FreeBSD/jails.md (Mercurial annotate, revision 13:8970cbf95e7e, default tip)
author: David Demelier <markand@malikania.fr>
date: Fri, 08 Sep 2017 09:35:44 +0200
latest commit: FreeBSD: add mkdir command in poudriere.md

FreeBSD jails howto
===================

This guide will let you create your own jails for FreeBSD.

In this guide, we will build jails from sources.

What are jails?
---------------

Jails are confined environments that share the host kernel. They are similar to
chroots but have many more features: besides a separate file system root, a
jail gets its own hostname, IP addresses and process view, and root inside the
jail holds only a reduced set of privileges, enforced by the kernel rather than
by the jailed processes themselves.

Fetching source tree
--------------------

In this guide we will assume that we are running FreeBSD 11.1-RELEASE. To fetch
the source tree, use the following URL:

    svn://svn.FreeBSD.org/base/releng/<VERSION>

In our case:

    svnlite co svn://svn.FreeBSD.org/base/releng/11.1 /usr/src

Note: the `svn://` transport is neither encrypted nor authenticated, so the
checkout can be tampered with on the wire; the same path is served over
`https://svn.FreeBSD.org/`, which is the safer choice. Also make sure the branch
you check out matches the release the host kernel runs (`freebsd-version -k`):
a jail userland must not be newer than the host kernel.

Customizing the build
---------------------

The source tree can be built with or without a lot of options. This is tweaked
in the `src.conf(5)` file.

Removing options will let you build lighter jails; for example, I use the
following one:

    # /etc/src.conf
    WITHOUT_APM=yes
    WITHOUT_AMD=yes
    WITHOUT_AUTHPF=yes
    WITHOUT_BLUETOOTH=yes
    WITHOUT_CTM=yes
    WITHOUT_FLOPPY=yes
    WITHOUT_GAMES=yes
    WITHOUT_IPFILTER=yes
    WITHOUT_IPFW=yes
    WITHOUT_IPX=yes
    WITHOUT_NDIS=yes
    WITHOUT_OBJC=yes
    WITHOUT_PORTSNAP=yes
    WITHOUT_PPP=yes
    WITHOUT_PROFILE=yes
    WITHOUT_RESCUE=yes
    WITHOUT_WIRELESS=yes

See the manual page to know what they control. Keep in mind that
**/etc/src.conf** applies to every build from this tree, including the host's
own `buildworld`, so anything removed here also disappears from the host the
next time you rebuild it.

Add this option in `make.conf` to compile faster:

    # /etc/make.conf
    # Use 4 jobs (number of CPU cores)
    MAKE_JOBS=4

Note that `buildworld` takes its job count from the command line (for example
`make -j4 buildworld`), so pass `-j` there as well.

Build the source
----------------

To build the source, use these commands (add `-j` with your core count to build
in parallel):

    cd /usr/src
    make buildworld

Note: this only builds the source tree and does not install anything.

The jail template
-----------------

To avoid doing the same steps again and again each time we build a jail, we will
create a template one that we will clone.

We will create that jail in the **/jails/template** dataset.

    zfs create zroot/jails

Warning: you may need to use `-o mountpoint=/jails` if your root dataset is not
the parent of `jails`, that is, if `zroot/jails` would not be mounted on
**/jails** by default.

    zfs create zroot/jails/template

And now install everything in that template directory.

    cd /usr/src
    make DESTDIR=/jails/template installworld
    make DESTDIR=/jails/template distribution

`installworld` copies the built binaries and libraries, and `distribution`
populates **/etc** with the default configuration files. Both must be pointed
at the template through `DESTDIR`; without it they install over the host's own
system. Check the result with `ls /jails/template/etc` before going further.

Bringing networking
-------------------

There are two ways to provide networking in jails: you can use real IP addresses
or virtual interfaces. We will do the latter using 10.0.0.x addresses.

### Create a lo1 interface

Add the following into your **/etc/rc.conf**:

    # /etc/rc.conf
    cloned_interfaces="lo1"
    pf_enable="YES"

### Enable NAT and pf

Then we add NAT support using pf. Add the following into **/etc/pf.conf**,
adjusting **em0** to match your real interface:

    # /etc/pf.conf
    jails="10.0.0.0/24"

    set skip on { lo0, lo1 }
    nat on em0 from $jails to any -> (em0)

Caveat: `set skip on lo1` means pf never inspects traffic on the jail interface,
so jails can reach each other and any host service bound on 10.0.0.x without
any filtering. If you want pf to mediate jail-to-jail or jail-to-host traffic,
remove `lo1` from the skip list and write explicit `pass` rules for it.

Now reboot, or create the interface by hand with ifconfig(8) and start pf with
its rc script.

Jail configuration in jail.conf(5)
----------------------------------

To configure jails, we will use the `jail.conf(5)` file located in
**/etc/jail.conf**.

The file supports basic variable expansion for shorter jail definitions.

### Common configuration

The following will apply to all jails: parameters set outside of any jail block
are defaults that every jail inherits.

    # /etc/jail.conf
    mount.devfs="1";
    interface="lo1";
    exec.start="sh /etc/rc";
    exec.stop="sh /etc/rc.shutdown";
    path="/jails/$name";

`mount.devfs` mounts a devfs on the jail's **/dev** restricted by devfs ruleset
4 (`devfsrules_jail`, see `devfs.rules(5)`), which hides most device nodes from
the jail; keep it unless you have a reason to expose more. `path="/jails/$name"`
is what ties a definition to its dataset, so the block name, the directory under
**/jails** and the ZFS dataset must all agree.

### Example with template configuration

For each jail, I recommend using the same value for the jail directory
(**/jails/name**) and the jail name (the one listed in `jail_list` in
**/etc/rc.conf**).

Configure our template jail to assign a hostname and address.

    # /etc/jail.conf
    template {
        ip4.addr="10.0.0.1";
        host.hostname="template.local";
    }

Enabling jails in rc.conf(5)
----------------------------

If you want to start all jails at boot, just keep `jail_list` empty; otherwise
fill it with the wanted list.

    # /etc/rc.conf
    jail_enable="yes"

Now start the jail template:

    service jail start template

If everything is correct you should get the following output (the same listing
is available at any time with `jls`):

    JID  IP Address  Hostname        Path
    1    10.0.0.1    template.local  /jails/template

Customizing jail template
-------------------------

Before cloning our template jail, first customize it by installing some packages
and changing some settings.

### Install some packages

Note: each jail has its own pkg database and repository configuration; adjust
the repository files under **/jails/template/etc/pkg/** if you want to use
something else than the default FreeBSD repository. `pkg -j` runs pkg inside the
named jail, so the template must be running, and on first use pkg bootstraps
itself inside the jail.

    pkg -j template install vim zsh

### Change locales

We use **en_US.UTF-8** to enable UTF-8 support.

    vim /jails/template/etc/login.conf

In the `default:` class, add the `lang` and `charset` capabilities just before
the `:umask=022:` line (`:ignoretime@:` is already there in the stock file), so
that the end of the class looks like this:

    :ignoretime@:\
    :lang=en_US.UTF-8:\
    :charset=UTF-8:\
    :umask=022:

Note: don't forget the trailing backslash on every line but the last one.

Now rebuild the login capabilities database, otherwise the change is not picked
up:

    jexec template cap_mkdb /etc/login.conf
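
The edit above is done by hand in an editor. The following script is an added
example, not part of the original howto, that makes the same change from the
host so it can be repeated on every template rebuild without duplicating the
lines. It assumes the stock layout of `login.conf` (a `default:` class whose
last capability is `:umask=022:`); the sample file it writes is constructed for
demonstration only, and running `cap_mkdb` inside the jail afterwards is left to
you:

```shell
#!/bin/sh
# Added example, not part of the original howto: enable UTF-8 in the
# "default:" login class of a jail's login.conf from the host, idempotently.
# Assumes the stock FreeBSD layout where the default class ends with
# ":umask=022:" (preceded by ":ignoretime@:").

# Insert ":lang=en_US.UTF-8:" and ":charset=UTF-8:" just before the umask
# capability of the default class in the file given as $1.
add_utf8_locale() {
    conf=$1
    # Already patched: do nothing, so the function can be re-run safely.
    if grep -q ':lang=en_US.UTF-8:' "$conf"; then
        return 0
    fi
    awk '
        /^default:/             { in_default = 1 }
        in_default && /:umask=/ {
            # continuation lines of a getcap record end with a backslash
            print "\t:lang=en_US.UTF-8:\\"
            print "\t:charset=UTF-8:\\"
            in_default = 0      # only the default class is touched
        }
        { print }
    ' "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" &&   # keep the file's owner and mode
        rm -f "$conf.tmp"
}

# Constructed sample (not a real system file) in the stock layout: a default
# class followed by a root class, both ending with an umask capability.
write_sample_login_conf() {
    printf 'default:\\\n\t:passwd_format=sha512:\\\n\t:ignoretime@:\\\n\t:umask=022:\n' > "$1"
    printf '\nroot:\\\n\t:ignorenologin:\\\n\t:umask=022:\\\n\t:tc=default:\n' >> "$1"
}

# Usage from the host:  add_utf8_locale /jails/template/etc/login.conf
# then:                 jexec template cap_mkdb /etc/login.conf
```

The `grep` guard makes the function safe to run twice, and the awk program
clears its flag after the first `:umask=` line of the `default:` class, so the
`root:` class and any custom classes are left untouched. Writing through `cat`
instead of `mv` keeps the original ownership and mode of `login.conf`.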
### Change root password (optional)

    jexec template passwd

Every jail cloned from the template inherits its **/etc/master.passwd**, so a
password set here is shared by all clones; set a distinct one in each jail
after cloning.

### Change root shell (optional)

    jexec template pw usermod root -s /usr/local/bin/zsh

Template snapshot
-----------------

Now that we have set some common configuration in our template jail, create a
snapshot that we will clone each time we want a new jail. Stop the template
first so that the snapshot captures a quiescent file system.

### Snapshot the template

    zfs snapshot zroot/jails/template@11.1-20170829

You can list your snapshots like this:

    zfs list -t snapshot
    NAME                                USED  AVAIL  REFER  MOUNTPOINT
    zroot/jails/template@11.1-20170829     0      -    23K  -

Note: a clone depends on its origin snapshot, so this snapshot cannot be
destroyed while any jail cloned from it exists (use `zfs promote` on the clone
if you ever need to get rid of the template).

|
228 Example: web server |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
229 ------------------- |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
230 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
231 Now that we have finished our template jail, let's create a new one for a basic |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
232 webserver. |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
233 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
234 ### Clone the template |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
235 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
236 zfs clone zroot/jails/template@11.1-20170829 zroot/jails/www |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
237 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
238 ### Configure it in jail.conf(5) |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
239 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
240 Add the following to the **/etc/jail.conf**: |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
241 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
242 # /etc/jail.conf |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
243 www { |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
244 host.hostname="www.local"; |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
245 ip4.addr="10.0.0.2"; |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
246 } |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
247 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
248 Start it using `service jail start www` |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
249 |
c32b5c002aad
FreeBSD: complete the jails.md
David Demelier <markand@malikania.fr>
parents:
3
diff
changeset
|
### Enable port redirection

Web servers usually bind on ports 80 (HTTP) and 443 (HTTPS). Configure
**/etc/pf.conf** to redirect those ports from the host's external interface
(`em0` here) to the jail, and to NAT the jail's outgoing traffic so that it can
reach the network (to fetch packages, for instance).

We use variables for better understanding.

    # /etc/pf.conf (whole file)
    jails="10.0.0.0/24"

    jail_www="10.0.0.2"
    ports_www="{ 80, 443 }"

    nat on em0 from $jails to any -> (em0)
    rdr pass on em0 proto tcp to port $ports_www -> $jail_www

Two things to keep in mind: `rdr pass` lets the redirected connections through
without consulting the filter rules, and this file contains no `block` rule at
all, so pf still passes every other packet to the host. Once the redirection
works, add a `block in on em0` default followed by explicit `pass` rules for
what the host itself must serve (SSH, for instance).

Check the syntax with `pfctl -nf /etc/pf.conf`, then reload the rules (this
assumes pf is already enabled with `pf_enable="YES"` in `rc.conf(5)` and
running):

    service pf reload

### Install nginx

Install `www/nginx` in the www jail from the host with the `-j` option of
pkg(8), which runs pkg inside the jail (the NAT rule above is what lets it
fetch the package):

    pkg -j www install nginx

Enable it in the jail's `rc.conf(5)` file:

    # /jails/www/etc/rc.conf
    nginx_enable="YES"

And start it:

    jexec www service nginx start

Now, any TCP connection to port 80 or 443 on the host's `em0` address is
redirected to nginx in the www jail. Check that nginx is listening on the jail
address with `jexec www sockstat -4l`, and that the redirection works by
fetching a page through the host's external address from another machine.

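The clone, jail.conf and pf steps above are the same for every jail built from
the template, so here they are wrapped in a small sh(1) script. This is an
added example, not a script from the howto or from FreeBSD; it assumes the
layout used in this page (the `zroot/jails` dataset, the
`11.1-20170829` template snapshot, the `10.0.0.0/24` jail network, `em0` as
external interface and a `<name>.local` hostname), and it generalises the www
example to any jail name and port list. The validation it adds, refusing an
address outside the jail subnet or one already assigned in jail.conf, is the
check worth having before two jails silently share an address. It appends the
stanza to jail.conf but only prints the pf lines, since pf.conf is a single
file with the nat rule in it and is better edited by hand:

```shell
#!/bin/sh
# mkjail.sh NAME IP ["{ PORTS }"] -- added example, not part of the howto.
# Clones the template snapshot, appends a jail.conf(5) stanza and prints the
# pf.conf variables and rdr rule for the new jail. With DRY_RUN=1 it only
# prints the rendered configuration. All constants below are assumptions
# matching the layout of this page.

TEMPLATE_SNAPSHOT="zroot/jails/template@11.1-20170829"
JAILS_DATASET="zroot/jails"
JAIL_CONF="${JAIL_CONF:-/etc/jail.conf}"
EXT_IF="em0"

# in_jail_subnet IP: succeed if IP is a dotted quad inside 10.0.0.0/24
# with a usable host part (1-254).
in_jail_subnet() {
    case "$1" in
        10.0.0.*) ;;
        *) return 1 ;;
    esac
    last=${1#10.0.0.}
    case "$last" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# ip_in_use IP FILE: succeed if FILE already assigns IP through ip4.addr,
# whatever the spacing or quoting, with or without an "lo1|" interface
# prefix or a "/24" netmask suffix.
ip_in_use() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "ip4\.addr[[:space:]]*=[[:space:]]*\"?([A-Za-z0-9]+\|)?$esc(/[0-9]+)?\"?[[:space:]]*;" "$2"
}

# jail_stanza NAME IP: print the jail.conf(5) block for a jail. It relies on
# the global defaults (path, exec.start, ...) declared earlier in the file.
jail_stanza() {
    printf '%s {\n    host.hostname = "%s.local";\n    ip4.addr = "%s";\n}\n' "$1" "$1" "$2"
}

# pf_rules NAME IP PORTS: print the pf.conf variables and rdr rule for a jail,
# in the same shape as the www example. PORTS is a pf list such as "{ 80, 443 }".
pf_rules() {
    printf 'jail_%s="%s"\nports_%s="%s"\nrdr pass on %s proto tcp to port $ports_%s -> $jail_%s\n' \
        "$1" "$2" "$1" "$3" "$EXT_IF" "$1" "$1"
}

# new_jail NAME IP [PORTS]: validate the request, then clone and configure.
new_jail() {
    name=$1; ip=$2; ports=$3
    [ -n "$ports" ] || ports="{ 80, 443 }"
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad jail name: $name" >&2; return 1 ;;
    esac
    in_jail_subnet "$ip" || { echo "$ip is not inside 10.0.0.0/24" >&2; return 1; }
    if [ -f "$JAIL_CONF" ] && ip_in_use "$ip" "$JAIL_CONF"; then
        echo "$ip is already assigned in $JAIL_CONF" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        jail_stanza "$name" "$ip"
        pf_rules "$name" "$ip" "$ports"
        return 0
    fi
    zfs clone "$TEMPLATE_SNAPSHOT" "$JAILS_DATASET/$name" || return 1
    jail_stanza "$name" "$ip" >> "$JAIL_CONF"
    # The pf lines are printed for you to add to /etc/pf.conf; then run
    # "pfctl -nf /etc/pf.conf" and "service pf reload".
    pf_rules "$name" "$ip" "$ports"
    service jail start "$name"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    new_jail "$@"
fi
```

Run as `sh mkjail.sh www 10.0.0.2` to reproduce the www jail, or
`DRY_RUN=1 sh mkjail.sh db 10.0.0.3 "{ 5432 }"` to see what would be written
for a second jail without touching the system. The `in_jail_subnet` check
keeps every jail inside the `$jails` range that the nat rule covers, so a new
jail never ends up with an address that pf will not translate.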