Managing FreeBSD jails with ezjail

Creating and managing FreeBSD jails can be automated and simplified using Dirk Engling’s ezjail framework.

ezjail is available as the sysutils/ezjail port or the binary package:

pkg install ezjail

Enable ezjail in /etc/rc.conf:

ezjail_enable="YES"

Enable ZFS support in /usr/local/etc/ezjail.conf:

ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="tank/ezjail"

Install the ezjail environment (basejail, including a ports tree):

ezjail-admin install -p

Later, the basejail's ports tree can be updated:

ezjail-admin update -P

ezjail allows jails to be configured automatically after they are created (e.g. creating /etc/resolv.conf) using the concept of flavours.

Let’s create a “default” flavour and put /etc/resolv.conf there:

mkdir -p /usr/jails/flavours/default/etc
cp /etc/resolv.conf /usr/jails/flavours/default/etc

We can also set up /usr/jails/flavours/default/etc/rc.conf:

# No network interfaces in jails
network_interfaces=""

# Prevent rpc
rpcbind_enable="NO"

# Prevent loads of jails doing their cron jobs at the same time
cron_flags="$cron_flags -J 15"

# Prevent syslogd from opening network sockets
syslogd_flags="-ss"

# Disable sendmail
sendmail_enable="NONE"

And /usr/jails/flavours/default/etc/periodic.conf:

daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
daily_status_security_output="/var/log/daily_status_security.log"
daily_status_network_enable="NO"
daily_status_security_ipfwlimit_enable="NO"
daily_status_security_ipfwdenied_enable="NO"
weekly_whatis_enable="NO"       # our jails have a read-only /usr

Each jail should have its own IP address. If we have only one external IP, then we should set up internal IP addresses that can be assigned to jails.

Create an additional (cloned loopback) network interface in /etc/rc.conf:

cloned_interfaces="${cloned_interfaces} lo1"
ifconfig_lo1="inet 10.0.0.1/24"
ifconfig_lo1_alias0="inet 10.0.0.2/24"
ifconfig_lo1_alias1="inet 10.0.0.3/24"

And initialize it:

service netif cloneup

Then set up PF in /etc/pf.conf:

# External network interface (placeholder: replace EXT_IF with the name of
# the interface carrying the public IP, otherwise pfctl will reject the rules)
ext_if="EXT_IF"
# Internal network interface
int_if="lo1"
# Jails subnet
localnet="10.0.0.0/24"

# Enable NAT for jails subnet
nat on $ext_if from $localnet to any -> ($ext_if)
# Redirect HTTP to the jail address
rdr pass on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.1

# Allow all incoming traffic on internal network interface
pass in on $int_if

And reload PF config:

pfctl -vf /etc/pf.conf

Create a new jail:

ezjail-admin create -f default testjail 10.0.0.1

List all jails managed by ezjail:

ezjail-admin list

Start the jail:

ezjail-admin start testjail

Attach console to the jail:

ezjail-admin console testjail

Stop the jail:

ezjail-admin stop testjail
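As an added example (not part of the original post or of ezjail itself), two small POSIX sh helpers for the steps above: one generates the lo1 rc.conf stanza for N jail addresses, the other audits a flavour's rc.conf for the hardening settings listed earlier. The 10.0.0.0/24 subnet is taken from the post; the file path is a parameter so the audit can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh only.

# Emit the /etc/rc.conf lines for a cloned lo1 carrying one address per jail
# in 10.0.0.0/24 (the subnet used in the post).
# Usage: gen_lo1_rc <first-host-number> <count>   e.g. gen_lo1_rc 1 3
gen_lo1_rc() {
    first=$1; count=$2; i=0
    echo 'cloned_interfaces="${cloned_interfaces} lo1"'
    while [ "$i" -lt "$count" ]; do
        host=$((first + i))
        if [ "$i" -eq 0 ]; then
            # first address goes on the interface itself
            echo "ifconfig_lo1=\"inet 10.0.0.$host/24\""
        else
            # further addresses become alias0, alias1, ...
            echo "ifconfig_lo1_alias$((i - 1))=\"inet 10.0.0.$host/24\""
        fi
        i=$((i + 1))
    done
}

# Audit a flavour's rc.conf for the hardening settings from the post.
# Each setting must appear on its own line exactly as written (grep -xF).
# Prints every missing setting; returns the number missing (0 = all present).
check_flavour_rcconf() {
    rcconf=$1; missing=0
    for want in 'network_interfaces=""' 'rpcbind_enable="NO"' \
                'cron_flags="$cron_flags -J 15"' 'syslogd_flags="-ss"' \
                'sendmail_enable="NONE"'; do
        if ! grep -qxF "$want" "$rcconf"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Example invocations (paths are placeholders for your own setup):
#   gen_lo1_rc 1 3 >> /etc/rc.conf
#   check_flavour_rcconf /usr/jails/flavours/default/etc/rc.conf
```

Run the audit before `ezjail-admin create`, since the flavour is copied into the jail only at creation time.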