Support #668
Updated by Daniel Curtis almost 7 years ago
This is a guide on using ezjail to create a jail on FreeBSD 11.1-RELEASE.

h2. Prepare the Environment

* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
</pre>

h2. Install Ezjail

* Install ezjail:
<pre>
pkg install ezjail
</pre>
* First, create the *base jail* with the ports tree:
<pre>
ezjail-admin install -p
</pre>
#* *NOTE*: To add system sources, add the -s flag:
<pre>
ezjail-admin install -sp
</pre>
* Next, create the *actual jail*, giving it a hostname and IP address:
<pre>
ezjail-admin create jail.example.com 'em0|192.168.100.5'
</pre>
#* *NOTE*: If using multiple interfaces for the jail, specify the IP address for each interface:
<pre>
ezjail-admin create jail.example.com 'em0|10.0.2.0/24,em1|192.168.100.5/24'
</pre>
* Copy your resolv.conf to the jail so it can do DNS:
<pre>
cp /etc/resolv.conf /usr/jails/jail.example.com/etc/
</pre>
* Start and enable the service at boot:
<pre>
sysrc ezjail_enable=YES
echo 'ezjail_enable="YES"' >> /etc/rc.conf
service ezjail start
</pre>
* Check whether your jail is running:
<pre>
jls
</pre>
#* _Example output_:
<pre>
   JID  IP Address      Hostname            Path
     1  192.168.100.13  jail.example.com    /usr/jails/jail.example.com
</pre>
* From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system:
<pre>
ezjail-admin console jail.example.com
</pre>
#* Start and enable the sshd service at boot:
<pre>
sysrc sshd_enable=YES
echo 'sshd_enable="YES"' >> /etc/rc.conf
service sshd start
</pre>

h2. Updating Jails

* Update the basejail with freebsd-update:
<pre>
freebsd-update fetch install
reboot
ezjail-admin update -u
</pre>
* To upgrade a jail to a specific version, in this case 11.0-RELEASE:
<pre>
ezjail-admin update -U -s 11.0-RELEASE
mergemaster -U -D /usr/jails/jail.example.com
</pre>
* To update the base jail's ports tree, which +all jails also have read-only access to+:
<pre>
ezjail-admin update -P
</pre>

h2. Migrating Jails

* Moving jails between hosts is easy with minimal configuration changes. Stop the example jail and archive it to a file:
<pre>
ezjail-admin stop jail.example.com
ezjail-admin archive jail.example.com
</pre>
* The archived file should appear in /usr/jails/ezjail_archives. You can securely transfer the file to another server, make a new basejail and put the archive in place:
<pre>
scp jail.example.com.tar.gz offsite.example.com:/usr/jails/ezjail_archives
ezjail-admin create -a /usr/jails/ezjail_archives/jail_example_com.tar.gz jail.example.com 192.168.100.5
ezjail-admin start jail.example.com
</pre>

h2. Enabling SysV IPC

*WARNING*: Enabling SysV IPC defeats the purpose of separating jails; however, in some cases it simply must be enabled, such as when setting up PostgreSQL in a jail. More information can be found "here":https://www.freebsd.org/doc/en/books/arch-handbook/jail-restrictions.html

* Enable SystemV IPC:
<pre>
echo 'security.jail.sysvipc_allowed=1' >> /etc/sysctl.conf
reboot
</pre>

h3. Per Jail

* Edit the ezjail config for the jail:
<pre>
vi /usr/local/etc/ezjail/jail_example_com
</pre>
#* And modify the jail parameters to add the @allow.sysvipc=1@ configuration:
<pre>
export jail_jail_example_com_parameters="allow.sysvipc=1"
</pre>
* Restart the jail:
<pre>
ezjail-admin restart jail.example.com
</pre>

h3. Every Jail

* Enable every jail installed on the host to use sysvipc:
<pre>
sysrc jail_sysvipc_allow=YES
echo 'jail_sysvipc_allow="YES"' >> /etc/rc.conf
</pre>
* Restart the jail:
<pre>
service ezjail restart
</pre>

h2. Enable Raw Sockets

To allow jails the ability to ping, raw sockets must be enabled.

* Enable raw sockets:
<pre>
echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
reboot
</pre>
* Edit the ezjail config for the jail:
<pre>
vi /usr/local/etc/ezjail/jail_example_com
</pre>
#* And modify the jail parameters to add the @allow.raw_sockets=1@ configuration:
<pre>
export jail_jail_example_com_parameters="allow.raw_sockets=1"
</pre>
* Restart the jail:
<pre>
service ezjail restart
</pre>

h2. No IP Address Set On Jail

This happened to me on 11.1-STABLE.

* Edit the jail config:
<pre>
vi /usr/local/etc/ezjail/jail_example_com
</pre>
#* And add the following line to the config:
<pre>
export jail_jail_interface="em0"
</pre>

h2. Resources

* http://www.bsdnow.tv/tutorials/jails
* https://www.freebsd.org/doc/handbook/jails-ezjail.html
* https://wiki.freebsd.org/Jails
* https://www.freebsd.org/doc/en/books/arch-handbook/jail-restrictions.html
* http://www.clausconrad.com/blog/running-postgresql-9-3-in-an-ezjail
* https://forums.freebsd.org/threads/36507/
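Because the SysV IPC and raw-sockets sections above both loosen jail isolation, it is worth being able to list which jails on a host carry those parameters. The following audit script is an added example, not part of the original guide or of ezjail itself; the function names, the sample jail configs (db.example.com, web.example.com) and the rc.conf snippet are constructed for the demo, with the file layout modelled on /usr/local/etc/ezjail/jail_example_com.

```shell
#!/bin/sh
# Added audit script (not part of the original guide): scan ezjail per-jail
# config files for the isolation-weakening parameters discussed above.
# The file layout mirrors /usr/local/etc/ezjail/jail_example_com; the sample
# configs below are constructed for the demo and are not real hosts.
set -u

# Print "<config file> <parameter>" for each jail whose *_parameters line
# enables allow.sysvipc or allow.raw_sockets. $1 is the ezjail config dir.
audit_ezjail_params() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Matches: export jail_<name>_parameters="allow.sysvipc=1 ..."
        params=$(sed -n 's/^export jail_[A-Za-z0-9_]*_parameters="\(.*\)"$/\1/p' "$f")
        [ -n "$params" ] || continue
        for p in $params; do
            case $p in
                allow.sysvipc=1|allow.raw_sockets=1)
                    printf '%s %s\n' "$(basename "$f")" "$p" ;;
            esac
        done
    done
}

# Number of flagged (jail, parameter) pairs; non-zero means review needed.
count_risky_params() {
    audit_ezjail_params "$1" | wc -l | tr -d ' '
}

# Exit 0 if the host-wide rc.conf switch from the "Every Jail" section is set,
# which grants SysV IPC to every jail regardless of per-jail parameters.
host_allows_sysvipc() {
    grep -q '^jail_sysvipc_allow="\{0,1\}YES"\{0,1\}$' "$1"
}

# Constructed sample data so the audit runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/jail_db_example_com" <<'EOF'
export jail_db_example_com_hostname="db.example.com"
export jail_db_example_com_parameters="allow.sysvipc=1 allow.raw_sockets=1"
EOF
cat > "$demo_dir/jail_web_example_com" <<'EOF'
export jail_web_example_com_hostname="web.example.com"
export jail_web_example_com_parameters="allow.sysvipc=0"
EOF
printf 'jail_sysvipc_allow="YES"\n' > "$demo_dir/rc.conf"

audit_ezjail_params "$demo_dir"
```

Point audit_ezjail_params at the real /usr/local/etc/ezjail directory and host_allows_sysvipc at /etc/rc.conf to run it against a live host.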