
Ezjail

From FreeBSDwiki
Revision as of 21:50, 28 October 2015 by Sidetone (Talk | contribs)

Ezjail is much easier to install and configure than using the jail program on its own.


Installing and updating

Install ezjail:

% cd /usr/ports/sysutils/ezjail
% make install clean

Then create the basejail, manpages, source and ports tree in the basejail:

% ezjail-admin install -msp

To update the basejail with a quick binary update and refresh the ports tree:

% ezjail-admin update -uP

For a better understanding of the options, type:

% man ezjail
% man ezjail-admin
  • Note: the -s flag has a different function when using the options install and update.

Configuring

The custom configuration for each jail is in /usr/local/etc/ezjail/myjail and in the jail's own /etc directory. Defaults applied when a jail is set up can be configured in /usr/local/etc/ezjail.conf. The text in these two files is similar, except that one of them lacks the term export.

Network

For the network to work, the alias line in rc.conf must match the IP address in /usr/local/etc/ezjail/myjail. The jail's own /etc/resolv.conf and /etc/hosts must also be valid:

Example rc.conf:

ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
#cloned_interfaces="${cloned_interfaces} lo1"
ezjail_enable="YES"

and the initial jail setup from the command line, which produces the matching /usr/local/etc/ezjail/myjail:

% ezjail-admin create myjail 192.168.1.20
% cp /etc/resolv.conf /usr/jails/myjail/etc/

The per-jail file created in /usr/local/etc/ezjail/ (named after the jail) is where raw sockets, and therefore ping, can be allowed. Raw sockets let processes in the jail craft arbitrary packets, so only enable this for jails that actually need it:

export jail_jailname_parameters="allow.raw_sockets=1"  # This allows network programs including ping to be used from the jail
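As an added check that is not part of the original page, the script below verifies that every IP address ezjail assigned to a jail in its /usr/local/etc/ezjail/<name> file has a matching ifconfig alias in rc.conf, the requirement described above. It runs against constructed sample files rather than the live system; the `iface|ip` prefix and comma-separated address lists it also accepts are an assumption about newer ezjail versions.

```shell
#!/bin/sh
# Added example (not from the original page): verify that each IP ezjail
# assigned to a jail is also configured as an interface alias in rc.conf.
set -u

# Print the jail's IPs from its /usr/local/etc/ezjail/<name> file, one per line.
# ezjail writes: export jail_<name>_ip="192.168.1.20"; the "iface|ip" prefix and
# comma-separated lists handled here are an assumption about newer versions.
jail_ips() {
    sed -n "s/^export jail_${2}_ip=\"\(.*\)\"/\1/p" "$1" \
        | tr ',' '\n' | sed 's/^[^|]*|//'
}

# Print every address from rc.conf lines like ifconfig_<if>_alias<n>="inet A.B.C.D ..."
rcconf_alias_ips() {
    sed -n 's/^ifconfig_[A-Za-z0-9]*_alias[0-9]*="inet \([0-9.]*\).*/\1/p' "$1"
}

# Usage: check_jail_aliases <rc.conf> <jail config> <jail name>
# Returns 0 when every jail IP has an alias, 1 otherwise (missing IPs are printed).
check_jail_aliases() {
    rc="$1"; cfg="$2"; name="$3"; status=0
    for ip in $(jail_ips "$cfg" "$name"); do
        if ! rcconf_alias_ips "$rc" | grep -qxF "$ip"; then
            echo "missing rc.conf alias for jail $name: $ip"
            status=1
        fi
    done
    return $status
}

# Constructed sample files standing in for /etc/rc.conf and two jail configs.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/rc.conf" <<'EOF'
ifconfig_wlan0_alias0="inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255"
ezjail_enable="YES"
EOF
cat > "$DEMO_DIR/myjail" <<'EOF'
export jail_myjail_hostname="myjail"
export jail_myjail_ip="192.168.1.20"
export jail_myjail_rootdir="/usr/jails/myjail"
EOF
cat > "$DEMO_DIR/otherjail" <<'EOF'
export jail_otherjail_ip="wlan0|192.168.1.21"
EOF

check_jail_aliases "$DEMO_DIR/rc.conf" "$DEMO_DIR/myjail" myjail && echo "myjail: ok"
check_jail_aliases "$DEMO_DIR/rc.conf" "$DEMO_DIR/otherjail" otherjail || echo "otherjail: fix rc.conf first"
```

Run it against the real /etc/rc.conf and /usr/local/etc/ezjail/<name> before ezjail-admin start to catch a mismatch early.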

Accessing hardware

The line

export ezjail_devfs_ruleset="devfsrules_jail"

in /usr/local/etc/ezjail/myjail refers to the section

[devfsrules_jail]

in /etc/defaults/devfs.rules.

To create custom rules, create /etc/devfs.rules, which overrides the defaults, and give it a [devfsrules_jail] section header that matches the one in /etc/defaults/devfs.rules.

To access the X display from inside a jail, xorg-nestserver must be installed on the host system.

Filesystems

Ezjail uses the nullfs module (to mount the shared basejail into each jail); it can be loaded by hand, loaded at boot from /boot/loader.conf, or compiled into the kernel:

% kldload nullfs
% echo 'nullfs_load="YES"' >> /boot/loader.conf

or, in the kernel configuration file:

options   NULLFS

Starting

% ezjail-admin start
  • restart, stop, startcrypto, and stopcrypto are other options

To list your jails and log in to one, type:

% ezjail-admin list
% ezjail-admin console myjail

Once inside the jail, configure the date and network settings much as you would on the host operating system.

From outside the jail, jexec runs a program inside the jail:

% jexec myjail program

Archiving a jail

% ezjail-admin stop myjail
% ezjail-admin archive myjail
% ls /usr/jails/ezjail-archives/

See also

  • Jail Facility - mentions ezjail alternative qjail
  • poudriere - used to easily make packages from ports inside a jail
