jails Issue while following the handbook to create a Thin Jail using NullFS

I am trying to create my first Jail, my host system is FreeBSD 13.2 and uses UFS. I am aiming to create thin jails for my workstation as my disk space is limited.

It is my understanding that Chapter 17 of the Handbook, which covers the manual creation of jails, covers this case.

I include the steps I follow mirroring the handbook, including some listing of the files and the error I get.
I do also have some questions regarding the procedure:

a) At step 3, when the handbook creates the template using 13.2-RELEASE-base, what is the purpose of the template folder (/usr/local/jails/templates/13.2-RELEASE-base/)?
b) At step 3, what is the difference between /usr/local/jails/templates/13.2-RELEASE-base and /usr/local/jails/templates/13.2-RELEASE-skeleton? What is the purpose of each one?
c) What is the fstab file actually doing? (In this particular context, what are we mounting and why?)

1. Create the folder structure

Code:
# mkdir /usr/local/jails/
# mkdir /usr/local/jails/media
# mkdir /usr/local/jails/templates
# mkdir /usr/local/jails/containers

2. Create the configuration file

Code:
# vim /etc/jail.conf.d/thinjail.conf
thinjail {

        # STARTUP/LOGGING
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_console_${name}.log";

        # PERMISSIONS
        allow.raw_sockets;
        exec.clean;
        mount.devfs;

        # HOSTNAME/PATH
        host.hostname = "${name}";
        path = "/usr/local/jails/containers/thinjail";

        # NETWORK
        ip4.addr = 192.168.178.202;
        interface = em0;

}

3. Create a Thin Jail using NullFS

Code:
# mkdir /usr/local/jails/templates/13.2-RELEASE-base
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE-base --unlink
# cp /etc/resolv.conf /usr/local/jails/templates/13.2-RELEASE-base/etc/resolv.conf
# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE-base/etc/localtime
# freebsd-update -b /usr/local/jails/templates/13.2-RELEASE-base/ fetch install

Code:
# mkdir /usr/local/jails/templates/13.2-RELEASE-skeleton
# mkdir -p /usr/local/jails/templates/13.2-RELEASE-skeleton/home
# mkdir -p /usr/local/jails/templates/13.2-RELEASE-skeleton/usr
# mv /usr/local/jails/templates/13.2-RELEASE-base/etc /usr/local/jails/templates/13.2-RELEASE-skeleton/etc
# mv /usr/local/jails/templates/13.2-RELEASE-base/usr/local /usr/local/jails/templates/13.2-RELEASE-skeleton/usr/local
# mv /usr/local/jails/templates/13.2-RELEASE-base/tmp /usr/local/jails/templates/13.2-RELEASE-skeleton/tmp
# mv /usr/local/jails/templates/13.2-RELEASE-base/var /usr/local/jails/templates/13.2-RELEASE-skeleton/var
# mv /usr/local/jails/templates/13.2-RELEASE-base/root /usr/local/jails/templates/13.2-RELEASE-skeleton/root
# cd /usr/local/jails/templates/13.2-RELEASE-base/
# mkdir skeleton
# ln -s skeleton/etc etc
# ln -s skeleton/home home
# ln -s skeleton/root root
# ln -s skeleton/usr/local usr/local
# ln -s skeleton/tmp tmp
# ln -s skeleton/var var

4. Create the actual jail
It is my understanding that the actual Jail is under containers.

Code:
# mkdir /usr/local/jails/containers/thinjail
# cp -R /usr/local/jails/templates/13.2-RELEASE-skeleton /usr/local/jails/containers/thinjail
# mkdir -p /usr/local/jails/thinjail-nullfs-base
# vim /etc/jail.conf.d/thinjail.conf
thinjail {

        # STARTUP/LOGGING
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_console_${name}.log";

        # PERMISSIONS
        allow.raw_sockets;
        exec.clean;
        mount.devfs;

        # HOSTNAME/PATH
        host.hostname = "${name}";
        path = "/usr/local/jails/containers/thinjail";

        # NETWORK
        ip4.addr = 192.168.178.202;
        interface = em0;

        # MOUNT
        mount.fstab = "/usr/local/jails/thinjail-nullfs-base.fstab";

}
# vim /usr/local/jails/thinjail-nullfs-base.fstab
/usr/local/jails/templates/13.2-RELEASE-base  /usr/local/jails/thinjail-nullfs-base/ nullfs   ro          0 0
/usr/local/jails/containers/thinjail     /usr/local/jails/thinjail-nullfs-base/skeleton nullfs  rw  0 0

At this point the jail shall be created and can be started using:

Code:
# service jail onestart thinjail
Starting jails: cannot start jail  "thinjail":
jail: thinjail: mount.devfs: /usr/local/jails/containers/thinjail/dev: No such file or directory
.

I was advised to create dev in /usr/local/jails/templates/13.2-RELEASE-base/, but the jail could not start.
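As an added example (not code from the Handbook or from this thread), the two checks below run against the directory that jail.conf's path points at, once the fstab mounts are in place, and report what mount.devfs and the skeleton symlinks need before the jail is started. On the layout in the post, where path is the skeleton copy under containers, the first check reports the same missing dev that the mount.devfs error names, and it resolves the Handbook's relative symlinks the way the kernel does, from the directory that holds the link; the directory and file names are arguments, nothing else is assumed.

```shell
#!/bin/sh
# Pre-flight checks for a nullfs thin-jail layout, to run before "service jail start".
# Added example, not code from the Handbook or from this thread. Run it against the
# directory jail.conf's "path" points at, once the fstab mounts are in place.

# check_thinjail_layout <jail path>
# Checks what mount.devfs and the skeleton symlinks need; prints each problem
# and returns 1 if any was found, 0 otherwise.
check_thinjail_layout() {
  jailpath=${1%/}; errs=0
  # mount.devfs mounts on <path>/dev: the extracted base tarball has it, a copy
  # of the skeleton (etc, home, root, tmp, var, usr/local) does not.
  [ -d "$jailpath/dev" ] || { echo "$jailpath/dev missing: mount.devfs will fail"; errs=$((errs+1)); }
  # The writable skeleton must actually be mounted on <path>/skeleton.
  [ -d "$jailpath/skeleton/etc" ] || { echo "$jailpath/skeleton/etc missing: skeleton not mounted"; errs=$((errs+1)); }
  # Each writable directory of the base is a relative symlink into skeleton/.
  # A relative link resolves from the directory holding the link, so the one
  # at usr/local needs a leading ../ that the top-level links do not.
  for d in etc home root tmp var usr/local; do
    if [ ! -L "$jailpath/$d" ]; then
      echo "$jailpath/$d is not a symlink into skeleton/"; errs=$((errs+1))
    elif [ ! -e "$jailpath/$d" ]; then
      echo "$jailpath/$d -> $(readlink "$jailpath/$d") is dangling"; errs=$((errs+1))
    fi
  done
  [ "$errs" -eq 0 ]
}

# check_jail_fstab <jail path> <mount.fstab file>
# Each mount must be nullfs with an existing source and mount point, the mount
# point must lie inside the jail path, and the mount on the jail path itself
# (the shared base) must be read-only so no jail can modify it.
check_jail_fstab() {
  jailpath=${1%/}; fstab=$2; errs=0
  while read -r src mnt fstype opts _; do
    case $src in ''|'#'*) continue ;; esac
    mnt=${mnt%/}
    [ -d "$src" ] || { echo "fstab: source $src does not exist"; errs=$((errs+1)); }
    [ -d "$mnt" ] || { echo "fstab: mount point $mnt does not exist"; errs=$((errs+1)); }
    [ "$fstype" = nullfs ] || { echo "fstab: $mnt uses $fstype, expected nullfs"; errs=$((errs+1)); }
    case $mnt in
      "$jailpath") case ",$opts," in *,ro,*) ;; *) echo "fstab: base on $mnt must be ro"; errs=$((errs+1)) ;; esac ;;
      "$jailpath"/*) ;;
      *) echo "fstab: mount point $mnt is outside $jailpath"; errs=$((errs+1)) ;;
    esac
  done < "$fstab"
  [ "$errs" -eq 0 ]
}
```

Both functions print every problem they find and exit non-zero if there was one, so `check_thinjail_layout /usr/local/jails/thinjail-nullfs-base && check_jail_fstab /usr/local/jails/thinjail-nullfs-base /usr/local/jails/thinjail-nullfs-base.fstab` can gate the service start.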
 
Steps 2 and 4 look very similar...
I cannot see any similarity.
At step 4 the mount.fstab is added to the jail.conf; maybe that is what you describe as the similarity.
These steps are as covered in the Handbook.
 
Why can't the mount.fstab step be added in step 2? That is the only difference that I can see.

Not sure what I'm missing...
 
I do not see any reason to split that either, but I have preserved the original steps found in the handbook. That is totally unrelated to the issue found though.
 
It's a very complicated way to do it, and I think it lacks several soft links to function perfectly. I could show later how ezjail does thin jails.

For now, I may be wrong, but I have the impression that the last line of the fstab is incorrect. I will try:
Code:
/usr/local/jails/thinjail-nullfs-base/skeleton   /usr/local/jails/containers/thinjail   nullfs  rw  0 0
 
I have this done in /etc/jail.conf, hope that helps:

Code:
$parentdir = "<directory where all jails live>";

# default values that will be used by all jails
# (unless overridden in a jail configuration)

# Commands to execute when the jail is started or stopped.
# These commands are executed inside the jail.
exec.start = "/bin/sh /etc/rc"; # Start command: start a full FreeBSD userland
exec.stop = "/bin/sh /etc/rc.shutdown"; # Stop command

# Don't import any environment variables when connecting
# from the host system to the jail (except ${TERM})
exec.clean = "true";

# Mount a devfs filesystem on /dev inside the jail.
mount.devfs; # Mount devfs inside the jail
devfs_ruleset = "6"; # devfs ruleset

# Give each jail its own SYSV IPC message, semaphore and shared memory primitives.
sysvmsg = "new";
sysvsem = "new";
sysvshm = "new";

# Jail named "jailname" for FreeBSD Template OS
jailname { ... }

and in /etc/devfs.rules:

Code:
# Devices usually found in a jail.
# (copy from /etc/defaults/devfs.rules)
[devfsrules_for_jails=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide

The jail has started.
 