Support #668

Create a Jail on FreeBSD

Added by Daniel Curtis over 8 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Jails / Containers
Target version:
Start date:
10/04/2015
Due date:
% Done:

100%

Estimated time:
1.00 h
Spent time:

Description

This is a guide on using ezjail to create a jail on FreeBSD 11.1-RELEASE.

Prepare the Environment

  • Make sure the system is up to date:
    pkg update && pkg upgrade
    

Install Ezjail

  • Install ezjail:
    pkg install ezjail
    
  • First, create the base jail with the ports tree:
    ezjail-admin install -p
    
    • NOTE: To also install the system sources into the basejail, add the -s flag:
      ezjail-admin install -sp
      
  • Next, create the actual jail, giving it a hostname and IP address:
    ezjail-admin create jail.example.com 'em0|192.168.100.5'
    
    • NOTE: If using multiple interfaces for the jail, specify the IP address for each interface:
      ezjail-admin create jail.example.com 'em0|10.0.2.0/24,em1|192.168.100.5/24'
      
  • Copy the host's resolv.conf into the jail so it can resolve DNS names:
    cp /etc/resolv.conf /usr/jails/jail.example.com/etc/
    
  • Start and enable the service at boot:
    sysrc ezjail_enable=YES
    service ezjail start
    
  • Check whether your jail is running:
    jls
    
    • Example output:
      JID  IP Address        Hostname              Path
        1  192.168.100.13    jail.example.com      /usr/jails/jail.example.com
      
  • From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system.
    ezjail-admin console jail.example.com
    
    • Start and enable the sshd service at boot:
      sysrc sshd_enable=YES
      service sshd start
      

Updating Jails

  • Update the basejail with freebsd-update:
    freebsd-update fetch install
    reboot
    ezjail-admin update -u
    
  • To upgrade a jail to a specific version, in this case 11.0-RELEASE:
    ezjail-admin update -U -s 11.0-RELEASE
    mergemaster -U -D /usr/jails/jail.example.com
    
  • To update the base jail's ports tree, which all jails also have read-only access to:
    ezjail-admin update -P
    

Migrating Jails

  • Moving jails between hosts is easy with minimal configuration changes. Stop the example jail and archive it to a file:
    ezjail-admin stop jail.example.com
    ezjail-admin archive jail.example.com
    
  • The archive appears in /usr/jails/ezjail_archives. Securely transfer the file to the other server, create a basejail there (ezjail-admin install) if it does not already have one, and restore the jail from the archive:
    scp /usr/jails/ezjail_archives/jail_example_com.tar.gz offsite.example.com:/usr/jails/ezjail_archives
    ezjail-admin create -a /usr/jails/ezjail_archives/jail_example_com.tar.gz jail.example.com 192.168.100.5
    ezjail-admin start jail.example.com
    

Enabling SysV IPC

WARNING: Enabling SysV IPC defeats part of the purpose of separating jails, because jails that share the host's IPC namespace can see each other's shared memory and semaphores; however, in some cases it simply must be enabled, for example when setting up PostgreSQL in a jail. More information can be found here

  • Enable SystemV IPC
    echo 'security.jail.sysvipc_allowed=1' >> /etc/sysctl.conf
    reboot
    

Per Jail

  • Edit the ezjail config for the jail:
    vi /usr/local/etc/ezjail/jail_example_com
    
    • And modify the jail parameters to add the allow.sysvipc=1 configuration:
      export jail_jail_example_com_parameters="allow.sysvipc=1"
      
  • Restart the jail:
    ezjail-admin restart jail.example.com
    

Every Jail

  • Enable every jail installed on the host to use sysvipc:
    sysrc jail_sysvipc_allow=YES
    
  • Restart all jails:
    service ezjail restart
    

Enable Raw Sockets

To allow jails the ability to ping, raw sockets must be enabled.

  • Enable Raw Sockets:
    echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
    reboot
    
  • Edit the ezjail config for the jail:
    vi /usr/local/etc/ezjail/jail_example_com
    
    • And modify the jail parameters to add the allow.raw_sockets=1 configuration:
      export jail_jail_example_com_parameters="allow.raw_sockets=1"
      
  • Restart the jail:
    service ezjail restart
    
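The two per-jail steps above (SysV IPC and raw sockets) each write the whole jail_<name>_parameters variable, so applying the second export after the first silently drops the first flag. The following POSIX sh helpers, an added example and not part of the original guide or of ezjail, build the config path and a single parameters line carrying only the flags you explicitly grant; the name mangling (every non-alphanumeric character becomes "_", giving jail_example_com for jail.example.com) is assumed to match what ezjail-admin does.

```shell
#!/bin/sh
# Added example: derive ezjail's per-jail config path and build ONE
# jail_<name>_parameters line that grants only the listed allow.* flags.

# ezjail mangles the hostname into a "safe" name for the config file and
# variable prefix (assumption: non-alphanumerics are replaced with "_",
# e.g. jail.example.com -> jail_example_com, as seen in the guide above).
ezjail_safename() {
    printf '%s' "$1" | tr -c '[:alnum:]' '_'
}

# Path of the ezjail config file for the given jail hostname.
ezjail_config_path() {
    printf '/usr/local/etc/ezjail/%s\n' "$(ezjail_safename "$1")"
}

# Print the export line for the jail's parameters.
# Usage: ezjail_params_line <hostname> [allow.sysvipc] [allow.raw_sockets]
# Only the two flags discussed in the guide are accepted, so an unexpected
# privilege cannot slip into the jail by a typo; anything else is rejected.
ezjail_params_line() {
    name=$(ezjail_safename "$1"); shift
    params=""
    for p in "$@"; do
        case "$p" in
            allow.sysvipc|allow.raw_sockets) ;;
            *) printf 'unsupported jail parameter: %s\n' "$p" >&2; return 1 ;;
        esac
        # Space-separate the flags inside the single quoted value.
        params="${params:+$params }$p=1"
    done
    printf 'export jail_%s_parameters="%s"\n' "$name" "$params"
}

# Example run: print the path and the combined line for the guide's jail.
ezjail_config_path jail.example.com
ezjail_params_line jail.example.com allow.sysvipc allow.raw_sockets
```

Append the printed line to the config file (or replace the existing parameters line) and restart the jail with ezjail-admin restart as in the steps above.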

No IP Address Set On Jail

This happened to me on 11.1-STABLE.

  • Edit the jail config:
    vi /usr/local/etc/ezjail/jail_example_com
    
    • And add the following line to the config:
      export jail_jail_interface="em0"
      

Resources
