EZJail Setup

If you're interested in virtual machines and FreeBSD, the jail system is the most economical way to go. EZJail, a utility written by Dirk Engling, makes jail setup easy by using a shared base jail: the FreeBSD base system is installed once, mounted read-only into every jail, and upgraded in one place, so all jails share locked-down binaries that no jail can modify.

These are my notes on setting up a single ezjail on a FreeBSD system. They're mostly cribbed from what you'd find on the internet and in the FreeBSD docs (links above), with some notes of my own added.

You'll need a working FreeBSD system with a built source tree, meaning you've run make buildworld and the /usr/obj directory is loaded with built binaries. EZjail will install this /usr/obj tree into a base jail that is shared, read-only, amongst all jails you create. The ports tree will also be installed into the base jail, but when you build ports inside a jail, the distfiles it downloads are kept per jail.

Let's start.

First, install EZJAIL:

# pkg install ezjail

Make sure EZjail is started at boot by adding this to /etc/rc.conf:

# vi /etc/rc.conf
ezjail_enable="YES"

If you have a source tree, enter the following (-i installs the world from /usr/obj into the base jail, -p fetches the ports tree as well). If you don't have a source tree, ezjail-admin install -p fetches a prebuilt base from the FreeBSD mirrors instead; check the FreeBSD EZjail docs.

# ezjail-admin update -i -p

Next, take a look at the name of your interface by running:

> ifconfig -a 

You should see something like this:

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:18:f3:05:42:bf
        inet 192.168.88.13 netmask 0xffffffff broadcast 192.168.88.13
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active

The short name of the ethernet interface is what we want; it is in the left column: re0. The actual name will depend upon your ethernet hardware.

For our jail name, we will just use alpha.

Next, you'll need to know the IP address and hostname of the jail you want to create.

Generally, you'll choose an IP address on your internal network from a range your router allows free access to. Jails don't use DHCP: their addresses are added as aliases on the host's interface, and as long as the router passes packets for that range, a jail can take any IPv4 address in it. Since our router's IP pool allows free use of 192.168.88.10-255 on the internal network, we will choose 192.168.88.10 as our jail IP. You have to manage this yourself for every jail you create, making sure the address doesn't conflict with one already allocated (the host itself is 192.168.88.13 in the ifconfig output above). EZjail also gives each jail its own loopback alias: a jail cannot use the host's 127.0.0.1, so it gets a 127.0.0.N address on a dedicated cloned loopback interface, lo1, for daemons that bind to localhost. By convention the loopback alias ends in the same octet as the jail's LAN address.

  • where re0 is the name of your host's primary interface,
  • 10 is the last octet of the jail's IP address,
  • and alpha is the hostname of the jail,

run:

# ezjail-admin create alpha 'lo1|127.0.0.10,re0|192.168.88.10'

NOTE: Ending the loopback alias in the same octet as the LAN address is a convention, not a requirement, but it keeps the two easy to match. lo1 is a cloned loopback interface on the host, separate from lo0, reserved for the jails' loopback aliases; it has to exist before the jail starts, so create it on the host with ifconfig and make it persistent in the host's /etc/rc.conf. List the loopback alias first: the first address given is the jail's primary address, the one 127.0.0.1 maps to inside the jail, so daemons that bind to localhost stay off the LAN interface.

Here is another example for a jail called junk created on free quad 12 of the same host:

# ezjail-admin create junk 'lo1|127.0.0.12,re0|192.168.88.12'
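Here is the create step scripted with the checks worth doing before running it. This is an added example, not part of ezjail or the FreeBSD docs. It assumes the re0 interface, the 192.168.88.0/24 network and the lo1 loopback used above, validates the jail name and the last octet, refuses an address the host already carries or that something on the LAN answers, creates lo1 if it is missing (persisting it through cloned_interfaces in the host's /etc/rc.conf), and only then calls ezjail-admin create. The interface, prefix and jail names are the constructed ones from this page.

```sh
#!/bin/sh
# mkjail.sh: wrap "ezjail-admin create" with the checks worth doing first.
# Added example, not part of ezjail. Assumptions (constructed for this page):
# host LAN interface re0, LAN prefix 192.168.88, per-jail loopback aliases
# 127.0.0.<octet> on the cloned interface lo1.
set -eu

IFACE="${IFACE:-re0}"
LAN_PREFIX="${LAN_PREFIX:-192.168.88}"
LO_IFACE="lo1"

# Jail names end up in shell variable names (jail_<name>_parameters), so
# restrict them to letters, digits and underscore.
valid_jail_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# The last octet must be a plain number in 1..254.
valid_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# Build the address spec ezjail-admin create expects. The loopback alias is
# listed first on purpose: the first address is the jail's primary address.
jail_ifspec() {
    printf '%s|127.0.0.%s,%s|%s.%s\n' \
        "$LO_IFACE" "$1" "$IFACE" "$LAN_PREFIX" "$1"
}

# True if the host (or an existing jail) already carries this address.
addr_in_use_locally() {
    ifconfig -a 2>/dev/null | grep -qF "inet $1 "
}

# True if something else on the LAN answers the address (one probe, 1 s).
# FreeBSD ping takes -W in milliseconds.
addr_answers_on_lan() {
    ping -c 1 -W 1000 "$1" >/dev/null 2>&1
}

# lo1 must exist before the jail starts; create it now and persist it with
# cloned_interfaces in the host's /etc/rc.conf (sysrc += appends once).
ensure_lo1() {
    ifconfig "$LO_IFACE" >/dev/null 2>&1 || ifconfig "$LO_IFACE" create
    sysrc cloned_interfaces+="$LO_IFACE" >/dev/null
}

create_jail() {
    name="$1"; octet="$2"
    valid_jail_name "$name" || { echo "bad jail name: $name" >&2; return 1; }
    valid_octet "$octet"    || { echo "bad last octet: $octet" >&2; return 1; }
    lan_ip="$LAN_PREFIX.$octet"
    if addr_in_use_locally "$lan_ip"; then
        echo "$lan_ip is already configured on this host" >&2; return 1
    fi
    if addr_answers_on_lan "$lan_ip"; then
        echo "$lan_ip answers on the LAN; pick another octet" >&2; return 1
    fi
    ensure_lo1
    ezjail-admin create "$name" "$(jail_ifspec "$octet")"
}

# Only act when given arguments, e.g.:  sh mkjail.sh alpha 10
if [ $# -eq 2 ]; then
    create_jail "$1" "$2"
fi
```

Run it as root on the host: sh mkjail.sh alpha 10 produces the same ezjail-admin create line as above for alpha, and sh mkjail.sh junk 12 the one for junk. The ping check is only a hint (a host that drops ICMP will pass it), so the list of allocated addresses still has to be kept by hand.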

If you look in /usr/jails you will see the base jail (basejail) and the alpha jail. EZjail creates a per-jail configuration file automatically for each jail you make, in /usr/local/etc/ezjail/<jailname>, and removes it again when you delete the jail. May as well learn how to do that now.

Delete a jail (ezjail-admin delete removes the configuration but leaves the jail directory behind, and its files carry the schg flag, hence the chflags before the rm; ezjail-admin delete -w wipes the directory for you):

# ezjail-admin stop <jailname>
# ezjail-admin delete <jailname>
# chflags -R noschg /usr/jails/<jailname>
# rm -rfv /usr/jails/<jailname>
# (remove any corresponding entry from /etc/hosts)

To expand on that, ezjail-admin has the following commands to start and stop a jail and to log into it as root from the host:

Start a jail: # ezjail-admin start <myjail>
Stop a jail:  # ezjail-admin stop <myjail>
Console jail: # ezjail-admin console <myjail>

Back to making the alpha jail. If you want to use things like ping inside the jail, the jail needs raw sockets, which are off by default. Edit the alpha configuration file and set the jail_alpha_parameters line (if the generated file already has an empty one, edit that rather than adding a second):

# vi /usr/local/etc/ezjail/alpha
export jail_alpha_parameters="allow.raw_sockets=1"

This is a security trade-off: allow.raw_sockets lets root inside the jail craft arbitrary IP packets (the kernel still forces the source address to one of the jail's own), so leave it off for service jails that don't need ping or traceroute.

At this point the jail is ready to start, so run:

# ezjail-admin start alpha

You can check the state of running jails on the host with:

> jls

Since we do not have ssh access yet, we have to login to the running jail via the console:

# ezjail-admin console alpha

This will bring us into the jail as root.

Perform the following steps to get the system basically usable:

Add a user:

# adduser

Set root password:

# passwd

Set time zone:

# tzsetup

Set nameserver to your router or other caching nameserver:

# vi /etc/resolv.conf
nameserver 192.168.88.1
nameserver 192.168.88.2

Comment out adjkerntz in /etc/crontab. A jail may not adjust the kernel clock, so the job can only fail and send cron mail every run (we are root in the jail, and sudo isn't installed yet anyway):

# vi /etc/crontab
# 1,31   0-5     *       *       *       root    adjkerntz -a

Set up the custom loopback and jail name in /etc/hosts. The jail's loopback is 127.0.0.10, not 127.0.0.1, so localhost must point at it. The ::10 line is the IPv6 counterpart; this jail has no IPv6 address, so it can be left out:

::10                    localhost alpha.my.domain
127.0.0.10              localhost alpha.my.domain
192.168.88.10           alpha.my.domain alpha

Add items to /etc/rc.conf. Don't set the hostname or the network interface here: the host's ezjail configuration sets the jail's hostname and addresses, and the jail can't change them.

# vi /etc/rc.conf
sshd_enable="YES"

Add sudo and any other packages you need, and give your user (seconduser here, the account created with adduser above) sudo rights:

# pkg install sudo
# visudo
seconduser ALL=(ALL) ALL
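The non-interactive steps above, gathered into one script to run as root inside the jail (after ezjail-admin console alpha). This is an added example, not from ezjail or the FreeBSD docs. It assumes the alpha jail with loopback 127.0.0.10 and LAN address 192.168.88.10, the domain my.domain, the resolvers 192.168.88.1 and 192.168.88.2, the admin account seconduser, and that the FreeBSD sudo package's sudoers includes /usr/local/etc/sudoers.d; all of these are the constructed values from this page. Setting passwords and picking a time zone stay interactive.

```sh
#!/bin/sh
# jail-firstboot.sh: the non-interactive part of the in-jail setup, run as
# root inside the jail. Added example, not from ezjail. Assumptions,
# constructed for this page: jail alpha with loopback 127.0.0.10 and LAN
# address 192.168.88.10, domain my.domain, resolvers 192.168.88.1/.2, admin
# account seconduser, and a sudoers that includes /usr/local/etc/sudoers.d.
set -eu

JAIL_NAME="${JAIL_NAME:-alpha}"
DOMAIN="${DOMAIN:-my.domain}"
LO_IP="${LO_IP:-127.0.0.10}"
LAN_IP="${LAN_IP:-192.168.88.10}"
ADMIN_USER="${ADMIN_USER:-seconduser}"

# resolv.conf from a list of resolver addresses (router or caching resolver).
write_resolv_conf() {
    file="$1"; shift
    : > "$file"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns" >> "$file"
    done
}

# Comment out the adjkerntz job: a jail may not adjust the kernel clock, so
# the job only fails. Lines already commented are left alone (idempotent).
disable_adjkerntz() {
    file="$1"; out="$file.new"
    sed -e '/^[^#].*adjkerntz/s/^/#/' "$file" > "$out" && mv "$out" "$file"
}

# Add the jail's names to /etc/hosts once. localhost must map to the jail's
# own loopback alias, which is 127.0.0.N rather than 127.0.0.1.
add_hosts_entries() {
    file="$1"; name="$2"; domain="$3"; lo_ip="$4"; lan_ip="$5"
    pat=$(printf '%s' "$lan_ip" | sed 's/\./\\./g')
    if [ -f "$file" ] && grep -q "^$pat[[:space:]]" "$file"; then
        return 0
    fi
    printf '%s\t\tlocalhost %s.%s\n' "$lo_ip" "$name" "$domain" >> "$file"
    printf '%s\t\t%s.%s %s\n' "$lan_ip" "$name" "$domain" "$name" >> "$file"
}

# One sudoers rule for the admin user (the same line entered with visudo).
sudoers_line() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# Install sudo and add the rule as a drop-in; visudo -c refuses to leave a
# syntactically broken file behind, which would lock everyone out of sudo.
setup_sudo() {
    user="$1"; dropin="/usr/local/etc/sudoers.d/$user"
    pkg install -y sudo
    sudoers_line "$user" > "$dropin"
    chmod 0440 "$dropin"
    visudo -c -f "$dropin"
}

run_firstboot() {
    write_resolv_conf /etc/resolv.conf 192.168.88.1 192.168.88.2
    disable_adjkerntz /etc/crontab
    add_hosts_entries /etc/hosts "$JAIL_NAME" "$DOMAIN" "$LO_IP" "$LAN_IP"
    # hostname and addresses come from the host's ezjail config: only sshd here
    sysrc sshd_enable=YES
    pw useradd "$ADMIN_USER" -m -G wheel -s /bin/sh
    setup_sudo "$ADMIN_USER"
    echo "now run: passwd root; passwd $ADMIN_USER; tzsetup"
}

# Only act when explicitly asked:  sh jail-firstboot.sh run
if [ "${1:-}" = "run" ]; then
    run_firstboot
fi
```

The file-editing functions take the path as an argument, so they can be tried on copies before touching the real /etc/crontab or /etc/hosts, and running the script twice adds nothing a second time.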