Here is the script to automatically start VIMAGE and non-VIMAGE jails during boot-up.
This script was updated to work with FreeBSD 11 and it may work with older releases. Please do let me know if there are further improvements that can be made and I'll update this post. Thanks!
You must know how to do the following:
1) Create a jail
2) Customize and re-compile the GENERIC kernel
3) VIMAGE is highly experimental and it's not ready for production. Do it at your own risk.
You will need to edit /etc/rc.conf to include the following lines to start jails at boot. It is recommended to use ezjail for jail management since it offers excellent tools such as create, destroy, update and console. It simplifies managing jails.
Code:
#ezjail_enable="YES" # Leave this disabled: the ezjail rc script is not supported under FreeBSD 11
jail_enable="YES"
I use FreeBSD's
service jail [start|stop|restart] [jail_name]
to start or stop jails at the command line.
Officially, ezjail does not support VIMAGE as it's still highly experimental. You will need to add
options VIMAGE
to /usr/src/sys/amd64/conf/GENERIC and re-compile the kernel.
The following needs to be added to /etc/rc.conf. A firewall on the host is not required.
Code:
# Network configuration
ifconfig_igb0="inet 192.168.1.100 netmask 255.255.255.0"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm igb0"
# Jail
jail_enable="YES"
jail_list="jail1 jail2"
# Firewall - Enable this if you want to use a firewall inside the host
#pf_enable="YES"
#pflog_enable="YES"
Packet filtering settings for the bridge, used when running a firewall on the host. You can ignore these as they are not required. Note that with pfil_bridge and pfil_member both set to 0, traffic that is only bridged between igb0 and a jail's epair interface bypasses the host's packet filter, so such a jail is protected only by a firewall running inside the jail itself.
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
net.link.bridge.pfil_member=0 # Packet filter on the member interface
security.bsd.unprivileged_read_msgbuf=0 # Keep unprivileged users (jailed ones included) from reading the kernel message buffer
# This is only for routing tables if any
# (do not create default routing tables for all FIB's)
net.add_addr_allfibs=0
This is required for jail and VIMAGE to work correctly.
/etc/jail.conf
Code:
# Jail configuration - /etc/jail.conf
allow.mount;
allow.raw_sockets = "1"; # Needed for ping/traceroute inside the jail; also lets the jail craft raw packets
allow.set_hostname = "0"; # The jail cannot change its own hostname
allow.sysvipc = "1";
host.hostname = "${name}.local";
path = "/jails/${name}";
mount = "/jails/basejail /jails/${name}/basejail nullfs ro 0 0"; # Use this mount for ezJail's jails
#mount.fstab = "/etc/fstab.${name}"; # Optional: mount external fstab files
mount.devfs;
mount.fdescfs;
mount.procfs;
devfs_ruleset = "4"; # devfsrules_jail from /etc/defaults/devfs.rules: hides most host devices from the jail
exec.clean;
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_${name}_console.log";
# Jail with VIMAGE
jail1 {
$if = "0"; # epair index; must be unique for every VIMAGE jail
$ip_addr = "192.168.1.101"; # Jail ipv4 address
$ip_route = "192.168.1.100"; # Gateway or host's ipv4 address
$ip6_addr = "fe00::1"; # Jail ipv6 address
$ip6_route = "fe00::"; # Gateway or host's ipv6 address
vnet;
vnet.interface = "epair${if}b";
exec.prestart = "ifconfig epair${if} create up";
exec.prestart += "ifconfig bridge0 addm epair${if}a";
exec.start = "/sbin/ifconfig epair${if}b inet ${ip_addr} up";
exec.start += "/sbin/ifconfig epair${if}b inet6 ${ip6_addr} up";
exec.start += "/sbin/route add default -gateway ${ip_route}";
exec.start += "/sbin/route add -inet6 default -gateway ${ip6_route}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.poststop = "ifconfig epair${if}a destroy";
persist;
}
# Jail without VIMAGE
jail2 {
ip4.addr = "192.168.1.102"; # IP4 address
ip6.addr = "fe00::2"; # IP6 address (optional); must differ from jail1's address on the same bridge
interface = "igb0"; # Network interface
mount += "/mnt/media1 /jails/jail2/mnt/media1 nullfs rw 0 0"; # This is optional to add more mounts for jail
mount += "/mnt/media2 /jails/jail2/mnt/media2 nullfs rw 0 0"; # This is optional to add more mounts for jail
}
You can use a firewall inside a jail with VIMAGE, but you will have to add the following lines to /etc/rc.conf inside the jail. Use IPFW, as it's the only firewall that works well inside a jail with VIMAGE. Using a different firewall such as PF inside the jail will cause problems. That is why VIMAGE is highly experimental.
Code:
# Jail Firewall - Enable this if you want to use a firewall inside the jail
firewall_enable="YES"
firewall_type="open" # "open" loads a pass-everything ruleset; replace it with your own rules once ipfw is confirmed working in the jail
Revision History:
21/12/14 - Added 'route add default' and cleaned up the script
22/05/15 - Added firewall options to /etc/rc.conf
26/05/15 - Added ${path} to jail.conf
31/07/16 - Removed loopback interface. Added ipv6 support
26/09/16 - Updated jail.conf
20/10/16 - Updated the guide for FreeBSD 11
30/10/16 - Updated the mount point