Jails on FreeBSD 9.2 without Warden :)
I've been wanting to get a little deeper with Jails so I can learn the Jails system better - nothing wrong with Warden, but to learn more I need to "bypass the GUI". I went ahead and installed vanilla FreeBSD 9.2 and this is what it took to get the Jails system working. You'll note that getting the Jails started is really easy - things get a little more complicated with the Jail parameters, as they seem to have changed between recent FreeBSD versions. Again, this guide only applies to 9.2 - I have no idea whether this will keep on working in the future or not.
1. Install ezjail:
pkg_add -r ezjail
2. Set ezjail to start on boot:
echo 'ezjail_enable="YES"' >> /etc/rc.conf
3. Use ezjail-admin to fetch the base Jail installation - this will take a few minutes depending on your internet connection:
ezjail-admin install -h ftp8.freebsd.org
4. Before we create the Jail we need to add the IP address as an alias on our network interface. In this case my network interface is em0 and the IP address I'm going to use is 192.168.2.20 - replace accordingly with your network interface and the IP you need.
ifconfig em0 alias 192.168.2.20 netmask 255.255.255.0
5. Make sure that the above worked - check with ifconfig em0 again, replacing em0 with your network interface - in my case the output is:
root@freebsd:~ # ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:06:7b:19
inet 192.168.2.14 netmask 0xffffff00 broadcast 192.168.2.255
inet 192.168.2.20 netmask 0xffffff00 broadcast 192.168.2.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
Note that the netmask is shown as 0xffffff00, which is the hex form of 255.255.255.0 (as per here).
6. Now we can create the jail - the command is really simple: ezjail-admin create jail1 192.168.2.20
jail1 - replace with the hostname you want to give your jail
192.168.2.20 - replace with the IP address you used to create the alias above
7. To check that it all worked, get a list of the jails on the system with ezjail-admin list - in my case the output looks like this:
ezjail-admin list
STA JID IP Hostname Root Directory
--- ---- --------------- ------------------------------ ------------------------
DS N/A 192.168.2.20 jail1 /usr/jails/jail1
Note the STA column on the far left, which of course stands for state - DS stands for "Directory tree based jail - Stopped". Look at the manual page for the full list of states, copied here for convenience:
The first column is the status flag consisting of 2 or 3 letters. The
first letter is the type of jail:
D Directory tree based jail.
I File-based jail.
E Geli encrypted file-based jail.
B Bde encrypted file-based jail.
Z ZFS filesystem-based jail.
The second letter is the status of the jail:
R The jail is running.
A The image of the jail is mounted, but the jail is not running.
S The jail is stopped.
8. Before we go ahead and start this bad boy, there's one more thing we need to do - since the Jails do not come with a default /etc/resolv.conf we need to put one in place - the easiest solution is to copy the host's /etc/resolv.conf:
cp /etc/resolv.conf /usr/jails/jail1/etc/resolv.conf
In the above, you'll need to replace jail1 with the name of your Jail.
9. Now let's start the Jail with:
ezjail-admin start jail1
In the above, you'll need to replace jail1 with the name of your Jail. The output will look like this:
ezjail-admin start jail1
Configuring jails:.
Starting jails: jail1.
To test if the above worked, let's look at the status of the Jail again and now it will be shown as running:
ezjail-admin list
STA JID IP Hostname Root Directory
--- ---- --------------- ------------------------------ ------------------------
DR 1 192.168.2.20 jail1 /usr/jails/jail1
As you can see the STA changed from DS to DR, which of course means it's running.
10. Now to "connect" to the jail, we can use the ezjail-admin console command - use it like this:
ezjail-admin console jail1
In the above, you'll need to replace jail1 with the name of your Jail.
11. Now, most folks out there will probably test that the network works with the ping command - you're in for a surprise:
root@jail1:~ # ping www.freebsd.org
ping: socket: Operation not permitted
However if you try netcat:
nc -v -z www.freebsd.org 80
Connection to www.freebsd.org 80 port [tcp/http] succeeded!
In other words - you do have internet access but ping doesn't work. This is a known issue with Jails and there are a few fixes around, for example: http://www.elfnet.org/2010/12/01/freebsd-jail-ping-socket-operation-permitted/
The above doesn't work for me on FreeBSD 9.2, so after some further investigation (google-fu) I found this forum post: https://forums.freebsd.org/viewtopic.php?t=13272
The solution I got from there is: you need to add the following lines to the host's /etc/rc.conf:
jail_sysvipc_allow="YES"
jail_jail1_parameters="allow.raw_sockets=1 allow.sysvipc=1"
Note that in the second line above, jail_jail1_parameters="allow.raw_sockets=1 allow.sysvipc=1", you'll need to replace the jail1 part with the name of your Jail. After you add that you need to restart ezjail with service ezjail restart - you'll get output like this:
service ezjail restart
Stopping jails: jail1.
Configuring jails: sysvipc_allow=YES.
Starting jails: jail1.
Now login to the jail and try pinging again:
ezjail-admin console jail1
root@jail1:~ # ping www.freebsd.org
PING wfe0.ysv.freebsd.org (8.8.178.110): 56 data bytes
64 bytes from 8.8.178.110: icmp_seq=0 ttl=54 time=46.687 ms
64 bytes from 8.8.178.110: icmp_seq=1 ttl=54 time=41.449 ms
Much better!
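As an added example (not part of the original post), here is a small POSIX sh helper for scripting the checks above: it decodes the STA column of ezjail-admin list into type and status using the flag table quoted from the manual page, and lists which jails have been granted allow.raw_sockets=1 in rc.conf, since that parameter enables raw sockets for everything running in the jail, not just ping. The ezjail-admin list output and rc.conf contents are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `ezjail-admin list` output, shaped like the post's listings.
EZJAIL_LIST_SAMPLE='STA JID IP              Hostname  Root Directory
--- ---- --------------- --------- ----------------
DR  1    192.168.2.20    jail1     /usr/jails/jail1
DS  N/A  192.168.2.21    jail2     /usr/jails/jail2'

# Constructed sample of the host's /etc/rc.conf after step 11 (jail2 added for contrast).
RC_CONF_SAMPLE='ezjail_enable="YES"
jail_sysvipc_allow="YES"
jail_jail1_parameters="allow.raw_sockets=1 allow.sysvipc=1"
jail_jail2_parameters="allow.sysvipc=1"'

# Decode the STA flags from ezjail-admin(1): first letter = jail type, second = status.
decode_sta() {
  case "$1" in
    D*) t=directory ;; I*) t=image ;; E*) t=geli ;; B*) t=bde ;; Z*) t=zfs ;; *) t=unknown ;;
  esac
  case "$1" in
    ?R*) s=running ;; ?A*) s=mounted ;; ?S*) s=stopped ;; *) s=unknown ;;
  esac
  echo "$t $s"
}

# Status of one jail (by hostname) from a listing on stdin: running|mounted|stopped|absent.
# Skips the two header lines; column 4 is the hostname, column 1 the STA flags.
ezjail_status_of() {
  st=$(awk -v j="$1" 'NR > 2 && $4 == j { print $1 }')
  if [ -z "$st" ]; then echo absent; return 0; fi
  decode_sta "$st" | cut -d' ' -f2
}

# Audit view: names of jails whose rc.conf parameter line grants allow.raw_sockets=1.
jails_with_raw_sockets() {
  sed -n 's/^jail_\([A-Za-z0-9_]*\)_parameters=.*allow\.raw_sockets=1.*/\1/p'
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "$EZJAIL_LIST_SAMPLE" | ezjail_status_of jail1
printf '%s\n' "$RC_CONF_SAMPLE" | jails_with_raw_sockets
```

On a real host, feed it `ezjail-admin list` and /etc/rc.conf instead of the samples, e.g. `ezjail-admin list | ezjail_status_of jail1` and `jails_with_raw_sockets < /etc/rc.conf`.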