FreeBSD 13.2 Jails

From CompleteNoobs
Revision as of 14:51, 5 May 2023 by AwesomO
LICENCE: More information about the cc0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

FreeBSD Jail Setup Manually

Creating a FreeBSD jail manually involves downloading and extracting the base package for the desired FreeBSD release. Here's a step-by-step guide on how to do this:

Using OpenZFS

OpenZFS is a very powerful and helpful file system that allows us to very easily create, clone, snapshot, restore, destroy, back up and transfer our jails.

Create a directory for the jail

In this example my ZFS pool is called nuc and my jails will live under a directory called pods, each in its own subdirectory, like so: /pods/{jail1,jail2,jail3}

  • Create a dataset for pods

sudo zfs create nuc/pods

  • You can check with zfs list to see your new dataset.

Set the mountpoint for the pods dataset

sudo zfs set mountpoint=/pods nuc/pods


Create a Template Jail Which you can clone

In this section, we will create an OpenZFS dataset called FreeBSD_13.2_Template, extract base.txz into it, snapshot it, and then clone that snapshot to create a new jail.

Create the 'FreeBSD_13.2_Template' dataset

sudo zfs create your_pool_name/path/FreeBSD_13.2_Template

Replace your_pool_name with the name of your ZFS pool.

  • Example:

sudo zfs create nuc/pods/FreeBSD_13.2_Template

Set the mountpoint for the template dataset

sudo zfs set mountpoint=/pods/FreeBSD_13.2_Template nuc/pods/FreeBSD_13.2_Template

Download the base.txz package for FreeBSD 13.2-RELEASE

fetch https://download.freebsd.org/ftp/releases/amd64/13.2-RELEASE/base.txz -o /tmp/base.txz

Extract the base.txz package to the 'FreeBSD_13.2_Template' dataset

tar -C /pods/FreeBSD_13.2_Template -xf /tmp/base.txz

Create a snapshot of the template dataset

sudo zfs snapshot nuc/pods/FreeBSD_13.2_Template@base_snapshot

Clone the template dataset to create a new jail dataset

sudo zfs clone nuc/pods/FreeBSD_13.2_Template@base_snapshot nuc/pods/mediawiki

Set the mountpoint for the jail dataset

sudo zfs set mountpoint=/pods/mediawiki nuc/pods/mediawiki

You now have a template dataset and a jail dataset based on that template.

How to snapshot and rollback your jails

Now, you have separate datasets for each jail, and you can create snapshots and rollbacks for each jail individually. For example, to create a snapshot for the mediawiki jail, you can run:

sudo zfs snapshot nuc/pods/mediawiki@snapshot_name

And to roll back to a snapshot for the mediawiki jail, you can run:

sudo zfs rollback nuc/pods/mediawiki@snapshot_name

Replace snapshot_name with a descriptive name for the snapshot. You can follow the same process for any other jails you create within the pods dataset.

Destroy/Delete Dataset/jail

If you need/want to delete the jail dataset, you can destroy it with the following commands.

First un-mount the mount point (if mounted)

  • Find whether and where it is mounted with:

zfs list

Returned output:
nuc/pods/mediawiki                 0B   208G      503M  /pods/mediawiki

As we can see, it is mounted at /pods/mediawiki

  • Ensure that no processes are currently using it.

You can use the fuser command followed by the path to the mount point to check for any processes that are using it.

  • For example: fuser /pods/mediawiki
  • Unmount /pods/mediawiki

sudo umount /pods/mediawiki

  • Now destroy the dataset

sudo zfs destroy nuc/pods/mediawiki

Replace nuc with the name of your ZFS pool.

  • If you want to also remove any snapshots of the dataset, you can add the -R option to the zfs destroy command. -R destroys every dependent of the dataset, including clones made from its snapshots, so never run it against the template dataset while jails cloned from it still exist.

For example, to delete the dataset and all its snapshots, run the following command:

zfs destroy -R nuc/pods/mediawiki

Using UFS

Create a directory

Create a directory that will serve as the root directory for your jail. Replace /pods/mediawiki with the desired path.

mkdir -pv /pods/mediawiki

  • We now have a directory called pods in which we will install our jailed FreeBSD instances
    • With a sub-directory mediawiki in which we will install our jailed mediawiki server

Choose the desired FreeBSD release

  • Determine the FreeBSD release you want to use for your jail.

Search https://download.freebsd.org/ftp/releases/ for the base.txz of the FreeBSD version and architecture you wish to install in a jail.

In this example, we'll use FreeBSD 13.2-RELEASE. Adjust the release version according to your needs.

Download the base package for the desired FreeBSD release. Use the fetch command to download the package directly from the FreeBSD website:

fetch https://download.freebsd.org/ftp/releases/amd64/13.2-RELEASE/base.txz -o /tmp/base.txz

  • Replace amd64 with the appropriate architecture if needed.

Extract the base package

Extract the downloaded base package into the jail's root directory:

tar -C /pods/mediawiki -xf /tmp/base.txz

jail configuration /etc/jail.conf

Create a configuration file for your jail. The following example assumes you're using the jail utility provided by FreeBSD:

Edit /etc/jail.conf and add the following jail configuration:

  • If /etc/jail.conf does not exist, create it with touch /etc/jail.conf

$EDITOR /etc/jail.conf

localwiki {
  host.hostname = "local.wiki";
  ip4.addr = 192.168.0.33;
  path = "/pods/mediawiki";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  mount.devfs;
}

  • Replace:
    • localwiki with what you would like your jail to be called
    • host.hostname = "<the_host_name_for_jail>";
    • ip4.addr = <ip_address_for_jail_to_use>;
    • path = "</path/to/jail>";

Copy over your /etc/resolv.conf to jail

It is generally a good idea to copy the /etc/resolv.conf file from the host system to the jail's /etc/resolv.conf before starting the jail. This ensures that the jail has the same DNS resolver configuration as the host, allowing it to resolve domain names correctly.

/etc/resolv.conf is a configuration file used by the DNS resolver library on Unix-based systems, including FreeBSD. It contains information about the DNS nameservers and search domains to use when resolving domain names.

To copy the resolv.conf file from the host system to the jail, you can use the cp command:

cp /etc/resolv.conf /pods/mediawiki/etc/resolv.conf

Make sure to execute this command before starting the jail to ensure proper DNS resolution within the jail environment.
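As an added example (not from the original page), a small POSIX sh helper that reads the jail's path out of jail.conf and copies the host resolv.conf into it, refusing to run when the path is missing or relative, when the jail root has no etc directory yet, or when the source file names no nameserver. The function names, the temp-directory demo and the constructed jail.conf and resolv.conf contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: look up a jail's "path" in
# jail.conf and copy the host resolv.conf into that root, with the sanity
# checks the manual cp step leaves to the operator. Expects one "key = value;"
# per line, as in the stanza above; jail.conf variables ($name) are not expanded.

# jail_path NAME CONF  -> prints the path value of jail NAME in CONF
jail_path() {
    awk -v name="$1" '
        $1 == name && $2 == "{" { inside = 1; next }       # "localwiki {"
        inside && $1 == "}"     { inside = 0 }
        inside && $1 == "path"  {                          # path = "/pods/mediawiki";
            sub(/^[^=]*=[ \t]*/, ""); gsub(/[";]/, ""); print; exit
        }' "$2"
}

# copy_resolv_conf NAME CONF SRC  -> installs SRC as NAME's /etc/resolv.conf
copy_resolv_conf() {
    name=$1 conf=$2 src=$3
    root=$(jail_path "$name" "$conf")
    case $root in
        /?*) ;;   # absolute and not "/": never write into the host's own /etc
        *) echo "no usable path for jail '$name' in $conf" >&2; return 1 ;;
    esac
    if [ ! -d "$root/etc" ]; then
        echo "$root/etc missing: extract base.txz into the jail root first" >&2
        return 1
    fi
    if ! grep -q '^nameserver' "$src"; then
        echo "$src lists no nameserver; the jail could not resolve names" >&2
        return 1
    fi
    cp "$src" "$root/etc/resolv.conf" && echo "installed $root/etc/resolv.conf"
}

# Demo against a constructed tree under a temp dir (no real jail needed).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/pods/mediawiki/etc"
printf 'localwiki {\n  host.hostname = "local.wiki";\n  path = "%s/pods/mediawiki";\n}\n' \
    "$demo_dir" > "$demo_dir/jail.conf"
printf 'nameserver 192.168.0.1\n' > "$demo_dir/resolv.conf"
copy_resolv_conf localwiki "$demo_dir/jail.conf" "$demo_dir/resolv.conf"
copy_resolv_conf nosuchjail "$demo_dir/jail.conf" "$demo_dir/resolv.conf" || true
```

On a real host you would call copy_resolv_conf localwiki /etc/jail.conf /etc/resolv.conf as root, before jail -c.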

Start the jail

Start the jail using the jail utility:

jail -c localwiki

Replace localwiki with the name you chose in the jail configuration.

If you have a firewall up, allow the jail through it

IPFW Example:

# Allow incoming traffic for jail's IP (192.168.0.33)
ipfw -q add 00200 allow all from any to 192.168.0.33 in

# Allow outgoing traffic for jail's IP (192.168.0.33)
ipfw -q add 00210 allow all from 192.168.0.33 to any out

Access the jail

Enter the jail's environment with the jexec command:

jexec localwiki /bin/sh

  • Replace localwiki with your jail name

You'll now be inside your jail, and you can manage it like any other FreeBSD system.

Restart the jail

To restart the jail you turn it off and on again :)

sudo jail -r your_jail_name

sudo jail -c your_jail_name

  • or one line

sudo jail -r your_jail_name && sudo jail -c your_jail_name

Stop and remove the jail (optional)

If you want to stop and remove the jail, first exit the jail environment (if you're still inside) by typing exit. Then, stop the jail:

jail -r myjail

You can now remove the jail directory and its contents:

rm -rf /path/to/jail

Don't forget to remove the corresponding jail configuration from /etc/jail.conf.

By following these steps, you've manually created a FreeBSD jail by downloading and extracting the base package. You can now configure and manage the jail as needed.

Start Jails at reboot

  • To have all the jails start at reboot add the line jail_enable="YES" into rc.conf

sysrc jail_enable="YES"


Run commands in jail from Host

Start your jail, if it's not already running:

sudo service jail start your_jail_name

  • Or use jail

jail -c your_jail_name

Obtain the jail ID by listing the running jails

jls

Note the JID (Jail ID) for your specific jail from the output.

Update the pkg package manager inside the jail

sudo jexec JID pkg update

Replace JID with the jail ID you noted in the step "Obtain the jail ID by listing the running jails".

  • Example (If JID = 1):

sudo jexec 1 pkg update

Install packages using the pkg command with jexec

sudo jexec JID pkg install package_name

Replace package_name with the desired package.

For example, to initialize pkg and install the nano text editor in a jail with a Jail ID of 1, you would run:

sudo jexec 1 pkg update

sudo jexec 1 pkg install nano

To run other commands inside the jail from the host, use the same pattern, jexec JID command, replacing command with the command you want to run inside the jail.