
Jails and EZJail

Using FreeBSD Jails and EZJail.

Preface

Although you can maintain your FreeBSD jails manually, and there are quite a few tutorials around, I found that I liked the implementation done through EZJail.


Installation

Only the EZJail port needs to be installed:

cd /usr/ports/sysutils/ezjail
make clean
make install
make clean


Configuration

There is only one configuration file for EZJail (ezjail.conf), and it is completely documented. Although everything I use is the default, I prefer to uncomment those parameters in case the defaults change during a port upgrade. Therefore, copy the sample configuration file and edit it according to your preferences:

cd /usr/local/etc
cp ezjail.conf.sample ezjail.conf
vi ezjail.conf

The following is my ezjail.conf file:

# ezjail.conf
#

ezjail_jaildir=/usr/jails
ezjail_jailtemplate=${ezjail_jaildir}/newjail
ezjail_jailbase=${ezjail_jaildir}/basejail
ezjail_sourcetree=/usr/src
# ezjail_portscvsroot=:pserver:anoncvs@anoncvs.at.FreeBSD.org:/home/ncvs
# ezjail_ftphost=ftp.freebsd.org
ezjail_uglyperlhack="YES"

ezjail_mount_enable="YES"
ezjail_devfs_enable="YES"
# ezjail_devfs_ruleset="devfsrules_jail"
ezjail_procfs_enable="YES"
ezjail_fdescfs_enable="YES"

#

Finally we need to enable the userland ezjail.sh script to run by adding the following line to /etc/rc.conf:

ezjail_enable="YES"


Initialize the Base Jail

Before any jails can be created we need to initialize the base jail and update the ports collection within the base jail:

ezjail-admin update -i -p


EZJail Flavour Configuration

Next I copy the existing "default" flavour and create my own "standard" flavour:

cd /usr/jails/flavours
cp -R default standard
cd standard
vi ezjail.flavour

The only change I really make to ezjail.flavour is to add a user upon jail startup with a known default password ('admin' in this instance):

echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n admin -u 1001 -s /bin/sh -m -d /home/admin -G wheel -c 'Jeff Doolittle' -H 0

Next I edit the flavour's rc.conf file to enable sshd access when the jails are created:

cd etc
vi rc.conf

The following is my rc.conf file:

# No network interfaces in jails
network_interfaces=""

# Prevent rpc
rpcbind_enable="NO"

# Prevent loads of jails doing their cron jobs at the same time
cron_flags="$cron_flags -J 15"

# Prevent syslog to open sockets
syslogd_flags="-ss"

# Prevent sendmail to try to connect to localhost
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Bring up sshd, it takes some time and uses some entropy on first startup
sshd_enable="YES"

Since we've disabled sendmail, we'll need to redirect all command-line-generated mail to our real mail server; besides, jails cannot talk to the localhost address (127.0.0.1). Change the existing FEATURE(`msp'...) line in /etc/mail/freebsd.submit.mc within the flavour:

# FEATURE(`msp', `[127.0.0.1]')dnl
FEATURE(`msp', `[mail.kingsquarry.net]')dnl


Creating/Starting a Jail

Finally you can create the first jail using the flavour created above, but the desired IP alias must first be added to the network card (lnc0 in this instance):

ifconfig lnc0 192.168.1.50 netmask 255.255.255.255 alias
ezjail-admin create -f standard www.kingsquarry.net 192.168.1.50
/usr/local/etc/rc.d/ezjail.sh start www.kingsquarry.net

Once the jail is started it's critical that we log in and perform a couple of clean-up tasks (setting root's password and finishing the sendmail configuration):

ssh 192.168.1.50 -l admin
passwd                      # change the admin user's default password
su -
passwd                      # give the root account a password
cd /etc/mail
make install-submit-cf      # build and install the edited freebsd.submit.mc
/etc/rc.d/sendmail restart
exit
exit

And finally we need to make one change to the host's /etc/rc.conf so the alias is always added at boot, since EZJail is configured to start our jail automatically on startup:

cd /etc
vi rc.conf

Add the following line to rc.conf:

ifconfig_lnc0_alias0="192.168.1.50 netmask 0xffffffff"
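The flavour rc.conf settings and the host alias step above, wrapped in an added POSIX sh helper that is not part of ezjail or of this page. It assumes only the file layout shown here (a flavour's etc/rc.conf and the host's /etc/rc.conf); the alias function goes a step beyond the text by picking the next free aliasN slot, because rc.d/netif walks alias0, alias1, ... and stops at the first gap, so a second jail must not reuse alias0.

```shell
#!/bin/sh
# Added helper (hypothetical, not part of ezjail): audit a flavour's etc/rc.conf
# for the jail-hardening settings used above, and build the host rc.conf alias
# line for a new jail IP without clobbering an existing aliasN entry.

# Print a FAIL line for every expected setting that is missing or differs.
# Returns 0 only when every setting matches.
audit_flavour_rcconf() {
    rcconf=$1
    failures=0
    while IFS='=' read -r key want; do
        if ! grep -q "^${key}=" "$rcconf"; then
            echo "FAIL: $key not set"
            failures=$((failures + 1))
            continue
        fi
        # the last assignment wins in sh, so take the final match; strip quotes
        got=$(sed -n "s/^${key}=\(.*\)\$/\1/p" "$rcconf" | tail -n 1 | tr -d '"')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '$got', expected '$want'"
            failures=$((failures + 1))
        fi
    done <<'EOF'
network_interfaces=
rpcbind_enable=NO
syslogd_flags=-ss
sendmail_enable=NO
sendmail_submit_enable=NO
sendmail_outbound_enable=NO
sendmail_msp_queue_enable=NO
sshd_enable=YES
EOF
    [ "$failures" -eq 0 ]
}

# Emit the rc.conf line for a new jail IP on the next free alias slot.
rcconf_alias_line() {
    nic=$1 ip=$2 rcconf=$3 n=0
    # rc.d/netif walks ifconfig_<nic>_alias0, alias1, ... and stops at the
    # first gap, so the new entry must take the next consecutive index.
    while grep -q "^ifconfig_${nic}_alias${n}=" "$rcconf"; do n=$((n + 1)); done
    echo "ifconfig_${nic}_alias${n}=\"$ip netmask 0xffffffff\""
}
```

Source the file and run `audit_flavour_rcconf /usr/jails/flavours/standard/etc/rc.conf` before creating jails, and `rcconf_alias_line lnc0 192.168.1.51 /etc/rc.conf` to get the line to append for the next jail.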


Conclusion

You should now have a base jail and an associated flavour for creating your first jails.  If your DNS setup is static, adding a resolv.conf to the standard flavour would be a nice time saver.
