• disable syslogd's network access with -ss flags

  sysrc syslogd_flags="-ss"

• bind sshd to specific IP

  /etc/ssh/sshd_config

  ListenAddress 10.0.0.1

To Do:

sysrc jail_enable="YES"
service jail enable

/etc/jail.conf

$j="/jails";
path="$j/$name";
host.hostname="$name.domain.com";
 
mount.devfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
 
#BASE {
#	ip4.addr="10.0.0.70";
#       path="/jails/BASE"
#}

zfs create -o quota=30G zroot/jails/BASE
cd /usr/src
make installworld DESTDIR=/jails/BASE
make distribution DESTDIR=/jails/BASE

• grab the base and lib32 tarballs for your FreeBSD version

  fetch https://download.freebsd.org/ftp/snapshots/amd64/12.2-PRERELEASE/base.txz
  fetch https://download.freebsd.org/ftp/snapshots/amd64/12.2-PRERELEASE/lib32.txz

• extract snapshot tarballs to jail path

  tar -xf base.txz -C /jails/BASE
  tar -xf lib32.txz -C /jails/BASE

touch /jails/BASE/etc/fstab /jails/BASE/etc/rc.conf
mkdir -p /jails/BASE/usr/local/etc/pkg/repos
cp /usr/local/etc/pkg/repos/FreeBSD.conf /jails/BASE/usr/local/etc/pkg/repos
cp /etc/localtime /jails/BASE/etc/
cp /etc/resolv.conf /jails/BASE/etc/
echo 'sendmail_enable="NO"' >> /jails/BASE/etc/rc.conf
echo 'ntpd_enable="NO"' >> /jails/BASE/etc/rc.conf
echo 'sshd_enable="YES"' >> /jails/BASE/etc/rc.conf

• jails don't use fstab, but some programs need it

  touch /jails/BASE/etc/fstab

• jails will probably be in same timezone as host

  cp /etc/localtime /jails/BASE/etc/

• don't need to configure dns servers

  cp /etc/resolv.conf /jails/BASE/etc/

• don't need sendmail

  echo "sendmail_enable="NO"" >> /jails/BASE/etc/rc.conf

• no need to run ntpd since jail cannot change time

  echo "ntpd_enable="NO"" >> /jails/BASE/etc/rc.conf

• enable sshd

  echo "sshd_enable="YES"" >> /jails/BASE/etc/rc.conf

pkg -j BASE install nano zsh git-lite python37 py37-pip
jexec -l BASE adduser
jexec -l -U sleepy BASE git clone https://gitlab.com/ikiryuta/dotfiles.git
jexec -l -U sleepy BASE /home/sleepy/dotfiles/install_links.sh
jexec -l BASE /home/sleepy/dotfiles/install_links.sh
jexec -l BASE chsh -s zsh
jexec -l -u sleepy BASE mkdir /home/sleepy/.ssh
cp ~sleepy/.ssh/authorized_keys_jails /jails/BASE/home/sleepy/.ssh/authorized_keys
jexec -l BASE chown -R sleepy:sleepy /home/sleepy/.ssh
jexec -l BASE chmod 700 /home/sleepy/.ssh
jexec -l BASE chmod 600 /home/sleepy/.ssh/authorized_keys

Snapshot the BASE jail

zfs snapshot zroot/jails/BASE@CLEAN_JAILS_BASE

• create new jail dataset

  zfs clone zroot/jails/BASE@2020-09-21_12.2-PRERELEASE_clean zroot/jails/python

• add entry to /etc/jail.conf for new jail

  /etc/jail.conf

  python {
  	ip4.addr="10.0.0.50";
  }

• add entry to /etc/rc.conf new jail ip alias

  /etc/rc.conf

  ifconfig_igb0_alias2="inet 10.0.0.50 netmask 255.255.255.0"

  or

  /etc/rc.conf

  ifconfig_igb0_aliases="inet 10.0.0.49-69 netmask 255.255.255.0"

assuming you have already built and installed world and kernel. Stop the running jail(s) first.

cd /usr/make
make installworld DESTDIR=/jails/path
mergemaster -iFU -D /jails/path

Script to automate the updates, just make sure to update the jails paths.

jails_update.sh

jails="/jails/postgres /jails/python /jails/nginx /jails/bitbot"
 
cd /usr/src
 
for jail in $jails
do
    make installworld DESTDIR=$jail
    mergemaster -iFU -D $jail
done

freebsd-update -b /jails/path fetch
freebsd-update -b /jails/path install

• create ZFS dataset with 20% reserve quota

  zfs create -o quota=300G -o mountpoint=/jails zroot/jails

• replace hardcoded jail paths with variable

  export jail=/jails/BASE
  echo $jail

• add UTF8 configuration to BASE jail
• need to create alias for jail ip on hosts network interface during jail creation.
  • using ifconfig for one-time use

    ifconfig igb0 alias 10.0.0.92 netmask 255.255.255.0

  • permanent using rc.conf

    /etc/rc.conf

    ifconfig_igb0_alias2="10.0.0.92 netmask 255.255.255.0"