[HowTo] Setup Jail made simple

[dech]

Moin,
Since many people ask me on how to simplify the Setupprocess of a jail I have a few hints.

Code: Select all

Do what you whant.
Don't blame me if something f_* up.

# zfs create -o mountpoint=/jails zm/jails

# mkdir /jails/files
# mkdir /jails/proto

# cd /jails/files
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/`uname -m`/`uname -m`/`uname -r | cut -d- -f1-2`/base.txz


# cd /jails/files
# tar xvf base.txz -C /jails/proto
# cp /etc/resolv.conf /jails/proto/etc/

# jail -c path=/jails/proto \
name=proto \
host.hostname=proto.fantaranch.tld \
ip4.addr=192.168.1.112 \
interface=bge0 \
mount.devfs \
persist

see man jail for additional settings like mounting drives.
http://www.freebsd.org/cgi/man.cgi?query=jail&manpath=FreeBSD+9.1-RELEASE

# jls
JID  IP Address      Hostname                      Path
     1  192.168.1.112   proto.fantaranch.tld          /jails/proto

# jexec proto hostname
proto.fantaranch.tld

Autostart of "proto" jail

Open WebUI

- System|Advanced|Command scripts
- Add Command with "+" 
Command = /usr/sbin/jail -c path=/jails/proto name=proto host.hostname=proto.fantaranch.tld ip4.addr=192.168.1.112 interface=bge0 mount.devfs persist
Type = PostInit

[alexey123]

1. TheBrig extension have NAS4Free webgui for build and control jails more simple
2. Build jails on folder /jail (only one step from root) is not good idea. This way not will work stable. For example original Freebsd jail environment have path /usr/jail - 2 step from root.

[dech]

Moin,
1. Using a UI is just a matter of personal flavour.
1.1 Personally I like "The Warden" or ezjail. With the warden its also much more simple to jail a debian linux.
2. orginal FreeBSD has no default path. Please explain why it would not work stable? Using it since years this way.

dech

[raulfg3]

please , no jails wars here, both aproach are valid, one is better for power user that know what do ( dech ) and other is desinged to facilitate life to non power users (thebrig) alexey.

[dech]

Moin,
thats no jail war. I just like to know why using /jails as the root for the jails is bad idea.
Also the tool you use for creating jails is just a matter of personal flavour.

dech

[alexey123]

Moin,
1. Using a UI is just a matter of personal flavour.
1.1 Personally I like "The Warden" or ezjail. With the warden its also much more simple to jail a debian linux.

TheBrig have some functions as webmin module for jail. You can create and manage jails with webgui, your config stored into nas4free config.xml - so if you have zero problem with upgrade parent system.

2. orginal FreeBSD has no default path. Please explain why it would not work stable? Using it since years this way.

Because Freebsd security limits - sysctl security.jail.enforce_statfs =2 and set it to 0 === mount to /, or 1 === mount to /Folder is not recommended. I checked jail, building on ~ 15 motherboard, when it building on /jail it not start stable. Some users says about such behavior his jails.
See man http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8
Part examples/
It not have any example with path /jail.
As result security.jail.enforce_statfs =2 - you can not give to work symbolic links and mounts for path / or /Folder

When I created jails on machine with not stable start up bahvior, but jails was building on /mnt/jail or /usr/jail - it was work without problem

please , no jails wars here, both aproach are valid, one is better for power user that know what do ( dech ) and other is desinged to facilitate life to non power users (thebrig) alexey.

Raul, this is not jail war.
I was have problem with wiki-building jail, and anyone not help me. I begin to learn how it work - and as result we have TheBrig as is. It work on full and embedded version, jail start and shutdown procedures created for very strong way.
Jail is very good idea, but if dech wrote article about it, he need help for another users for understanding and edit article when another user find error

[dech]

Moin,
yes, your are right with the /jail path. Primary reason I dont notice it cause I use only NFS for my jails. This avoid most of the problems with mounts. When I wrote the wiki article I used nullfs cause people are more familar with this.

dech

[alexey123]

If you mount any for / , also over nfs, you need mount it as read only. This is not a way

If you inspect original freebsd etc/rc.d/jail file, you can find strings

# REQUIRE: LOGIN cleanvar
# BEFORE: securelevel

I was send request for change it for nas4free building.

[dech]

Moin,
the mounts are not in the servers root, they are under /jails/<jailname>/mountpoint