MediaWiki:Welcome to the Howto page/FreeBSD/Jails


Introduction


A FreeBSD jail can be thought of as an expanded chroot environment; in effect it is as though a separate instance of the operating system has been installed inside the "host" system, which is true up to a point. It is quite similar to Solaris Zones, with the major difference that jails have to be created manually or with the ezjail utility, which must be installed separately.


A jail comprises four major components:

  • A Directory Subtree
  • A Hostname
  • An IP Address
  • A Command


The directory subtree is the root of the jail, much like the root of a chroot environment. The difference is that it contains a basic operating system environment, installed from a FreeBSD buildworld.

As an example:


Jail root: /usr/jail/myjail/

Directory subtree: /usr/jail/myjail/../...


The hostname is the hostname or FQDN of the jail, in the form host.domain.com.

The IP address is the IPv4 or IPv6 address of the virtual host embedded inside the jail.

The command is the executable that runs inside the jail, such as a binary application or a shell script. Its path is relative to the root directory of the jail and depends on the type of jail environment.


Creating a Jail


The basic procedure for creating a jail is as follows (# is the root shell prompt; setenv is csh syntax):

# setenv D /path/to/jail
# mkdir -p $D
# cd /usr/src
# make buildworld
# make installworld DESTDIR=$D
# make distribution DESTDIR=$D
# mount -t devfs devfs $D/dev


Note

In order for buildworld to compile, all sources must have been selected when the Distribution set was installed. See the Install page, under the Configuration heading, for details: select the [src] check box so that all sources are installed.


In order to enable the jails these settings must be put into /etc/rc.conf (each jail listed in jail_list gets its own jail_<name>_* block; jail_interface on its own sets the default interface for all jails, the per-jail form overrides it):

jail_enable="YES"
jail_list="jail1 jail2 jail3"
jail_jail1_rootdir="/path/to/jail1"
jail_jail1_hostname="jail1.domain.com"
jail_jail1_interface="em0"
jail_jail1_ip="10.11.1.1"
jail_jail1_devfs_enable="YES"
[...]
jail_jail3_rootdir="/path/to/jail3"
jail_jail3_hostname="jail3.domain.com"
jail_jail3_interface="em0"
jail_jail3_ip="10.11.1.3"
jail_jail3_devfs_enable="YES"
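As an added example (not part of the original wiki page), the POSIX sh function below emits one jail's rc.conf block in the format shown above after validating the inputs, so that a typo never lands in the live configuration. It assumes the classic jail_<name>_* variable names used on this page, and additionally sets jail_<name>_devfs_ruleset to devfsrules_jail, the stock ruleset from /etc/defaults/devfs.rules that hides most device nodes from the jail; it only prints text and touches nothing on the system.

```sh
#!/bin/sh
# Added example: generate and validate a per-jail rc.conf stanza.
# Assumes the jail_<name>_* rc.conf variables used on this page plus
# jail_<name>_devfs_ruleset="devfsrules_jail" (stock devfs.rules ruleset).

# valid_ipv4 A.B.C.D -> returns 0 if every octet is a number in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# jail_stanza NAME ROOTDIR HOSTNAME IFACE IP -> prints the rc.conf lines,
# or prints a reason on stderr and returns 1 when an input is unsafe.
jail_stanza() {
    name=$1 rootdir=$2 host=$3 iface=$4 ip=$5
    # rc.conf variables are shell identifiers, so the jail name must be one
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "bad jail name: $name" >&2; return 1 ;;
    esac
    # the jail root must be an absolute path, never relative to cwd
    case "$rootdir" in
        /*) ;;
        *) echo "rootdir must be absolute: $rootdir" >&2; return 1 ;;
    esac
    # hostname: letters, digits, dots and hyphens only (host.domain.com)
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $host" >&2; return 1 ;;
    esac
    [ -n "$iface" ] || { echo "interface must not be empty" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    printf 'jail_%s_rootdir="%s"\n' "$name" "$rootdir"
    printf 'jail_%s_hostname="%s"\n' "$name" "$host"
    printf 'jail_%s_interface="%s"\n' "$name" "$iface"
    printf 'jail_%s_ip="%s"\n' "$name" "$ip"
    printf 'jail_%s_devfs_enable="YES"\n' "$name"
    # restrict the device nodes visible inside the jail to the stock ruleset
    printf 'jail_%s_devfs_ruleset="devfsrules_jail"\n' "$name"
}

# usage: print the block for jail1 from the page's example (constructed values)
jail_stanza jail1 /path/to/jail1 jail1.domain.com em0 10.11.1.1
```

Append the printed lines to /etc/rc.conf by hand after reviewing them; jail_enable and jail_list still have to be set once, as shown above.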


To list the running jails, use the jls command from a root shell:

# jls
   JID  IP Address      Hostname                      Path
     1  10.11.1.100   jail1.domain.com              /var/jail/jail1
     2  10.11.1.101   jail2.domain.com              /var/jail/jail2
     3  10.11.1.110   jail3.domain.com              /var/jail/jail3
     4  10.11.1.115   jail4.domain.com              /var/jail/jail4
     5  10.11.1.125   jail5.domain.com              /var/jail/jail5
     9  10.11.1.130   jail6.domain.com              /mnt/zfs/jail/jail6
    11  10.11.1.140   jail7.domain.com              /mnt/zfs/jail/jail7


To control a jail, run /etc/rc.d/jail with one of start, stop or restart, followed by the jail name:

  • /etc/rc.d/jail {start|stop|restart} jail1


Example:

/etc/rc.d/jail start jail1


To log in to a jail, first run jls to find the JID of the jail of interest, then run jexec with that JID followed by the shell to start:

jexec 1 tcsh