Ezjail
Revision as of 00:03, 8 March 2015
Ezjail is much easier to install and configure than using the sole program jail.
Installing and updating
Install ezjail:
% cd /usr/ports/sysutils/ezjail
% make install clean
Then create the basejail, manpages, source and ports tree in the basejail:
% ezjail-admin install -msp
In order to update the basejail through quick binary, and ports:
% ezjail-admin update -uP
For a better understanding of the options, type:
% man ezjail
% man ezjail-admin
- Note: the -s flag has a different function when using the options install and update.
Configuring
The custom configuration for each jail is in /usr/local/etc/ezjail/myjail and in the jail's own /etc directory. Defaults applied when jails are set up can be configured in /usr/local/etc/ezjail.conf. The text of these two files is similar, except that one lacks the term export.
Network
For the network to work, the alias line in rc.conf must match the IP address in /usr/local/etc/ezjail/myjail. Also, the jailed /etc files resolv.conf and hosts must be functional:
Example of commandline setup:
% ifconfig wlan0 alias 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
Example rc.conf:
ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
#cloned_interfaces="${cloned_interfaces} lo1"
ezjail_enable="YES"
and initial jail setup from the command line, which will correspond to /usr/local/etc/ezjail/myjail:
% ezjail-admin create myjail 192.168.1.20
% cp /etc/resolv.conf /usr/jails/myjail/etc/
The jail's configuration file in /usr/local/etc/ezjail/ (named after the jail) is where ping usage can be allowed:
export jail_jailname_parameters="allow.raw_sockets=1" # This allows network programs including ping to be used from the jail
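An added audit script (not from the wiki page or the ezjail project) that checks the two things this section requires: that the host rc.conf alias matches the IP recorded for the jail, and that ezjail_enable is set. It also flags allow.raw_sockets so the widened jail capability is visible during review. It assumes the per-jail file carries a line of the form `export jail_myjail_ip="192.168.1.20"` (optionally prefixed with an interface, as in `"wlan0|192.168.1.20"`); the sample files are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not ezjail's own code.
# ASSUMPTION: `ezjail-admin create myjail 192.168.1.20` writes a line such as
#   export jail_myjail_ip="192.168.1.20"   or   export jail_myjail_ip="wlan0|192.168.1.20"
# Adjust the sed pattern in jail_ip if your ezjail version uses another layout.

# jail_ip FILE JAILNAME -> prints the IP recorded for the jail (interface prefix stripped)
jail_ip() {
    sed -n "s/^export jail_${2}_ip=\"\([^\"]*\)\".*/\1/p" "$1" | sed 's/^[^|]*|//' | head -n 1
}

# rc_alias_ips FILE -> prints every inet address found in ifconfig_*_alias* lines
rc_alias_ips() {
    sed -n 's/^ifconfig_[A-Za-z0-9]*_alias[0-9]*="inet \([0-9.]*\).*/\1/p' "$1"
}

# audit_jail RCCONF JAILFILE JAILNAME -> returns 0 when consistent, 1 otherwise
audit_jail() {
    rc="$1"; jf="$2"; name="$3"; status=0
    ip=$(jail_ip "$jf" "$name")
    if [ -z "$ip" ]; then
        echo "FAIL: no jail_${name}_ip line in $jf"; return 1
    fi
    if rc_alias_ips "$rc" | grep -qxF "$ip"; then
        echo "OK: alias for $ip present in $rc"
    else
        echo "FAIL: no ifconfig alias for $ip in $rc"; status=1
    fi
    grep -qF 'ezjail_enable="YES"' "$rc" || { echo "FAIL: ezjail_enable is not YES in $rc"; status=1; }
    # Raw sockets are needed for ping but let the jail craft arbitrary packets; report it.
    if grep -qF 'allow.raw_sockets=1' "$jf"; then
        echo "WARN: $name allows raw sockets; confirm this is intended"
    fi
    return $status
}

# Constructed sample files mirroring the rc.conf and jail file shown above.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf" <<'EOF'
ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
ezjail_enable="YES"
EOF
cat > "$tmp/myjail" <<'EOF'
export jail_myjail_ip="wlan0|192.168.1.20"
export jail_myjail_parameters="allow.raw_sockets=1"
EOF
audit_jail "$tmp/rc.conf" "$tmp/myjail" myjail
```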
Accessing hardware
To access /dev files from the jail, take a look at the following line in /usr/local/etc/ezjail/myjail :
export ezjail_devfs_ruleset="devfsrules_jail"
Now, take a look at the base system's file /etc/defaults/devfs.rules for context, but don't edit it. Its [devfsrules_jail] section is what export ezjail_devfs_ruleset="devfsrules_jail" refers to in your personalized devfs.rules file. To create custom rules, copy devfs.rules to the appropriate location and edit that copy; individual rules may be added after [devfsrules_jail].
(accessing X display from jail not solved)
Filesystems
Jails use the nullfs module; it may be loaded on demand, loaded at boot, or compiled into the kernel:
% kldload nullfs
% echo 'nullfs_load="YES"' >> /boot/loader.conf
or, in the kernel configuration file:
options NULLFS
Starting
% ezjail-admin start
- restart, stop, startcrypto, and stopcrypto are other options
To see your jail and log in to it type:
% ezjail-admin list
% ezjail-admin console myjail
Once inside the jail, configure your date and network settings similarly to how it's done in the host operating system.
From outside the jail, the program jexec may run a program from inside the jail:
% jexec myjail program
Archiving a jail
% ezjail-admin stop myjail
% ezjail-admin archive myjail
% ls /usr/jails/ezjail-archives/
See also
- Jail Facility - mentions ezjail alternative qjail