- To keep jail loopback traffic off the host's loopback network interface lo0, a second loopback interface is created by adding an entry to /etc/rc.conf:

  The second loopback interface lo1 will be created when the system starts. It can also be created manually without a restart:

  Jails can be allowed to use aliases of this secondary loopback interface without interfering with the host.

  Inside a jail, access to the loopback address 127.0.0.1 is redirected to the first IP address assigned to the jail. To make the jail loopback correspond with the new lo1 interface, that interface must be specified first in the list of interfaces and IP addresses given when creating a new jail. Give each jail a unique loopback address in the 127.0.0.0/8 netblock, so that it does not clash with another jail or with the host's own 127.0.0.1 on lo0.
- Install sysutils/ezjail:
- Enable ezjail by adding this line to /etc/rc.conf:
- The service will automatically start on system boot. It can be started immediately for the current session:
- Create the basejail with ezjail-admin install. The -p option causes the ports tree to be retrieved with portsnap(8) into the basejail. That single copy of the ports directory will be shared by all the jails. Using a separate copy of the ports directory for jails isolates them from the host. The ezjail FAQ explains in more detail: http://erdgeist.org/arts/software/ezjail/#FAQ.
- To populate the jail with FreeBSD-RELEASE: for a basejail based on the FreeBSD RELEASE matching that of the host computer, use install. For example, on a host computer running FreeBSD 10-STABLE, the latest RELEASE version of FreeBSD 10 will be installed in the jail:
- To populate the jail with installworld: the basejail can be installed from binaries created by buildworld on the host with ezjail-admin update. In this example, FreeBSD 10-STABLE has been built from source. The jail directories are created. Then installworld is executed, installing the host's /usr/obj into the basejail.

  The host's /usr/src is used by default. A different source directory on the host can be specified with -s and a path, or set with ezjail_sourcetree in /usr/local/etc/ezjail.conf.
Tip:
The basejail's ports tree is shared by other jails. However, downloaded distfiles are stored in the jail that downloaded them. By default, these files are stored in /var/ports/distfiles within each jail. /var/ports inside each jail is also used as a work directory when building ports.
Tip:
The FTP protocol is used by default to download packages for the installation of the basejail. Firewall or proxy configurations can prevent or interfere with FTP transfers. The HTTP protocol works differently and avoids these problems. It can be chosen by specifying a full URL for a particular download mirror in /usr/local/etc/ezjail.conf:
See Section A.2, "FTP Sites" for a list of sites. Switching to a plain http:// URL is a matter of getting through firewalls, not of transport security: neither FTP nor plain HTTP authenticates the server, so choose a mirror you trust.
Jails are created with ezjail-admin create. In these examples, the lo1 loopback interface is used as described above.
- Create the jail, specifying a name and the loopback and network interfaces to use, along with their IP addresses. In this example, the jail is named dnsjail.
Tip:
Most network services run in jails without problems. A few network services, most notably ping(8), use raw network sockets. In jails, raw network sockets are disabled by default for security. Services that require them will not work.
Occasionally, a jail genuinely needs raw sockets. For example, network monitoring applications often use ping(8) to check the availability of other computers. When raw network sockets are actually needed in a jail, they can be enabled by editing the ezjail configuration file for the individual jail, /usr/local/etc/ezjail/jailname. Modify the parameters entry:
Do not enable raw network sockets unless services in the jail actually require them. A jail with raw sockets can send and receive arbitrary IP packets on the addresses it holds, so the allowance is made per jail and should be reviewed whenever the jail's role changes.
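The per-jail edit from the tip, as an added example that is not part of the FreeBSD Handbook or of ezjail: a POSIX sh script that sets or clears allow.raw_sockets in the jail_<name>_parameters line of an ezjail configuration file while keeping any other parameters on that line, and a listing function that shows which jails currently have it enabled, which is the check to re-run after any change. It assumes ezjail's layout of one file per jail under /usr/local/etc/ezjail/ and a variable prefix built from the jail name with non-alphanumeric characters replaced by underscores; the sample directory it builds contains constructed two-jail configs, not real ezjail output.

```shell
#!/bin/sh
# Added example, not from the FreeBSD Handbook or ezjail: set or clear
# allow.raw_sockets in an ezjail per-jail configuration file and list the
# jails that have it enabled. Assumes ezjail's layout of one file per jail
# under /usr/local/etc/ezjail/ containing a line of the form
#   export jail_<name>_parameters="param=value param=value"
# where <name> is the jail name with non-alphanumeric characters replaced
# by underscores (ezjail's "safe name").

EZJAIL_DIR=${EZJAIL_DIR:-/usr/local/etc/ezjail}

# Print the value of the _parameters entry in config file $1.
jail_parameters() {
    sed -n 's/^export jail_[A-Za-z0-9_]*_parameters="\(.*\)"$/\1/p' "$1"
}

# Rewrite the _parameters entry of config file $1 so that allow.raw_sockets
# equals $2 (0 or 1); any other parameters on the line are kept.
set_raw_sockets() {
    file=$1; val=$2
    case "$val" in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 1 ;; esac
    cur=$(jail_parameters "$file")
    kept=$(printf '%s\n' "$cur" | tr ' ' '\n' \
           | grep -v -e '^allow\.raw_sockets=' -e '^$' | tr '\n' ' ')
    kept=${kept% }
    new="${kept:+$kept }allow.raw_sockets=$val"
    tmp="$file.tmp.$$"
    sed "s|^\(export jail_[A-Za-z0-9_]*_parameters=\).*|\1\"$new\"|" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Print the names of jails in directory $1 (default: ezjail's) whose
# parameters enable raw sockets, one per line. Run it periodically to make
# sure the allowance has not spread beyond the jails that need it.
jails_with_raw_sockets() {
    dir=${1:-$EZJAIL_DIR}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case " $(jail_parameters "$f") " in
            *" allow.raw_sockets=1 "*) basename "$f" ;;
        esac
    done
}

# Constructed sample directory with two minimal jail configs (not real
# ezjail output, only the lines this script cares about). Prints its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'export jail_dnsjail_hostname="dnsjail"' \
        'export jail_dnsjail_ip="lo1|127.0.1.1,re0|192.168.1.50"' \
        'export jail_dnsjail_parameters=""' > "$d/dnsjail"
    printf '%s\n' 'export jail_monjail_hostname="monjail"' \
        'export jail_monjail_ip="lo1|127.0.2.1,re0|192.168.1.51"' \
        'export jail_monjail_parameters="securelevel=2"' > "$d/monjail"
    echo "$d"
}

case "${1:-}" in
    --demo)                       # walk through the edit on the sample
        d=$(make_sample_dir)
        set_raw_sockets "$d/monjail" 1
        echo "raw sockets enabled in: $(jails_with_raw_sockets "$d")"
        rm -rf "$d" ;;
    --enable|--disable)           # --enable <safe name> / --disable <safe name>
        [ "$1" = --enable ] && v=1 || v=0
        set_raw_sockets "$EZJAIL_DIR/$2" "$v" ;;
    --list) jails_with_raw_sockets ;;
esac
```

The edit is written to a temporary file and moved into place so a half-written config never replaces the original; a jail's running state is unaffected until it is restarted with the new parameters.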
- Set the root password. Connect to the jail and set the root user's password:
- Time zone configuration. The jail's time zone can be set with tzsetup(8). To avoid spurious error messages, the adjkerntz(8) entry in /etc/crontab can be commented or removed. This job attempts to update the computer's hardware clock with time zone changes, but jails are not allowed to access that hardware.
- DNS servers. Enter domain name server lines in /etc/resolv.conf so DNS works in the jail.
- Edit /etc/hosts. Change the address and add the jail name to the localhost entries in /etc/hosts.
- Configure /etc/rc.conf. Enter configuration settings in /etc/rc.conf. This is much like configuring a full computer. The host name and IP address are not set here. Those values are already provided by the jail configuration.
Tip:
Some ports must be built with special options to be used in a jail. For example, both of the network monitoring plugin packages net-mgmt/nagios-plugins and net-mgmt/monitoring-plugins have a JAIL option which must be enabled for them to work correctly inside a jail.
Upgrading the basejail from 9.3-RELEASE to the current version of the host system:
Remove the jail's existing /usr/src, which is a link into the basejail, and create a new /usr/src in the jail as a mountpoint. Mount the host computer's /usr/src read-only on the jail's new /usr/src mountpoint, so that nothing running inside the jail can alter the host's source tree:
Inside the jail, run mergemaster. Then exit the jail console:
Afterwards, unmount the jail's /usr/src:
Jails can be stopped and started manually with ezjail-admin stop and start:
Jail settings can be changed with ezjail-admin config:
Use ezjail-admin archive to create a .tar.gz archive of a jail. The file name is composed from the name of the jail and the current date. Archive files are written to the archive directory, /usr/jails/ezjail_archives. A different archive directory can be chosen by setting ezjail_archivedir in the configuration file. An archive holds the jail's entire file system, including its password database and any keys its services use, so protect the archive directory as carefully as the jails themselves.
Archives are unpacked with ezjail-admin restore. A new jail can be created from the archive, providing a convenient way to clone existing jails. A clone also inherits every secret the original held (passwords, SSH host keys, certificates); change or regenerate them in the clone before putting it into service.
Archive the jail wwwserver:
Create the new jail wwwserver-clone from the archive created in the previous step. Use the em1 interface and assign a new IP address to avoid conflict with the original:

In this example, a jail runs a DNS server for the local network, forwarding to the ISP's servers:
- The jail will be called dns1.
- The jail will use IP address 192.168.1.240 on the host's re0 interface.
- The upstream ISP's DNS servers are at 10.0.0.62 and 10.0.0.61.
- The basejail has already been created and a ports tree installed as shown in Section 14.6.2, "Initial Setup".
Settings in /etc/rc.conf:
Temporary entries in /etc/resolv.conf so ports can be downloaded:
The name server is configured in /usr/local/etc/namedb/named.conf. Edit the options section already in the file. Change the listen-on setting to accept DNS queries from other computers on the network:
Uncomment the forwarders section; in the original file it is enclosed in /* and */ lines, which must be removed. Enter the IP addresses of the upstream DNS servers. Immediately after the forwarders section, add references to the trusted ACL defined earlier. Restricting recursion to that ACL is what keeps a server that now listens on the network from becoming an open resolver:
Enable the name server in /etc/rc.conf:
Finally, update /etc/resolv.conf:
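As an added example, not taken from the FreeBSD Handbook or from the BIND port, here is a constructed named.conf fragment for the dns1 jail in the shape this procedure produces (listen on the jail loopback and 192.168.1.240, forward to 10.0.0.62 and 10.0.0.61, recursion and cache access limited to the trusted ACL), together with a POSIX sh check that parses allow-recursion and allow-query-cache and refuses a configuration that would turn the jail into an open resolver. The ACL members, the directory line and the option spacing are assumptions in BIND 9 syntax; comments are stripped before parsing, so a forwarders block still wrapped in /* and */ is reported as absent, which is the state the default file ships in.

```shell
#!/bin/sh
# Added example, not from the FreeBSD Handbook: a constructed named.conf
# fragment for the dns1 jail in the shape the text describes (listen on the
# jail loopback and 192.168.1.240, forward to 10.0.0.62 and 10.0.0.61, and
# restrict recursion to the "trusted" ACL), plus a check that refuses a
# configuration that would make the jail an open resolver. The ACL members,
# directory and option layout are assumptions in BIND 9 syntax.

NAMED_CONF_SAMPLE='
acl "trusted" {
        192.168.1.0/24;
        localhost;
        localnets;
};
options {
        directory       "/usr/local/etc/namedb/working";
        listen-on       { 127.0.0.1; 192.168.1.240; };
        forwarders      { 10.0.0.62; 10.0.0.61; };
        allow-query       { any; };
        allow-recursion   { trusted; };
        allow-query-cache { trusted; };
};
'

# Print the members of the braced statement named $2 in config text $1,
# one per line. Comments (/* */, // and #) are stripped first, so a
# forwarders block still wrapped in /* */ correctly yields nothing.
stmt_members() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { buf = buf $0 "\n" }
        END {
            gsub("/\\*[^*]*\\*+([^/*][^*]*\\*+)*/", "", buf)
            gsub("//[^\n]*", "", buf)
            gsub("#[^\n]*", "", buf)
            i = index(buf, name)
            while (i > 0) {
                rest = substr(buf, i + length(name))
                if (rest ~ "^[ \t\n]*[{]") {
                    body = substr(rest, index(rest, "{") + 1)
                    body = substr(body, 1, index(body, "}") - 1)
                    n = split(body, parts, ";")
                    for (k = 1; k <= n; k++) {
                        gsub("^[ \t\n]+|[ \t\n]+$", "", parts[k])
                        if (parts[k] != "") print parts[k]
                    }
                    exit
                }
                j = index(substr(buf, i + 1), name)
                i = (j > 0) ? i + j : 0
            }
        }'
}

# Succeed only if allow-recursion is stated and neither it nor
# allow-query-cache contains "any"; otherwise explain and fail.
recursion_restricted() {
    rec=$(stmt_members "$1" allow-recursion)
    cache=$(stmt_members "$1" allow-query-cache)
    if [ -z "$rec" ]; then
        echo "allow-recursion is not set: state it explicitly" >&2
        return 1
    fi
    for m in $rec $cache; do
        if [ "$m" = any ]; then
            echo "open resolver: recursion or cache access allowed from any" >&2
            return 1
        fi
    done
    return 0
}

# Variant of the sample with allow-recursion set to $1, for comparison.
with_recursion() {
    printf '%s\n' "$NAMED_CONF_SAMPLE" \
        | sed "s/allow-recursion   { trusted; }/allow-recursion { $1; }/"
}

# Summarise the network-facing settings of config text $1 and run the check.
audit_named_conf() {
    echo "listen-on:  $(stmt_members "$1" listen-on | tr '\n' ' ')"
    echo "forwarders: $(stmt_members "$1" forwarders | tr '\n' ' ')"
    echo "trusted:    $(stmt_members "$1" 'acl "trusted"' | tr '\n' ' ')"
    recursion_restricted "$1"
}

# Usage: sh check_named.sh /usr/local/etc/namedb/named.conf
# With no argument the built-in sample is audited.
if [ -n "${1:-}" ]; then
    audit_named_conf "$(cat "$1")"
else
    audit_named_conf "$NAMED_CONF_SAMPLE"
fi
```

The check deliberately fails when allow-recursion is missing rather than relying on the server's default, because the whole point of the edit above is to make the policy explicit once listen-on is widened beyond the loopback.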