Howto: quick setup of jail on ZFS using ezjail with PF NAT/

_martin

#1
July 26, 2014 update: different configuration for new pkg tool
Oct 20, 2016 update: FreeBSD 11.0 and /etc/jail.conf

The following scenario is presented:

Code:
                   /----------- our host --------------\
--{ internet } --- [ 192.0.2.1 ] ---jail--- [ 10.6.6.6 ]
where:

em0 is an egress interface (internet facing)
lo666 is a custom loopback interface (host only)

192.0.2.1 is a public IP address on em0
10.6.6.6 is a jail IP address on lo666

The goal is to create a jail where a simple WWW service is running.

Prerequisites:

  • Installed sysutils/ezjail either from ports or from pre-built repository
  • ZFS pool where jail dataset will be created; pool zpool is used here

The /etc/rc.conf
Enable PF, ZFS, ezjail and IP forwarding. Create and configure lo666 interface. Lines in question from /etc/rc.conf:

Code:
cloned_interfaces="lo666"
ifconfig_lo666_alias0="inet 10.6.6.6 netmask 255.255.255.255"

gateway_enable="YES"

pf_enable="YES"
ezjail_enable="YES"
zfs_enable="YES"
Bring the interface up. In 9.0-RELEASE it's enough to do:

# ifconfig lo666 create

This creates the interface and assigns the alias from /etc/rc.conf. In case the IP address is not up, bring it up manually:

# ifconfig lo666 alias 10.6.6.6 netmask 255.255.255.255 up

Enable IP forwarding:
# sysctl net.inet.ip.forwarding=1

Setup PF
Only the NAT part of PF is shown here; configuration of PF is not the subject of this howto.
/etc/pf.conf:

Code:
ext_if="em0"
jail_if="lo666"

IP_PUB="192.0.2.1"
IP_JAIL_WWW="10.6.6.6"

NET_JAIL="10.6.6.0/24"

PORT_WWW="{80,443}"

scrub in all

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# WWW
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW

# demo only, passing all traffic
pass out
pass in
Check /etc/pf.conf for any mistakes:

# pfctl -nf /etc/pf.conf
If no error is shown, start the firewall.

# /etc/rc.d/pf start

Verify the firewall is enabled and check the NAT rules (ALTQ warnings can be safely ignored).

# pfctl -e
Code:
pfctl: pf already enabled
# pfctl -sn
Code:
nat pass on em0 inet from 10.6.6.0/24 to any -> 192.0.2.1
rdr pass on em0 inet proto tcp from any to 192.0.2.1 port = http -> 10.6.6.6
rdr pass on em0 inet proto tcp from any to 192.0.2.1 port = https -> 10.6.6.6
Configure ezjail
By default all jails are stored under the /usr/jails directory. However, I'll use /local/jails in my setup.

First create a ZFS dataset:

# zfs create -o mountpoint=/local/jails zpool/jails
# chmod 700 /local/jails && chown root:wheel /local/jails

The main ezjail configuration is stored in /usr/local/etc/ezjail.conf. Uncomment and set at least these parameters:

Code:
ezjail_jaildir=/local/jails
ezjail_ftphost=ftp.sk.freebsd.org
ezjail_use_zfs="YES"
ezjail_jailzfs="zpool/jails"
Use the FTP host closest to you.
There are several options for installing the base. Here I'll just fetch the base from FTP; see ezjail-admin(8) for details.

# ezjail-admin install

The minimum userland - basejail - has been fetched. You can see it on a separate dataset:

# zfs list
Code:
zpool                  333M  1.63G    31K  none
zpool/jails            332M  1.63G    47K  /local/jails
zpool/jails/basejail   330M  1.63G   330M  /local/jails/basejail
zpool/jails/newjail   1.70M  1.63G  1.70M  /local/jails/newjail
I plan to create more than one jail, and I don't want to set all system settings manually for each and every one of them. That's where the jail flavor comes into play.
happycamper.local is my domain, so I'll use the name happycamper for the flavor.

# mkdir -p /local/jails/flavours/happycamper/etc/rc.d
# cd /local/jails/flavours/happycamper/etc
# vi rc.conf
Code:
sshd_enable="YES"
syslogd_flags="-ss"
# cp -p /etc/resolv.conf .
# cp -p /local/jails/flavours/example/etc/rc.d/ezjail.flavour.example rc.d/ezjail.flavour.happycamper

Flavors are stored under the $jailroot/flavours directory ($jailroot == /local/jails). I've created rc.conf and resolv.conf files - these will be copied to a new jail created with the happycamper flavor.

For the demonstration I want to create a custom group and user and install the screen package. This is done upon first jail startup by the ezjail.flavour script.

In the vi editor I have replaced all "example" words with "happycamper". All examples are shown there and are easy to understand. In FreeBSD 10 there's a new package management system; there are no more pkg_* commands.

Prior to FreeBSD 10 you can use the following flavor config:
Code:
pw group add users
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw user add martin -g users -G wheel -s /bin/csh -d /home/martin -m -H 0

chown -R martin:users /home/martin

pkg_add -r screen
If you are running FreeBSD 10 or later:
Code:
pw group add users
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw user add martin -g users -G wheel -s /bin/csh -d /home/martin -m -H 0

chown -R martin:users /home/martin
# don't ask - just do
export ASSUME_ALWAYS_YES=YES
pkg bootstrap
pkg install screen
Now I'm finally ready to create a new jail with a flavor.

# ezjail-admin create -f happycamper -c zfs www 10.6.6.6
Code:
ZFS: create the jail filesystem
/local/jails/www/.
/local/jails/www/./etc
/local/jails/www/./etc/rc.d
/local/jails/www/./etc/rc.d/ezjail.flavour.happycamper
/local/jails/www/./etc/rc.conf
/local/jails/www/./etc/resolv.conf
5 blocks
Start the jail

Prior to FreeBSD 11.0 the following is sufficient:

# /usr/local/etc/rc.d/ezjail start www
Code:
Configuring jails:.
Starting jails: www.
It might take a second or two as the flavor script is executed upon first start; it removes itself afterward. To check the jail status:

# jls
Code:
   JID  IP Address      Hostname                      Path
     2  10.6.6.6        www                           /local/jails/www
To access the jail, the ezjail-admin command can be used:

# ezjail-admin console www

Now Apache can be installed and configured; the jail itself is ready.

FreeBSD 11.0
With 11.0 and, as of writing, ezjail-admin v3.4.2, starting jails with ezjail-admin is no longer possible. Jails are required to be defined in /etc/jail.conf. We can still use ezjail-admin to set them up; a little bit of manual work is needed here.

You could also have a look at Remington's Thread 49561/ for additional information. Reading jail.conf(5) is a good start to get more detailed information.

Our per-jail configuration is stored under the /usr/local/etc/ezjail/ directory. Each file represents the configuration for a certain jail.

Similar to the ezjail configuration directory, we'll create a new directory where the per-jail configuration will be kept. As jail(8) is a command from the FreeBSD base system, we'll use a directory in /etc/: /etc/jail. In our example we don't need much, but we do need to mount our userland (basejail).

/etc/jail/fstab.www:
Code:
/local/jails/basejail   /local/jails/www/basejail         nullfs  0 0
/etc/jail.conf configuration:
Code:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

mount.fstab           = "/etc/jail/fstab.${name}";
mount.devfs;
mount.fdescfs;
mount.procfs;

devfs_ruleset         = "4";

path = "/local/jails/$name";

www {
        host.hostname = "www";
        ip4.addr = "10.6.6.6";
}
One important change is that the devfs_ruleset is addressed by number and not by name (as you can find in the ezjail jail configuration).

The last change is to update /etc/rc.conf. We don't want to start ezjail; we need jail(8) instead:
Code:
# ezjail_enable="YES"   #disabled on FreeBSD 11.0
jail_enable="YES"
And finally we can start our jails:
# /etc/rc.d/jail start
 
fred974

#3
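As an added example (my own code, not part of _martin's howto), the POSIX sh helper below automates the FreeBSD 11.0 part of the post: it writes /etc/jail/fstab.<name> and appends a "<name> { ... }" stanza to /etc/jail.conf for a new jail, and it refuses an address that does not fall inside the NET_JAIL macro of pf.conf, so the "nat pass on $ext_if from $NET_JAIL" rule actually covers every jail added this way. All paths are parameters; the demonstration at the bottom runs in a scratch directory against a constructed pf.conf carrying the macros from the howto. The function names ip4_to_int, in_net, pf_macro and add_jail are my own. Unlike the fstab line in the post, it mounts basejail with the ro option, which is how ezjail itself mounts it.

```shell
#!/bin/sh
# Added example, not code from the howto: generate the two per-jail pieces the
# FreeBSD 11.0 section writes by hand (/etc/jail/fstab.<name> and a
# "<name> { ... }" stanza for /etc/jail.conf), refusing a jail address that
# does not fall inside the NET_JAIL macro of pf.conf, so that every jail added
# this way is really covered by the "nat pass on $ext_if from $NET_JAIL" rule.
# All paths are parameters, so the functions run against a scratch directory
# on any POSIX sh; nothing here touches the live system.

# ip4_to_int 10.6.6.6 -> 168166918; fails on anything that is not a dotted quad
ip4_to_int() {
    q_old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$q_old_ifs
    [ $# -eq 4 ] || return 1
    for q_oct in "$@"; do
        # digits only and no leading zero, so sh arithmetic never reads octal
        case $q_oct in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$q_oct" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net 10.6.6.6 10.6.6.0/24 -> 0 if the address lies in the CIDR block,
# 1 if it does not, 2 if either argument is malformed
in_net() {
    n_addr=$(ip4_to_int "$1") || return 2
    n_prefix=${2%/*}
    n_bits=${2#*/}
    [ "$n_prefix" != "$2" ] || return 2          # no "/len" present
    n_net=$(ip4_to_int "$n_prefix") || return 2
    case $n_bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$n_bits" -le 32 ] || return 2
    if [ "$n_bits" -eq 0 ]; then
        n_mask=0
    else
        n_mask=$(( (4294967295 << (32 - n_bits)) & 4294967295 ))
    fi
    [ $(( n_addr & n_mask )) -eq $(( n_net & n_mask )) ]
}

# pf_macro NET_JAIL /etc/pf.conf -> the macro's value with quotes stripped
pf_macro() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# add_jail <name> <ip> <jailroot> <pf.conf> <jail.conf> <fstab-dir>
# returns 0 on success, 1 on bad input, 2 if the jail is already defined
add_jail() {
    j_name=$1 j_ip=$2 j_root=$3 j_pf=$4 j_conf=$5 j_fstabdir=$6
    case $j_name in ''|*[!A-Za-z0-9_]*)
        echo "add_jail: bad jail name '$j_name'" >&2
        return 1 ;;
    esac
    j_net=$(pf_macro NET_JAIL "$j_pf")
    if ! in_net "$j_ip" "$j_net"; then
        echo "add_jail: $j_ip is not inside NET_JAIL '$j_net' from $j_pf; the nat rule would not cover it" >&2
        return 1
    fi
    if [ -f "$j_conf" ] && grep -q "^$j_name[[:space:]]*{" "$j_conf"; then
        echo "add_jail: '$j_name' is already defined in $j_conf" >&2
        return 2
    fi
    mkdir -p "$j_fstabdir"
    # nullfs mount of the shared basejail; read-only, as ezjail itself mounts it
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$j_root/basejail" "$j_root/$j_name/basejail" \
        > "$j_fstabdir/fstab.$j_name"
    printf '\n%s {\n\thost.hostname = "%s";\n\tip4.addr = "%s";\n}\n' \
        "$j_name" "$j_name" "$j_ip" >> "$j_conf"
}

# Demonstration in a scratch directory with a constructed pf.conf carrying the
# macros from the howto; on a real host the arguments would be /local/jails,
# /etc/pf.conf, /etc/jail.conf and /etc/jail.
demo_dir=$(mktemp -d)
printf 'ext_if="em0"\nIP_PUB="192.0.2.1"\nNET_JAIL="10.6.6.0/24"\n' > "$demo_dir/pf.conf"
add_jail www 10.6.6.6 /local/jails "$demo_dir/pf.conf" "$demo_dir/jail.conf" "$demo_dir/jail" \
    && cat "$demo_dir/jail/fstab.www" "$demo_dir/jail.conf"
add_jail db 192.168.1.5 /local/jails "$demo_dir/pf.conf" "$demo_dir/jail.conf" "$demo_dir/jail" \
    || echo "db rejected with status $?"
rm -rf "$demo_dir"
```

Run it with sh; the rejected second call shows the point of the NET_JAIL check: a jail whose address sits outside the NAT'd network would have no outbound connectivity and, worse, might be reachable only through whatever the "pass in/pass out" demo rules allow. On the live host, /etc/rc.d/jail start and pfctl -sn from the post remain the checks that the jail and its NAT coverage are in place.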

Hi,
This is a fab tutorial!
Just a clarification: when you create the user/groups, you typed
Code:
pw user add
pw group add
Should it read
Code:
pw useradd
pw groupadd
I don't know if it is a typo or the way it was meant to be.
 
_martin (OP)

#4

@fred974 Thanks. It was meant to be pw user add. I checked the man page and it indeed says useradd. But for years I've been using pw user add.
It's maybe because of what pw says:

Code:
$ pw group
usage:
  pw group [add|del|mod|show|next] [help|switches/values]
$
So both commands are OK.
 
oxyaxion

#5

Hi,

Thanks for this great tutorial. I have some questions: I would like to do something approximately similar but with some particularities. I have some HTTP hosts and a varnish proxy.

Internet IP public address <----> Box <----> (192.168.x.x) BSD-Host + PF <----> (10.x.x.x) Jail-Varnish-http-proxy routing -----> www-jails-1 (10.x.x.x) or www-jails-2 (10.x.x.x) or www-jails-2 (10.x.x.x)

Do you think this configuration is actually possible?
varnish-http is obviously routing HTTP requests.
I know how to configure varnish but I don't know how to configure PF for this kind of configuration.
I'm a little confused with the routing and firewalling configuration.
 
_martin (OP)

#6

@oxyaxion
Sorry, I don't fully understand your diagram (what's the difference between "box" and "BSD-Host") and don't know where each service is running.
But think of it this way - a service which needs to be reachable from outside has to be in PF - the very same way this howto shows how to reach the webserver (if I got your diagram right and FreeBSD has its own public IP).
Depending on your drop rules, you might need to enable traffic from/to jail networks.

I suggest you start with pass in/pass out rules, add the rdr rule and see if that's working. If yes, you can start with drop rules.
 
oxyaxion

#7

Sorry for the bad diagram, and thanks for your response.

The "box" is my Internet company's ADSL router; the BSD host is my physical server.

The BSD host has a private IP in my LAN: 192.168.x.x, and the HTTP jails are on the 10.x.x.x network.

I know how to set up "simple" NAT with my ADSL router, if "HTTP:80 NAT to Varnish-proxy" with a 192.168.x.x IP (with no PF firewalling).

But if I want more firewalling with the BSD PF, ALL the HTTP packets are destined to the BSD host and the BSD host is doing the NAT (192.168.x.x -> varnish-proxy 10.x.x.x, and this one dispatches to the right HTTP host), not the ADSL router.

In fact I would like to use the PF setup for routing my packets, not my ADSL Internet box ;)
 

oxyaxion

#8

I have resolved my IP / Internet jails connection problem with this line in the pf.conf:

Code:
nat pass on bge0 from lo888:network to any -> (bge0)
bge0 is my physical ethernet card.

But now I don't understand why my personal flavour looks like it is not used in the jail creation (users are not created).

Code:
pw groupadd users
echo -n 'passwordofthedeath' |\
pw useradd mathieu -g users -G wheel -s /usr/local/bin/bash -d /home/mathieu -m -H 0
chown -R mathieu:users /home/mathieu
I had added user creation like in your tutorial, but:

Code:
root@cube-box:~ # ezjail-admin create -f jailsource -c zfs test-1 10.8.8.8
/usr/jails/test-1/.
/usr/jails/test-1/./etc
/usr/jails/test-1/./etc/rc.conf
/usr/jails/test-1/./etc/shells
/usr/jails/test-1/./etc/resolv.conf
/usr/jails/test-1/./etc/localtime
/usr/jails/test-1/./etc/ezjail.flavour.jailsource
/usr/jails/test-1/./etc/rc.d
11 blocks
find: /usr/jails/test-1/pkg/: No such file or directory
Warning: Some services already seem to be listening on all IP, (including 10.8.8.8)
  This may cause some confusion, here they are:
root     syslogd    838   6  udp6   *:514                 *:*
root     syslogd    838   7  udp4   *:514                 *:*
jailsource is my personal flavour, with my personal user: mathieu (I have followed your example for the first configuration)

Inside the jail :

Code:
root@test-1:~ # cat /etc/passwd | grep mathieu
Nothing.

By the way, pkg_add looks "deprecated" in FreeBSD 10.0 and the jail flavour example seems to use it.
The problem is, if you want to use "pkg" for the first time, the system asks you for migration, so you can't write it in the flavour script. Maybe a patch will fix it?
 
_martin (OP)

#9

@oxyaxion Hm, that's interesting - there's a mistake in the tutorial now. I can't tell whether it was there from the beginning or whether something 'got lost' during editing/forum migration. Thanks for pointing that out.

Flavor has to be in rc.d/ as it is executed upon first jail startup (it does remove itself during its execution). Current step-by-step guide stores it in etc/ which is not correct.

Yop, FreeBSD 10 does not have pkg_add any more.

I've updated the tutorial to reflect these changes.
 
fred974

#10

Hi @matoatlantis

I am trying to create a jail flavour on FreeBSD 10 but I keep getting the following error message:
Code:
root@kryten:~ # vi /local/jails/flavours/jailflavor/etc/rc.d/ezjail.flavour.jailflavor
root@FreeBSD:~ # ezjail-admin create -f jailflavor -c zfs testjail 192.168.0.145
/local/jails/testjail/.
/local/jails/testjail/./usr
/local/jails/testjail/./usr/local
/local/jails/testjail/./usr/local/etc
/local/jails/testjail/./usr/local/etc/sudoers
/local/jails/testjail/./etc
/local/jails/testjail/./etc/motd
/local/jails/testjail/./etc/rc.d
/local/jails/testjail/./etc/rc.d/ezjail.flavour.jailflavor
/local/jails/testjail/./etc/resolv.conf
/local/jails/testjail/./etc/syslog.conf
/local/jails/testjail/./etc/periodic.conf
/local/jails/testjail/./etc/rc.conf
15 blocks
find: /local/jails/testjail/pkg/: No such file or directory
I don't understand why I get
Code:
'find: /local/jails/testjail/pkg/: No such file or directory'
Here is my /jails/flavours/jailflavor/etc/rc.d/ezjail.flavour.jailflavor
Code:
#!/bin/sh
#
# BEFORE: DAEMON
# PROVIDE: ezjail.jailflavor.config
# ezjail flavour jailflavor
#

. /etc/rc.subr

name=ezjail.flavour.jailflavor
start_cmd=flavour_setup

flavour_setup() {

# Remove traces of ourself
# N.B.: Do NOT rm $0, it points to /etc/rc
##########################
  rm -f "/etc/rc.d/ezjail.flavour.jailflavor"

# Groups
#########
#
pw groupadd -q -n webadmin -g 1001
pw groupadd -q -n dbadmin -g 1002
pw groupadd -q -n mailadmin -g 1003

# Users
########
#
# give root a known password
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' | pw usermod -n root -H 0
pw usermod root -p 01 01 01

# create webadmin user
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n webadmin -u 1001 -c "System Administrator" -g webadmin -G wheel -s /bin/csh -d /home/webadmin -m -H 0
pw usermod webadmin -p 01 01 01

# create dbadmin user
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n dbadmin -u 1002 -c "Database Administrator" -g dbadmin -G wheel -s /bin/csh -d /home/dbadmin -m -H 0
pw usermod dbadmin -p 01 01 01

# create mailadmin user
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n mailadmin -u 1003 -c "Mail Administrator" -g mailadmin -G wheel -s /bin/csh -d /home/mailadmin -m -H 0
pw usermod mailadmin -p 01 01 01

# Files
########
#
chown -R webadmin:webadmin /home/webadmin
chown -R dbadmin:dbadmin /home/dbadmin
chown -R mailadmin:mailadmin /home/mailadmin

# Postinstall
##############
#
# Create all.log and console.log (chmod all.log, too)
touch /var/log/all.log && chmod 0600 /var/log/all.log
touch /var/log/console.log

# Packages
###########
#
#

export ASSUME_ALWAYS_YES=YES
pkg bootstrap

# install sudo
pkg install sudo

# install vim-lite
pkg install vim-lite


# Updating The Ports Collection
portsnap fetch extract

# Install Portmaster
make -C /usr/ports/ports-mgmt/portmaster BATCH=yes OPTIONS_FILE_SET="BASH ZSH" install
echo "# Enable PKGNG as new package format"
echo 'WITH_PKGNG="yes"' >> /etc/make.conf
echo "# convert our /var/db/pkg database to the new pkg format"
pkg2ng

# Install TMUX Terminal Multiplexer
make -C /usr/ports/sysutils/tmux BATCH=yes OPTIONS_FILE_SET="BACKSPACE LIBEVENT2" OPTIONS_FILE_UNSET="LIBEVENT_STATIC" install clean

# Install git
make -C /usr/ports/devel/git BATCH=yes OPTIONS_FILE_SET="CONTRIB CURL CVS ETCSHELLS ICONV NLS P4 PERL" OPTIONS_FILE_UNSET="GITWEB GUI HTMLDOCS SVN" install clean

}
run_rc_command "$1"
When I jexec 1 tcsh, I can see that all the users and groups have been created and /var/log/console.log was created.
So basically the script doesn't execute any of the following code:
Code:
# Packages
###########
#
#

export ASSUME_ALWAYS_YES=YES
pkg bootstrap

# install sudo
pkg install sudo

# install vim-lite
pkg install vim-lite


# Updating The Ports Collection
portsnap fetch extract

# Install Portmaster
make -C /usr/ports/ports-mgmt/portmaster BATCH=yes OPTIONS_FILE_SET="BASH ZSH" install
echo "# Enable PKGNG as new package format"
echo 'WITH_PKGNG="yes"' >> /etc/make.conf
echo "# convert our /var/db/pkg database to the new pkg format"
pkg2ng

# Install TMUX Terminal Multiplexer
make -C /usr/ports/sysutils/tmux BATCH=yes OPTIONS_FILE_SET="BACKSPACE LIBEVENT2" OPTIONS_FILE_UNSET="LIBEVENT_STATIC" install clean

# Install git
make -C /usr/ports/devel/git BATCH=yes OPTIONS_FILE_SET="CONTRIB CURL CVS ETCSHELLS ICONV NLS P4 PERL" OPTIONS_FILE_UNSET="GITWEB GUI HTMLDOCS SVN" install clean
When I copy the script to a jail and run it, I have no problem. Could you please help?

Thank you,
Fred
 
_martin (OP)

#11

Hi Fred,

Starting from some ezjail version I see that error too. I guess it's a feature that installs the binary packages automatically upon startup from the /pkg directory.
The following code in ezjail-admin produces the error:

Code:
        # if the packages are links and not files we have to copy them now
        find "${ezjail_rootdir}/pkg/" -type l -exec cp -r -f {} {}.ezjail \; -exec mv {}.ezjail {} \;
You can safely ignore it.

Hard to say why you can't see the packages installed. Do you see the changes to /etc/make.conf you make in that flavor script (do you see WITH_PKGNG in your jail's make.conf)? If so, I'd suspect the problem is in the pkg2ng installation.
 

fred974

#12

Hi @matoatlantis
This is the /etc/make.conf inside the jail that gets created:
Code:
WRKDIRPREFIX=           /var/ports
DISTDIR=                /var/ports/distfiles
PACKAGES=               /var/ports/packages
INDEXDIR=               /var/ports
WITH_PKGNG="yes"
How do I solve the problem in the pkg2ng installation?
Is the way I wrote the package installation from port correct?

Thank you.
 
_martin (OP)

#13

I don't know, not off the top of my head. But as you know, the script is being executed (users are created, make.conf gets customized).

Maybe something goes wrong when pkg2ng is executed? I'd go with a trial-and-error approach here. Remove all lines after portsnap (maybe even including that line). Create the jail and check the output. If all is OK, include pkg2ng and do another check - does it break something? If not, continue.
 

fred974

#14

Thank you @matoatlantis, I'll tinker around and post my finding if I ever work it out:)
 
fred974

#15

I removed all lines from
Code:
# Updating The Ports Collection
and all the packages did get installed.

Could you advise on how I could run portsnap fetch extract in my jail flavour so it doesn't need user interaction?
 
_martin (OP)

#16

Did you check what it asked for (run it manually from the jail)? I personally don't use the ports per jail as I consider that a waste of space (I'm using mostly shared ports, either via NFS or nullfs mount).

But back to your problem: check what /usr/ports is in the jail; by default:

Code:
# ll /usr/ports
lrwxr-xr-x  1 root  wheel  19 Jul 26 13:30 /usr/ports@ -> /basejail/usr/ports
#
which is a location you can't write to by default. You can either tell portsnap to use another location (check the man page) or you could remove the symlink (from the host) and create /usr/ports in the jail.
 

fred974

#17

Hi @matoatlantis

Yes, running it manually from the jail is OK. The only reason why I want each jail to have the ports is that when I update the packages using portmaster on the host, I also pick up all the packages installed in the jails and mess things up.

Below is what I normally do to install the jail:
Code:
ezjail-admin create -f jailflavor -c zfs webjail 192.168.0.145
echo 'ListenAddress 192.168.0.145' >> /local/jails/webjail/etc/ssh/sshd_config
rm -rf /local/jails/webjail/usr/ports
mkdir -p /local/jails/webjail/usr/ports
mount_nullfs -o rw /usr/ports /local/jails/webjail/usr/ports
echo '/usr/ports     /local/jails/webjail/usr/ports  nullfs     rw       0       0' >> /etc/fstab.webjail
/usr/local/etc/rc.d/ezjail start webjail
My hope was to create the full webjail by using the jail flavour, but I guess it's not a big deal as I could run the script from inside the jails.
 
_martin (OP)

#18

If you look into your jail log (/var/log/jail_$JAILNAME_console.log) you'll see why:
Code:
portsnap fetch should not be run non-interactively.
Run portsnap cron instead
When you look at /usr/sbin/portsnap
Code:
  --interactive -- interactive: override auto-detection of calling process
                  (use this when calling portsnap from an interactive, non-
                  terminal application AND NEVER ELSE).
you'll see how to force it.

I must say this is not the best way to go. You are querying the portsnap servers each time you start a new jail. That can be an awful lot.

To modify the setup you could do:

Remove the symlink in newjail setup (assumption: we're never going to use the basejail link)
Code:
# cd newjail/usr
# ll ports
lrwxr-xr-x  1 root  wheel  19 Jul 26 13:30 ports@ -> /basejail/usr/ports
# rm ports
Update the flavor config:
Code:
portsnap --interactive fetch extract
But I don't recommend going this way.
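An added example (my own code, not from the thread) that folds the flavour-script lessons from posts #8, #9, #11 and #18 into a pre-flight check you can run against a flavour directory before ezjail-admin create -f: the script must live under etc/rc.d/ or it is copied but never executed, pkg_add is gone in FreeBSD 10, pkg needs ASSUME_ALWAYS_YES=YES exported or the first run stops to ask about the bootstrap/migration, portsnap fetch refuses to run non-interactively, and the script should remove its own copy from /etc/rc.d so it does not run again on every jail start. lint_flavour and write_sample_flavours are hypothetical names of mine; the two sample flavours are constructed for the demonstration (the "good" one mirrors the FreeBSD 10 flavour config from the tutorial inside the rc.d scaffolding shown in #10).

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight lint for ezjail flavour
# scripts. Each check corresponds to a problem discussed above:
#   - the script must live under etc/rc.d/ (#9); elsewhere it is copied into
#     the jail but never executed at first start
#   - pkg_add no longer exists on FreeBSD 10 (#8, #9)
#   - pkg stops to ask for the bootstrap/migration unless ASSUME_ALWAYS_YES=YES
#     is exported (#8 and the tutorial's FreeBSD 10 flavour config)
#   - "portsnap fetch" refuses to run non-interactively (#18)
#   - the script should remove its own copy from /etc/rc.d so it does not run
#     again on every jail start (#9, and the self-removal line in #10)
# lint_flavour and write_sample_flavours are my own names.

# lint_flavour <path-to-flavour-script>
# prints one line per finding; the exit status is the number of findings
lint_flavour() {
    lf_file=$1
    lf_count=0
    case $lf_file in
        */etc/rc.d/ezjail.flavour.*) ;;
        *)
            echo "$lf_file: not under etc/rc.d/; ezjail copies it into the jail but rc(8) never runs it"
            lf_count=$((lf_count + 1)) ;;
    esac
    if grep -q '^[[:space:]]*pkg_add' "$lf_file"; then
        echo "$lf_file: uses pkg_add, which FreeBSD 10 no longer ships; use 'pkg bootstrap' and 'pkg install'"
        lf_count=$((lf_count + 1))
    fi
    if grep -Eq 'pkg[[:space:]]+(bootstrap|install)' "$lf_file" \
       && ! grep -q 'ASSUME_ALWAYS_YES=YES' "$lf_file"; then
        echo "$lf_file: pkg is called without 'export ASSUME_ALWAYS_YES=YES'; the first run stops to ask for confirmation"
        lf_count=$((lf_count + 1))
    fi
    if grep -Eq 'portsnap[[:space:]].*fetch' "$lf_file" \
       && ! grep -q -- '--interactive' "$lf_file"; then
        echo "$lf_file: 'portsnap fetch' refuses to run non-interactively; fetch the ports tree on the host and nullfs-mount it, or add --interactive"
        lf_count=$((lf_count + 1))
    fi
    if ! grep -q 'rm -f .*/etc/rc\.d/ezjail\.flavour\.' "$lf_file"; then
        echo "$lf_file: no 'rm -f /etc/rc.d/ezjail.flavour.<name>' line; the script would run again on every jail start"
        lf_count=$((lf_count + 1))
    fi
    return $lf_count
}

# write_sample_flavours <dir>: constructed samples for the demonstration; the
# "good" one mirrors the tutorial's FreeBSD 10 flavour config wrapped in the
# rc.d scaffolding, the "bad" one repeats the mistakes listed above
write_sample_flavours() {
    ws_dir=$1
    mkdir -p "$ws_dir/flavours/good/etc/rc.d" "$ws_dir/flavours/bad/etc"
    cat > "$ws_dir/flavours/good/etc/rc.d/ezjail.flavour.good" <<'EOF'
#!/bin/sh
# PROVIDE: ezjail.flavour.good
# BEFORE: DAEMON
. /etc/rc.subr
name=ezjail.flavour.good
start_cmd=flavour_setup
flavour_setup() {
    rm -f "/etc/rc.d/ezjail.flavour.good"
    pw group add users
    export ASSUME_ALWAYS_YES=YES
    pkg bootstrap
    pkg install screen
}
run_rc_command "$1"
EOF
    cat > "$ws_dir/flavours/bad/etc/ezjail.flavour.bad" <<'EOF'
#!/bin/sh
pw group add users
pkg_add -r screen
portsnap fetch extract
EOF
}

# Demonstration in a scratch directory
demo_dir=$(mktemp -d)
write_sample_flavours "$demo_dir"
for script in "$demo_dir/flavours/good/etc/rc.d/ezjail.flavour.good" \
              "$demo_dir/flavours/bad/etc/ezjail.flavour.bad"; do
    lint_flavour "$script" && echo "$script: clean" || echo "$script: $? finding(s)"
done
rm -rf "$demo_dir"
```

Run it with sh; point lint_flavour at your own flavour file (for the tutorial's layout, /local/jails/flavours/happycamper/etc/rc.d/ezjail.flavour.happycamper) before creating the first jail from it. The checks are plain greps, so they catch the patterns this thread hit rather than every possible rc.d mistake; the jail console log mentioned in #18 remains the place to look when a flavour still misbehaves.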
 

andrewm659

#20
So I am trying to follow your howto on this, my question is, do I need to use PF for this? I am doing this on my home network and it will not be forward facing to the Internet.

I am really just at the point of setting up the virtual interface or cloned_interface and it's not working.
 

andrewm659

#21
Code:
root@FBSD10:~ # cat /etc/rc.conf
hostname="FBSD10.borg.priv"
ifconfig_em0="inet 10.150.1.71 netmask 255.255.255.0"
defaultrouter="10.150.1.1"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ezjail_enable="YES"
ifconfig_em0_alias0="inet 10.150.1.90 netmask 255.255.255.0 broadcast 10.150.1.255"
jail_enable="YES"
gateway_enable="YES"
zfs_enable="YES"
root@ASM-FBSD10:~ # ifconfig em0_alias0 create
ifconfig: SIOCIFCREATE2: Invalid argument
root@FBSD10:~ #
 
_martin (OP)

#22
So I am trying to follow your howto on this, my question is, do I need to use PF for this? I am doing this on my home network and it will not be forward facing to the Internet.

I am really just at the point of setting up the virtual interface or cloned_interface and it's not working.
When using my tutorial here, yes, you do need to have port redirection (here I use PF). Depending on your setup you may not need to have PF/filtering at all when setting up jails.

The error you showed is due to incorrect ifconfig syntax. create is to be used only when the interface is created. On the fly an alias can be added by ifconfig em0 alias 10.150.1.90 netmask 255.255.255.0.
 

royskatt

#23
Since I don't want to use ZFS, could anyone please tell me the UFS equivalent of

Code:
zfs create -o mountpoint=/local/jails zpool/jails
chmod 700 /local/jails && chown root:wheel /local/jails
?

Thank you!
 
_martin (OP)

#24
Since I don't want to use ZFS, could anyone please tell me the UFS equivalent of

Code:
zfs create -o mountpoint=/local/jails zpool/jails
chmod 700 /local/jails && chown root:wheel /local/jails
?

Thank you!
As you said, you are using UFS, so you just create the directory and set the permissions.

mkdir /local/jails && chmod 700 /local/jails && chown root:wheel /local/jails
 

ANx

#25
FreeBSD 11.0
With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails with ezjail-admin is no longer possible. It's required to have jails defined in /etc/jail.conf. We can still use ezjail-admin to set them up. A little bit of manual work is needed here.
Hi _martin, thank you for this great tutorial. I'm currently using RELEASE-11.1 and successfully followed your tutorial. One thing I noted while following this tutorial is that /usr/jails/flavour/etc/rc.d/ezjail.flavour.jailflavor can no longer contain dots in the name; I used underscores instead and it worked.

One question related to the above quoted part: ezjail-admin seems to work for both creating and accessing the jail console. If you still have patience, please help me understand why I need to take particular actions for 11 and above (being above my assumption).

Happy new year Everyone.

Regards,
ANx