In the previous post we prepared our jail host to be jail-friendly. In this one we will set up our first jail.

All of my jails will reside under /usr/jails. This directory does not exist on a vanilla FreeBSD installation, so I am going to create it:

# mkdir /usr/jails

It is time to install my first jail. As this jail will later on become my custom package repository, I will name it pkg.example.org.

# env BSDINSTALL_DISTSITE="http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/12.1-RELEASE/" bsdinstall jail /usr/jails/pkg.example.org

The familiar bsdinstall wizard will:

  • ask for optional components to install (I de-select them all)
  • fetch and extract distribution files
  • ask for the root password (it should be different from the one on the jail host)
  • ask for any services to be started at boot time (I de-select them all)
  • ask to add any users (I add user marko with default UID of 1001, default group marko, additional groups wheel and operator, tcsh as shell, and strong password)

If anything went wrong, we can start over after deleting the jail (the installed system files carry the schg flag, so it has to be cleared before rm can remove them):

# chflags -R noschg /usr/jails/pkg.example.org
# rm -rf /usr/jails/pkg.example.org

Assuming installation finished well, I will now create /etc/jail.conf with the following content:

path          = "/usr/jails/${host.hostname}";
exec.start    = "/bin/sh /etc/rc";
exec.stop     = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

pkg_example_org {
  host.hostname    = pkg.example.org;
  host.domainname  = example.org;
  ip4.addr         = 'lo1|127.0.1.11/32';
  # EDIT THIS # ip4.addr        += 'em0|192.0.2.11/32';
}

I am now ready to start my first jail:

# service jail onestart pkg.example.org

To start jails at the host's boot time, we need to enable the feature in the host's rc.conf:

# sysrc jail_enable="YES"

onestart is used for services that are not enabled in rc.conf. Once we enable them, we use start instead.

We can inspect all running jails with the jls command:

# jls
   JID  IP Address      Hostname                      Path
     1  127.0.1.11      pkg.example.org               /usr/jails/pkg.example.org

Assuming our jail is running, we can log in by passing the JID and the path to a shell executable to the jexec command:

# jexec 1 /bin/tcsh

I prefer to edit the jail's sshd_config the same way as the host's, so that sshd binds only to the specified IP address:

# EDIT THIS # ListenAddress 192.0.2.11
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/sftp-server

I also set every newly created jail's rc.conf as follows:

clear_tmp_enable="YES"
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sshd_enable="YES"

We can exit the jail and return to the host by typing exit. After we restart the jail with service jail restart pkg.example.org, we can ssh into it and continue with its configuration and usage as usual.
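As an added example (not code from the original post), here is a small POSIX sh audit that checks a jail root for the sshd_config and rc.conf settings applied in this section, including a leftover "EDIT THIS" placeholder. It assumes the layout bsdinstall jail creates under /usr/jails/<hostname>; the sample files are constructed inline from the snippets above and written under a temporary directory standing in for a jail root.

```shell
# Added example, not from the original post. Audits <root>/etc/ssh/sshd_config
# and <root>/etc/rc.conf for the settings described above (assumed layout).

# 0 if the file has an active (uncommented) line matching the ERE, else 1.
has_active() {
  [ -f "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}

# Print one line per failed check; return the number of failures.
audit_jail() {
  sshd="$1/etc/ssh/sshd_config"; rc="$1/etc/rc.conf"; n=0
  has_active "$sshd" 'ListenAddress[[:space:]]+[0-9]' \
    || { echo "FAIL sshd: no active ListenAddress (sshd binds all jail addresses)"; n=$((n+1)); }
  ! grep -q 'EDIT THIS' "$sshd" 2>/dev/null \
    || { echo "FAIL sshd: 'EDIT THIS' placeholder still present"; n=$((n+1)); }
  has_active "$rc" 'syslogd_flags="[^"]*-ss' \
    || { echo "FAIL rc.conf: syslogd without -ss (would open a network socket)"; n=$((n+1)); }
  has_active "$rc" 'clear_tmp_enable="YES"' \
    || { echo "FAIL rc.conf: clear_tmp_enable is not YES"; n=$((n+1)); }
  has_active "$rc" 'sshd_enable="YES"' \
    || { echo "FAIL rc.conf: sshd_enable is not YES"; n=$((n+1)); }
  echo "$n check(s) failed for $1"
  return "$n"
}

# Constructed stand-in for a jail root: writes the two files under a temp
# directory and prints its path, so the audit runs without a real jail.
make_sample_jail() {
  d=$(mktemp -d); mkdir -p "$d/etc/ssh"
  printf '%s\n' "$1" > "$d/etc/ssh/sshd_config"
  printf '%s\n' "$2" > "$d/etc/rc.conf"
  echo "$d"
}

# Constructed contents: sshd_config as posted above (placeholder left in),
# the same with the address filled in, and rc.conf as posted above.
SSHD_AS_POSTED='# EDIT THIS # ListenAddress 192.0.2.11
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/sftp-server'
SSHD_FIXED=$(printf '%s\n' "$SSHD_AS_POSTED" | sed 's/^# EDIT THIS # //')
RC_AS_POSTED='clear_tmp_enable="YES"
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sshd_enable="YES"'

bad=$(make_sample_jail "$SSHD_AS_POSTED" "$RC_AS_POSTED")
good=$(make_sample_jail "$SSHD_FIXED" "$RC_AS_POSTED")
audit_jail "$bad" || :   # reports 2 failures
audit_jail "$good"       # reports 0 failures
rm -rf "$bad" "$good"
```

Run it against a real jail with audit_jail /usr/jails/pkg.example.org after editing the files; a non-zero exit status means one of the settings from this section is missing.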
