4/20/2020 Bsd Jails Tutorial
Installing A FreeBSD 7.0 DNS Server With BIND: This tutorial shows how to set up a FreeBSD based server that offers DNS services. This tutorial is written for the 64-bit version of FreeBSD, but should apply to the 32-bit version.
Since system administration is a difficult task, many tools have been developed to make life easier for the administrator. These tools often enhance the way.
Warning: This section describes installing and using jails on FreeNAS® version 11.2 or later. Any jails created with a previous version of FreeNAS® must be managed with the.

Jails are a lightweight, operating-system-level virtualization. One or multiple services can run in a jail, isolating those services from the host FreeNAS® system.

FreeNAS® uses the iocage utility for jail management. Jails are also used as the basis for FreeNAS® Plugins. The main differences between a user-created jail and a plugin are that plugins are preconfigured and usually provide only a single service. By default, jails run the FreeBSD operating system. These jails are independent instances of FreeBSD. The jail uses the host hardware and runs on the host kernel, avoiding most of the overhead usually associated with virtualization. Because the kernel is shared, the isolation between jails is only as strong as that kernel: a kernel compromise from inside a jail affects the host and every other jail. The jail installs the FreeBSD software management utilities, so FreeBSD packages or ports can be compiled and installed from the jail command line. It is important to understand that users, groups, installed software, and configurations within a jail are isolated from both the FreeNAS® host operating system and any other jails running on that system. During creation, set the VNET option to provide the jail with an independent networking stack. The jail is then able to broadcast an IP address, which is required by some applications. The ability to create multiple jails offers flexibility regarding software management.

For example, an administrator can choose to provide application separation by installing different applications in each jail, to create one jail for all installed applications, or to mix and match how software is installed into each jail.

Jail Storage

A pool must be created before using jails. Make sure the pool has enough storage for all the intended jails and plugins. The Jails screen displays a message and a CREATE POOL button if no pools exist on the FreeNAS® system. Multiple pools can be activated to store iocage jails and plugins. After a pool is created, the Jails page displays an Activated Pool section. This shows which pool and iocage dataset is active with FreeNAS®.

Click CONFIG to view the option to choose another pool or dataset to activate with iocage. ACTIVATE another pool to refresh the Jails list with any jails that exist on the chosen pool or dataset. Jails and downloaded FreeBSD release files are stored in a dataset named iocage/. Notes about the iocage/ dataset:
At least 10 GiB of free space is recommended. It cannot be located on a share. iocage automatically uses the first pool that is not a root pool for the FreeNAS® system. A defaults.json file contains the default settings used when a new jail is created.
The file is created automatically if not already present. If the file is present but corrupted, iocage shows a warning and uses default settings from memory. Each new jail installs into a new child dataset of iocage/. For example, with the iocage/jails dataset in pool1, a new jail called jail1 installs into a new dataset named pool1/iocage/jails/jail1. FreeBSD releases are fetched as a child dataset into the /iocage/download dataset. This dataset is then extracted into the /iocage/releases dataset to be used in jail creation. The dataset in /iocage/download can then be removed without affecting the availability of fetched releases or an existing jail. iocage/ datasets on activated pools are independent of each other and do not share any data.

14.2.1 Jail Creation Wizard

The wizard provides the simplest process to create and configure a new jail. Enter a Jail Name. Jail names can only contain alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). Choose the version of FreeBSD to install for this jail. Previously downloaded versions display (fetched) next to their entry in the list. Click NEXT to see a simplified list of networking options. The jail can be set to automatically configure IPv4 with DHCP and VNET, or IPv4 and IPv6 can be configured manually. Multiple interfaces are supported in the IPv4 Address and IPv6 Address fields by entering a comma-delimited list of interface, address, and netmask entries in the format interface|ipaddress/netmask. Click NEXT to view a summary screen of the chosen jail options. Click SUBMIT to create the new jail.
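The two things the wizard validates before it will submit a jail are the name and the address list. As an added example (not code from the FreeNAS documentation or the iocage project), the POSIX shell functions below apply the same rules outside the web interface, which is useful when jail creation is scripted: names are restricted to alphanumerics, dashes and underscores, and each IPv4 entry must have the interface|address/prefix shape. The function names and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: input checks matching the jail creation wizard's rules.
# Not part of FreeNAS or iocage; function names and samples are assumed.

# A jail name may contain only A-Z, a-z, 0-9, dashes and underscores.
valid_jail_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A dotted-quad IPv4 address: exactly four numeric octets, each 0-255.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# One "interface|address/prefix" entry, e.g. vnet0|192.168.0.10/24.
valid_ip4_entry() {
    entry=$1
    case "$entry" in *'|'*'/'*) ;; *) return 1 ;; esac
    iface=${entry%%|*}
    rest=${entry#*|}
    addr=${rest%/*}
    prefix=${rest##*/}
    case "$iface" in ''|*[!A-Za-z0-9_.]*) return 1 ;; esac
    valid_ipv4 "$addr" || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ]
}

# A comma-delimited list of entries, as typed into the IPv4 Address
# field. Prints the number of entries; returns 1 if any is malformed.
count_valid_ip4_entries() {
    n=0
    oldifs=$IFS
    IFS=,
    set -- $1
    IFS=$oldifs
    for e in "$@"; do
        valid_ip4_entry "$e" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Demonstration on constructed input.
for name in jail1 web_01 'bad name' 'jail;rm'; do
    if valid_jail_name "$name"; then
        echo "name accepted: $name"
    else
        echo "name rejected: $name"
    fi
done
for list in 'vnet0|192.168.0.10/24,vnet1|10.0.0.2/8' 'vnet0|192.168.0.300/24'; do
    if n=$(count_valid_ip4_entries "$list"); then
        echo "$n valid entries: $list"
    else
        echo "malformed list: $list"
    fi
done
```

The name check matters beyond tidiness: the name becomes part of a ZFS dataset path and of shell commands run by iocage, so rejecting anything outside the allowed set avoids handing metacharacters to those layers.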
After a few moments, the new jail is added to the primary jails list.

14.2.2 Creating a Jail

A usable jail can be quickly created by setting only the required values, the Jail Name and Release. Additional settings are in the Jail Properties, Network Properties, and Custom Properties sections. Table 14.2.1 shows the available options of the Basic Properties of a new jail.

Table 14.2.1 Basic Properties

Name (string): Required. Jail names can only contain alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_).
Release (drop-down menu): Required. Choose the version of FreeBSD to download and install for the jail. Previously downloaded versions of FreeBSD display (fetched) next to the entry in the list and do not need to be fetched again.
DHCP Autoconfigure IPv4 (checkbox): Automatically configure IPv4 networking with an independent VNET stack. VNET and Berkeley Packet Filter must also be checked. If not set, ensure the defined address in IPv4 Address does not conflict with an existing address.
VNET (checkbox): Use VNET to emulate network devices for this jail and create a fully virtualized per-jail network stack.
Berkeley Packet Filter (checkbox): Use the Berkeley Packet Filter to access data link layers in a protocol independent fashion. Unset by default to avoid security vulnerabilities: with BPF a process in the jail can capture and inject raw frames on the interface, so enable it only when something in the jail, such as the DHCP client, needs it.
IPv4 Interface (drop-down menu): Choose a network interface to use for this IPv4 connection.
IPv4 Address (string): This and the other IPv4 settings are grayed out if DHCP Autoconfigure IPv4 is set. Configures the interface to use for network or internet access for the jail. Enter an IPv4 address for this jail. Example: 192.168.0.10.
IPv4 Netmask (drop-down menu): Choose a subnet mask for this IPv4 Address.
IPv4 Default Router (string): Type none or a valid IP address. Setting this property to anything other than none configures a default route inside a VNET jail.
Auto Configure IPv6 (checkbox): Set to use SLAAC (Stateless Address Auto Configuration) to autoconfigure IPv6 in the jail.
IPv6 Interface (drop-down menu): Choose a network interface to use for this IPv6 connection.
IPv6 Address (string): Configures network or internet access for the jail. Type the IPv6 address for VNET and shared IP jails. Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
IPv6 Prefix (drop-down menu): Choose a prefix for this IPv6 Address.
IPv6 Default Router (string): Type none or a valid IP address. Setting this property to anything other than none configures a default route inside a VNET jail.
Notes (string): Enter any notes or comments about the jail.
Auto-start (checkbox): Start the jail at system startup.

Similar to the wizard, configuring the basic properties, then clicking SAVE is often all that is needed to quickly create a new jail. To continue configuring more settings, click NEXT to proceed to the Jail Properties section of the form. Table 14.2.2 describes each of these options.
Table 14.2.2 Jail Properties

devfs_ruleset (integer): Number of the devfs ruleset to enforce when mounting devfs in the jail. The default value of 0 means no ruleset is enforced. Mounting devfs inside a jail is only possible when the allow.mount and allow.mount.devfs permissions are enabled and enforce_statfs is set to a value lower than 2.
exec.start (string): Commands to run in the jail environment when a jail is created. Example: sh /etc/rc.
exec.stop (string): Commands to run in the jail environment before a jail is removed and after any exec.prestop commands are complete. Example: sh /etc/rc.shutdown.
exec.prestart (string): Commands to run in the system environment before a jail is started.
exec.poststart (string): Commands to run in the system environment after a jail is started and after any exec.start commands are finished.
exec.prestop (string): Commands to run in the system environment before a jail is stopped.
exec.poststop (string): Commands to run in the system environment after a jail is stopped and after any exec.stop commands are finished.
exec.clean (checkbox): Run commands in a clean environment. The current environment is discarded except for $HOME, $SHELL, $TERM and $USER. $HOME and $SHELL are set to the home directory and shell of the target login. $USER is set to the target login. $TERM is imported from the current environment. The environment variables from the login class capability database for the target login are also set.
exec.timeout (integer): The maximum amount of time in seconds to wait for a command to complete. If a command is still running after the allotted time, the jail is terminated.
stop.timeout (integer): The maximum amount of time in seconds to wait for the jail processes to exit after sending a SIGTERM signal. This happens after any exec.stop commands are complete. After the specified time, the jail is removed, killing any remaining processes. If set to 0, no SIGTERM is sent and the jail is immediately removed.
exec.jail_user (string): Enter either root or a valid username. Inside the jail, commands run as this user.
exec.system_jail_user (string): Set to True to look for the exec.jail_user in the system passwd file instead of the jail passwd file.
exec.system_user (string): Run commands in the system environment as this user. By default, commands are run as the current user.
mount.devfs (checkbox): Mount a devfs(5) filesystem on the chrooted /dev directory and apply the ruleset in the devfs_ruleset parameter to restrict the devices visible inside the jail.
mount.fdescfs (checkbox): Mount an fdescfs(5) filesystem in the jail /dev/fd directory.
enforce_statfs (drop-down): Determine which information processes in a jail are able to obtain about mount points. The behavior of multiple syscalls is affected: statfs(2), fstatfs(2), getfsstat(2), fhstatfs(2) and other similar compatibility syscalls. Set to 0, all mount points are available without any restrictions. Set to 1, only mount points below the jail chroot directory are available. Set to 2 (the default), only the mount point on which the jail chroot directory is located is available.
children.max (integer): Number of child jails allowed to be created by the jail or other jails under this jail. A limit of 0 restricts the jail from creating child jails. The Hierarchical Jails section of the jail(8) man page explains the finer details.
login_flags (string): Flags to pass to login(1) when logging in to the jail using the console function.
securelevel (integer): Value of the jail kern.securelevel sysctl. A jail never has a lower securelevel than the host system. Setting this parameter allows a higher securelevel. If the host system securelevel is changed, the jail securelevel will be at least as secure. Securelevel options are: 3, 2 (default), 1, 0, and -1.
sysvmsg (drop-down): Allow or deny access to SYSV IPC message primitives. Set to Inherit: all IPC objects on the system are visible to the jail. Set to New: only objects the jail created using the private key namespace are visible. The system and parent jails have access to the jail objects but not private keys. Set to Disable: the jail cannot perform any sysvmsg related system calls.
sysvsem (drop-down): Allow or deny access to SYSV IPC semaphore primitives. Set to Inherit: all IPC objects on the system are visible to the jail. Set to New: only objects the jail creates using the private key namespace are visible. The system and parent jails have access to the jail objects but not private keys. Set to Disable: the jail cannot perform any sysvsem related system calls.
sysvshm (drop-down): Allow or deny access to SYSV IPC shared memory primitives. Set to Inherit: all IPC objects on the system are visible to the jail. Set to New: only objects the jail creates using the private key namespace are visible. The system and parent jails have access to the jail objects but not private keys. Set to Disable: the jail cannot perform any sysvshm related system calls.
allow.set_hostname (checkbox): Allow the jail hostname to be changed with hostname(1) or sethostname(3).
allow.sysvipc (checkbox): Choose whether a process in the jail has access to System V IPC primitives. Equivalent to setting sysvmsg, sysvsem, and sysvshm to Inherit. Deprecated in FreeBSD 11.0 and later! Use sysvmsg, sysvsem, and sysvshm instead.
allow.raw_sockets (checkbox): Allow raw sockets. Utilities like ping(8) and traceroute(8) require raw sockets to operate inside a jail. When set, the source IP addresses are enforced to comply with the IP address bound to the jail, ignoring the IP_HDRINCL flag on the socket.
allow.chflags (checkbox): Treat jail users as privileged and allow the manipulation of system file flags.
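Most of the properties in Table 14.2.2 are switches that widen what a compromised process inside the jail can reach (raw sockets, child jails, file flags, relaxed mount visibility), so it pays to write the intended values down once and compare running jails against them. The script below is an added example, not FreeNAS or iocage project code: it states a baseline for a plain service jail using the iocage CLI spelling of the property names (jail(8)'s allow.raw_sockets is allow_raw_sockets in iocage), prints the iocage command that would apply it, and audits property:value lines against it. The "property:value" line shape of "iocage get -a <jail>" output, the yes/no spelling of the bpf value, acceptance of several property=value pairs in one "iocage set" call, and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not FreeNAS or iocage code. Property names follow the
# iocage CLI convention; the output format of "iocage get -a", the bpf
# value spelling and the sample below are assumptions for this example.

# Baseline for a service jail that must not act as a network tool, host
# child jails or rename itself: one "property value" pair per line.
hardened_baseline() {
    cat <<'EOF'
securelevel 2
enforce_statfs 2
children_max 0
allow_raw_sockets 0
allow_chflags 0
allow_set_hostname 0
allow_sysvipc 0
sysvmsg new
sysvsem new
sysvshm new
bpf no
EOF
}

# Print (do not run) the iocage command applying the baseline to jail $1,
# so the script also works on a machine without iocage installed.
apply_baseline_cmd() {
    printf 'iocage set'
    hardened_baseline | while read -r key want; do
        printf ' %s=%s' "$key" "$want"
    done
    printf ' %s\n' "$1"
}

# Read "property:value" lines on stdin, print one line per property that
# is missing or differs from the baseline, and return the number of
# findings (0 means the jail matches the baseline).
audit_props() {
    props=$(cat)
    findings=0
    while read -r key want; do
        have=$(printf '%s\n' "$props" | while IFS=: read -r k v; do
            if [ "$k" = "$key" ]; then echo "$v"; fi
        done)
        if [ -z "$have" ]; then
            echo "MISSING   $key (want $want)"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "DEVIATION $key=$have (want $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$(hardened_baseline)
EOF
    return $findings
}

# Constructed sample in the shape of "iocage get -a samplejail": raw
# sockets enabled, enforce_statfs relaxed and sysvshm absent, so the
# audit should report three findings.
sample_jail_props() {
    cat <<'EOF'
allow_chflags:0
allow_raw_sockets:1
allow_set_hostname:0
allow_sysvipc:0
bpf:no
children_max:0
enforce_statfs:0
securelevel:2
sysvmsg:new
sysvsem:new
vnet:on
EOF
}

# Demonstration on the constructed sample. On a FreeNAS host, pipe the
# real "iocage get -a samplejail" output into audit_props instead.
apply_baseline_cmd samplejail
sample_jail_props | audit_props || echo "findings: $?"
```

A jail that needs DHCP must keep bpf enabled, and one that runs ping or traceroute needs allow_raw_sockets; treat those as documented exceptions to the baseline rather than silently editing it, since each of them hands the jail a capability the rest of the table tries to withhold.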
14.3.1 Jail Overview Section

Table 14.3.1 describes each column.

Table 14.3.1 Jail Overview Information

Jail: The name of the jail.
IPv4 Address: Listing of configured IPv4 addresses.

Warning: Modify the IP address information for a jail by using (Options) ‣ Edit instead of issuing the networking commands directly from the command line of the jail. This ensures the changes are saved and will survive a jail or FreeNAS® reboot.

Table 14.3.2 Jail Option Menu Entry Descriptions

Edit: Used to modify the settings described in Creating a Jail. A jail cannot be edited while it is running. The settings can be viewed, but are read only.
Mountpoints: Open the Mount Points list. Select an existing mount point to Edit or click ADD to open the Add Mount Point screen. A mount point gives a jail access to storage located elsewhere on the system. A jail must be stopped before adding, editing, or deleting a Mount Point. See Adding Storage to a Jail for more details.
Restart: Stop and immediately start an up jail.
Start: Start a jail that has a current Status of down.
Stop: Stop a jail that has a current Status of up.
Update: Runs freebsd-update to update the jail to the latest patch level of the installed FreeBSD release.
Shell: Access a root command prompt to interact with a jail directly from the command line. Type exit to leave the command prompt.
Delete: Delete the jail, all of the jail's contents, and everything associated with it. Back up the jail's data, configuration, and programs first. There is no way to recover the contents of a jail after deletion!

Jail Updates and Upgrades

Click (Options) ‣ Update to update a jail to the most current patch level of the installed FreeBSD release. This does not change the release. A jail whose release has reached end-of-life no longer receives security patches through Update, so such jails must be upgraded to a supported release. To upgrade a jail to a newer release of FreeBSD, stop the jail and click (Options) ‣ Edit for the jail. Open the Release drop-down menu, choose a newer RELEASE of FreeBSD, and click SAVE. Upgrading a jail can take an extended amount of time, depending on connection speed and whether the chosen RELEASE is already fetched on the system.
    root@jailexamp:~ # adduser
    Username: jailuser
    Full name: Jail User
    Uid (Leave empty for default):
    Login group [jailuser]:
    Login group is jailuser. Invite jailuser into other groups? []: wheel
    Login class [default]:
    Shell (sh csh tcsh git-shell zsh rzsh nologin) [sh]: csh
    Home directory [/home/jailuser]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [yes]:
    Use an empty password? (yes/no) [no]:
    Use a random password? (yes/no) [no]:
    Enter password:
    Enter password again:
    Lock out the account after creation? [no]:
    Username   : jailuser
    Password   : *****
    Full Name  : Jail User
    Uid        : 1002
    Class      :
    Groups     : jailuser wheel
    Home       : /home/jailuser
    Home Mode  :
    Shell      : /bin/csh
    Locked     : no
    OK? (yes/no): yes
    adduser: INFO: Successfully added (jailuser) to the user database.
    Add another user? (yes/no): no
    Goodbye!
    root@jailexamp:~ #

After creating the user, set the jail root password to allow users in the wheel group to use su to gain superuser privileges. To set the jail root password, use passwd. Nothing is echoed back when using passwd. Only add a user to wheel if that user is meant to become root inside the jail; wheel membership plus a known root password is the complete path to jail root.

Additional Storage

Jails can be given access to an area of storage outside of the jail that is configured on the FreeNAS® system. This is useful for applications or plugins that store large amounts of data or if an application in a jail needs access to data stored on the FreeNAS® system. For example, Transmission is a plugin that stores data using BitTorrent. The FreeNAS® external storage is added using the mount point mechanism, which links data that resides outside of the jail as a storage area within the jail. The Mount points section of a jail shows any added storage and allows adding more storage.
14.3.3 Adding Storage to a Jail

Browse to the Source and Destination, where:

Source: the directory or dataset on the FreeNAS® system which will be accessed by the jail. FreeNAS® creates the directory if it does not exist. This directory must reside outside of the pool or dataset being used by the jail. This is why it is recommended to create a separate dataset to store jails, so the dataset holding the jails is always separate from any datasets used for storage on the FreeNAS® system.

Destination: browse to an existing and empty directory within the jail to link to the Source storage area. It is also possible to add / and a name to the end of the path and FreeNAS® automatically creates a new directory. New directories created must be within the jail directory structure. Example: /mnt/iocage/jails/samplejail/root/new-destination-directory.

Storage is typically added because the user and group account associated with an application installed inside of a jail needs to access data stored on the FreeNAS® system. Before selecting the Source, it is important to first ensure that the permissions of the selected directory or dataset grant permission to the user/group account inside of the jail. This is not the default, as the users and groups created inside of a jail are totally separate from the users and groups of the FreeNAS® system. Permissions on the mounted data are checked against numeric UIDs and GIDs, so an account that has the same name on both sides but a different number inside the jail does not get the access the name suggests.

The workflow for adding storage usually goes like this:

1. Determine the name of the user and group account used by the application. For example, the installation of the transmission application automatically creates a user account named transmission and a group account also named transmission. When in doubt, check the files /etc/passwd (to find the user account) and /etc/group (to find the group account) inside the jail. Typically, the user and group names are similar to the application name. Also, the UID and GID are usually the same as the port number used by the service. A media user and group (GID 8675309) are part of the base system. Having applications run as this group or user makes it possible to share storage between multiple applications in a single jail, between multiple jails, or even between the host and jails.

2. On the FreeNAS® system, create a user account and group account that match the user and group names used by the application in the jail.

3. Decide whether the jail will be given access to existing data or a new storage area will be allocated. If the jail accesses existing data, edit the permissions of the pool or dataset so the user and group accounts have the desired read and write access. If multiple applications or jails are to have access to the same data, create a new group and add each needed user account to that group. If an area of storage is being set aside for that jail or individual application, create a dataset. Edit the permissions of that dataset so the user and group account has the desired read and write access.

4. Use the jail's Mount points ‣ ADD to select the Source of the data and the Destination where it will be mounted in the jail. To prevent writes to the storage, click Read-Only.

After storage has been added or created, it appears in the Mount points for that jail. In the example, a dataset named pool1/smb-storage has been chosen as the Source as it contains the files stored on the FreeNAS® system. The user entered /mnt/iocage/jails/samplejail/root/mounted as the directory to be mounted in the Destination field. To users inside the jail, this data will appear to be in the /root/mounted directory.
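Step 2 of that workflow is where mount points usually go wrong: the host and the jail each have their own passwd and group files, and a matching name is not enough, because the mounted data is checked by numeric ID. The script below is an added example (not from the FreeNAS documentation) that looks a name up in both databases and reports whether the numbers agree. The file paths, function names and the constructed passwd and group files are assumptions; on a FreeNAS host the jail's files live under the jail's root directory, for instance /mnt/iocage/jails/samplejail/root/etc/passwd using the path convention of this page.

```shell
#!/bin/sh
# Added example, not FreeNAS code: compare numeric IDs of an account name
# between the host and a jail. Paths and sample files are constructed.

# Print the numeric id for a name in a passwd(5) or group(5) style file
# (in both formats the id is the third colon-separated field).
# Returns 1 if the name is absent.
id_of() {
    name=$1
    file=$2
    while IFS=: read -r n pw id rest; do
        if [ "$n" = "$name" ]; then
            echo "$id"
            return 0
        fi
    done < "$file"
    return 1
}

# Compare one name between a host database ($2) and a jail database ($3).
# Prints "ok", "mismatch host=<id> jail=<id>" or "missing-on-<side>";
# exit status is 0 only when both sides carry the same number.
check_id() {
    name=$1
    host_file=$2
    jail_file=$3
    h=$(id_of "$name" "$host_file") || { echo "missing-on-host"; return 1; }
    j=$(id_of "$name" "$jail_file") || { echo "missing-on-jail"; return 1; }
    if [ "$h" = "$j" ]; then
        echo "ok"
        return 0
    fi
    echo "mismatch host=$h jail=$j"
    return 1
}

# Constructed sample databases written into directory $1. "media" carries
# the same id on both sides; "transmission" has the port-number UID 921
# in the jail but was created as 1005 on the host; "jailuser" exists only
# in the jail.
write_samples() {
    cat > "$1/host.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
media:*:8675309:8675309:Media User:/nonexistent:/usr/sbin/nologin
transmission:*:1005:1005:Transmission:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$1/jail.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
media:*:8675309:8675309:Media User:/nonexistent:/usr/sbin/nologin
transmission:*:921:921:Transmission Daemon:/nonexistent:/usr/sbin/nologin
jailuser:*:1002:1002:Jail User:/home/jailuser:/bin/csh
EOF
    cat > "$1/host.group" <<'EOF'
wheel:*:0:root
media:*:8675309:
transmission:*:1005:
EOF
}

# Demonstration. For a real jail, replace the second path with the
# jail's root/etc/passwd (and use the group files for GIDs).
d=$(mktemp -d)
write_samples "$d"
for u in root media transmission jailuser; do
    printf '%-13s ' "$u"
    check_id "$u" "$d/host.passwd" "$d/jail.passwd" || true
done
rm -rf "$d"
```

When the check reports a mismatch, the fix is in step 2 above: recreate the host account with the jail's UID and GID (or vice versa), not to loosen the dataset permissions to everyone, which would expose the data to every other jail and SMB user on the system.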
Installing FreeBSD Packages

The quickest and easiest way to install software inside the jail is to install a FreeBSD package. FreeBSD packages are precompiled and contain all the binaries and a list of dependencies required for the software to run on a FreeBSD system. A huge amount of software has been ported to FreeBSD. Most of that software is available as packages. One way to find FreeBSD software is to use the search bar at FreshPorts. After finding the name of the desired package, use the pkg install command to install it. For example, to install the audiotag package, use the command pkg install audiotag. When prompted, press y to complete the installation. Messages will show the download and installation status. A successful installation can be confirmed by querying the package database:

    # pkg info -l audiotag
    audiotag-0.191:
        /usr/local/bin/audiotag
        /usr/local/share/doc/audiotag/COPYING
        /usr/local/share/doc/audiotag/ChangeLog
        /usr/local/share/doc/audiotag/README
        /usr/local/share/licenses/audiotag-0.191/GPLv2
        /usr/local/share/licenses/audiotag-0.191/LICENSE
        /usr/local/share/licenses/audiotag-0.191/catalog.mk

Run pkg audit -F afterwards, and periodically, to check the installed packages against the FreeBSD vulnerability database; a jail's packages are not updated when the host is updated. In FreeBSD, third-party software is always stored in /usr/local to differentiate it from the software that came with the operating system. Binaries are almost always located in a subdirectory called bin or sbin and configuration files in a subdirectory called etc.

Compiling FreeBSD Ports

Compiling a port is another option. Compiling ports offers these advantages:

Not every port has an available package. This is usually due to licensing restrictions or known, unaddressed security vulnerabilities.
Sometimes the package is out-of-date and a feature is needed that only became available in the newer version.
Some ports provide compile options that are not available in the pre-compiled package. These options are used to add or remove features or options.

Compiling a port has these disadvantages:

It takes time. Depending upon the size of the application, the amount of dependencies, the speed of the CPU, the amount of RAM available, and the current load on the FreeNAS® system, the time needed can range from a few minutes to a few hours or even to a few days.

Note: After options have been set, the configuration screen is normally not shown again. Use make config to display the screen and change options before rebuilding the port with make clean install clean.

Many ports depend on other ports. Those other ports also have configuration screens that are shown before compiling begins. It is a good idea to watch the compile until it finishes and the command prompt returns. Installed ports are registered in the same package database that manages packages. The pkg info command can be used to determine which ports were installed.

Starting Installed Software

After packages or ports are installed, they must be configured and started. Configuration files are usually in /usr/local/etc or a subdirectory of it. Many FreeBSD packages contain a sample configuration file as a reference. Take some time to read the software documentation to learn which configuration options are available and which configuration files require editing. Most FreeBSD packages that contain a startable service include a startup script which is automatically installed to /usr/local/etc/rc.d/. After the configuration is complete, test starting the service by running the script with the onestart option. For example, with openvpn installed in the jail, these commands are run to verify that the service started:

    # /usr/local/etc/rc.d/openvpn onestart
    Starting openvpn.
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

Run tail /var/log/messages to see any error messages if an issue is found. Most startup failures are related to a misconfiguration in a configuration file. After verifying that the service starts and is working as intended, add a line to /etc/rc.conf to start the service automatically when the jail is started. The line to start a service always ends in _enable="YES" and typically starts with the name of the software.
For example, this is the header of the openvpn startup script, which documents the openvpn_enable variable:

    # This script supports running multiple instances of openvpn.
    # To run additional instances link this script to something like
    # % ln -s openvpn openvpnfoo
    # and define additional openvpnfoo_* variables in one of
    # /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpnfoo
    #
    # Below NAME should be substituted with the name of this script. By default
    # it is openvpn, so read as openvpn_enable. If you linked the script to
    # openvpnfoo, then read as openvpnfoo_enable etc.
    #
    # The following variables are supported (defaults are shown).
    # You can place them in any of
    # /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
    #
    # NAME_enable='NO'      # set to YES to enable openvpn

The startup script also indicates if any additional parameters are available.

Using iocage

Beginning with FreeNAS® 11.0, the iocage command line utility is included for creating and managing jails. Click the Shell option to open the command line and begin using iocage. iocage has several options to help users:

There is built-in help displayed by entering iocage --help | less.
Each subcommand also has help. Display help by adding the --help flag after the subcommand name. For example, iocage activate --help shows help for the activate subcommand.
The iocage manual page is accessed by typing man iocage | less.
The iocage project also has documentation available online.
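Returning to the rc.conf enable line described under Starting Installed Software: because rc.conf is sourced as shell, a later definition of openvpn_enable silently overrides an earlier one, and rc.subr accepts yes, true, on or 1 in any case. The functions below are an added example (not part of the FreeNAS documentation or of any FreeBSD script) that report whether a service is enabled in an rc.conf file and set the enable line without leaving duplicate definitions behind. On a real jail, sysrc(8) does the same job; the file names, function names and the sample rc.conf are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not FreeNAS or FreeBSD code: read and set <name>_enable
# in an rc.conf style file. The sample file below is constructed.

# Return 0 if the last definition of <name>_enable in file $2 is a value
# rc.subr treats as true (yes, true, on, 1 in any case), else 1.
rc_enabled() {
    name=$1
    conf=$2
    val=$(sed -n "s/^[[:space:]]*${name}_enable=[\"']\{0,1\}\([^\"']*\).*/\1/p" "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Set <name>_enable="YES" in file $2: rewrite an existing definition in
# place, or append one only when the variable is not defined at all, so
# the file never accumulates conflicting lines.
rc_enable() {
    name=$1
    conf=$2
    if grep -q "^[[:space:]]*${name}_enable=" "$conf"; then
        tmp="$conf.tmp.$$"
        sed "s/^[[:space:]]*${name}_enable=.*/${name}_enable=\"YES\"/" "$conf" > "$tmp"
        mv "$tmp" "$conf"
    else
        printf '%s_enable="YES"\n' "$name" >> "$conf"
    fi
}

# Constructed sample rc.conf for a jail, written to file $1.
write_sample_rc() {
    cat > "$1" <<'EOF'
# constructed sample rc.conf for a jail
hostname="samplejail"
sshd_enable="YES"
openvpn_enable="NO"
EOF
}

# Demonstration: openvpn starts out disabled, is enabled in place, and
# the file still holds exactly one openvpn_enable definition.
conf=$(mktemp)
write_sample_rc "$conf"
if rc_enabled openvpn "$conf"; then echo "openvpn: enabled"; else echo "openvpn: disabled"; fi
rc_enable openvpn "$conf"
if rc_enabled openvpn "$conf"; then echo "openvpn: enabled"; else echo "openvpn: disabled"; fi
echo "openvpn_enable definitions: $(grep -c '^openvpn_enable=' "$conf")"
rm -f "$conf"
```

Checking with rc_enabled after editing is the cheap equivalent of the onestart test above for the boot path: it catches the case where a stale openvpn_enable="NO" further down the file would keep the service off after the next jail restart even though a "YES" line was added.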