Roland's homepage

My random knot in the Web

Creating a virtual server on FreeBSD with a jail

After Virtualbox crashed my machine, I decided to try my hand at building a virtual server using FreeBSD's jail facility.

First, I created a directory to serve as the root directory for my jail:

slackbox# mkdir -p /usr/local/var/jails/192.168.0.100

Then I built the FreeBSD base system, so I could install it in the jail. The `mount -u -o exec /tmp` step is only needed if /tmp is normally mounted noexec: installworld runs temporary helper binaries out of /tmp and fails otherwise. Were I to build multiple jails, I'd probably use ezjail.

slackbox# cd /usr/src
slackbox# make buildworld
slackbox# mount -u -o exec /tmp
slackbox# make installworld DESTDIR=/usr/local/var/jails/192.168.0.100
slackbox# make distribution DESTDIR=/usr/local/var/jails/192.168.0.100
slackbox# du -csm /usr/local/var/jails/192.168.0.100/
184 /usr/local/var/jails/192.168.0.100/

An empty /etc/fstab file is needed so that the startup scripts in the jail have nothing to mount: the filesystems are already mounted on the host. Mounting filesystems from inside a jail is disallowed by default; this can be changed by supplying the parameter allow.mount=1 to the jail command.

slackbox# touch /usr/local/var/jails/192.168.0.100/etc/fstab

The jail will need some device nodes, but not all of them: a jailed root with access to raw disks or kernel memory could escape the jail. The following mounts a devfs instance and applies ruleset 4 from /etc/defaults/devfs.rules (devfsrules_jail), which hides everything except the basic devices a jail needs.

slackbox# mount -t devfs devfs /usr/local/var/jails/192.168.0.100/dev
slackbox# devfs -m /usr/local/var/jails/192.168.0.100/dev ruleset 4
slackbox# devfs -m /usr/local/var/jails/192.168.0.100/dev rule applyset

Also, you don't want an actual kernel in the jail, so just link it to /dev/null. The link is relative to the jail root, so it resolves correctly both inside the jail and from the host.

slackbox# cd /usr/local/var/jails/192.168.0.100/boot/kernel; ln -sf ../../dev/null kernel

Some files need to be set up in the jail:

slackbox# cat /usr/local/var/jails/192.168.0.100/etc/rc.conf
# /etc/rc.conf
# Local configuration for server.erewhon.net
# Hostname and IP address are set by the jail.
# Only expose the basic necessary devices in a jail.
devfs_system_ruleset="devfsrules_jail"
# Quell warnings about network interfaces.
network_interfaces=""
# Run the secure shell daemon.
sshd_enable="YES"
# Do not run sendmail
sendmail_enable="NO"
# Do not run the port mapper.
rpcbind_enable="NO"

slackbox# cat /usr/local/var/jails/192.168.0.100/etc/resolv.conf
search erewhon.net
nameserver 10.0.0.150

Now it is time to start the jail for the first time.

slackbox# ifconfig rl0 inet alias 192.168.0.100/32
slackbox# cd /usr/local/var/jails/192.168.0.100
slackbox# jail /usr/local/var/jails/192.168.0.100 server.erewhon.net 192.168.0.100 /bin/csh

In the jail, sysinstall(8) is used to set the root password. Additionally, I've added a user named 'rsmith' as a member of the wheel group, with /bin/tcsh as the default shell.

After use, the jail ceases to exist when its last process exits, which here means logging out of the started shell. To completely clean up afterwards, unmount the devfs instance and remove the alias from the network interface.

To start up a virtual server in the jail, run:

slackbox# ifconfig rl0 inet alias 192.168.0.100/32
slackbox# mount -t devfs devfs /usr/local/var/jails/192.168.0.100/dev
slackbox# cd /usr/local/var/jails/192.168.0.100
slackbox# jail /usr/local/var/jails/192.168.0.100 server.erewhon.net 192.168.0.100 /bin/sh /etc/rc

To close a jail, look up its jail ID with jls and use jail -r with that ID to kill all processes in the jail. Then unmount the devfs instance used in the jail (it cannot be unmounted while jailed processes still hold it open), and remove the alias from the network device.
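Because the startup and shutdown sequences above repeat the jail root and address in several commands, it is easy for one of them to drift (a mistyped path in the devfs mount, for instance, silently gives the jail a /dev that is never populated). The following wrapper script is an added example, not part of the original page, that derives every command from one set of variables and refuses to start a jail whose /etc/fstab, rc.conf or resolv.conf is missing. It assumes the classic jail(8) command-line form used in this post (path, hostname, IP address, command) and the default four-column jls output; the interface, hostname and ruleset defaults are the ones from the post. With DRY_RUN=1 it prints the commands instead of executing them, which is how it can be checked on a machine that is not the FreeBSD host.

```sh
#!/bin/sh
# jailctl.sh - start and stop the jail described above from one set of variables.
# Added example; assumes FreeBSD's classic jail(8) syntax: jail path hostname ip command.
# Override any variable in the environment; DRY_RUN=1 prints commands instead of running them.

JAIL_ROOT="${JAIL_ROOT:-/usr/local/var/jails/192.168.0.100}"
JAIL_HOST="${JAIL_HOST:-server.erewhon.net}"
JAIL_IP="${JAIL_IP:-192.168.0.100}"
JAIL_IF="${JAIL_IF:-rl0}"
DEVFS_RULESET="${DEVFS_RULESET:-4}"   # ruleset 4 is devfsrules_jail in /etc/defaults/devfs.rules

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to start a half-built jail: the files the post creates by hand must exist
# under the given root. Returns 0 when all are present, 1 otherwise.
jail_preflight() {
    root="$1"
    for f in etc/fstab etc/rc.conf etc/resolv.conf; do
        if [ ! -f "$root/$f" ]; then
            echo "jail_preflight: missing $root/$f" >&2
            return 1
        fi
    done
    return 0
}

# Bring up the alias, mount and restrict devfs, then boot the jail with /etc/rc.
jail_start() {
    run ifconfig "$JAIL_IF" inet alias "$JAIL_IP/32"
    run mount -t devfs devfs "$JAIL_ROOT/dev"
    run devfs -m "$JAIL_ROOT/dev" ruleset "$DEVFS_RULESET"
    run devfs -m "$JAIL_ROOT/dev" rule applyset
    run jail "$JAIL_ROOT" "$JAIL_HOST" "$JAIL_IP" /bin/sh /etc/rc
}

# Kill the jail (by JID, looked up from jls by hostname when not given),
# then unmount its devfs and drop the alias. Order matters: devfs is busy
# while jailed processes are alive.
jail_stop() {
    jid="${1:-$(jls | awk -v h="$JAIL_HOST" '$3 == h { print $1 }')}"
    if [ -z "$jid" ]; then
        echo "jail_stop: no running jail with hostname $JAIL_HOST" >&2
        return 1
    fi
    run jail -r "$jid"
    run umount "$JAIL_ROOT/dev"
    run ifconfig "$JAIL_IF" inet "$JAIL_IP" -alias
}

case "${1:-}" in
    start) jail_preflight "$JAIL_ROOT" && jail_start ;;
    stop)  jail_stop "${2:-}" ;;
    *)     ;;   # no action requested (e.g. the script is being sourced)
esac
```

Typical use on the host is `sh jailctl.sh start` and `sh jailctl.sh stop`; `DRY_RUN=1 sh jailctl.sh start` shows exactly what would be executed before anything touches the system.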