Ezjail

From FreeBSDwiki
(Difference between revisions)
(References: add)
 
(18 intermediate revisions by one user not shown)
Line 1: Line 1:
Ezjail is much easier to install and configure than using the sole program [[jails|jail]].
+
{{port|sysutils/ezjail}} is a simplified way to install and configure [[jails]].
  
 
==Installing and updating==
 
==Installing and updating==
Line 9: Line 9:
 
  % ezjail-admin install -msp
 
  % ezjail-admin install -msp
  
In order to update the base through quick binary, and ports:
+
In order to update the basejail through quick binary, and ports:
 
  % ezjail-admin update -uP
 
  % ezjail-admin update -uP
  
Line 15: Line 15:
 
  % man ezjail
 
  % man ezjail
 
  % man ezjail-admin
 
  % man ezjail-admin
* Note: the -s flag has a different function when using the options '''install''' and '''update'''.  
+
* Note: the {{code|-s}} flag has a different function when using the options {{cmd|install}} and {{cmd|update}}.  
  
 
==Configuring==
 
==Configuring==
% ifconfig wlan0 alias 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
+
The custom configuration for each jail is in {{file|/usr/local/etc/ezjail/''myjail''}}, and it it's jailed {{file|/etc}} directory. Pre-setup of jails can be configured in {{file|/usr/local/etc/ezjail.conf}}. The text in these two files are similar except one lacks the the term {{code|export}}.
To enable ezjail and its network connection, add to ''rc.conf'':
+
% ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
+
% cloned_interfaces="${cloned_interfaces} lo1"
+
% ezjail_enable="YES"
+
  
 +
===Network===
 +
For the network to work, the {{code|alias}} line in {{file|rc.conf}} must match the ip address in {{file|/usr/local/etc/ezjail/''myjail''}}. Also, the jailed {{file|/etc/}} files {{file|resolv.conf}} and {{file|hosts}} must be functional:
 +
 +
Example {{file|rc.conf}}:
 +
ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
 +
#cloned_interfaces="${cloned_interfaces} lo1"
 +
ezjail_enable="YES"
 +
and initial jail set up from the commandline, which will correspond to {{file|/usr/local/etc/ezjail/''myjail''}}:
 
  % ezjail-admin create myjail 192.168.1.20
 
  % ezjail-admin create myjail 192.168.1.20
 
  % cp /etc/resolv.conf /usr/jails/myjail/etc/
 
  % cp /etc/resolv.conf /usr/jails/myjail/etc/
  
Your created jailname file in the directory ''/usr/local/etc/ezjail/'' is where options can be set:
+
Your created jailname file in the directory {{file|/usr/local/etc/ezjail/}} is where {{cmd|ping}} usage can be turned on:
 
  export jail_jailname_parameters="allow.raw_sockets=1"  # This allows network programs including ping to be used from the jail
 
  export jail_jailname_parameters="allow.raw_sockets=1"  # This allows network programs including ping to be used from the jail
 +
 +
===Accessing hardware===
 +
The line {{code|export ezjail_devfs_ruleset<nowiki>=</nowiki>"devfsrules_jail"}} in {{file|/usr/local/etc/ezjail/''myjail''}}, refers to {{code|[devfsrules_jail]}} in {{file|/etc/defaults/devfs.rules}}.
 +
 +
To create custom rules, create {{file|/etc/devfs.rules}}, which will override defaults. Create a {{code|[devfsrules_jail]}} section header, that matches the header in {{file|/etc/defaults/devfs.rules}}.
 +
 +
To access the X display from jail, use the {{cmd|Xnest}} command from {{port|x11-servers/xorg-nestserver}}. See {{man|Xnest|1}} for information.
  
 
===Filesystems===
 
===Filesystems===
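Review bot: The added paragraph under Configuring has two typos that should be fixed before saving: "and it it's jailed" and "lacks the the term". In the same hunk, the example rc.conf now shows cloned_interfaces commented out, while the removed text told readers to add that line; say whether lo1 is still needed or drop the line. The three example rc.conf lines also have no leading spaces, unlike the ezjail-admin command lines, so they will not render as preformatted text. Finally, the new lead-in says the per-jail file is where "ping usage can be turned on", but the inline comment on allow.raw_sockets=1 says it allows network programs including ping; the lead-in should state the wider effect too.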
Line 39: Line 50:
 
==Starting==
 
==Starting==
 
  % ezjail-admin start
 
  % ezjail-admin start
* '''restart''', '''stop''', '''startcrypto''', and '''stopcrypto''' are other options
+
* {{cmd|restart}} and {{cmd|stop}} are other options.
  
 
To see your jail and log in to it type:
 
To see your jail and log in to it type:
 
  % ezjail-admin list
 
  % ezjail-admin list
  % ezjail-admin console myjail
+
  % ezjail-admin console ''myjail''
 
Once inside the jail, configure your date, and network settings similarly to how its done in the root operating system.
 
Once inside the jail, configure your date, and network settings similarly to how its done in the root operating system.
 +
 +
From outside the jail, the program {{cmd|jexec}} may run a program from inside the jail:
 +
% jexec ''myjail'' program
  
 
==Archiving a jail==
 
==Archiving a jail==
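Review bot: The added jexec line, "% jexec ''myjail'' program", has no leading spaces, unlike the ezjail-admin lines around it, so it will render as ordinary paragraph text rather than as a command; indent it to match. The same hunk drops startcrypto and stopcrypto from the list of other options without saying why; if they are still valid, keep them or point the reader to the man page for the full list.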
Line 50: Line 64:
 
  % ezjail-admin archive myjail
 
  % ezjail-admin archive myjail
 
  % ls /usr/jails/ezjail-archives/
 
  % ls /usr/jails/ezjail-archives/
 
==Accessing hardware==
 
To access /dev files from the jail, adjust the following line in ''/usr/local/etc/devfs.rules'' in the base-system, or in /etc/devfs.rules inside the jail:
 
ezjail_devfs_ruleset="devfsrules_jail"
 
Individual rules may be added after [devfsrules_jail] inside the jail's ''/etc/devfs.rules'' file.
 
 
Take a look at the base-system's file ''/etc/defaults/devfs.rules'' for context, but don't edit it. In this file, '''[devfsrules_jail]''' refers to '''ezjail_devfs_ruleset="devfsrules_jail"''' in the personalized ''devfs.rules'' file.
 
  
 
==See also==
 
==See also==
 
* [[Jail Facility]] - mentions ezjail alternative ''qjail''
 
* [[Jail Facility]] - mentions ezjail alternative ''qjail''
 +
* [[poudriere]] - used to easily make packages from ports inside a jail
  
 
==References==
 
==References==
 
* [http://www.bsdnow.tv/tutorials/jails BSD Now: Everything you need to know about Jails]
 
* [http://www.bsdnow.tv/tutorials/jails BSD Now: Everything you need to know about Jails]
 
* [https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html FreeBSD Handbook: Managing Jails with ezjail]
 
* [https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html FreeBSD Handbook: Managing Jails with ezjail]
 +
* [http://www.freebsddiary.org/ezjail.php The FreeBSD Diary: ezjail - A jail administration framework]
 
* filesystem documentation
 
* filesystem documentation
 
* Network Administration with FreeBSD 7 (2008)
 
* Network Administration with FreeBSD 7 (2008)

Latest revision as of 03:58, 1 November 2015

sysutils/ezjail is a simplified way to install and configure jails.

==Installing and updating==

Install ezjail:

% cd /usr/ports/sysutils/ezjail
% make install clean

Then create the basejail, manpages, source and ports tree in the basejail:

% ezjail-admin install -msp

To update the basejail through a quick binary update, together with the ports tree:

% ezjail-admin update -uP

For a better understanding of the options, type:

% man ezjail
% man ezjail-admin
  • Note: the -s flag has a different function when using the options install and update.

==Configuring==

The custom configuration for each jail is in /usr/local/etc/ezjail/myjail, and in its jailed /etc directory. Pre-setup of jails can be configured in /usr/local/etc/ezjail.conf. The text in these two files is similar, except that one lacks the term export.

===Network===

For the network to work, the alias line in rc.conf must match the IP address in /usr/local/etc/ezjail/myjail. Also, the jailed /etc/ files resolv.conf and hosts must be functional.

Example rc.conf:

ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
#cloned_interfaces="${cloned_interfaces} lo1"
ezjail_enable="YES"

and the initial jail setup from the command line, which will correspond to /usr/local/etc/ezjail/myjail:

% ezjail-admin create myjail 192.168.1.20
% cp /etc/resolv.conf /usr/jails/myjail/etc/

The file named after your jail in the directory /usr/local/etc/ezjail/ is where ping usage can be turned on:

export jail_jailname_parameters="allow.raw_sockets=1"  # This allows network programs including ping to be used from the jail
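
The two points of this section as a check script: an added example (not from the wiki page or the ezjail project) that verifies a jail's address is set by an uncommented ifconfig_ line in rc.conf and reports jails that enable allow.raw_sockets. The jail_<name>_ip variable name and the sample files are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the wiki page. Assumption: the per-jail file has
# `export jail_<name>_ip="..."` next to the page's jail_<name>_parameters line.

jail_ip() {    # usage: jail_ip <name> <jail-config>
    sed -n "s/^export jail_${1}_ip=\"\([^\"]*\)\".*/\1/p" "$2"
}

rc_addrs() {   # addresses set by active (uncommented) ifconfig_* lines
    sed -n 's/^ifconfig_[A-Za-z0-9_]*="inet \([0-9.]*\).*/\1/p' "$1"
}

# Prints findings; returns 1 when the jail's address is missing from rc.conf.
audit_jail() { # usage: audit_jail <name> <jail-config> <rc.conf>
    name=$1 conf=$2 rc=$3 status=0
    ip=$(jail_ip "$name" "$conf")
    if [ -z "$ip" ]; then
        echo "FAIL $name: no jail_${name}_ip line in $conf"; status=1
    elif ! rc_addrs "$rc" | grep -qxF "$ip"; then
        echo "FAIL $name: $ip has no matching ifconfig_ line in $rc"; status=1
    fi
    # The page's own comment notes this covers network programs beyond ping.
    if grep -q "^export jail_${name}_parameters=.*allow\.raw_sockets=1" "$conf"; then
        echo "WARN $name: allow.raw_sockets=1 is set"
    fi
    return "$status"
}

# Constructed sample files, so the check runs without a FreeBSD host.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rc.conf" <<'EOF'
ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
#ifconfig_wlan0_alias1="inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255"
#cloned_interfaces="${cloned_interfaces} lo1"
ezjail_enable="YES"
EOF
cat > "$tmp/myjail" <<'EOF'
export jail_myjail_ip="192.168.1.20"
export jail_myjail_parameters="allow.raw_sockets=1"
EOF
cat > "$tmp/otherjail" <<'EOF'
export jail_otherjail_ip="192.168.1.21"
export jail_otherjail_parameters=""
EOF
audit_jail myjail "$tmp/myjail" "$tmp/rc.conf" || true
audit_jail otherjail "$tmp/otherjail" "$tmp/rc.conf" || true
```

The second sample jail fails because its only matching alias line is commented out, which is the mismatch that leaves a jail without a working address.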

===Accessing hardware===

The line export ezjail_devfs_ruleset="devfsrules_jail" in /usr/local/etc/ezjail/myjail refers to [devfsrules_jail] in /etc/defaults/devfs.rules.

To create custom rules, create /etc/devfs.rules, which will override the defaults. Create a [devfsrules_jail] section header that matches the header in /etc/defaults/devfs.rules.

To access the X display from the jail, use the Xnest command from x11-servers/xorg-nestserver. See Xnest(1) for information.

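===Filesystems===

Jail uses the module nullfs; it may be quickloaded, loaded at every boot from /boot/loader.conf, or compiled into the kernel:

% kldload nullfs
% echo 'nullfs_load="YES"' >> /boot/loader.conf

To compile it into the kernel, add this line to the kernel configuration file:

options   NULLFS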

==Starting==

% ezjail-admin start
  • restart and stop are other options.

To see your jail and log in to it, type:

% ezjail-admin list
% ezjail-admin console myjail

Once inside the jail, configure your date and network settings similarly to how it's done in the root operating system.

From outside the jail, the program jexec can run a program inside the jail:

% jexec myjail program

==Archiving a jail==

% ezjail-admin stop myjail
% ezjail-admin archive myjail
% ls /usr/jails/ezjail-archives/

==See also==

  • Jail Facility - mentions ezjail alternative qjail
  • poudriere - used to easily make packages from ports inside a jail
