changed from Resolved to Closed
#14

Updated by Daniel Curtis almost 9 years ago

  • Description updated (diff)
#15

Updated by Daniel Curtis almost 9 years ago

  • Description updated (diff)
#16

Updated by Daniel Curtis almost 7 years ago

  • Description updated (diff)
#17

Updated by Daniel Curtis almost 7 years ago

  • Description updated (diff)
  • Target version changed from FreeBSD 10 to FreeBSD 11
#18

Updated by Daniel Curtis almost 7 years ago

  • Description updated (diff)

Also available in: Atom PDF