Setup FreeBSD Jail With ezjail

by on June 11, 2009 · 11 comments · Last updated February 20, 2011


How do I set up operating-system-level virtualization that lets me partition my FreeBSD-based server into several independent mini-systems called jails? I'd like to run one jail for mail and another for the web server, each on its own public IP address.

Each jail in a FreeBSD virtual environment runs on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is almost indistinguishable from a real system. The easiest way to set up, create and modify jails is a framework called ezjail.

WARNING! Before you configure jails, you need to change the host's daemons so they listen only on 127.0.0.1 or on a single specific private or public IP address such as 202.54.1.2; a daemon bound to all addresses on the host would otherwise also answer on the jail IPs. At a minimum, reconfigure sshd, syslogd and any other listening services first.

Sample Setup

server.nixcraft.net.in : FreeBSD host server running v7.2 with 202.54.1.2
smtpd.nixcraft.net.in : Mail server jail with 202.54.1.3
httpd.nixcraft.net.in : Web server jail with 202.54.1.4

Step # 1: Update Your Host System

Make sure you are running an updated kernel and base system. Use the cvsup command to install the latest kernel and base system. See our detailed tutorial about upgrading the FreeBSD operating system.

Step # 2: Install ezjail

Type the following commands to install the ezjail port, which contains two scripts to easily create, manipulate and run FreeBSD jails:
# cd /usr/ports/sysutils/ezjail
# make install clean

ezjail Default File Locations

  1. /usr/jails/ : Default location for the base jail system template.
  2. /usr/jails/flavours/ : Customization of each jail is done via flavours. For example, adding a default /etc/resolv.conf file or updating an existing /etc/make.conf can be done here.
  3. /usr/jails/basejail/ : The base jail is exported and mounted read-only in each jail, which saves disk space.
  4. /usr/local/etc/rc.d/ezjail.sh : Script to stop, start and restart jails.
  5. /usr/local/etc/ezjail.conf : Configuration file for ezjail. It contains settings that control the operation of the ezjail rc script and is also read by the ezjail-admin utility to find out where it should perform its actions.
  6. /usr/local/etc/ezjail/ : All your per-jail configuration files are stored here.

Step # 2: Create Base Jail Template

Type the following command to create or update ezjail's environment (aka basejail) from source:
# ezjail-admin update -p -i
Where,

  • -p : Provide a ports tree for the jails.
  • -i : Do not run make world. This saves time and uses the existing buildworld done in step # 1.

If you do not have the source in /usr/src and have never run make buildworld, you can instead install the base jail from FTP servers with the ezjail-admin install command as follows:
# ezjail-admin install

Step # 3: Create SMTPD Mail Server Jail

Type the following command to create the smtpd.nixcraft.net.in jail with IP address 202.54.1.3 in the /jails/smtpd.nixcraft.net.in directory:
# ezjail-admin create -r /jails/smtpd.nixcraft.net.in smtpd.nixcraft.net.in 202.54.1.3

Update SMTPD Jail Config File

The jail's config file is located at /usr/local/etc/ezjail/smtpd_nixcraft_net_in (ezjail replaces the dots in the jail name with underscores). Open it with the vi text editor:
# vi /usr/local/etc/ezjail/smtpd_nixcraft_net_in
Set the hostname and, if required, multiple IP addresses (comma-separated):

export jail_smtpd_nixcraft_net_in_hostname="smtpd.nixcraft.net.in"
export jail_smtpd_nixcraft_net_in_ip="202.54.1.3,10.21.51.12"

Save and close the file.
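The naming convention above (jail name with dots turned into underscores for the file and variable names, and a comma-separated IP list) is easy to get wrong by hand. The following shell example is added here and is not from the article or from ezjail itself: it prints the hostname, ip and rootdir lines of such a config for a given jail and refuses malformed IPv4 addresses before they reach the file. ezjail-admin create normally writes this file for you, so treat it as an illustration of the format; the rootdir variable is the one ezjail uses for the jail's root directory.

```shell
#!/bin/sh
# Added example: build the core lines of an ezjail per-jail config file.

# ezjail_config_name: ezjail names the config file (and the variable prefix)
# after the jail, with every dot replaced by an underscore
# (smtpd.nixcraft.net.in -> smtpd_nixcraft_net_in).
ezjail_config_name() {
    printf '%s\n' "$1" | tr '.' '_'
}

# is_ipv4: accept only a dotted quad whose four octets are all in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# ezjail_config: print the hostname, ip and rootdir lines for jail $1 rooted
# at $2 with the comma-separated IP list $3; fail on any malformed address
# so a typo never ends up as a silently unreachable jail.
ezjail_config() {
    name=$1; rootdir=$2; ips=$3
    var=$(ezjail_config_name "$name")
    for ip in $(printf '%s\n' "$ips" | tr ',' ' '); do
        is_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; return 1; }
    done
    printf 'export jail_%s_hostname="%s"\n' "$var" "$name"
    printf 'export jail_%s_ip="%s"\n' "$var" "$ips"
    printf 'export jail_%s_rootdir="%s"\n' "$var" "$rootdir"
}

# Demonstration with the article's sample jail (values constructed from it).
ezjail_config smtpd.nixcraft.net.in /jails/smtpd.nixcraft.net.in 202.54.1.3,10.21.51.12
```

Redirect the output into /usr/local/etc/ezjail/$(ezjail_config_name jailname) only after checking it; the function deliberately prints rather than writes.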

Step # 4: Turn On jail Service

Type the following command:
# echo 'ezjail_enable="YES"' >> /etc/rc.conf

How do I start all Jails?

# /usr/local/etc/rc.d/ezjail.sh start

How do I stop all Jails?

# /usr/local/etc/rc.d/ezjail.sh stop

How do I restart all Jails?

# /usr/local/etc/rc.d/ezjail.sh restart
You can also start, stop or restart a particular jail using the following syntax:
# /usr/local/etc/rc.d/ezjail.sh {start|stop|restart} jail-name
# /usr/local/etc/rc.d/ezjail.sh start httpd
# /usr/local/etc/rc.d/ezjail.sh stop smtpd.nixcraft.net.in

How Do I List All Jails?

Use the jls command to list all running jails:
# jls
To display more verbose information (cpusets, jail state, multiple IPs, etc.), enter:
# jls -v

How Do I Login To My Jail From The Host Itself?

Use the jexec command as follows to attach a console to a jail:
# jexec jid csh
The jid can be obtained with the jls command. For example, connect to the jail called smtpd.nixcraft.net.in, which has jid 2:
# jexec 2 csh
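Reading the jid off the screen each time invites attaching to the wrong jail. The following shell example is added here (it is not from the article or from ezjail): it parses default jls output to resolve a jail's jid by hostname so the jexec call can be driven by name. It assumes the four-column layout (JID, IP Address, Hostname, Path) that jls prints on FreeBSD 7.x and 8.x; the sample output is constructed.

```shell
#!/bin/sh
# Added example: look up a jail's jid by name instead of copying it from jls.

# Constructed sample of default `jls` output (not captured from a real host).
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     1  202.54.1.3      smtpd.nixcraft.net.in         /jails/smtpd.nixcraft.net.in
     2  202.54.1.4      httpd.nixcraft.net.in         /jails/httpd.nixcraft.net.in'

# jid_for_jail: read jls output on stdin and print the JID of the row whose
# Hostname column equals $1; exit 1 when no running jail has that name.
jid_for_jail() {
    awk -v want="$1" '
        NR > 1 && $3 == want { print $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# jail_path_for_jail: same lookup, but print the jail root (Path column).
jail_path_for_jail() {
    awk -v want="$1" '
        NR > 1 && $3 == want { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# jail_shell: attach a shell (csh by default, as in the article) to the jail
# named $1, resolving its jid first so a stale number is never reused.
jail_shell() {
    jid=$(jls | jid_for_jail "$1") || {
        echo "no running jail named $1" >&2
        return 1
    }
    jexec "$jid" "${2:-csh}"
}

# Demonstration on the constructed sample; on a real host run:
#   jail_shell smtpd.nixcraft.net.in
printf '%s\n' "$SAMPLE_JLS" | jid_for_jail smtpd.nixcraft.net.in
```

Because jids are assigned when a jail starts, they change after every restart; resolving by hostname at call time is what makes the wrapper safe to script.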
Now you can install software and work inside the jail. Update its /etc/resolv.conf file:
# vi /etc/resolv.conf
Install the bash shell:
# pkg_add -r -v bash
Install the Apache 2.2 server:
# cd /usr/ports/www/apache22
# make install clean

How Do I Login Remotely (Directly) To Jail?

First, log in with the jexec command. Then add the following line to the jail's /etc/rc.conf:
# echo 'sshd_enable="YES"' >> /etc/rc.conf
Open the sshd_config file and set the ListenAddress parameter so sshd binds to the jail IP only. Start the OpenSSH server inside the jail and verify what it is listening on:
# /etc/rc.d/sshd start
# sockstat -4
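Both the warning at the top of the article (host daemons must not listen on all addresses) and the sshd step just above come down to the same check on sockstat output: no listener may be bound to the wildcard address. The following shell example is added here and is not from the article or from ezjail; it reads sockstat -4 -l output and reports every socket bound to *:port. The sample output is constructed, and the column positions assume FreeBSD's standard sockstat layout.

```shell
#!/bin/sh
# Added example: audit listening sockets for wildcard (all-address) binds.

# Constructed sample of `sockstat -4 -l` output (not captured from a real host).
# sshd and syslogd here are bound to every address, which is exactly the
# situation the article's warning tells you to fix before starting jails.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     syslogd    987   6  udp4   *:514                 *:*
root     sendmail   1100  4  tcp4   127.0.0.1:25          *:*
www      httpd      2200  3  tcp4   202.54.1.2:80         *:*'

# wildcard_listeners: read sockstat output on stdin and print one
# "COMMAND PID LOCAL_ADDRESS" line per socket bound to all addresses (*:port).
# Such a listener on the host also answers on every jail IP.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $3, $6 }'
}

# count_wildcard_listeners: number of wildcard listeners in the text given as $1.
count_wildcard_listeners() {
    printf '%s\n' "$1" | wildcard_listeners | wc -l | tr -d ' '
}

# audit_binds: return 0 when every listener in $1 is bound to a specific
# address; otherwise list the offenders and return 1. Run it on the host
# before starting jails and inside each jail after editing sshd_config.
audit_binds() {
    offenders=$(printf '%s\n' "$1" | wildcard_listeners)
    if [ -n "$offenders" ]; then
        printf 'Bound to all addresses (fix before starting jails):\n%s\n' "$offenders"
        return 1
    fi
    printf 'All listeners are bound to specific addresses.\n'
    return 0
}

# Demonstration on the constructed sample; on a real system use:
#   audit_binds "$(sockstat -4 -l)"
audit_binds "$SAMPLE_SOCKSTAT" || :
```

On the sample the audit fails and names sshd and syslogd; once those daemons are rebound to 127.0.0.1 or the host's own address, the same check passes and the jails can be started without the host answering on their IPs.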

How Do I Upgrade FreeBSD Jail?

Stop the jails, update the base jail, and start them again:
# /usr/local/etc/rc.d/ezjail.sh stop
# ezjail-admin update -p -i
# /usr/local/etc/rc.d/ezjail.sh start

How Do I Upgrade Only Ports Tree?

There is no need to stop the jails; just run the following to update the ports tree for all jails:
# ezjail-admin update -P

Jail Log Files

Each jail's console log is stored in the /var/log directory. For example, to follow the log for the smtpd.nixcraft.net.in jail, or to search it for errors, enter:
# tail -f /var/log/jail_smtpd_nixcraft_net_in_console.log
# grep 'error' /var/log/jail_smtpd_nixcraft_net_in_console.log

How Do I Add Additional Jails?

To create the httpd jail, enter:
# ezjail-admin create -r /jails/httpd.nixcraft.net.in httpd.nixcraft.net.in 202.54.1.4
# vi /usr/local/etc/ezjail/httpd_nixcraft_net_in
# /usr/local/etc/rc.d/ezjail.sh start httpd.nixcraft.net.in
# jls -v
# jexec jid csh

How Do I Backup Jails?

Use the tar, rsync or dump command to back up a jail to another server or a tape device. For example, use tar to back up smtpd.nixcraft.net.in to tape:
# tar -zcvf /dev/sa0 /jails/smtpd.nixcraft.net.in
You can also use the dump command to back up all jails stored on the /jails partition:
# /sbin/dump -0uLf /dev/sa0 /jails/
Later, dump only the incremental changes:
# /sbin/dump -1uLf /dev/sa0 /jails/

Recommended Readings:

  • The FreeBSD Jail chapter of the official FreeBSD handbook.
  • man pages: jexec, jls, jail, dump, restore

Comments

1 Valqk June 12, 2009 at 11:56 am

Just to share, I’ve written a command called
jlog jailname. It makes jexec JID tcsh and logs you into the jail.
There it is: Link

p.s. I didn’t find my posts in the mailing lists so I’ve posted in my blog. Please feel free to delete this comment if you consider this spam or something.

2 Shoaibi June 17, 2009 at 1:41 pm

@Vivek:
Good going…

@Valqk:
thanks, I was thinking to create one after reading the article…

3 Dhenin Jean-Jacques March 22, 2010 at 7:09 pm

Appreciated. Thank you very much. Very useful.

4 cleroy61 September 6, 2010 at 6:41 pm

Hello,
When I create a jail with ezjail, I cannot access usr/ports from my jail to install nginx;

jexec 2 cd /usr/ports/www/nginx && make install clean
No such file or directory

It does not exist in fact, how can I link to my jail?
I’m out of my jail and I ran a portsnap extract command
and then a portsnap fetch update command, thinking I did not open the softwares worn.
It is present but with the letter ‘l’ in front, preventing me from going there as a directory:

lrwxr-xr-x 1 root wheel 19 Sep 5 11:12 ports -> /basejail/usr/ports

Thanking you Sincerely Christophe

5 cleroy61 September 7, 2010 at 7:17 pm

I found the answer through the FreeBSD forum; the command is not enough

portsnap fetch extract

I tried this one after building the jail with ezjail-admin create

portsnap -p /usr/jails/basejail/usr/ports/ fetch extract

it’s OK now !

6 Broy January 22, 2011 at 7:08 am

Hello!
I set up Ezjail on my FreeBSD 8.1 amd64 release version. After successful installation,
I ran the ” ezjail-admin update -p -i ” command but unfortunately it shows some errors:
——————————————————–
cd /usr/src; make -f Makefile.inc1 hierarchy
cd /usr/src/etc; make distrib-dirs
cd: can’t cd to /usr/src/etc
*** Error code 2

Stop in /usr/src.
Error: The command ‘make installworld’ failed.
Refer to the error report(s) above.
———————————————————-

BTW, I recompiled and built my own kernel first before I installed Ezjail. I suspect the error occurred because of the new kernel configuration, but that is only my presumption.

Any help about this?

Thanks much!

7 Karl Blessing February 22, 2011 at 10:56 pm

Would it be possible to install a jail on a binary distribution, if I don’t have a source tree and I don’t wish to re-build the base system from cvsup but rather keep it easy with freebsd-update?

8 Karl Blessing February 23, 2011 at 12:58 am

I just went with pulling down the source tree, doing buildworld (But not installworld). Was just hoping there’d be a way to update the jails without having to rely on sources.

9 Namotco June 8, 2012 at 9:41 pm

/usr/local/etc/rc.d/ezjail.sh

is now:

/usr/local/etc/rc.d/ezjail

10 Michael July 11, 2012 at 6:11 am

Thanks Vivek for this.

My question is how do I assign a set amount of disk space and RAM to each jail, just like we do on OpenVZ for each virtual machine.

For example, I want jail 1 to have 20 GB disk and say 256 MB RAM assigned. jail2 should have 100 GB disk and 1 GB RAM, etc. How does one do this?

11 jpd August 4, 2012 at 1:59 pm

You need to compile the kernel with quota enabled and then use quota to specify disk limitations. Dunno if RAM limitations have been implemented yet (doubt it).