freebsd:jails

Setting up Host

  • disable syslogd's network access with -ss flags
    sysrc syslogd_flags="-ss"
  • bind sshd to specific IP
    /etc/ssh/sshd_config
    ListenAddress 10.0.0.1

To Do:

sysrc jail_enable="YES"
service jail enable
/etc/jail.conf
$j="/jails";
path="$j/$name";
host.hostname="$name.domain.com";
 
mount.devfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
 
#BASE {
#	ip4.addr="10.0.0.70";
#       path="/jails/BASE"
#}

Create zfs jail base

Create from source

zfs create -o quota=30G zroot/jails/BASE
cd /usr/src
make installworld DESTDIR=/jails/BASE
make distribution DESTDIR=/jails/BASE

Create from release tarball

  • grab the base and lib32 tarballs for your FreeBSD version
    fetch https://download.freebsd.org/ftp/snapshots/amd64/12.2-PRERELEASE/base.txz
    fetch https://download.freebsd.org/ftp/snapshots/amd64/12.2-PRERELEASE/lib32.txz
  • extract snapshot tarballs to jail path
    tar -xf base.txz -C /jails/BASE
    tar -xf lib32.txz -C /jails/BASE

Configure zfs jail base

touch /jails/BASE/etc/fstab /jails/BASE/etc/rc.conf
mkdir -p /jails/BASE/usr/local/etc/pkg/repos
cp /usr/local/etc/pkg/repos/FreeBSD.conf /jails/BASE/usr/local/etc/pkg/repos
cp /etc/localtime /jails/BASE/etc/
cp /etc/resolv.conf /jails/BASE/etc/
echo 'sendmail_enable="NO"' >> /jails/BASE/etc/rc.conf
echo 'ntpd_enable="NO"' >> /jails/BASE/etc/rc.conf
echo 'sshd_enable="YES"' >> /jails/BASE/etc/rc.conf
  • jails don't use fstab, but some programs expect the file to exist
    touch /jails/BASE/etc/fstab
  • jails will probably be in the same timezone as the host
    cp /etc/localtime /jails/BASE/etc/
  • no need to configure DNS servers separately; reuse the host's
    cp /etc/resolv.conf /jails/BASE/etc/
  • don't need sendmail
    echo 'sendmail_enable="NO"' >> /jails/BASE/etc/rc.conf
  • no need to run ntpd, since a jail cannot change the system time
    echo 'ntpd_enable="NO"' >> /jails/BASE/etc/rc.conf
  • enable sshd
    echo 'sshd_enable="YES"' >> /jails/BASE/etc/rc.conf

Install typical packages, add a user, install dotfiles, copy keys.

pkg -j BASE install nano zsh git-lite python37 py37-pip
jexec -l BASE adduser
jexec -l -U sleepy BASE git clone https://gitlab.com/ikiryuta/dotfiles.git
jexec -l -U sleepy BASE /home/sleepy/dotfiles/install_links.sh
jexec -l BASE /home/sleepy/dotfiles/install_links.sh
jexec -l BASE chsh -s zsh
jexec -l -u sleepy BASE mkdir /home/sleepy/.ssh
cp ~sleepy/.ssh/authorized_keys_jails /jails/BASE/home/sleepy/.ssh/authorized_keys
jexec -l BASE chown -R sleepy:sleepy /home/sleepy/.ssh
jexec -l BASE chmod 700 /home/sleepy/.ssh
jexec -l BASE chmod 600 /home/sleepy/.ssh/authorized_keys

Snapshot the BASE jail

zfs snapshot zroot/jails/BASE@CLEAN_JAILS_BASE

Create jail

  • create new jail dataset
    zfs clone zroot/jails/BASE@CLEAN_JAILS_BASE zroot/jails/python
  • add entry to /etc/jail.conf for new jail
    /etc/jail.conf
    python {
    	ip4.addr="10.0.0.50";
    }
  • add an IP alias for the new jail to /etc/rc.conf
    /etc/rc.conf
    ifconfig_igb0_alias2="inet 10.0.0.50 netmask 255.255.255.0"

    or

    /etc/rc.conf
    ifconfig_igb0_aliases="inet 10.0.0.49-69 netmask 255.255.255.0"
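As an added example (not part of the wiki page), a small sh helper that wraps the three steps above: it validates the jail name and IPv4 address, then prints the zfs clone command, the jail.conf stanza and the rc.conf alias line to apply. It assumes the snapshot name zroot/jails/BASE@CLEAN_JAILS_BASE from the snapshot step and the igb0 interface from the page; the alias index is an argument.

```shell
#!/bin/sh
# Added example, not from the wiki page: turn the three "Create jail" steps into
# a checked plan. Assumes the snapshot zroot/jails/BASE@CLEAN_JAILS_BASE and the
# igb0 interface used on the page; the rc.conf alias index is an argument.
set -eu

# Jail names end up as dataset names and hostnames, so allow only [A-Za-z0-9_-].
valid_jail_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dotted-quad IPv4 check: exactly four numeric octets, each 0-255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -f
    set -- $1
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# /etc/jail.conf stanza for NAME with address IP (same shape as the page's entry).
jail_conf_stanza() {
    printf '%s {\n\tip4.addr="%s";\n}\n' "$1" "$2"
}

# /etc/rc.conf alias line for address IP using alias index IDX.
rc_conf_alias() {
    printf 'ifconfig_igb0_alias%s="inet %s netmask 255.255.255.0"\n' "$2" "$1"
}

# Validate NAME and IP, then print everything to apply; returns 1 on bad input.
new_jail_plan() {
    name=$1; ip=$2; idx=$3
    valid_jail_name "$name" || { echo "bad jail name: $name" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    echo "zfs clone zroot/jails/BASE@CLEAN_JAILS_BASE zroot/jails/$name"
    echo "# append to /etc/jail.conf:"
    jail_conf_stanza "$name" "$ip"
    echo "# append to /etc/rc.conf:"
    rc_conf_alias "$ip" "$idx"
}

# Usage: ./new_jail_plan.sh python 10.0.0.50 2
if [ $# -eq 3 ]; then new_jail_plan "$@"; fi
```

The script only prints the plan; review it, then run the clone and append the two fragments yourself.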

Updating jails

using source

This assumes you have already built and installed world and kernel on the host. Stop the running jail(s) first.

cd /usr/src
make installworld DESTDIR=/jails/path
mergemaster -iUF -D /jails/path

jails_update.sh

Script to automate the updates; just make sure to update the jail paths first.

jails_update.sh
#!/bin/sh
# Reinstall world into each jail from the already built /usr/src tree.
# Stop the jails before running this.
jails="/jails/postgres /jails/python /jails/nginx /jails/bitbot"
 
cd /usr/src
 
for jail in $jails
do
    make installworld DESTDIR=$jail
    # -i installs new files, -C auto-merges unchanged config files
    mergemaster -i -C -D $jail
done

using freebsd-update binaries

freebsd-update -b /jails/path fetch
freebsd-update -b /jails/path install

To Do

  • create ZFS dataset with 20% reserve quota
    zfs create -o quota=300G -o mountpoint=/jails zroot/jails
  • replace hardcoded jail paths with variable
    export jail=/jails/BASE
    echo $jail
  • add UTF8 configuration to BASE jail
freebsd/jails.1602109562.txt.gz · Last modified: (external edit)