ezjail with freebsd-update

I wrote this back in July 2013, but never published it. Might as well share it now.

Lately, I’ve been moving away from tracking FreeBSD STABLE and more towards using freebsd-update(8).

Today, I’ll be setting up a jail, using ezjail and freebsd-update.

##############
NOTE: Please read the comments before you read the article.
##############

Installing

Installing ezjail is straight forward:

[root@tallboy:~] # cd /usr/ports/sysutils/ezjail
[root@tallboy:/usr/ports/sysutils/ezjail] # make install clean
=> ezjail-3.3.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
ezjail-3.3.tar.bz2                            100% of   34 kB  110 kBps
===> Fetching all distfiles required by ezjail-3.3 for building
===>  Extracting for ezjail-3.3
=> SHA256 Checksum OK for ezjail-3.3.tar.bz2.
===>  Patching for ezjail-3.3
===>  Configuring for ezjail-3.3
===>  Building for ezjail-3.3
===>  Installing for ezjail-3.3
===>   Generating temporary packing list
===>  Checking if sysutils/ezjail already installed
mkdir -p /usr/local/etc/ezjail/ /usr/local/man/man5/ /usr/local/man/man7 /usr/local/man/man8 /usr/local/etc/rc.d/ /usr/local/bin/ /usr/local/share/examples/ezjail /usr/local/share/zsh/site-functions
cp -p ezjail.conf.sample /usr/local/etc/
cp -R -p examples/example /usr/local/share/examples/ezjail/
cp -R -p examples/nullmailer-example /usr/local/share/examples/ezjail/
cp -R -p share/zsh/site-functions/ /usr/local/share/zsh/site-functions/
sed s:EZJAIL_PREFIX:/usr/local: ezjail.sh > /usr/local/etc/rc.d/ezjail
sed s:EZJAIL_PREFIX:/usr/local: ezjail-admin > /usr/local/bin/ezjail-admin
sed s:EZJAIL_PREFIX:/usr/local: man8/ezjail-admin.8 > /usr/local/man/man8/ezjail-admin.8
sed s:EZJAIL_PREFIX:/usr/local: man5/ezjail.conf.5 > /usr/local/man/man5/ezjail.conf.5
sed s:EZJAIL_PREFIX:/usr/local: man7/ezjail.7 > /usr/local/man/man7/ezjail.7
chmod 755 /usr/local/etc/rc.d/ezjail /usr/local/bin/ezjail-admin
chown -R root:wheel /usr/local/man/man8/ezjail-admin.8 /usr/local/man/man5/ezjail.conf.5 /usr/local/man/man7/ezjail.7 /usr/local/share/examples/ezjail/
chmod 0440 /usr/local/share/examples/ezjail/example/usr/local/etc/sudoers
[ -f /usr/local/etc/ezjail.conf ] ||  /bin/cp -p /usr/local/etc/ezjail.conf.sample  /usr/local/etc/ezjail.conf
===>   Compressing manual pages for ezjail-3.3
===>   Registering installation for ezjail-3.3
===>  Cleaning for ezjail-3.3
[root@tallboy:/usr/ports/sysutils/ezjail] #

Installing the base jail

My first attempt at creating a base jail failed:

# ezjail-admin install
Your system is 9.1-RELEASE-p4. Normally FTP-servers don't provide non-RELEASE-builds.
Querying your ftp-server... The ftp server you specified (ftp.freebsd.org) seems to provide the following builds:
total 8
lrwxr-xr-x  1 1006  1006   14 Feb 12 08:32 8.3-RELEASE -> ../8.3-RELEASE
drwxrwxr-x  2 1006  1006  512 May 22 12:59 9.1-RELEASE
drwxrwxr-x  4 1006  1006  512 Jun  7 15:07 ISO-IMAGES
Release to fetch [ 9.1-RELEASE-p4 ]:
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/snapshot/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/releases/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/snapshots/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
 
Could not fetch base from ftp://ftp.freebsd.org.
  Maybe your release (9.1-RELEASE-p4) is specified incorrectly or the host ftp.freebsd.org does not provide that release build.
  Use the -r option to specify an existing release or the -h option to specify an alternative ftp server.

Oh. Well. Ummm, that’s not useful.

Let’s try that again:

# ezjail-admin install -r 9.1-RELEASE

Much better. It downloaded and installed about 340MB:

[root@tallboy:/usr/jails] # du -ch -d 1 .
 48k    ./flavours
338M    ./basejail
2.7M    ./newjail
341M    .
341M    total

IP addresses

I will be creating one jail to host two websites, each of which will have a different IP address. Yes, a jail with two IP addresses. Sounds good to me.

The first step is making sure you have the IP addresses. Mine are statically assigned, and are specified in /etc/rc.conf like this:

ifconfig_em0_alias2="10.233.228.197 netmask 255.255.255.255"  # papers.example.org
ifconfig_em0_alias3="10.233.228.198 netmask 255.255.255.255"  # papers.example.net

Change the IP addresses and aliasX values to suit your situation. In my case, these are the 3rd and 4th IP addresses specified in this file. Yes, aliases are zero-based.

In my situation, I then manually added those IP addresses to the NIC:

# ifconfig em0 alias 10.233.228.197 netmask 255.255.255.255
# ifconfig em0 alias 10.233.228.198 netmask 255.255.255.255
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:25:90:94:11:9e
        inet 10.233.228.194 netmask 0xfffffff8 broadcast 10.233.228.199
        inet 10.233.228.195 netmask 0xffffffff broadcast 10.233.228.195
        inet 10.233.228.196 netmask 0xffffffff broadcast 10.233.228.196
        inet 10.233.228.197 netmask 0xffffffff broadcast 10.233.228.197
        inet 10.233.228.198 netmask 0xffffffff broadcast 10.233.228.198
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
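As an added example, not part of the original post: a small POSIX sh check that the alias addresses declared in rc.conf are actually configured on the interface before ezjail-admin create is run, so a jail is not handed an address the host does not have. The rc.conf lines and ifconfig output embedded in it are constructed samples modelled on the ones above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every
# ifconfig_<if>_aliasN address in rc.conf is present on the interface.
# Everything is read from embedded text so it runs offline.

# Print the addresses declared as ifconfig_<if>_aliasN in rc.conf text.
# $1 = interface name; rc.conf text on stdin.
rc_alias_addrs() {
  awk -v ifn="$1" '
    $0 ~ "^ifconfig_" ifn "_alias[0-9]+=" {
      sub(/^[^"]*"/, "")      # drop everything up to the opening quote
      sub(/".*$/, "")         # drop the closing quote and any comment
      print $1                # first word of the value is the address
    }'
}

# Print the addresses ifconfig reports as configured (the "inet" lines).
# ifconfig output on stdin.
ifconfig_addrs() {
  awk '$1 == "inet" { print $2 }'
}

# Report rc.conf aliases that are missing from the interface.
# $1 = interface, $2 = rc.conf text, $3 = ifconfig text.
# Prints one line per missing address; returns 1 if any is missing, else 0.
check_aliases() {
  missing=0
  for a in $(printf '%s\n' "$2" | rc_alias_addrs "$1"); do
    if ! printf '%s\n' "$3" | ifconfig_addrs | grep -qxF "$a"; then
      echo "missing on $1: $a"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample input (same shape as the rc.conf and ifconfig output above).
SAMPLE_RC='ifconfig_em0_alias2="10.233.228.197 netmask 255.255.255.255"  # papers.example.org
ifconfig_em0_alias3="10.233.228.198 netmask 255.255.255.255"  # papers.example.net'

# Constructed: only the first alias has been added to the NIC so far.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.233.228.194 netmask 0xfffffff8 broadcast 10.233.228.199
        inet 10.233.228.197 netmask 0xffffffff broadcast 10.233.228.197'

# Demo run: reports 10.233.228.198 as missing.
check_aliases em0 "$SAMPLE_RC" "$SAMPLE_IFCONFIG" \
  || echo "add the missing aliases with ifconfig before running ezjail-admin create"
```

On a live host you would feed it the real files instead of the samples, for example `check_aliases em0 "$(cat /etc/rc.conf)" "$(ifconfig em0)"`.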

Creating the jail

When creating a jail, you need to specify an IP address and a name. In my case, I’m specifying two IP addresses.

# ezjail-admin create papers 10.233.228.197,10.233.228.198
/usr/jails/papers/.
/usr/jails/papers/./bin
/usr/jails/papers/./boot
/usr/jails/papers/./dev
/usr/jails/papers/./etc
/usr/jails/papers/./etc/X11
...
[many things omitted from here]
...
/usr/jails/papers/./.profile
/usr/jails/papers/./.cshrc
/usr/jails/papers/./COPYRIGHT
/usr/jails/papers/./basejail
2867 blocks
Warning: Some services already seem to be listening on IP 10.233.228.197
  This may cause some confusion, here they are:
root     ntpd       3034  31 udp4   10.233.228.197:123   *:*
Warning: Some services already seem to be listening on all IP, (including 10.233.228.197)
  This may cause some confusion, here they are:
www      httpd      56307 3  tcp6   *:80                  *:*
www      httpd      56307 4  tcp4   *:80                  *:*
www      httpd      56306 3  tcp6   *:80                  *:*
www      httpd      56306 4  tcp4   *:80                  *:*
www      httpd      56305 3  tcp6   *:80                  *:*
www      httpd      56305 4  tcp4   *:80                  *:*
www      httpd      56304 3  tcp6   *:80                  *:*
www      httpd      56304 4  tcp4   *:80                  *:*
www      httpd      55861 3  tcp6   *:80                  *:*
www      httpd      55861 4  tcp4   *:80                  *:*
www      httpd      55860 3  tcp6   *:80                  *:*
www      httpd      55860 4  tcp4   *:80                  *:*
www      httpd      55859 3  tcp6   *:80                  *:*
www      httpd      55859 4  tcp4   *:80                  *:*
www      httpd      55858 3  tcp6   *:80                  *:*
www      httpd      55858 4  tcp4   *:80                  *:*
www      httpd      55857 3  tcp6   *:80                  *:*
www      httpd      55857 4  tcp4   *:80                  *:*
root     httpd      55856 3  tcp6   *:80                  *:*
root     httpd      55856 4  tcp4   *:80                  *:*
root     ntpd       3034  20 udp4   *:123                 *:*
root     ntpd       3034  21 udp6   *:123                 *:*
root     master     2998  12 tcp4   *:25                  *:*
root     sshd       1829  3  tcp6   *:22                  *:*
root     sshd       1829  4  tcp4   *:22                  *:*
root     bacula-fd  1826  3  tcp4   *:9102                *:*
root     perl5.14.2 1668  6  tcp4   *:4949                *:*
nobody   openvpn    1659  4  udp4   *:17152               *:*
root     syslogd    1389  8  udp6   *:514                 *:*
root     syslogd    1389  9  udp4   *:514                 *:*
Warning: Some services already seem to be listening on IP 10.233.228.198
  This may cause some confusion, here they are:
root     ntpd       3034  32 udp4   10.233.228.198:123   *:*
Warning: Some services already seem to be listening on all IP, (including 10.233.228.198)
  This may cause some confusion, here they are:
www      httpd      56307 3  tcp6   *:80                  *:*
www      httpd      56307 4  tcp4   *:80                  *:*
www      httpd      56306 3  tcp6   *:80                  *:*
www      httpd      56306 4  tcp4   *:80                  *:*
www      httpd      56305 3  tcp6   *:80                  *:*
www      httpd      56305 4  tcp4   *:80                  *:*
www      httpd      56304 3  tcp6   *:80                  *:*
www      httpd      56304 4  tcp4   *:80                  *:*
www      httpd      55861 3  tcp6   *:80                  *:*
www      httpd      55861 4  tcp4   *:80                  *:*
www      httpd      55860 3  tcp6   *:80                  *:*
www      httpd      55860 4  tcp4   *:80                  *:*
www      httpd      55859 3  tcp6   *:80                  *:*
www      httpd      55859 4  tcp4   *:80                  *:*
www      httpd      55858 3  tcp6   *:80                  *:*
www      httpd      55858 4  tcp4   *:80                  *:*
www      httpd      55857 3  tcp6   *:80                  *:*
www      httpd      55857 4  tcp4   *:80                  *:*
root     httpd      55856 3  tcp6   *:80                  *:*
root     httpd      55856 4  tcp4   *:80                  *:*
root     ntpd       3034  20 udp4   *:123                 *:*
root     ntpd       3034  21 udp6   *:123                 *:*
root     master     2998  12 tcp4   *:25                  *:*
root     sshd       1829  3  tcp6   *:22                  *:*
root     sshd       1829  4  tcp4   *:22                  *:*
root     bacula-fd  1826  3  tcp4   *:9102                *:*
root     perl5.14.2 1668  6  tcp4   *:4949                *:*
root     sshd       1575  3  tcp6   *:19541               *:*
root     sshd       1575  4  tcp4   *:19541               *:*
root     syslogd    1389  8  udp6   *:514                 *:*
root     syslogd    1389  9  udp4   *:514                 *:*

You may want to tidy up some of that, as I did. I won’t go into details here, but you need to inspect each of those applications and decide whether it should really be listening on the jail’s addresses.
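As an added example (my code, not the post’s or ezjail’s): a POSIX sh helper that reads sockstat -l style output, the format printed in the warning above, and lists only the distinct host listeners bound to a wildcard address or to one of the jail’s addresses, so the services that need attention stand out instead of being buried under every httpd worker. The sockstat lines embedded in it are a constructed sample in the same format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pick out the host listeners that
# overlap with a new jail's addresses from sockstat -l style output.

# $1 = comma-separated jail addresses (same syntax as ezjail-admin create).
# sockstat -46l output on stdin; a header line is tolerated.
# Prints one line per distinct (user, command, proto, local address) whose
# local address is a wildcard ("*") or one of the jail addresses.
jail_listener_conflicts() {
  awk -v ips="$1" '
    BEGIN {
      n = split(ips, want, ",")
      for (i = 1; i <= n; i++) jail[want[i]] = 1
    }
    NR == 1 && $1 == "USER" { next }          # skip the header, if present
    NF >= 6 {
      local = $6
      host = local
      sub(/:[^:]*$/, "", host)                # strip the trailing :port
      if (host == "*") kind = "wildcard"
      else if (host in jail) kind = "jail-ip"
      else next                               # bound to some other host address
      key = $1 " " $2 " " $5 " " local        # collapse duplicate worker processes
      if (!(key in seen)) {
        seen[key] = 1
        printf "%-8s %-9s %-5s %-22s %s\n", $1, $2, $5, local, kind
      }
    }'
}

# Number of distinct overlapping listeners (handy for a pre-flight check).
count_conflicts() {
  jail_listener_conflicts "$1" | wc -l | tr -d ' '
}

# Constructed sample in sockstat format; "named" is bound only to the host's
# own address and so should not be reported.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       3034  31 udp4   10.233.228.197:123   *:*
www      httpd      56307 3  tcp6   *:80                  *:*
www      httpd      56307 4  tcp4   *:80                  *:*
www      httpd      56306 3  tcp6   *:80                  *:*
www      httpd      56306 4  tcp4   *:80                  *:*
root     sshd       1829  4  tcp4   *:22                  *:*
root     sshd       1829  3  tcp6   *:22                  *:*
root     named      2210  5  tcp4   10.233.228.194:53     *:*
root     master     2998  12 tcp4   *:25                  *:*'

JAIL_IPS=10.233.228.197,10.233.228.198

# Demo run: six distinct overlapping listeners, none of them named.
printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_listener_conflicts "$JAIL_IPS"
```

On the host itself, `sockstat -46l | jail_listener_conflicts 10.233.228.197,10.233.228.198` gives the same view from live data; anything reported as wildcard is a candidate for being told to bind to the host’s own address only.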


2 thoughts on “ezjail with freebsd-update”

  1. Christopher Weimann

    I would have thought, from the comments, that freebsd-update would have been involved in this article somehow. It looks to me like you have a base jail that is 9.1-RELEASE and nothing is ever done to update it to -p4.
