Setting up a quick minimal jail on FreeBSD (ZFS)

  • Set up the mount point:

    • Create a ZFS dataset to hold the jails, with one child dataset per jail
    • Set the parent dataset's mountpoint to the jail directory
  • Set up the jail:

    • Extract the base.txz tarball (same release as the host) into the jail's directory
    • Copy the host's resolv.conf (DNS) and localtime (timezone) into the jail, set the hostname in the jail's rc.conf
    • Configure jail parameters in /etc/jail.conf
    • Allow raw sockets so ping works inside the jail (careful: raw sockets let jail root craft arbitrary IP packets, not only ICMP)
    • Create the jail
    • Start the jail service
    • jexec into the jail by name or JID (see jls(8))

Prototype:

# terminal session>
$ export JAILDIR="/usr/local/jails"
$ export JAILNAME="talon1"
$ sudo mkdir -p $JAILDIR
$ sudo zfs create -o mountpoint=$JAILDIR zroot/jails
$ sudo zfs create zroot/jails/$JAILNAME            # mounted at $JAILDIR/$JAILNAME
$ sudo tar -xf base.txz -C $JAILDIR/$JAILNAME      # base.txz of the host's release, fetched beforehand
$ sudo cp /etc/resolv.conf $JAILDIR/$JAILNAME/etc/resolv.conf
$ sudo cp /etc/localtime $JAILDIR/$JAILNAME/etc/localtime
$ echo "hostname=\"$JAILNAME\"" | sudo tee -a $JAILDIR/$JAILNAME/etc/rc.conf
# raw sockets are granted per jail by allow.raw_sockets in jail.conf; the old
# security.jail.allow_raw_sockets sysctl is not needed and cannot be set from inside the jail
  • Set up /etc/jail.conf
# /etc/jail.conf

# Global settings applied to all jails.
$jaildir = "/usr/local/jails";

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

# /dev inside the jail, filtered by devfs ruleset 4 (devfsrules_jail) by default.
mount.devfs;

# Lets jail root open raw sockets so ping works. Careful: raw sockets also let
# jail root craft arbitrary IP packets, so leave this off unless ping is needed.
allow.raw_sockets = 1;

# Mount permissions. Each of these is a no-op unless allow.mount is also set and
# enforce_statfs is below 2, and each exposes another in-kernel filesystem to
# jail root. A minimal jail needs none of them; uncomment only what you use.
# allow.mount;
# enforce_statfs = 1;
# allow.mount.nullfs;
# allow.mount.tmpfs;
# allow.mount.devfs;
# allow.mount.fdescfs;
# allow.mount.fusefs;
# allow.mount.procfs;
# allow.mount.linprocfs;
# allow.mount.linsysfs;

# The jail definition for talon1. $name is the jail's own name, set by jail(8);
# shell variables such as $JAILNAME are not visible here.
talon1 {
    host.hostname = "$name";                # Hostname
    path = "$jaildir/$name";                # Path to the jail
    interface = "em0";                      # Host NIC that gets the alias (see ifconfig -l); eth0 is a Linux name
    ip4.addr = 192.168.xxx.xxx;             # IP address assigned
}
  • Patch, start and enter the jail
# terminal session>
$ sudo freebsd-update -b "$JAILDIR/$JAILNAME" fetch install   # bring the extracted tree to the host's patch level; the tree must be the host's release
$ sudo sysrc jail_enable=YES
$ sudo sysrc jail_list+=$JAILNAME
$ sudo service jail start $JAILNAME      # runs jail -c -f /etc/jail.conf talon1; a one-off alternative is sudo jail -c $JAILNAME (jail -r to remove)
$ jls                                    # JID, IP address, hostname and path of each running jail
$ sudo jexec -l $JAILNAME                # root login shell inside the jail; -U user instead of -l once an unprivileged jail user exists

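The whole procedure above folded into one script, as an added example that is not part of the original notes. Beyond the steps themselves it adds the two checks a practitioner wants before trusting the tree: base.txz is verified against the SHA-256 recorded in the release MANIFEST before it is extracted, and the jail address is validated so a placeholder such as 192.168.xxx.xxx cannot land in jail.conf. Everything below that is not on the page is an assumption: pool zroot, jails under /usr/local/jails, an amd64 host (the download path differs on arm64), a download cache in /var/tmp/freebsd-dist, and an /etc/jail.conf that already carries the global settings (exec.start, mount.devfs, allow.raw_sockets). The privileged steps only run when the script is invoked as root on FreeBSD with three arguments; the helper functions run anywhere.

```shell
#!/bin/sh
# mkjail.sh: build one minimal ZFS-backed jail end to end. Added example, not
# the original notes' code. Assumptions: pool zroot, jails under /usr/local/jails,
# amd64 (download path differs on arm64), and /etc/jail.conf already carrying
# the global settings (exec.start, mount.devfs, allow.raw_sockets).
set -eu

ZPOOL=zroot                 # assumption: pool name
JAILDIR=/usr/local/jails    # assumption: parent dataset mountpoint
DIST=/var/tmp/freebsd-dist  # assumption: where base.txz and MANIFEST are cached

# SHA-256 of a file; FreeBSD ships sha256(1), Linux and macOS differ.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check base.txz against the release MANIFEST (tab-separated: file, sha256,
# file count, dist name, description, default). A truncated or tampered
# download must not become a jail root, so refuse to extract on mismatch.
verify_base() {
    txz=$1 manifest=$2
    want=$(awk -F'\t' -v f="$(basename "$txz")" '$1 == f { print $2 }' "$manifest")
    [ -n "$want" ] || { echo "no MANIFEST entry for $txz" >&2; return 1; }
    have=$(sha256_of "$txz")
    [ "$want" = "$have" ] || { echo "checksum mismatch for $txz" >&2; return 1; }
}

# Dotted quad with octets 0-255; rejects placeholders such as 192.168.xxx.xxx
# before they reach jail.conf.
valid_ip4() {
    addr=$1
    case "$addr" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Per-jail stanza for /etc/jail.conf; the globals are expected above it.
jail_conf_block() {
    name=$1 iface=$2 ip=$3
    printf '%s {\n' "$name"
    printf '    host.hostname = "%s";\n' "$name"
    printf '    path = "%s/%s";\n' "$JAILDIR" "$name"
    printf '    interface = "%s";\n' "$iface"
    printf '    ip4.addr = %s;\n' "$ip"
    printf '}\n'
}

# FreeBSD-only, root-only: the steps from the notes, in dependency order.
create_jail() {
    name=$1 iface=$2 ip=$3
    valid_ip4 "$ip" || { echo "bad ip4.addr: $ip" >&2; return 1; }
    rel=$(freebsd-version -u | sed 's/-p[0-9]*$//')        # 14.1-RELEASE-p5 -> 14.1-RELEASE
    url="https://download.freebsd.org/releases/$(uname -m)/$rel"   # assumption: amd64 layout
    mkdir -p "$DIST/$rel"
    for f in MANIFEST base.txz; do
        [ -f "$DIST/$rel/$f" ] || fetch -o "$DIST/$rel/$f" "$url/$f"
    done
    verify_base "$DIST/$rel/base.txz" "$DIST/$rel/MANIFEST"
    zfs list "$ZPOOL/jails" >/dev/null 2>&1 || zfs create -o mountpoint="$JAILDIR" "$ZPOOL/jails"
    zfs create "$ZPOOL/jails/$name"                           # mounted at $JAILDIR/$name
    tar -xf "$DIST/$rel/base.txz" -C "$JAILDIR/$name"
    cp /etc/resolv.conf /etc/localtime "$JAILDIR/$name/etc/"
    printf 'hostname="%s"\n' "$name" >> "$JAILDIR/$name/etc/rc.conf"
    freebsd-update -b "$JAILDIR/$name" --not-running-from-cron fetch install
    jail_conf_block "$name" "$iface" "$ip" >> /etc/jail.conf
    sysrc jail_enable=YES
    sysrc jail_list+="$name"
    service jail start "$name"
}

if [ "$#" -eq 3 ] && [ "$(uname -s)" = FreeBSD ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_jail "$@"
fi
```

Usage on the host: `sudo sh mkjail.sh talon1 em0 192.168.1.10`. The jail name, host interface and address are the only inputs; the checksum check is what makes re-using a cached base.txz safe, since a partially downloaded or swapped tarball fails before anything is extracted.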