My "Thin" Jail Configuration

Hi all, wanted to get a review of my jail configuration. In short, I created a "base" jail and am read-only null-mounting the other jail's static files to it.

Three predicates:
  • /etc/rc.conf will create a bridge0 at startup and add re0 (the public internet) to it.
  • /usr/jail/base is a FreeBSD 11.1 base.txz
  • The IPv6 gateway is 2001:db8::1, addresses are 2001:db8::${id} (RFC 3849), and the legacy IP is 192.168.10.${id}/24
My /etc/jail.conf is as follows:

Code:
test {
  $id             = "9";
  $ipaddr4        = "192.168.10.${id}";
  $ipaddr6        = "2001:db8::${id}";
  $mask           = "255.255.255.0";
  $gw4            = "192.168.10.1";
  $gw6            = "2001:db8::1";
  vnet;
  vnet.interface  = "epair${id}b";

  # Host side: create the epair, attach its "a" end to bridge0 (where re0 lives),
  # then null-mount the shared base directories read-only into this jail's root.
  exec.prestart = "ifconfig epair${id} create up";
  exec.prestart += "ifconfig bridge0 addm epair${id}a up";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/bin /usr/jail/${name}/bin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/sbin /usr/jail/${name}/sbin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/sbin /usr/jail/${name}/usr/sbin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/bin /usr/jail/${name}/usr/bin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/lib /usr/jail/${name}/usr/lib";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/lib32 /usr/jail/${name}/usr/lib32";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/include /usr/jail/${name}/usr/include";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/share /usr/jail/${name}/usr/share";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/lib /usr/jail/${name}/lib";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/boot /usr/jail/${name}/boot";

  # Inside the jail's vnet: bring up lo0 and the "b" end of the epair, then run rc.
  exec.start += "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start += "/sbin/ifconfig epair${id}b inet ${ipaddr4} netmask ${mask} up";
  exec.start += "/sbin/ifconfig epair${id}b inet6 ${ipaddr6} prefixlen 64";
  exec.start += "/sbin/route add default ${gw4}";
  exec.start += "/sbin/route -6 add default ${gw6}";
  exec.start += "/bin/sh /etc/rc";

  # Tear down on the host. umount is given the mount point under this jail's
  # root, not the shared /usr/jail/base source: once several jails null-mount
  # the same source directory, "umount /usr/jail/base/bin" is ambiguous.
  exec.poststop = "ifconfig bridge0 deletem epair${id}a";
  exec.poststop += "ifconfig epair${id}a destroy";
  exec.poststop += "umount /usr/jail/${name}/bin";
  exec.poststop += "umount /usr/jail/${name}/sbin";
  exec.poststop += "umount /usr/jail/${name}/usr/sbin";
  exec.poststop += "umount /usr/jail/${name}/usr/bin";
  exec.poststop += "umount /usr/jail/${name}/usr/lib";
  exec.poststop += "umount /usr/jail/${name}/usr/lib32";
  exec.poststop += "umount /usr/jail/${name}/usr/include";
  exec.poststop += "umount /usr/jail/${name}/usr/share";
  exec.poststop += "umount /usr/jail/${name}/lib";
  exec.poststop += "umount /usr/jail/${name}/boot";

  host.hostname = "${name}.home.network";
  # Must be the same root the null mounts above land in.
  path = "/usr/jail/${name}";
  persist;
  enforce_statfs = 2;
  allow.mount;
  allow.mount.tmpfs;
}

This way, all jails use the same /usr/jail/base, which reduces redundancy of a lot of files.

Thoughts? Other things I should null-mount? Easier ways to do this? Bad idea?
 
I could also do symlinks, but I thought those do not work in a jail?

Also, I didn't understand the second part of your response?
 
> I could also do symlinks, but I thought those do not work in a jail?
Take a look at how ezjail places directories and symbolic links in a jail root file system tree. They work fine, as long as you conform to the chrooted directory hierarchy and mounts.
> Also, I didn't understand the second part of your response?
base.txz on the FreeBSD installation media is an unpatched one, meaning it lacks bug fixes and security updates. You get FreeBSD 11.1-RELEASE instead of 11.1-RELEASE-p9 (patch level 9), which is the current, updated version.
 
Most of the mounting can be done using a /etc/fstab.<jailname> and enabling mount.fstab:
Code:
     mount.fstab
             An fstab(5) format file containing filesystems to mount before
             creating a jail.
 
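As an added example (not posted in this thread), a POSIX sh script that generates the /etc/fstab.<jailname> that mount.fstab consumes from a single list of shared directories, so the mount side and the unmount side can never drift apart the way hand-written exec.prestart/exec.poststop pairs can. It assumes the thread's layout: the base at /usr/jail/base and jail roots at /usr/jail/<name>.

```shell
#!/bin/sh
# Added example: emit fstab(5) entries for a "thin" jail's read-only null
# mounts. Assumed layout (as in the thread): base /usr/jail/base, jail root
# /usr/jail/<name>. jail(8) mounts these itself when jail.conf sets
#   mount.fstab = "/etc/fstab.${name}";
# and unmounts them on stop, so no mount_nullfs/umount exec lines are needed.

# Directories shared read-only from the base; the same set the thread mounts.
RO_DIRS="bin sbin usr/sbin usr/bin usr/lib usr/lib32 usr/include usr/share lib boot"

# gen_fstab BASE JAILROOT -> prints one fstab line per shared directory:
#   device(source)  mountpoint  fstype  options  dump  pass
gen_fstab() {
    base=$1
    root=$2
    for d in $RO_DIRS; do
        printf '%s/%s\t%s/%s\tnullfs\tro\t0\t0\n' "$base" "$d" "$root" "$d"
    done
}

# check_layout JAILROOT -> 0 if every mount point directory exists in the
# jail root (jail -c fails at mount time otherwise), 1 plus a message if not.
check_layout() {
    root=$1
    rc=0
    for d in $RO_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing mount point: $root/$d" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh thin-fstab.sh test > /etc/fstab.test
if [ -n "$1" ]; then
    check_layout "/usr/jail/$1" && gen_fstab /usr/jail/base "/usr/jail/$1"
fi
```

With the generated file in place, the jail.conf above shrinks to the vnet/epair lines, `mount.fstab = "/etc/fstab.${name}";`, and `path`, and the base must still be kept patched (freebsd-update on /usr/jail/base) for the shared binaries to pick up security fixes.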