FreeBSD (ez)jail howto

Table of Contents

Prepare the system
Create ezjail templates
Working with the jails

Prepare the system

by ross at 14:03:36 on February 23, 2013

In order to create jails you will need /usr/obj populated with the result of make buildworld.

Update /usr/src as usual then:

# chflags -R noschg /usr/obj/*
# rm -rf /usr/obj/*
# cd /usr/src
# make buildworld

Install ezjail on host system:

# cd /usr/ports/sysutils/ezjail
# make install clean

Add to /etc/rc.conf:

ezjail_enable="YES"

Prepare a hostname and IP address for each jail

You have two options here:

  • Register a hostname for a spare address of one of your external interfaces with your DNS server.
  • Create an alias on a local interface and arrange access from outside using firewall forwarding or a reverse proxy.

I will show the first approach here. If, for example, you have three Internet addresses on your interface (/etc/rc.conf):

ifconfig_re0="inet 1.2.3.4/24"
ifconfig_re0_alias0="inet 1.2.3.5/24"
ifconfig_re0_alias1="inet 1.2.3.6/24"

You can use the first one for the host system and the aliases for the jails.

Most of the daemons on the host system bind to 0.0.0.0 by default, i.e. to all the IP addresses available. This means that they also listen on the IP addresses assigned to the jails. So if you want sshd in your jail, for example, you have to reconfigure sshd on the host to bind to a specific host IP address, and sshd in the jail to bind to the jail's IP only.
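To see which host daemons would overlap with jail addresses before starting the jails, the following added check (not part of the original howto) parses the output of sockstat -4 -l and reports every listener bound to the wildcard address or directly to one of the jail IPs. The sockstat output below is a constructed sample; on a real host feed it "$(sockstat -4 -l)" instead.

```shell
# Constructed sample of `sockstat -4 -l` output on the host (not real data).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     ntpd       650   20 tcp4   1.2.3.4:123           *:*
www      nginx      1020  6  tcp4   1.2.3.5:80            *:*
root     syslogd    540   7  udp4   *:514                 *:*'

# Print one line per host listener whose bind address also covers a jail IP:
# either a wildcard ("*") bind or an explicit bind to one of the jail addresses.
# $1 = sockstat output, remaining arguments = jail IP addresses.
find_jail_overlaps() {
    input=$1; shift
    jails=$*
    printf '%s\n' "$input" | awk -v jails="$jails" '
        BEGIN { n = split(jails, j, " "); for (i = 1; i <= n; i++) jailip[j[i]] = 1 }
        NR == 1 { next }                          # skip the header line
        {
            addr = $6; sub(/:[^:]*$/, "", addr)   # LOCAL ADDRESS without the port
            port = $6; sub(/^.*:/, "", port)      # just the port
            if (addr == "*")
                printf "%s (pid %s) binds %s/%s on all addresses, including jail IPs\n", $2, $3, $5, port
            else if (addr in jailip)
                printf "%s (pid %s) binds %s/%s directly on jail address %s\n", $2, $3, $5, port, addr
        }'
}

# Number of overlapping listeners; zero means the host side is clean.
count_jail_overlaps() {
    find_jail_overlaps "$@" | wc -l | tr -d ' '
}

find_jail_overlaps "$SAMPLE_SOCKSTAT" 1.2.3.5 1.2.3.6
```

Each reported daemon needs a ListenAddress (or equivalent) pinned to the host address, here 1.2.3.4, before the jail's own copy can claim the same port on the jail IP.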

Sysctl variables

Refer to jail(8) for a description of the sysctl variables available.

For example, to allow ping from inside the jail use (on the host):

# sysctl security.jail.allow_raw_sockets=1

Restart the jails after changing the variable.
