Follow this doc:
To create it without reboot:
service netif cloneup.
cd /usr/ports/sysutils/ezjail & make install clean
service ezjail start.
To setup the base environment:
ezjail-admin install -p.
resolv.conf to jail's template so each newly created jail
is able to resolve domain names:
host> cp /etc/resolv.conf /usr/jails/newjail/etc/
Each jail must be asigned an IP. Traditionally in
ezjail, this is done
as part of jail creation:
ezjail-admin create dnsjail 'lo1|127.0.1.1,em0|192.168.1.50'
This would assign
dnsjail a private IP
127.0.1.1 on lo1, and an aliased IP
192.168.1.50. The latter is an alias IP the host OS creates. You can see
ifconfig em0 in the host. Also the host is accessible via this IP
in its LAN. For more information about IP aliasing, see virtual host.
Then in the jail, edit
hosts to change
127.0.1.1 and add
the jail's hostname to each entry. This is essential for it to access
But this is hard to manage, each network-talking jail needs an IP and you need to configure router for each of these IPs. Rather, it would be good if the jails can do networking through host's IP address. That's what the next section is about.
Networking through host's IP
Inspired by this post. It's done through NAT. You still need a pool of IPs but they don't need to be aliases to host's IP.
Note the range
192.168.60.1 ~ 192.168.60.9. I previously used
192.168.0.1-9 and I
lost network connection to my host.
host> service netif restart. And you should see the newly created
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO> ether ... inet 192.168.0.7 netmask 0xffffff00 broadcast 192.168.0.255 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> media: Ethernet autoselect (100baseTX <full-duplex>) status: active lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 inet 127.0.0.1 netmask 0xff000000 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> groups: lo lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet 192.168.60.1 netmask 0xfffffff8 inet 192.168.60.2 netmask 0xffffffff inet 192.168.60.3 netmask 0xffffffff inet 192.168.60.4 netmask 0xffffffff inet 192.168.60.5 netmask 0xffffffff inet 192.168.60.6 netmask 0xffffffff inet 192.168.60.7 netmask 0xffffffff inet 192.168.60.8 netmask 0xffffffff inet 192.168.60.9 netmask 0xffffffff nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> groups: lo
Now we use
pf to map traffics to and from jails.
pf by adding to
# Public IP address IP_PUB="<host's public IP>" # Packet normalization scrub in all # Allow outbound connections from within the jails nat on em0 from lo1:network to any -> (em0) # webserver jail at 192.168.60.2 rdr on em0 proto tcp from any to $IP_PUB port 443 -> 192.168.60.2 rdr on em0 proto tcp from any to $IP_PUB port 80 -> 192.168.60.2 # .. or map jail's host's 80 to jail's 8080: # rdr on em0 proto tcp from any to $IP_PUB port 80 -> 192.168.60.2 port 8080 # mailserver jail at 192.168.60.3 rdr on em0 proto tcp from any to $IP_PUB port 25 -> 192.168.60.3 rdr on em0 proto tcp from any to $IP_PUB port 587 -> 192.168.60.3 rdr on em0 proto tcp from any to $IP_PUB port 143 -> 192.168.60.3 rdr on em0 proto tcp from any to $IP_PUB port 993 -> 192.168.60.3
host> service pf start
Now creating a jail is simply:
ezjail-admin create <jail_name> <IP>
IP is one of those of
lo1's newly created, e.g.,
We can set up another interface
lo2 but without configuring NAT for its network, in that case
the jail is restricted to LAN access only:
cloned_interfaces="lo1 lo2" ipv4_addrs_lo1="192.168.60.1-9/29" # Set up NAT for them ipv4_addrs_lo2="192.168.70.1-9/29" # Don't set up NAT for them
I observed start of jail with LAN-only access is slower, maybe due to services requiring internet timed out during start.
Jail accessing file system outside of jail
This can be done by
nullfs_mount. Basically by mounting a part of the host file system
under the jail's root:
mkdir /usr/jails/<jail_name>/data mount -t nullfs -o ro /data /usr/jails/<jail_name>/data
Alternatively, add this to the jail-specific
/data /usr/jails/<jail_name>/data nullfs ro
However there's a [bug I'm currently investigating][nullfs_issue], where the mount yields inconsistent subfolders.
Working with jails:
ezjail-admin <start|stop|restart> <jail_name>
ezjail-admin delete [-w] <jail_name>
ezjail's per-jail configuration is in directory
ezjail's per-jail root is in
/usr/jails/<jail_name>directory. Here you can modify jail's settings that's created at creation, e.g., the IP.
- In jails you can't use
pingto test network connection, instead, use
telnet google.com 80.
- Root of a jail is at
Accessing mounted file systems from inside jail
Host file system can be mounted to jail by modifying
Inside the jail, the mounted file system has the same ACL as in the host. But
the owner/group are shown as IDs. If a user inside jail (e.g.,
www) wants to
access the file system, we must first create a user/group inside jail with the
corresponding owner/group ID. And give the target jail user the corresponding
ACL inside the jail. Example:
# /tmp/foo/ has 333:8000 jail> pw groupadd foo_group -g 8000 # create foo_group with ID 8000 inside jail jail> pw groupmod www -m foo_group # add jail user `www` to foo_group
host> netstat -r Routing tables Internet: Destination Gateway Flags Netif Expire default 192.168.0.1 UGS em0 hostname-bsd link#2 UH lo0 192.168.0.0/24 link#1 U em0 192.168.0.7 link#1 UHS lo0 192.168.60.1 link#3 UH lo1 192.168.60.2 link#3 UH lo1 192.168.60.3 link#3 UH lo1 192.168.60.4 link#3 UH lo1 192.168.60.5 link#3 UH lo1 192.168.60.6 link#3 UH lo1 192.168.60.7 link#3 UH lo1 192.168.60.8 link#3 UH lo1 192.168.60.9 link#3 UH lo1 Internet6: Destination Gateway Flags Netif Expire ::/96 hostname-bsd UGRS lo0 hostname-bsd link#2 UH lo0 ::ffff:0.0.0.0/96 hostname-bsd UGRS lo0 fe80::/10 hostname-bsd UGRS lo0 fe80::%lo0/64 link#2 U lo0 fe80::1%lo0 link#2 UHS lo0 ff02::/16 hostname-bsd UGRS lo0