
Jails and EZJail

Using FreeBSD Jails and EZJail.

Preface

Although you can maintain your FreeBSD jails manually and there are quite a few tutorials around, I found that I liked the implementation done through EZJails.

(Note: Revised/Corrected after implementing a new environment w/FreeBSD v7.0 amd64 & ezjail v3)

(Note: Revised/Corrected after implementing w/FreeBSD v7.3 source upgrade and general lessons learned)

 

Installation

Only the EZJail port needs to be installed:

cd /usr/ports/sysutils/ezjail
make clean
make install
make clean

 

Configuration

There is only one configuration file for EZJail (ezjail.conf) and it is completely documented. Although everything I use is a default, I prefer to uncomment those parameters explicitly in case the defaults should change during a port upgrade. Therefore, copy the sample configuration file and edit it according to your preferences:

cd /usr/local/etc
cp ezjail.conf.sample ezjail.conf
vi ezjail.conf

The following is my ezjail.conf file:

# ezjail.conf
#

ezjail_jaildir=/usr/jails
ezjail_jailtemplate=${ezjail_jaildir}/newjail
ezjail_jailbase=${ezjail_jaildir}/basejail
ezjail_sourcetree=/usr/src
# ezjail_portscvsroot=:pserver:anoncvs@anoncvs.at.FreeBSD.org:/home/ncvs
# ezjail_ftphost=ftp.freebsd.org
ezjail_uglyperlhack="YES"

ezjail_mount_enable="YES"
ezjail_devfs_enable="YES"
# ezjail_devfs_ruleset="devfsrules_jail"
ezjail_procfs_enable="YES"
ezjail_fdescfs_enable="YES"

#

Finally we need to enable the userland ezjail.sh script to run by adding the following line to /etc/rc.conf:

ezjail_enable="YES"

 

Initialize the Base Jail

Before any jails can be created we need to initialize the base jail and update the ports collection within the base jail:

ezjail-admin update -i -p

(Note:  The "-i" parameter assumes you update your system through the buildworld process and have left the build tree in place)

 

EZJail Flavour Configuration

I copy the existing "default" flavour and create my own "standard" flavour:

cd /usr/jails/flavours
cp -R default standard
cd standard
vi ezjail.flavour

Then I add a default user with a known password (admin) and also install portmaster:

echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n admin -u 1001 -s /bin/sh -m -d /home/admin -G wheel -c 'Admin User' -H 0

# Add to the bottom of the file
cd /usr/ports/ports-mgmt/portmaster && make install && make clean

Next I edit the rc.conf file to enable sshd access when the jails are created:

cd etc
vi rc.conf

The following is my rc.conf file:

# No network interfaces in jails
network_interfaces=""

# Prevent rpc
rpcbind_enable="NO"

# Prevent loads of jails doing their cron jobs at the same time
cron_flags="$cron_flags -J 15"

# Prevent syslog to open sockets
syslogd_flags="-ss"

# Prevent sendmail to try to connect to localhost
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Bring up sshd, it takes some time and uses some entropy on first startup
sshd_enable="YES"

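The rc.conf above strips every network listener out of the jail except sshd, which is the part of the flavour most worth re-checking after a port upgrade or a hand edit. As an added example (not from the original page, and not anything ezjail ships), the following POSIX sh script parses an rc.conf-style file the way sh would (last assignment wins, quotes stripped) and reports each setting that is missing or differs from the ones listed above. The function names `rc_get` and `check_jail_rcconf` and the sample file written by the demo are my own; point `check_jail_rcconf` at /usr/jails/flavours/standard/etc/rc.conf to audit the real flavour.

```shell
#!/bin/sh
# Added example, not from the original page: audit a jail flavour's etc/rc.conf
# for the hardening settings described above (no interfaces, no rpcbind, syslogd
# not listening, sendmail off, sshd on). The sample written at the bottom is
# constructed for the demo.

# rc_get FILE VAR: print VAR's value as sh would see it (last assignment wins,
# one layer of surrounding quotes stripped). Returns 1 if VAR is never assigned.
rc_get() {
    _line=$(grep "^[[:space:]]*${2}=" "$1" | tail -n 1)
    [ -n "$_line" ] || return 1
    _v=${_line#*=}
    _v=${_v#\"}; _v=${_v%\"}
    _v=${_v#\'}; _v=${_v%\'}
    printf '%s\n' "$_v"
}

# check_jail_rcconf FILE: print one FAIL line per deviation from the page's
# settings; the exit status is the number of problems (0 means the file is clean).
check_jail_rcconf() {
    _file=$1; _fails=0
    for _pair in network_interfaces= rpcbind_enable=NO sshd_enable=YES \
                 sendmail_enable=NO sendmail_submit_enable=NO \
                 sendmail_outbound_enable=NO sendmail_msp_queue_enable=NO; do
        _var=${_pair%%=*}; _want=${_pair#*=}
        if ! _got=$(rc_get "$_file" "$_var"); then
            echo "FAIL: $_var is not set (the rc default applies instead)"
            _fails=$((_fails + 1))
        elif [ "$_got" != "$_want" ]; then
            echo "FAIL: $_var=\"$_got\" (expected \"$_want\")"
            _fails=$((_fails + 1))
        fi
    done
    # syslogd must run with -ss or it binds a UDP socket on the jail's address
    case "$(rc_get "$_file" syslogd_flags)" in
        *-ss*) ;;
        *) echo "FAIL: syslogd_flags lacks -ss"; _fails=$((_fails + 1)) ;;
    esac
    return "$_fails"
}

# --- demo on a constructed sample: the page's flavour rc.conf minus sshd ---
_demo=$(mktemp -d)
cat > "$_demo/rc.conf" <<'EOF'
network_interfaces=""
rpcbind_enable="NO"
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
EOF
check_jail_rcconf "$_demo/rc.conf" || echo "$? problem(s) found"   # reports sshd_enable missing
rm -rf "$_demo"
```

A missing variable is reported separately from a wrong one because rc.conf is layered over /etc/defaults/rc.conf: leaving `network_interfaces` unset does not give you an empty value, it gives you the default.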
Now create a resolv.conf file:

vi resolv.conf

The following is my resolv.conf file:

domain  kingsquarry.net
nameserver      192.168.1.51
nameserver      192.168.1.21

 

Creating/Starting a Jail

Finally you can create the first jail using the flavour created above, but the desired IP alias must be added to the network card first (lnc0 in this instance; others include em0, lagg0, etc.):

ifconfig lnc0 192.168.1.50 netmask 255.255.255.255 alias
ezjail-admin create -f standard www.kingsquarry.net 192.168.1.50
/usr/local/etc/rc.d/ezjail.sh start www.kingsquarry.net

Once the jail is started it's critical that we login and perform a couple of clean-up tasks (setting root's password and finishing the sendmail configuration):

ssh 192.168.1.50 -l admin
passwd   <- Change your password
su -
passwd   <- Give a password for the root account
cd /etc/mail
make install-submit-cf
/etc/rc.d/sendmail restart
exit
exit

Since we've disabled the sendmail daemon we'll need to redirect all command-line generated mail to our real server; besides, jails cannot talk on the localhost address (127.0.0.1).  First, we need to create the submit file:

cd /etc/mail
make install-submit-cf

Edit the mc file (fqdn.submit.mc) created by running the above command and change the existing FEATURE(`msp', ...) line:

dnl FEATURE(`msp', `[127.0.0.1]')dnl
FEATURE(`msp', `[your.mail.server.here.net]')dnl

Save the above changes and once again execute the following:

make install-submit-cf

Finally, make sure your eMail server is configured properly to accept eMail from this host and, possibly, to receive eMail directed to it.

Logout of the jail, returning to the host BSD session and, if needed, add the alias to the /etc/rc.conf file:

ifconfig_lnc0_alias0="192.168.1.50 netmask 0xffffffff"
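Two things in the steps above are easy to get wrong by hand: the alias slot number in /etc/rc.conf must be one the interface does not already use, and the address must not already belong to the host or another jail (two jails answering for one IP is a silent outage rather than an error), while inside the jail the msp line must have moved off 127.0.0.1. As an added example (not from the original page), the following POSIX sh helpers derive the next free `ifconfig_IFACE_aliasN` line from an rc.conf file, refuse an address already assigned there, check which host a fqdn.submit.mc relays to, and wrap the page's three creation commands so the rc.conf line is only appended once the jail is up. The function names, the example.net names and the file contents in the demo are my own constructed values; `ifconfig`, `ezjail-admin` and `ezjail.sh` are invoked exactly as the page does.

```shell
#!/bin/sh
# Added example, not from the original page: consistency checks for the
# "create a jail" steps. File contents in the demo are constructed; the ezjail
# commands in new_jail are the page's own.

# next_alias_index FILE IFACE: 0 if FILE has no ifconfig_IFACE_aliasN lines,
# otherwise the highest N plus one.
next_alias_index() {
    _max=$(sed -n "s/^ifconfig_${2}_alias\([0-9][0-9]*\)=.*/\1/p" "$1" | sort -n | tail -n 1)
    echo $(( ${_max:--1} + 1 ))
}

# ip_in_use FILE IP: succeeds if IP appears in any ifconfig_* assignment
# (primary address or alias), matching whole addresses only.
ip_in_use() {
    _re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "^ifconfig_.*=.*[\" ]${_re}[\" ]" "$1" >/dev/null 2>&1
}

# alias_rcconf_line FILE IFACE IP: print the rc.conf line to append, or fail.
alias_rcconf_line() {
    if ip_in_use "$1" "$3"; then
        echo "error: $3 is already assigned in $1" >&2
        return 1
    fi
    printf 'ifconfig_%s_alias%s="%s netmask 0xffffffff"\n' "$2" "$(next_alias_index "$1" "$2")" "$3"
}

# msp_relay MCFILE: print the host the active (not dnl'd) FEATURE(`msp') line
# relays to. Returns 1 if there is none, 2 if it still points at loopback,
# which a jail cannot reach.
msp_relay() {
    _h=$(sed -n "s/^FEATURE(\`msp', *\`\[\{0,1\}\([^]']*\)]\{0,1\}')dnl.*/\1/p" "$1" | tail -n 1)
    [ -n "$_h" ] || { echo "error: no active FEATURE(msp) in $1" >&2; return 1; }
    printf '%s\n' "$_h"
    case "$_h" in
        127.*|localhost) echo "error: msp relays to loopback" >&2; return 2 ;;
    esac
}

# new_jail RCCONF IFACE FQDN IP: the page's three commands in order, persisting
# the alias to RCCONF only after the jail is up. Set RUN=echo for a dry run.
new_jail() {
    _line=$(alias_rcconf_line "$1" "$2" "$4") || return 1
    $RUN ifconfig "$2" "$4" netmask 255.255.255.255 alias &&
    $RUN ezjail-admin create -f standard "$3" "$4" &&
    $RUN /usr/local/etc/rc.d/ezjail.sh start "$3" &&
    printf '%s\n' "$_line" >> "$1"
}

# --- demo on a constructed rc.conf: one primary address, one existing alias ---
_demo=$(mktemp -d)
cat > "$_demo/rc.conf" <<'EOF'
ifconfig_lnc0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_lnc0_alias0="192.168.1.50 netmask 0xffffffff"
EOF
alias_rcconf_line "$_demo/rc.conf" lnc0 192.168.1.50 || true   # refused: already in use
RUN=echo; new_jail "$_demo/rc.conf" lnc0 www.example.net 192.168.1.51; unset RUN
cat "$_demo/rc.conf"   # now ends with ifconfig_lnc0_alias1="192.168.1.51 netmask 0xffffffff"
rm -rf "$_demo"
```

The dry run prints the three commands instead of executing them; drop `RUN=echo` on the host to perform them. `msp_relay` is meant to be run against /etc/mail/fqdn.submit.mc inside the jail after the edit above, before the second `make install-submit-cf`.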

 

Conclusion

You should now have a base jail with an associated flavour for creating some initial items.  If you have a constant DNS setup then adding resolv.conf to the standard flavour would be a nice time saver.

 
