FreeBSD/Jails
From Devpit
Jails are a really neat feature of FreeBSD that allow a certain amount of virtualization, without requiring expensive emulation.
Jail Caveats
- Can not ping from inside a jail (securely)
- If running unpatched 6.1-RELEASE, Get a later revision of /etc/rc.d/jail (June 2006 or later) here: http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.
General Jail Setup (FreeBSD 5+)
- man jail is most useful. At this time (07/2005), little documentation exists elsewhere for FreeBSD 5+ jails.
- Firstly, set up the host system to be "jail friendly". This entails making sure each service that is running is listening on a specific IP, not on all IPs. When you set up your jails, your host system will need an alias for each IP of each jail. If, say, sshd of the host system is listening on all IPs, then a jail will not be able to bind to that port. So, for each service running on the top level host, modify flags and configs of your daemons to listen only on their specific IP.
- cvsup source
cd /usr/src make buildworld mkdir /jails/jail1 # this can be anywhere make installworld distribution DESTDIR=/jails/jail1
- Then add the following to the host's /etc/rc.conf
# global jail section jail_enable="YES" jail_list="jail1" # space seperated list of jails jail_socket_unixiproute_only="NO" jail_sysvipc_allow="YES" # allow shared mem on all jails # this section is specific and necessary for each jail jail_jail1_rootdir="/jails/jail1" jail_jail1_hostname="jail1.claimlynx.com" jail_jail1_interface="xl0" # this must match the interface name jail_jail1_ip="10.0.0.200" # this should ''not'' be previously configured as an alias jail_jail1_procfs_enable="YES" jail_jail1_devfs_enable="YES" jail_jail1_devfs_ruleset="devfsrules_jail" jail_jail1_mount_enable="NO"
- Start the new jail with /etc/rc.d/jail start jail1
- jls will list jails
- jexec jailid /bin/sh will give you a shell in the new jail
- jail startup goes in the jail's /var/log/console.log
- jail_jail1_mount_enable allows you to have a /etc/fstab.jail1 specific fstab for each jail on the host system. Starting the jail will automatically mount these file systems.
- Check out nullfs and mount_nullfs for sharing data between jails.
