Kernel_Killer
March 14th, 2008, 12:25
Not too much different from the 6.x version, but some minor updates.

Original at Network Synapse (http://blog.networksynapse.net/index.php?/archives/17-FreeBSD-Jails-in-7.0-Revised.html).

In this tutorial, we are going to use our main interface as a switch. Each jail will be in the same collision domain, but they can be subnetted, or even put as their own networks. For now, we'll stick with the same network, and after this tutorial, you shouldn't have a problem changing the network to your needs.

First I'm going to set the IP to 10.0.0.86, and then run a jail off the main interface.

# ifconfig em0 inet 10.0.0.86 netmask 255.255.255.0
# ifconfig em0 inet alias 10.0.0.88 netmask 255.255.255.255
# ifconfig em0

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::204:5aff:fe6f:1d0c%dc0 prefixlen 64 scopeid 0x1
inet 10.0.0.86 netmask 0xffffff00 broadcast 192.168.115.255
inet 10.0.0.88 netmask 0xffffffff broadcast 192.168.115.181
ether 00:04:5a:6f:1d:0c
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active

Ok. So now we have our main interface at 10.0.0.86 and our aliased IP at 10.0.0.88. Since we don't want any inetd services listening on the aliased IP, we need to add a line to the /etc/rc.conf file.

inetd_flags="-wW -a 10.0.0.86"

Now to make the jail. First make the directory you want the jail in.

# mkdir /usr/jail/server1

Then we make the virtual system.

# cd /usr/src
# make world DESTDIR=/usr/jail/server1
# cd etc
# make distribution DESTDIR=/usr/jail/server1

If we wanted to make a second jail, we could easily do so, without making world again:

# make distribution DESTDIR=/usr/jail/server2

Continuing on:

# cd /usr/jail/server1
# ln -sf /dev/null kernel

Once this is all done your jail is built and ready to be set. First, a few minor details to the setup.

# touch /usr/jail/server1/etc/fstab
# cat /etc/resolv.conf > /usr/jail/server1/etc/resolv.conf

So now we are ready to configure the jail for the first time. We start the jail with the jail command, like so:

# jail /usr/jail/server1 jail1.prison.com 10.0.0.88 /bin/sh

You will then be dropped to a new shell inside the jail. First, set your root password with 'passwd' or with 'sysinstall'. Also set up a user account to use when using SSH to enter. Make sure to also run 'newaliases' while in this environment, otherwise you will have issues with your jail starting with sendmail. Next, create and add the SSH enable line into your new /etc/rc.conf (in the jail).

sshd_enable="YES"

Once you have this done, type 'exit' to leave the jail. Now, we need to mount the proc and dev filesystems for our jail.

# mount -t procfs proc /usr/jail/server1/proc
# mount -t devfs dev /usr/jail/server1/dev

NOTE: If you are having trouble with SSH finding a console, make sure devfs is mounted.

and now to start it all up:

# jail /usr/jail/server1 jail1.prison.com 10.0.0.88 /bin/sh /etc/rc

Now you should be able to ssh to your new jail, and start configuring the services you wish to run inside.

To double check that your jail is running, run 'jls'

# jls

   JID  IP Address      Hostname                      Path
     1  10.0.0.88       jail1.prison.com              /usr/jail/server1

Well, now we have a fully functioning jail. Now we need to set it up so we don't have to start it manually. We are going to add a few more values to the rc.conf. You can probably put this anywhere in the rc.conf, but in good practice, you should put it behind main host specific entries (i.e. hostname, ifconfig, defaultroute, etc).

ifconfig_em0_alias0="inet 10.0.0.88 netmask 0xffffffff"
jail_enable="YES"
jail_list="jail1"
jail_socket_unixiproute_only="YES"
jail_jail1_rootdir="/usr/jail/server1"
jail_jail1_hostname="jail1.prison.com"
jail_jail1_ip="10.0.0.88"
jail_jail1_exec_start="/bin/sh /etc/rc"
jail_jail1_devfs_enable="YES"
jail_jail1_devfs_ruleset="devfsrules_jail"

Here we set the jail config name inside rc.conf, and the settings for that jail "jail_jail1*". We also set the global setting, "jail_socket_unixiproute_only", to only allow TCP/IP to be used inside the jail.

Now, if we want to administer the jail without using SSH, we can always use the jexec command.

jexec <JID> <command>

# jexec 1 /bin/sh

This will drop you right into a Bourne shell in the jail (if it doesn't, run jls, and make sure the JID is correct). While we're in here, go ahead and run 'sysinstall', go to Configure, then Timezone to set your timezone. Now that we have the environment set up, you might want to start installing some ports. Before you go and drop the ports collection into your jail, why not make it to where you don't have to use all of that space? Drop out of your jail shell, if you are in one, to set up the ports from the main to the jail. Since symlinks do not work in a jail (and we don't want them to), log in with your root user, or use sudo to create a ports dir, and mount a nullfs copy of the ports.

# mkdir /usr/jail/server1/usr/ports
# mount_nullfs /usr/ports /usr/jail/server1/usr/ports

If for any reason you need to find processes in the jail, do a "ps ax | grep J" in a shell of the main system.

Now that we have the jail set up, let's say we did something wrong, and needed to stop the jail, and it wasn't started via the rc.conf file. First we need to find the PIDs of the processes. Simply do:

# ps ax | grep J

This will list all the processes in a "J"ailed environment. Kill the processes, and now you can start your jail again correctly. Now, let's say the jail was started by the rc.conf. This makes it quite a bit simpler. Remember, in the rc.conf examples above, we named the jail "jail1". We can stop the jail by doing:

# /etc/rc.d/jail stop jail1

We can also start the jail with this command as well:

# /etc/rc.d/jail start jail1

Now you should be all ready to go with your jail, and many more to come. Be sure that your network service applications in the jail are listening to the aliased IP, otherwise you might have issues connecting to the server with those services. In this sort of setup, you shouldn't have too much of a problem.
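Added example, not part of the original post: a small sh helper that reads the jail IPs out of an rc.conf fragment laid out like the one above and flags host daemons bound to the wildcard address in `sockstat -4 -l` output. Those are the services the post tells you to pin to the host IP (as inetd_flags does with "-a 10.0.0.86"); left on "*", they claim every jail alias as well and collide with the jail's own listeners. The rc.conf and sockstat data are constructed.

```shell
#!/bin/sh
# Added helper, not from the original post: list host daemons bound to the
# wildcard address; those are not pinned to the host IP the way the post
# pins inetd with "-a 10.0.0.86", so they also claim every jail alias IP.

# Constructed rc.conf fragment in the post's jail_<name>_* layout.
RC_CONF='jail_enable="YES"
jail_list="jail1 jail2"
jail_jail1_ip="10.0.0.88"
jail_jail2_ip="10.0.0.89"'

# Constructed sample of `sockstat -4 -l` output (real command, made-up rows).
SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22             *:*
root     inetd      590   5  tcp4   10.0.0.86:21     *:*
www      httpd      700   3  tcp4   *:80             *:*
root     syslogd    501   4  udp4   *:514            *:*'

# jail_ips <name...>: print the jail_<name>_ip value of each named jail.
jail_ips() {
    for name in "$@"; do
        printf '%s\n' "$RC_CONF" | sed -n "s/^jail_${name}_ip=\"\([^\"]*\)\".*/\1/p"
    done
}

# wildcard_listeners: "COMMAND PID PROTO PORT" for each socket bound to *:port.
wildcard_listeners() {
    printf '%s\n' "$SOCKSTAT" |
        awk '$6 ~ /^\*:/ { sub(/^\*:/, "", $6); print $2, $3, $5, $6 }'
}

# report: one line per (wildcard listener, jail IP) pair.
report() {
    list=$(printf '%s\n' "$RC_CONF" | sed -n 's/^jail_list="\([^"]*\)".*/\1/p')
    wildcard_listeners | while read -r cmd pid proto port; do
        for ip in $(jail_ips $list); do
            printf '%s/%s %s *:%s also answers on jail IP %s\n' \
                "$cmd" "$pid" "$proto" "$port" "$ip"
        done
    done
}

report
```

On a live host, replace the constructed strings with `RC_CONF=$(cat /etc/rc.conf)` and `SOCKSTAT=$(sockstat -4 -l)`; an empty report means every host listener is bound to a specific address.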

elmore
April 27th, 2008, 19:20
jail_jail1_devfs_enable="YES"
jail_jail1_devfs_ruleset="devfsrules_jail"

I just used this how-to for my first foray into jails. Nice, works great but you didn't mention anything in the how-to about setting up devfs rules, yet you have the above in your how-to.

Any chance you could show your rules file, and or give us a good overview of setting up our own :)

Kernel_Killer
April 29th, 2008, 02:33
Absolutely, I will do that soon. I thought twice about adding those lines, and figured I would eventually make a second howto on the rules and such. Also, I have a PostgreSQL tut that will be up soon that takes advantage of these things.

cod3fr3ak
May 13th, 2008, 08:42
Wow KK, good writeup. I haven't used FreeBSD for about 2 years. This is a very nice feature.

michael2l
May 30th, 2008, 13:52
Good stuff here. Has anybody played around with ezjails on 7.0?

cipixul
November 20th, 2008, 06:02
Wow, nice. Guess I'm outdated; just have to find some time for this.