jails Running Linux in a Jail

I see messages about people running Linux in a Jail and have no idea about how to go about it.

Can someone suggest a guide? And does it apply to all Linux flavours, or just Debian and Ubuntu?
 
Many thanks, Holger. I tried to incorporate your instructions into the following script:-
Bash:
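#!/bin/sh

export JAILNAME="Linux"
export JAIL="/usr/jail/$JAILNAME"

mkdir -p "$JAIL"

# Mount points for the fstab entries written below.
for DIR in /dev/fd /dev/shm /tmp /proc /sys; do mkdir -p "$JAIL$DIR"; done

pkg install -y debootstrap
# --no-check-gpg makes debootstrap skip verifying the signature on the archive's Release file.
debootstrap --arch=amd64 --no-check-gpg focal "$JAIL"

# File systems mounted into the jail at start (referenced by mount.fstab below).
cat <<EOF > "$JAIL/etc/fstab"
 devfs           $JAIL/dev      devfs           rw                      0       0
 tmpfs           $JAIL/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0
 fdescfs         $JAIL/dev/fd   fdescfs         rw,linrdlnk             0       0
 linprocfs       $JAIL/proc     linprocfs       rw                      0       0
 linsysfs        $JAIL/sys      linsysfs        rw                      0       0
 /tmp            $JAIL/tmp      nullfs          rw                      0       0
EOF

# Append the jail definition; the shell expands the variables when the file is written.
cat <<EOF >> /etc/jail.conf
$JAILNAME {
    host.hostname="$JAILNAME";
    ip4.addr= 192.168.1.111;
    path="$JAIL";
    allow.raw_sockets=1;
    exec.start='/bin/true';
    exec.stop='/bin/true';
    persist;
    mount.fstab="$JAIL/etc/fstab";
}
EOF

# Load the 64-bit Linux ABI module now and add it to the modules loaded at boot.
kldload linux64
sysrc kld_list+="linux64"
sysrc jail_enable=YES

service jail start "$JAILNAME"
jls
jexec "$JAILNAME" /bin/bash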

This seems to work, but I get the following when entering the jail:-

Code:
root@X1:/etc# jexec Linux /bin/bash
groups: cannot find name for group ID 0
groups: cannot find name for group ID 5
I have no name!@Linux:/#
Looks like I'm missing something... Any idea what I've overlooked?
 
It appears your jail does not have a hostname and you might be missing /etc/group?
root@X1:/# cat /etc/jail.conf:-
Code:
Linux {
    host.hostname="Linux";
    ip4.addr= 192.168.1.111;
    interface = wlan0;
    path="/usr/jail/Linux";
    allow.raw_sockets=1;
    exec.start='/bin/true';
    exec.stop='/bin/true';
    persist;
    mount.fstab="/usr/jail/Linux/etc/fstab";
}

service jail start Linux
Starting jails: Linux.

jls
Code:
   JID  IP Address      Hostname                      Path
     1  192.168.1.108   openwrt                       /usr/jail/openwrt
     2  192.168.1.109   FreeBSD                       /usr/jail/FreeBSD
     3  192.168.1.110   mfsbsd                        /usr/jail/mfsbsd
     5  192.168.1.111   Linux                         /usr/jail/Linux

As for users and groups, I have no idea how they should be dealt with in a jail. Does the jail inherit the values from the host or should the jail have its own? I didn't see any reference for handling these in the guide I followed.
 
The linux jail gets its groups from /etc/group within its directory root. So, if you install your linux environment under /jail/linux, then it's going to be under /jail/linux/etc/group. /compat/linux is not required for that. That's used not for linux jails but for linux compatibility in the host system.

You need to have linux compatibility turned on, otherwise it won't work. I.e. sysrc linux_enable=YES && service linux start. This ensures that all required linuxkpi kernel modules are loaded for the compatibility layer to be available.


If you use i.e. debootstrap, this should all be set up out of the box. See https://wiki.freebsd.org/LinuxJails

If your posts up there are from your system: what's under /usr/jails/Linux and /usr/jails/Linux/etc/group in particular? Watch the uppercase L there.
 

As for users and groups, I have no idea how they should be dealt with in a jail. Does the jail inherit the values from the host or should the jail have its own? I didn't see any reference for handling these in the guide I followed.
I always use adduser(8) and explicitly create users in a jail. I.e.
Code:
jexec my-jail sh
adduser myuser
 
The linux jail gets its groups from /etc/group within its directory root. So, if you install your linux environment under /jail/linux, then it's going to be under /jail/linux/etc/group. /compat/linux is not required for that. That's used not for linux jails but for linux compatibility in the host system.
/usr/jail/Linux/etc/group is missing from the jail's filesystem. The rest looks fine though.

You need to have linux compatibility turned on, otherwise it won't work. I.e. sysrc linux_enable=YES && service linux start. This ensures that all required linuxkpi kernel modules are loaded for the compatibility layer to be available.


If you use i.e. debootstrap, this should all be set up out of the box. See https://wiki.freebsd.org/LinuxJails

If your posts up there are from your system: what's under /usr/jails/Linux and /usr/jails/Linux/etc/group in particular? Watch the uppercase L there.
I installed sysutils/debootstrap but then ran debootstrap --arch=amd64 --no-check-gpg focal /usr/jail/Linux.

According to https://wiki.freebsd.org/LinuxJails I should have run debootstrap bionic /compat/ubuntu

Maybe I created problems for myself by naming my jail Linux instead of ubuntu like all the examples show.

I think I will start again from scratch.

Does debootstrap install /etc/group?
 
If you want to run an entire Linux system inside a jail, check the LinuxJails page on the FreeBSD Wiki. That’s the guide you’re looking for. The Linuxulator page is more about the underlying compatibility layer itself. For jails, Debian/Ubuntu are the best supported, though other Linux flavors may work with more tinkering.
 
The “I have no name!” prompt happens because your jail’s /etc/passwd and /etc/group don’t have entries for UID 0 and GID 0/5.

Easiest fix: inside the jail run:

apt-get update
apt-get install passwd

That will populate the missing files.

Or, if you just want to patch it manually, add these lines:

/usr/jail/Linux/etc/passwd

root:x:0:0:root:/root:/bin/bash

/usr/jail/Linux/etc/group

root:x:0:
tty:x:5:

After that you’ll get a proper root@Linux:/# prompt instead of “I have no name!”.
 
You’re seeing “I have no name!” because your jail’s Linux root filesystem is missing proper user/group info. A FreeBSD jail does not inherit users from the host — it needs its own /etc/passwd and /etc/group.

Quick fix:

1. Inside the jail, run:

apt-get update
apt-get install passwd

This populates /etc/passwd and /etc/group.

2. Or manually add the minimal entries:

/usr/jail/Linux/etc/passwd:

root:x:0:0:root:/root:/bin/bash

/usr/jail/Linux/etc/group:

root:x:0:
tty:x:5:

3. Make sure Linux compatibility is enabled on the host:

sysrc linux_enable=YES
service linux start

Restart the jail and enter it again:

service jail stop Linux
service jail start Linux
jexec Linux /bin/bash

You should now see a proper prompt and groups/id will work correctly.
 
According to Holger's guide, there is no mention of Configuring Linux Binary Compatibility so I am not sure if this is required or not. Also I have no /compat/linux. What creates such a directory?

And where does the Linux jail get its users defined?
The /compat/linux directory doesn’t appear automatically — it’s created when you install the FreeBSD Linux compatibility base.

You need to install it (choose a version, e.g., Ubuntu Focal) and enable Linux compatibility on the host:

pkg install emulators/linux_base-focal
sysrc linux_enable=YES
service linux start

After this, /compat/linux will exist. It’s required for running Linux binaries inside your jail — without it, the Linux jail can’t fully function.

So yes, even if Holger’s guide doesn’t mention it, you must configure Linux Binary Compatibility for the jail to work correctly.
 
Just to clarify a few points:

1. The “I have no name!” messages come from missing or incomplete /etc/passwd and /etc/group inside the jail’s root (/usr/jail/Linux/etc/). The jail does not inherit users/groups from the host. Minimal entries should include:

/usr/jail/Linux/etc/passwd:
root:x:0:0:root:/root:/bin/bash

/usr/jail/Linux/etc/group:
root:x:0:
tty:x:5:

2. /compat/linux is not required for a Linux jail. That directory is for running Linux binaries on the host using the Linuxulator; the jail itself only needs a proper Linux userland (e.g., debootstrap Debian/Ubuntu) and Linux compatibility enabled.

3. Make sure Linux compatibility is enabled on the host so that the jail can run Linux binaries:

sysrc linux_enable=YES
service linux start

This ensures the required linuxkpi kernel modules are loaded.

4. After confirming /etc/passwd and /etc/group inside the jail, restart it:

service jail stop Linux
service jail start Linux
jexec Linux /bin/bash

You should now get a proper prompt and groups/id will work correctly.



Quick check: inside /usr/jail/Linux/etc/group — make sure the file exists and contains the needed entries. Uppercase “L” matters: /usr/jail/Linux is not the same as /usr/jail/linux.
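
The check the replies describe, runnable from the host, as an added example that is not part of any post in the thread: it tests whether the jail's own /etc/passwd and /etc/group resolve UID 0 and GIDs 0 and 5, and can append the minimal entries quoted above. The function names and the script name check_ids.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.

# has_id FILE ID: succeed if colon-separated FILE has a line whose 3rd field is ID.
has_id() {
    [ -r "$1" ] && awk -F: -v id="$2" '$3 == id { found = 1 } END { exit !found }' "$1"
}

# check_jail_ids ROOT: report the IDs from the thread (UID 0, GID 0, GID 5)
# that the jail's own files cannot resolve; exit status = number missing.
check_jail_ids() {
    root=$1
    missing=0
    for spec in passwd:0 group:0 group:5; do
        file=$root/etc/${spec%%:*}
        id=${spec##*:}
        if ! has_id "$file" "$id"; then
            echo "missing: id $id in $file"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# repair_jail_ids ROOT: append only those minimal entries quoted in the thread
# that are absent, so running it twice never duplicates a line.
repair_jail_ids() {
    root=$1
    has_id "$root/etc/passwd" 0 || echo 'root:x:0:0:root:/root:/bin/bash' >> "$root/etc/passwd"
    has_id "$root/etc/group" 0 || echo 'root:x:0:' >> "$root/etc/group"
    has_id "$root/etc/group" 5 || echo 'tty:x:5:' >> "$root/etc/group"
}

# Usage on the host: sh check_ids.sh /usr/jail/Linux
if [ -n "${1:-}" ]; then
    check_jail_ids "$1" || echo "entries missing; repair_jail_ids would append them"
fi
```
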
 