Tuesday, December 11, 2012

How to create Jail in FreeBSD

Operating-system-level virtualization is an efficient way to use your system resources: jails let you set up isolated mini-systems on a single kernel. Jails are explained well in the FreeBSD Handbook; from a practical standpoint, however, the material there is incomplete. Here we set up a few scripts that follow the Handbook's 'Application of Jails' article and add a few missing pieces. Let us note the preliminary requirements:
  1. Name: j0.dev.local
  2. Ip Address: 192.168.10.41
  3. Network Interface: em0
You need to have synchronized the source tree and built world (make buildworld in /usr/src) before running the template script. Ensure cpdup is installed:
make install clean -sC /usr/ports/sysutils/cpdup

Creating the Template

The whole process of creating the template is explained in the Handbook; the script below (file jail-once.sh) automates it, with the numbered comments following the article's steps:
#!/bin/sh
# jail-once.sh: build the shared read-only template (mroot) and the
# per-jail writable skeleton (skel) once. Run as root after buildworld.
set -e

D=/usr/home/j

# 0 (optional): wipe an earlier template; schg flags must be cleared first
# [ -d "$D" ] && chflags -R noschg $D && rm -rf $D/*

# 1: install the freshly built world into the template
mkdir -p $D/mroot $D/skel
cd /usr/src
make -s installworld DESTDIR=$D/mroot

# 2: mount points for the host's ports and src trees (nullfs, read-only)
cd $D/mroot
mkdir -p usr/ports usr/src

# 3: everything a jail must be able to write moves into the skeleton
mkdir $D/skel/home $D/skel/usr-X11R6 $D/skel/distfiles
mv etc tmp var root $D/skel
mv usr/local $D/skel/usr-local

# 4: populate skel/etc with the current configuration files, then drop the
# empty directory hierarchy mergemaster created under skel; only etc, var,
# tmp, root, home, usr-local, usr-X11R6 and distfiles belong here
mergemaster -t $D/skel/var/tmp/temproot -D $D/skel -i
cd $D/skel
rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev

# 5: mroot is mounted read-only; these links redirect every writable path
# into /s, where each jail's private copy of skel is mounted
cd $D/mroot
mkdir s
ln -s s/etc etc
ln -s s/home home
ln -s s/root root
ln -s ../s/usr-local usr/local
ln -s ../s/usr-X11R6 usr/X11R6
# usr/ports is nullfs-mounted from the host, so a distfiles link here would
# be hidden under the mount; DISTDIR in make.conf points into /s instead
#ln -s ../../s/distfiles usr/ports/distfiles
ln -s s/tmp tmp
ln -s s/var var

# 6: port builds and distfiles must land under /s as well
cp /etc/make.conf $D/skel/etc/
cat <<EOF >> $D/skel/etc/make.conf
WRKDIRPREFIX?=/s/portbuild
DISTDIR=/s/distfiles
EOF

# name resolution and a minimal rc.conf: sshd and sendmail stay off unless a
# jail explicitly needs them
cp /etc/resolv.conf $D/skel/etc/
cat <<EOF >> $D/skel/etc/rc.conf
sshd_enable="NO"
sendmail_enable="NONE"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
EOF
Enable the jail rc script on the host (file /etc/rc.conf). jail_set_hostname_allow="NO" stops root inside a jail from changing its hostname; jail_list stays empty until the first jail is created:
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list=""
Raw sockets are needed by tools such as ping(8) and traceroute(8); plain TCP and UDP clients (fetch, port distfile downloads) work without them. Allowing them also lets root inside a jail craft arbitrary IP packets, so turn this on only where it is actually needed:
sysctl security.jail.allow_raw_sockets=1
To make the change permanent, add it to /etc/sysctl.conf (see the comments below: on FreeBSD 9 this global sysctl is reported not to take effect, and raw sockets become a per-jail parameter, allow.raw_sockets in jail(8)):
echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

Creating Jails

Here is a script for creating jails (file jail-create.sh):
#!/bin/sh
# jail-create.sh NAME: register the fstab and rc.conf entries for jail NAME
# and give it a private, writable copy of the skeleton under $S.
set -e

D=/usr/home/j
S=/usr/home/js

if [ -z "$1" ]; then
    echo "usage: $0 jailname" >&2
    exit 1
fi

# 0 (optional): destroy an earlier instance with the same name
#[ -d "$D/$1" ] && rm -rf $D/$1
#[ -d "$S/$1" ] && chflags -R noschg $S/$1 && rm -rf $S/$1

# 1: the shared template, ports and src are nullfs-mounted read-only; the
# only writable mount is the jail's private /s
if ! grep -q "[[:space:]]$D/$1[[:space:]]" /etc/fstab; then
    cat <<EOF >> /etc/fstab
# jail: $1
$D/mroot   $D/$1  nullfs  ro  0   0
/usr/ports $D/$1/usr/ports  nullfs  ro  0   0
/usr/src   $D/$1/usr/src    nullfs  ro  0   0
$S/$1   $D/$1/s  nullfs  rw  0   0
EOF
fi

# 2: rc.conf entry; the IP address is filled in afterwards
if ! grep -q "^jail_$1_rootdir=" /etc/rc.conf; then
    cat <<EOF >> /etc/rc.conf
jail_$1_hostname="$1"
jail_$1_ip="CHANGE ME"
jail_$1_rootdir="$D/$1"
jail_$1_devfs_enable="YES"
EOF
fi

# 3: mount point for the read-only template
mkdir -p $D/$1

# 4: private, writable copy of the skeleton (etc, var, tmp, home, usr/local, ...)
if [ ! -d "$S/$1" ]; then
    mkdir -p $S/$1
    cpdup $D/skel $S/$1
fi
You can create a jail with the following command:
sh jail-create.sh j0
Create the network alias on the host. The /32 netmask matters: a wider mask would make the host answer for the whole subnet on this address:
ifconfig em0 alias 192.168.10.41 netmask 255.255.255.255
To make the changes permanent, update /etc/rc.conf: add the alias, add the jail name to jail_list and replace the CHANGE ME placeholder with the jail's IP address:
ifconfig_em0_alias0="inet 192.168.10.41/32"
jail_list="j0"
jail_j0_ip="192.168.10.41"
Mount the jail file systems:
mount -a -t nullfs
You should be ready to start your first FreeBSD jail now:
/etc/rc.d/jail start j0
List the running jails, then step into the jail (by its JID from jls, 1 here) and set its root password, which lives in the jail's own /s/etc rather than in the shared template:
jls
jexec 1 csh
passwd
More information about this can be found in the jail(8) manual page.
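Before mount -a and the first jail start it is worth confirming that the fstab and rc.conf entries really implement the design: a read-only shared base, exactly one writable /s per jail taken from the jail's own skeleton copy, a real IP address with a /32 host alias, the jail listed in jail_list, and hostname changes kept away from jails. The script below is an added example, not code from the article or from FreeBSD. It runs against copies of fstab and rc.conf (constructed samples here, with one correct jail j0 and one misconfigured j1); D, S and the function names are its own assumptions:

```shell
#!/bin/sh
# jail-check.sh: added example, not from the original article or FreeBSD.
# Checks the entries jail-create.sh and the manual rc.conf edits leave behind.
# fstab and rc.conf are arguments so the checks run on copies; D, S and the
# function names are this example's own.
D=/usr/home/j
S=/usr/home/js

# rc_value FILE NAME: value of NAME="..."; the last assignment wins, exactly
# as when sh(1) sources rc.conf
rc_value() {
    grep "^$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# fstab_field FILE MOUNTPOINT N: column N (1 device, 4 options) of the fstab
# entry for MOUNTPOINT, comment lines skipped
fstab_field() {
    awk -v mp="$2" -v n="$3" '/^#/ { next } $2 == mp { v = $n } END { print v }' "$1"
}

# check_jail NAME FSTAB RCCONF: one line per problem, exit status 0 when clean
check_jail() {
    name=$1 fstab=$2 rc=$3 errors=0
    root=$D/$name
    # 1. base, ports and src are shared with the host: read-only only
    for mp in "$root" "$root/usr/ports" "$root/usr/src"; do
        opts=$(fstab_field "$fstab" "$mp" 4)
        case ",$opts," in
            *,ro,*) ;;
            *) echo "$name: $mp must be nullfs ro (got '${opts:-missing}')"
               errors=$((errors + 1)) ;;
        esac
    done
    # 2. the only writable tree is the jail's private skeleton copy
    dev=$(fstab_field "$fstab" "$root/s" 1)
    opts=$(fstab_field "$fstab" "$root/s" 4)
    if [ "$dev" != "$S/$name" ] || [ "$opts" != rw ]; then
        echo "$name: $root/s must be $S/$name mounted rw (got '$dev' '$opts')"
        errors=$((errors + 1))
    fi
    # 3. rc.conf: root dir, a real IP with a /32 host alias, listed in jail_list
    if [ "$(rc_value "$rc" "jail_${name}_rootdir")" != "$root" ]; then
        echo "$name: jail_${name}_rootdir is not $root"
        errors=$((errors + 1))
    fi
    ip=$(rc_value "$rc" "jail_${name}_ip")
    case "$ip" in
        ""|"CHANGE ME")
            echo "$name: jail_${name}_ip is still unset"
            errors=$((errors + 1)) ;;
        *)  # a wider mask would make the host answer for the whole subnet
            if ! grep '^ifconfig_' "$rc" | grep -qF "inet $ip/32"; then
                echo "$name: no ifconfig_*_alias* line with 'inet $ip/32'"
                errors=$((errors + 1))
            fi ;;
    esac
    case " $(rc_value "$rc" jail_list) " in
        *" $name "*) ;;
        *) echo "$name: not in jail_list"; errors=$((errors + 1)) ;;
    esac
    # 4. a jail must not be able to rename the host
    if [ "$(rc_value "$rc" jail_set_hostname_allow)" != NO ]; then
        echo "host: jail_set_hostname_allow should be NO"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# make_samples: constructed fstab and rc.conf in a temp dir (path printed).
# j0 is set up as the article describes; j1 has mroot mounted rw, the IP
# placeholder left in and is missing from jail_list.
make_samples() {
    dir=$(mktemp -d)
    cat <<EOF > "$dir/fstab"
# Device     Mountpoint       FStype  Options  Dump  Pass#
$D/mroot     $D/j0            nullfs  ro       0     0
/usr/ports   $D/j0/usr/ports  nullfs  ro       0     0
/usr/src     $D/j0/usr/src    nullfs  ro       0     0
$S/j0        $D/j0/s          nullfs  rw       0     0
$D/mroot     $D/j1            nullfs  rw       0     0
/usr/ports   $D/j1/usr/ports  nullfs  ro       0     0
/usr/src     $D/j1/usr/src    nullfs  ro       0     0
$S/j1        $D/j1/s          nullfs  rw       0     0
EOF
    cat <<EOF > "$dir/rc.conf"
jail_set_hostname_allow="NO"
jail_list=""
jail_j0_ip="CHANGE ME"
jail_j0_rootdir="$D/j0"
jail_j1_ip="CHANGE ME"
jail_j1_rootdir="$D/j1"
ifconfig_em0_alias0="inet 192.168.10.41/32"
jail_list="j0"
jail_j0_ip="192.168.10.41"
EOF
    echo "$dir"
}

# Stand-alone run over the two sample jails: j0 passes, j1 reports 3 problems
samples=$(make_samples)
for j in j0 j1; do check_jail "$j" "$samples/fstab" "$samples/rc.conf" && echo "$j: ok"; done
rm -rf "$samples"
```

On the host, call check_jail with the real files (check_jail j0 /etc/fstab /etc/rc.conf) after jail-create.sh and the manual rc.conf edits; a non-zero exit means the jail should not be started yet. The mount checks read fstab only, so they validate what mount -a will do rather than what is mounted now.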

2 comments:

  1. Hi,
    Perhaps a note that

    sysctl security.jail.allow_raw_sockets=1

    no longer works on RELENG_9

    you need to do it on a per jail basis it seems.

    http://www.freebsd.org/cgi/query-pr.cgi?pr=173469

    and
    http://lists.freebsd.org/pipermail/freebsd-jail/2012-November/001989.html
    discuss it further


    Reply:
      Unfortunately per jail raw sockets are not available in 9.0-RELEASE nor 9.1-RC3.
