
Setup FreeBSD Jail With ezjail

How do I set up operating-system-level virtualization that partitions my FreeBSD server into several independent mini-systems called jails? I'd like one jail for mail and another for a web server, each on its own public IP address.

Each jail in FreeBSD's virtual environment runs on the host machine with its own files, processes, users and superuser account. From inside a jailed process the environment is almost indistinguishable from a real system; what every jail shares with the host is the kernel, so a jail confines processes and files but not kernel bugs. The easiest way to create, manage and modify jails is the ezjail framework.

WARNING! Before you create any jail, the host's daemons must listen only on 127.0.0.1 or on the single host address (202.54.1.2 in this setup), never on the wildcard address. A host daemon bound to *:port claims every IP on the machine, including the jail addresses, so either the jail's own service fails to bind or the host process silently answers in its place. At a minimum adjust sshd and syslogd, and check any other listening service, before configuring jails.

Sample Setup

server.nixcraft.net.in : FreeBSD host server running v7.2 with 202.54.1.2
smtpd.nixcraft.net.in : Mail server jail with 202.54.1.3
httpd.nixcraft.net.in : Web server jail with 202.54.1.4 
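The warning above is easy to forget for a daemon you did not think of. The following audit script is an added example, not part of the original tutorial: it reads the output of `sockstat -4 -l` and reports every host daemon bound to the wildcard address, plus any host daemon already sitting on an address other than 127.0.0.1 or the host IP (i.e. squatting on what should be a jail address), and prints the corresponding fix. It assumes the host IP 202.54.1.2 from the sample setup and the standard FreeBSD `sockstat` column layout; the sockstat text embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): pre-jail audit of host listeners.
# Assumptions: host IP is 202.54.1.2 (sample setup); `sockstat -4 -l` columns are
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS. Sample data is constructed.

HOST_IP=${HOST_IP:-202.54.1.2}

# Constructed sockstat output: two wildcard listeners, one host daemon squatting
# on the httpd jail's address, two correctly bound daemons.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     syslogd    640   6  udp4   *:514                 *:*
root     sendmail   901   4  tcp4   127.0.0.1:25          *:*
root     ntpd       733   20 udp4   202.54.1.2:123        *:*
www      httpd      950   4  tcp4   202.54.1.4:80         *:*'

# wildcard_listeners: print "COMMAND LOCAL_ADDRESS" for every socket bound to *:port.
# Reads sockstat output on stdin; the header line is skipped.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $6 }'
}

# foreign_listeners HOST_IP: sockets bound to an address that is neither the
# wildcard, loopback nor the host IP, i.e. a host daemon on a jail address.
foreign_listeners() {
    host="$1"
    awk -v host="$host" 'NR > 1 {
        split($6, a, ":")
        if (a[1] != "*" && a[1] != "127.0.0.1" && a[1] != host) print $2, $6
    }'
}

# wildcard_fixes HOST_IP: for each "COMMAND ADDRESS" pair on stdin, print the
# change that pins that daemon to the host. syslogd -ss disables its network
# socket entirely; sshd gets an explicit ListenAddress.
wildcard_fixes() {
    host="$1"
    while read -r cmd addr; do
        case "$cmd" in
            sshd)    printf '%s\n' "$cmd $addr: set 'ListenAddress $host' in /etc/ssh/sshd_config" ;;
            syslogd) printf '%s\n' "$cmd $addr: set syslogd_flags=\"-ss\" in /etc/rc.conf (no network socket)" ;;
            *)       printf '%s\n' "$cmd $addr: bind it to $host or 127.0.0.1, or disable it on the host" ;;
        esac
    done
}

# audit_host HOST_IP: run both checks over sockstat output on stdin.
# Returns 1 when anything must be fixed before jails are started, 0 when clean.
audit_host() {
    host="$1"
    input=$(cat)
    status=0
    fixes=$(printf '%s\n' "$input" | wildcard_listeners | wildcard_fixes "$host")
    if [ -n "$fixes" ]; then
        printf '%s\n' "$fixes"
        status=1
    fi
    squat=$(printf '%s\n' "$input" | foreign_listeners "$host")
    if [ -n "$squat" ]; then
        printf '%s\n' "$squat" | sed 's/$/: host daemon bound to a non-host address (jail IP squat?)/'
        status=1
    fi
    return $status
}

# Demo on the constructed sample. On the real host run instead:
#   sockstat -4 -l | audit_host 202.54.1.2
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_host "$HOST_IP" || echo "fix the above before starting jails"
```

Run the audit once more after the fixes and again after every host upgrade: a package update that re-enables a default `inetd` or `rpcbind` listener puts a wildcard socket back on the host without anyone editing a config file.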

Step # 1: Update Your Host System

Make sure you are running an updated kernel and base system; use the cvsup command to fetch the latest kernel and base system sources and build and install them. See detailed > /etc/rc.conf

How do I start all Jails?

# /usr/local/etc/rc.d/ezjail.sh start

How do I stop all Jails?

# /usr/local/etc/rc.d/ezjail.sh stop

How do I restart all Jails?

# /usr/local/etc/rc.d/ezjail.sh restart
You can also start / stop / restart a particular jail using the following syntax (note that ezjail 3.x ships the rc script as /usr/local/etc/rc.d/ezjail, so on newer hosts substitute that path or use service ezjail start jail-name):
# /usr/local/etc/rc.d/ezjail.sh {start/stop/restart} jail-name
# /usr/local/etc/rc.d/ezjail.sh start httpd
# /usr/local/etc/rc.d/ezjail.sh stop smtpd.nixcraft.net.in

How Do I List All Jails?

Use the jls command to list all running jails:
# jls
To display more verbose information (cpusets, jail state, multiple IPs, etc.), enter:
# jls -v

How Do I Login To My Jail From The Host Itself?

Use the jexec command to run a shell inside a jail (the process is started inside the jail, so everything you do from there is confined to it):
# jexec jid csh
The jid is obtained from the jls output (newer FreeBSD releases also accept the jail name in place of the jid). Connect to the jail called smtpd.nixcraft.net.in, whose jid is 2:
# jexec 2 csh
You are now root inside the jail and can install software and configure services. First give the jail a working resolver by editing its /etc/resolv.conf:
# vi /etc/resolv.conf
Install the bash shell (pkg_add is the FreeBSD 7/8-era package tool; on current releases use pkg install bash):
# pkg_add -r -v bash
Install Apache 2.2 server:
# cd /usr/ports/www/apache22
# make install clean
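Looking up the jid with `jls` and retyping it into `jexec` is the step people get wrong on a host with several jails. The helper below is an added example, not part of the original tutorial (commenter Valqk mentions a similar `jlog` command): it resolves a jail hostname to its jid from `jls` output and then runs `jexec jid csh`, refusing to guess when the name matches no jail or more than one. It assumes the four-column `jls` layout (JID, IP Address, Hostname, Path) of the FreeBSD 7 era and that, as ezjail does, jails are named after their hostnames; the `jls` text embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): attach to a jail by name.
# Assumes `jls` prints "JID  IP Address  Hostname  Path" and that the jail's
# hostname is its ezjail name. The jls output below is constructed.

SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     1  202.54.1.4      httpd.nixcraft.net.in         /jails/httpd.nixcraft.net.in
     2  202.54.1.3      smtpd.nixcraft.net.in         /jails/smtpd.nixcraft.net.in'

# jid_from_jls NAME: read `jls` output on stdin and print the JID whose hostname
# equals NAME exactly. No prefix matching: "httpd" must not silently pick
# httpd.nixcraft.net.in. Exit status 1 when nothing matches, 2 when the name
# is ambiguous (two running jails claiming the same hostname).
jid_from_jls() {
    name="$1"
    awk -v name="$name" '
        NR > 1 && $3 == name { jid = $1; n++ }
        END {
            if (n == 1) { print jid; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# jlog NAME [COMMAND ...]: jexec into the jail called NAME; defaults to csh,
# exactly as `jexec <jid> csh` in the article. Any extra arguments are run
# inside the jail instead of a shell.
jlog() {
    name="$1"; shift
    jid=$(jls | jid_from_jls "$name") || {
        echo "jlog: no unique running jail named '$name'" >&2
        return 1
    }
    [ $# -eq 0 ] && set -- csh
    jexec "$jid" "$@"
}

# Demo on the constructed sample: prints 2.
printf '%s\n' "$SAMPLE_JLS" | jid_from_jls smtpd.nixcraft.net.in
# On the real host:
#   jlog smtpd.nixcraft.net.in
#   jlog httpd.nixcraft.net.in pkg_add -r -v bash
```

One caveat with matching on the hostname column: by default root inside a jail may change the jail's hostname, so a compromised jail could rename itself to look like another one in `jls` and catch the operator's next `jlog`. Set `security.jail.set_hostname_allowed=0` on the host (via /etc/sysctl.conf) if jail roots are not fully trusted; the ambiguity check above then only has to deal with honest mistakes.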

How Do I Login Remotely (Directly) To Jail?

First log in with jexec, then enable sshd in the jail's /etc/rc.conf:
# echo 'sshd_enable="YES"' >> /etc/rc.conf
Edit /etc/ssh/sshd_config inside the jail and set ListenAddress to the jail's own IP only (202.54.1.3 for smtpd), so it cannot collide with the host's sshd. Start OpenSSH inside the jail and confirm with sockstat that it is bound to the jail address (202.54.1.3:22) and not to *:22:
# /etc/rc.d/sshd start
# sockstat -4
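"Update the listen parameter" hides a detail that matters when the same config gets re-applied on every jail rebuild: the directive is ListenAddress, the shipped file carries it commented out (`#ListenAddress 0.0.0.0`, which means listen everywhere), and a naive `echo >>` leaves two active lines after the second run. The function below is an added example, not from the original tutorial: it replaces every active ListenAddress line with one for the jail IP, leaves commented lines alone, appends one if none existed, and is idempotent. It assumes the smtpd jail's IP 202.54.1.3 from the sample setup; the sshd_config text is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): pin a jail's sshd to the
# jail's own address in sshd_config, idempotently. Assumes the smtpd jail IP
# 202.54.1.3 from the sample setup; the sample sshd_config is constructed.

# set_listen_address FILE IP: rewrite FILE so that its only active
# ListenAddress line is "ListenAddress IP". Commented "#ListenAddress" lines
# are preserved as documentation; a missing directive is appended. Written
# via a temp file and mv so a crash cannot leave a half-written config.
set_listen_address() {
    file="$1"; ip="$2"
    tmp="${file}.tmp.$$"
    awk -v ip="$ip" '
        /^[ \t]*ListenAddress[ \t]/ {
            if (!done) { print "ListenAddress " ip; done = 1 }
            next
        }
        { print }
        END { if (!done) print "ListenAddress " ip }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# active_listen_addresses FILE: the ListenAddress values sshd will actually use
# (commented lines are not listed).
active_listen_addresses() {
    awk '/^[ \t]*ListenAddress[ \t]/ { print $2 }' "$1"
}

# demo_sshd_config: apply the rewrite to a constructed sshd_config and print
# the resulting active addresses (expected: just 202.54.1.3).
demo_sshd_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sshd_config: commented defaults mean "listen on every address"
#ListenAddress 0.0.0.0
#ListenAddress ::
Port 22
ListenAddress 0.0.0.0
PermitRootLogin no
EOF
    set_listen_address "$f" 202.54.1.3
    active_listen_addresses "$f"
    rm -f "$f"
}

demo_sshd_config
# Inside the smtpd jail:
#   set_listen_address /etc/ssh/sshd_config 202.54.1.3
#   /etc/rc.d/sshd restart
#   sockstat -4 -l | grep sshd      # expect 202.54.1.3:22, never *:22
```

Keep `Port` above `ListenAddress` in the file, as the sample does: sshd applies `Port` only to ListenAddress lines that follow it, so a ListenAddress inserted above the port setting silently listens on 22 regardless of what `Port` says.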

How Do I Upgrade FreeBSD Jail?

Stop all jails, install the host's freshly built world into the base jail (and refresh the ports tree), then start them again. The -i option installs an already built world from /usr/src, so build it on the host first (or see ezjail-admin update's -b option, which builds and installs):
# /usr/local/etc/rc.d/ezjail.sh stop
# ezjail-admin update -p -i
# /usr/local/etc/rc.d/ezjail.sh start

How Do I Upgrade Only Ports Tree?

There is no need to stop the jails; run the following to update the shared ports tree for all jails:
# ezjail-admin update -P

Jail Log Files

Each jail's console log is written to /var/log on the host, named after the jail with the dots in its name replaced by underscores. For example, to follow the log of the smtpd.nixcraft.net.in jail and search it for errors, enter:
# tail -f /var/log/jail_smtpd_nixcraft_net_in_console.log
# grep 'error' /var/log/jail_smtpd_nixcraft_net_in_console.log

How Do I Add Additional Jails?

Create the httpd jail with its own root directory and IP, review the generated ezjail config, start it, and attach to it:
# ezjail-admin create -r /jails/httpd.nixcraft.net.in httpd.nixcraft.net.in 202.54.1.4
# vi /usr/local/etc/ezjail/httpd_nixcraft_net_in
# /usr/local/etc/rc.d/ezjail.sh start httpd.nixcraft.net.in
# jls -v
# jexec jid csh

How Do I Backup Jails?

Use tar, rsync or dump to back up a jail to another server or a tape device. For example, use tar to back up smtpd.nixcraft.net.in to tape:
# tar -zcvf /dev/sa0 /jails/smtpd.nixcraft.net.in
You can also use dump to back up all jails stored on the /jails partition; the -L option takes a UFS snapshot first, so the dump is consistent even while the jails keep running:
# /sbin/dump -0uLf /dev/sa0 /jails/
Later, dump only the incremental changes since the level 0 dump:
# /sbin/dump -1uLf /dev/sa0 /jails/

Recommended Reading:

  • FreeBSD Jail chapter from the official FreeBSD handbook.
  • man pages jexec, jls, jail, dump, restore


11 comments
  • Valqk June 12, 2009, 11:56 am

    Just to share, I've written a command called
    jlog jailname. It runs jexec JID tcsh and logs you into the jail.
    Here it is: Link

    P.S. I didn't find my posts in the mailing lists, so I've posted them on my blog. Please feel free to delete this comment if you consider it spam or something.

  • Shoaibi June 17, 2009, 1:41 pm

    @Vivek:
    Good going…

    @Valqk:
    thanks, I was thinking to create one after reading the article…

  • Dhenin Jean-Jacques March 22, 2010, 7:09 pm

    Appreciated. Thank you very much. Very useful.

  • cleroy61 September 6, 2010, 6:41 pm

    Hello,
    When I create a jail with ezjail, I cannot access /usr/ports from my jail to install nginx:

    jexec 2 cd /usr/ports/www/nginx && make install clean
    No such file or directory

    It does not exist, in fact; how can I link it to my jail?
    I'm outside my jail and I ran a portsnap extract command
    and then a portsnap fetch update command, thinking I did not open the softwares worn.
    It is present, but with the letter 'l' in front, preventing me from going there as a directory:

    lrwxr-xr-x 1 root wheel 19 Sep 5 11:12 ports -> /basejail/usr/ports

    Thanking you sincerely, Christophe

  • cleroy61 September 7, 2010, 7:17 pm

    I found the answer through the FreeBSD forum; this command is not enough:

    portsnap fetch extract

    I tried this one after building the jail with ezjail-admin create

    portsnap -p /usr/jails/basejail/usr/ports/ fetch extract

    it’s OK now !

  • Broy January 22, 2011, 7:08 am

    Hello!
    I set up ezjail on my FreeBSD 8.1 amd64 release version. After a successful installation,
    I ran the "ezjail-admin update -p -i" command, but unfortunately it shows some errors:
    ——————————————————–
    cd /usr/src; make -f Makefile.inc1 hierarchy
    cd /usr/src/etc; make distrib-dirs
    cd: can’t cd to /usr/src/etc
    *** Error code 2

    Stop in /usr/src.
    Error: The command ‘make installworld’ failed.
    Refer to the error report(s) above.
    ———————————————————-

    BTW, I recompiled and built my own kernel before I installed ezjail. I suspect the error occurred because of the new kernel configuration, but that is only my presumption.

    Any help about this?

    Thanks much!

  • Karl Blessing February 22, 2011, 10:56 pm

    Would it be possible to install a jail on a binary distribution. If I don’t have a source tree and I don’t wish to re-build the base system from cvsup but rather keep it easy with freebsd-update?

    • Karl Blessing February 23, 2011, 12:58 am

      I just went with pulling down the source tree, doing buildworld (But not installworld). Was just hoping there’d be a way to update the jails without having to rely on sources.

  • Namotco June 8, 2012, 9:41 pm

    /usr/local/etc/rc.d/ezjail.sh

    is now:

    /usr/local/etc/rc.d/ezjail

  • Michael July 11, 2012, 6:11 am

    Thanks Vivek for this.

    My question is how do I assign a set amount of disk space and RAM to each jail…. just like we do it on openvz for each virtual machine.

    For example I want jail 1 to have 20GB disk and say 256 MB RAM assigned. jail2 should have 100 GB disk and 1 GB RAM etc. How does one do this?

    • jpd August 4, 2012, 1:59 pm

      You need to compile the kernel with quota enabled and then use quota to specify disk limitations. Dunno if RAM limitations have been implemented yet (doubt it).
