October 15, 2018

How to Create a Jail on FreeBSD


Do you need to partition your system into several independent systems? With the ezjail framework you can create and manage jails on FreeBSD, each of which is a virtual environment. A jail runs independently of the host system and has its own files, processes and user accounts. It behaves much like a real system, but now you can securely separate your applications from each other.

Root access is required to edit the following files and to execute the commands. Log in as root (su) or simply prepend sudo to every command that requires root privileges.

Install ezjail

Install ezjail from your ports directory.

cd /usr/ports/sysutils/ezjail
make install clean; rehash

Add the jail IP to your network device

Please replace jail-ip and jail-mask with your values. The network device bge0 may be named differently on your system.

ifconfig bge0 alias jail-ip netmask jail-mask

Add the jail IP to your rc.conf

Please replace jail-ip and jail-mask with your values. The same applies to the network device bge0.

vi /etc/rc.conf
ifconfig_bge0_alias0="inet jail-ip netmask jail-mask"

Install basejail

Download the basejail (the base system shared by all jails) from FTP.

ezjail-admin install

Bind the SSH service to your host IP for security reasons

Without a ListenAddress, the host's sshd listens on every address, including the jail IP you just added. Please replace host-ip with your value.

vi /etc/ssh/sshd_config
ListenAddress host-ip
/etc/rc.d/sshd restart

Enable raw sockets

This sysctl lets processes inside jails open raw sockets (needed by tools such as ping). It applies to every jail on the host, so only enable it if you need it.

echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

Create a flavour

Create an initial configuration for a new jail.

cd /usr/jails/flavours
cp -Rp example/ custom
cp /etc/resolv.conf custom/etc/resolv.conf
vi custom/etc/rc.conf

network_interfaces="lo0"                # No network interfaces aside from the loopback device
kern_securelevel_enable="YES"           # Enable 'securelevel' kernel security
kern_securelevel="1"                    # See init(8)
rpcbind_enable="NO"                     # Disable RPC daemon
cron_flags="$cron_flags -J 15"          # Prevent lots of jails running cron jobs at the same time
syslogd_flags="-ss"                     # Disable syslogd listening for incoming connections
sendmail_enable="NONE"                  # Completely disable sendmail
clear_tmp_enable="YES"                  # Clear /tmp at startup

Stolen from: http://www.secure-computing.net/wiki/index.php/FreeBSD_jails_with_ezjail

Additionally, you can edit the ezjail.flavour file for more advanced configuration.

vi custom/ezjail.flavour
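Once a flavour exists, it is easy to lose one of the hardening lines above during later edits. The following script, an added example and not part of the original post, audits a flavour rc.conf against the settings listed above and reports every deviation. The file path, the function names and the constructed sample rc.conf (which has securelevel lowered and rpcbind enabled on purpose) are assumptions made for this example.

```shell
#!/bin/sh
# Audit a flavour rc.conf against the hardening settings from the post.
# Added example, not part of the original post. Usage:
#   sh audit_flavour.sh /usr/jails/flavours/custom/etc/rc.conf
# With no argument it audits a constructed sample that has two settings weakened.

# key=value pairs the post's flavour sets (quotes stripped). cron_flags is left
# out because its value is a flag string rather than a fixed setting.
EXPECTED="network_interfaces=lo0 kern_securelevel_enable=YES kern_securelevel=1 \
rpcbind_enable=NO syslogd_flags=-ss sendmail_enable=NONE clear_tmp_enable=YES"

# rc_value FILE KEY: print KEY's value from FILE with quotes, whitespace and
# trailing comments removed; the last assignment wins; prints nothing if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d '"[:space:]'
}

# audit_rc_conf FILE: print one line per deviation; return 1 if any were found.
audit_rc_conf() {
    _rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(rc_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' "$1" "$key" "$got" "$want"
            _rc=1
        fi
    done
    return $_rc
}

# sample_rc_conf: constructed rc.conf with securelevel lowered and rpcbind on.
sample_rc_conf() {
    cat <<'EOF'
network_interfaces="lo0"        # No network interfaces aside from loopback
kern_securelevel_enable="YES"
kern_securelevel="0"            # weakened: the post uses 1
rpcbind_enable="YES"            # weakened: the post uses NO
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sendmail_enable="NONE"
clear_tmp_enable="YES"
EOF
}

if [ $# -gt 0 ]; then
    audit_rc_conf "$1"
else
    tmp=$(mktemp)
    sample_rc_conf > "$tmp"
    audit_rc_conf "$tmp"
    rm -f "$tmp"
fi
```

Run it against every flavour before creating new jails; a non-zero exit status means at least one setting has drifted from the hardened baseline.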

Create a jail

Please replace stans_first_jail and jail-ip with your jail name and jail IP. The -f option uses the previously created flavour custom.

ezjail-admin create -f custom stans_first_jail jail-ip

Jails path: /usr/jails
Jails config path: /usr/local/etc/ezjail/stans_first_jail

Mount the ports from the host system

Please replace stans_first_jail with your jail name.

rm /usr/jails/stans_first_jail/usr/ports
mkdir /usr/jails/stans_first_jail/usr/ports
vi /etc/fstab.stans_first_jail
/usr/ports          /usr/jails/stans_first_jail/usr/ports     nullfs ro 0 0

Stolen from: http://wiki.bsdforen.de/howto/ezjail
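The three manual steps above (remove the ports link, create the mount point, append the nullfs entry) are easy to get wrong, in particular the jail path inside the fstab line. The following script, an added example that is not part of the original post or of ezjail, performs them for a named jail and is safe to run more than once. The JAILS_ROOT and FSTAB_DIR variables are assumptions introduced so the script can be exercised outside the real system; they default to the paths used above.

```shell
#!/bin/sh
# Mount the host's ports tree read-only into a jail via nullfs, idempotently.
# Added example, not part of the original post. Usage:
#   sh add_ports_mount.sh stans_first_jail

# Assumed overridable paths; the defaults match the post.
JAILS_ROOT=${JAILS_ROOT:-/usr/jails}
FSTAB_DIR=${FSTAB_DIR:-/etc}

# ports_fstab_line JAIL: print the read-only nullfs entry for JAIL.
ports_fstab_line() {
    printf '/usr/ports\t%s/%s/usr/ports\tnullfs\tro\t0\t0\n' "$JAILS_ROOT" "$1"
}

# add_ports_mount JAIL: replace the jail's usr/ports link with a directory and
# append the fstab entry unless one for that mount point already exists.
# Returns 0 on success (entry added or already present), 1 if the jail root
# does not exist.
add_ports_mount() {
    jail=$1
    root="$JAILS_ROOT/$jail"
    fstab="$FSTAB_DIR/fstab.$jail"
    if [ ! -d "$root" ]; then
        echo "no jail root at $root" >&2
        return 1
    fi
    # The post removes usr/ports before creating the directory; a new ezjail
    # jail has a symlink there, so only remove it if that is what we find.
    if [ -L "$root/usr/ports" ]; then
        rm "$root/usr/ports"
    fi
    mkdir -p "$root/usr/ports"
    if [ -f "$fstab" ] && grep -q "[[:space:]]$root/usr/ports[[:space:]]" "$fstab"; then
        return 0
    fi
    ports_fstab_line "$jail" >> "$fstab"
}

if [ $# -gt 0 ]; then
    add_ports_mount "$1"
fi
```

The mount is read-only on purpose: the jail can build from the host's ports tree but cannot modify it, so a compromised jail cannot plant changes that the host or other jails would later build.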

Start all jails

ezjail-admin start

List the running jails

jls
Log in to a jail from the host system

Read the jid from the previous jls output.

jexec jid csh

Remove a jail, -w removes all files

This command will completely remove a jail and its files. Please replace stans_first_jail with your jail name.

ezjail-admin delete -w stans_first_jail
