Support #668

Updated by Daniel Curtis over 8 years ago

This is a guide on using ezjail to create a jail on FreeBSD 10. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 pkg update && pkg upgrade 
 </pre> 

 h2. Install Ezjail 

 * Install ezjail: 
 <pre> 
 pkg install ezjail 
 </pre> 

 * Create the base jail with a ports tree: 
 <pre> 
 ezjail-admin install -p 
 </pre> 
 #* *NOTE*: To add system sources add the -s flag 

 * (Optional) Update the basejail with freebsd-update. Just run: 
 <pre> 
 freebsd-update fetch install 
 ezjail-admin update -u 
 </pre> 
 #* To upgrade a jail to a specific version: 
 <pre> 
 ezjail-admin update -U -s 11.0-RELEASE 
 mergemaster -U -D /usr/jails/jail.example.com 
 </pre> 

 * To update the base jail's ports tree, which all jails also have read-only access to: 
 <pre> 
 ezjail-admin update -P 
 </pre> 

 * Add an IP alias for the jail on the "em0" NIC. Replace "em0" and the addresses with your own network card name and network settings: 
 <pre> 
 ifconfig em0 alias 192.168.100.5 netmask 0xffffff00 broadcast 192.168.100.255 
 </pre> 

 * Make an rc.conf entry to ensure the jail will be started at boot and gets the IP it needs: 
 <pre> 
 echo 'ifconfig_em0_alias0="inet 192.168.100.5 netmask 0xffffff00 broadcast 192.168.100.255"' >> /etc/rc.conf 
 echo 'ezjail_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Next, create the actual jail. Give it a hostname and the IP address from before: 
 <pre> 
 ezjail-admin create jail.example.com 192.168.100.5 
 </pre> 

 * Copy your resolv.conf to the jail so it can do DNS. 
 <pre> 
 cp /etc/resolv.conf /usr/jails/jail.example.com/etc/ 
 </pre> 

 * Finally, start the service: 
 <pre> 
 service ezjail start 
 </pre> 

 * Placing limits on jails is also possible. To only give the jail access to the first CPU core, you could do: 
 <pre> 
 ezjail-admin config -c 0 jail.example.com 
 </pre> 

 * See this page for more options on limiting jail resources. To check whether your jail is running, use the "jls" command: 
 <pre> 
 jls 
 </pre> 
 #* _Example output_: 
 <pre> 
 JID    IP Address          Hostname                Path 
   1    192.168.100.13      jail.example.com        /usr/jails/jail.example.com 
 </pre> 

 * From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system. 
 <pre> 
 ezjail-admin console jail.example.com 
 </pre> 

 * Moving jails between hosts is easy with minimal configuration changes. Stop the example jail and archive it to a file: 
 <pre> 
 ezjail-admin stop jail.example.com 
 ezjail-admin archive jail.example.com 
 </pre> 

 * The archived file should appear in /usr/jails/ezjail_archives. You can securely transfer the file to another server, make a new basejail there and put the archive in place. Use the file name that the archive command actually produced in both commands: 
 <pre> 
 # On the original host: 
 scp /usr/jails/ezjail_archives/jail_example_com.tar.gz offsite.example.com:/usr/jails/ezjail_archives 
 # On the new host: 
 ezjail-admin create -a /usr/jails/ezjail_archives/jail_example_com.tar.gz jail.example.com 192.168.100.5 
 ezjail-admin start jail.example.com 
 </pre> 
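
After a jail is started, whether newly created or restored from an archive on another host, the "jls" check can be scripted so that a jail bound to the wrong address is caught. This is an added example, not part of the original guide: the function names @check_jail@, @report@ and @sample_jls@ are hypothetical, the sample input is the guide's own example output, and it assumes the default jls column layout with one IPv4 address per jail.

```shell
#!/bin/sh
# Added example: confirm from `jls` output that a jail is running and bound
# to the IP address it was created with.
# Assumes the default jls columns (JID, IP Address, Hostname, Path).

# check_jail HOSTNAME EXPECTED_IP   (reads `jls` output on stdin)
# Exit status: 0 = running with the expected IP
#              1 = no running jail has that hostname
#              2 = running, but bound to a different IP
check_jail() {
    awk -v host="$1" -v ip="$2" '
        NR == 1 && $1 == "JID" { next }     # skip the header row
        $3 == host { found = 1; if ($2 == ip) ok = 1 }
        END { if (ok) exit 0; if (found) exit 2; exit 1 }
    '
}

# report HOSTNAME EXPECTED_IP   (prints a verdict, returns the same status)
report() {
    rc=0
    check_jail "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 is running on $2" ;;
        1) echo "FAIL: $1 is not running" ;;
        2) echo "FAIL: $1 is running but not bound to $2" ;;
    esac
    return "$rc"
}

# Constructed sample input: the example output shown in this guide.
sample_jls() {
    cat <<'EOF'
   JID  IP Address      Hostname                      Path
     1  192.168.100.13  jail.example.com              /usr/jails/jail.example.com
EOF
}

# On a live host: jls | report jail.example.com 192.168.100.5
# The sample lists 192.168.100.13, so checking for .5 reports a mismatch.
sample_jls | report jail.example.com 192.168.100.5 || true
```
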

 h2. Resources 

 * http://www.bsdnow.tv/tutorials/jails 
 * https://www.freebsd.org/doc/handbook/jails-ezjail.html 
 * https://wiki.freebsd.org/Jails
