Support #668
Updated by Daniel Curtis almost 7 years ago
{{>toc}}
This is a guide on using ezjail to create a jail on FreeBSD 11.1-RELEASE.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
</pre>
h2. Install Ezjail
* Install ezjail:
<pre>
pkg install ezjail
</pre>
* First, create the *base jail* with the ports tree:
<pre>
ezjail-admin install -p
</pre>
#* *NOTE*: To also install the system sources, add the -s flag:
<pre>
ezjail-admin install -sp
</pre>
* Next, create the *actual jail*, giving it a hostname and IP address:
<pre>
ezjail-admin create jail.example.com 'em0|192.168.100.5'
</pre>
#* *NOTE*: If using multiple interfaces for the jail, specify the IP address for each interface:
<pre>
ezjail-admin create jail.example.com 'em0|10.0.2.0/24,em1|192.168.100.5/24'
</pre>
* Copy your resolv.conf into the jail so it can resolve DNS names:
<pre>
cp /etc/resolv.conf /usr/jails/jail.example.com/etc/
</pre>
* Start and enable the service at boot:
<pre>
sysrc ezjail_enable=YES
service ezjail start
</pre>
* Check whether your jail is running:
<pre>
jls
</pre>
#* _Example output_:
<pre>
JID IP Address Hostname Path
1 192.168.100.13 jail.example.com /usr/jails/jail.example.com
</pre>
* From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system.
<pre>
ezjail-admin console jail.example.com
</pre>
#* Start and enable the sshd service at boot:
<pre>
sysrc sshd_enable=YES
service sshd start
</pre>
h2. Updating Jails
* Update the basejail with freebsd-update:
<pre>
freebsd-update fetch install
reboot
ezjail-admin update -u
</pre>
* To upgrade the base jail to a specific release, in this case 11.0-RELEASE, and merge the updated configuration files into the jail:
<pre>
ezjail-admin update -U -s 11.0-RELEASE
mergemaster -U -D /usr/jails/jail.example.com
</pre>
* To update the base jail's ports tree, which +all jails also have read-only access to+:
<pre>
ezjail-admin update -P
</pre>
h2. Migrating Jails
* Moving jails between hosts is easy with minimal configuration changes. Stop the example jail and archive it to a file:
<pre>
ezjail-admin stop jail.example.com
ezjail-admin archive jail.example.com
</pre>
* The archived file should appear in /usr/jails/ezjail_archives. You can securely transfer the file to another server, set up a base jail there and create the jail from the archive:
<pre>
scp /usr/jails/ezjail_archives/jail_example_com.tar.gz offsite.example.com:/usr/jails/ezjail_archives
ezjail-admin create -a /usr/jails/ezjail_archives/jail_example_com.tar.gz jail.example.com 192.168.100.5
ezjail-admin start jail.example.com
</pre>
h2. Enabling SysV IPC
*WARNING*: Enabling SysV IPC defeats the purpose of separating jails; however, in some cases it simply must be enabled, such as when setting up PostgreSQL in a jail. More information can be found "here":https://www.freebsd.org/doc/en/books/arch-handbook/jail-restrictions.html
* Enable SysV IPC on the host:
<pre>
echo 'security.jail.sysvipc_allowed=1' >> /etc/sysctl.conf
reboot
</pre>
h3. Per Jail
* Edit the ezjail config for the jail:
<pre>
vi /usr/local/etc/ezjail/jail_example_com
</pre>
#* And modify the jail parameters to add the @allow.sysvipc=1@ configuration:
<pre>
export jail_jail_example_com_parameters="allow.sysvipc=1"
</pre>
* Restart the jail:
<pre>
ezjail-admin restart jail.example.com
</pre>
h3. Every Jail
* Allow every jail installed on the host to use SysV IPC:
<pre>
sysrc jail_sysvipc_allow=YES
</pre>
* Restart all jails:
<pre>
service ezjail restart
</pre>
h2. Enable Raw Sockets
To allow a jail to use ping, raw sockets must be enabled.
* Enable Raw Sockets:
<pre>
echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
reboot
</pre>
* Edit the ezjail config for the jail:
<pre>
vi /usr/local/etc/ezjail/jail_example_com
</pre>
#* And modify the jail parameters to add the @allow.raw_sockets=1@ configuration:
<pre>
export jail_jail_example_com_parameters="allow.raw_sockets=1"
</pre>
* Restart all jails:
<pre>
service ezjail restart
</pre>
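The two sections above loosen jail restrictions that are easy to forget about later. As an added check, not part of the original guide, the POSIX sh script below reports which ezjail config files carry @allow.sysvipc@ or @allow.raw_sockets@ in their @_parameters@ line and whether the host-wide sysctl knobs are set. The sample config files and sysctl.conf are constructed for the demonstration, and treating commas as an alternative parameter separator is an assumption.

```sh
#!/bin/sh
# Added example, not from the original guide: report which ezjail jails relax
# the restrictions this page loosens (allow.sysvipc, allow.raw_sockets) and
# whether the host-wide sysctl knobs are set, by parsing the
# "export jail_<safename>_parameters=..." lines the guide edits.

# Constructed sample data for the demo; a real host keeps these files under
# /usr/local/etc/ezjail/ and in /etc/sysctl.conf.
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/jail_example_com" <<'EOF'
export jail_jail_example_com_hostname="jail.example.com"
export jail_jail_example_com_ip="em0|192.168.100.5"
export jail_jail_example_com_parameters="allow.sysvipc=1"
EOF
    cat > "$1/db_example_com" <<'EOF'
export jail_db_example_com_hostname="db.example.com"
export jail_db_example_com_parameters="allow.raw_sockets=1 allow.sysvipc=1"
EOF
    printf 'export jail_web_example_com_hostname="web.example.com"\n' > "$1/web_example_com"
    printf '# constructed\nsecurity.jail.sysvipc_allowed=1\n' > "$1/sysctl.conf"
}

# Print "<config-name> <parameter>" for each relaxed parameter found in the
# ezjail config files under directory $1 (jails without one print nothing).
audit_ezjail_params() {
    for cfg in "$1"/*; do
        [ -f "$cfg" ] || continue
        params=$(sed -n 's/^export jail_[A-Za-z0-9_]*_parameters=//p' "$cfg" | tr -d "\"'")
        for p in $(printf '%s\n' "$params" | tr ',' ' '); do   # comma split is an assumption
            case "$p" in
                allow.sysvipc|allow.sysvipc=1|allow.raw_sockets|allow.raw_sockets=1)
                    printf '%s %s\n' "$(basename "$cfg")" "$p" ;;
            esac
        done
    done
}

# Print the host-wide jail relaxations enabled in a sysctl.conf-style file $1.
audit_sysctl_conf() {
    grep -E '^[[:space:]]*security\.jail\.(sysvipc_allowed|allow_raw_sockets)[[:space:]]*=[[:space:]]*1' "$1" |
        sed 's/[[:space:]]//g'
}

# Stand-alone demo on the constructed data.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
audit_ezjail_params "$demo_dir"
audit_sysctl_conf "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```

On a real host, point @audit_ezjail_params@ at /usr/local/etc/ezjail and @audit_sysctl_conf@ at /etc/sysctl.conf; a jail that appears in the output but no longer needs the relaxation should have the parameter removed and be restarted.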
h2. No IP Address Set On Jail
This happened to me on 11.1-STABLE.
* Edit the jail config:
<pre>
vi /usr/local/etc/ezjail/jail_example_com
</pre>
#* And add the following line to the config:
<pre>
export jail_jail_interface="em0"
</pre>
h2. Resources
* http://www.bsdnow.tv/tutorials/jails
* https://www.freebsd.org/doc/handbook/jails-ezjail.html
* https://wiki.freebsd.org/Jails
* https://www.freebsd.org/doc/en/books/arch-handbook/jail-restrictions.html
* http://www.clausconrad.com/blog/running-postgresql-9-3-in-an-ezjail
* https://forums.freebsd.org/threads/36507/