I wrote this back in July 2013, but never published it. Might as well share it now.
Lately, I’ve been moving away from tracking FreeBSD STABLE from source and towards binary updates with freebsd-update(8).
Today, I’ll be setting up a jail, using ezjail and freebsd-update.
##############
NOTE: Please read the comments before you read the article.
##############
Installing
Installing ezjail from the ports tree is straightforward:
```
[root@tallboy:~] # cd /usr/ports/sysutils/ezjail
[root@tallboy:/usr/ports/sysutils/ezjail] # make install clean
=> ezjail-3.3.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://erdgeist.org/arts/software/ezjail/ezjail-3.3.tar.bz2
ezjail-3.3.tar.bz2                            100% of   34 kB  110 kBps
===> Fetching all distfiles required by ezjail-3.3 for building
===> Extracting for ezjail-3.3
=> SHA256 Checksum OK for ezjail-3.3.tar.bz2.
===> Patching for ezjail-3.3
===> Configuring for ezjail-3.3
===> Building for ezjail-3.3
===> Installing for ezjail-3.3
===> Generating temporary packing list
===> Checking if sysutils/ezjail already installed
mkdir -p /usr/local/etc/ezjail/ /usr/local/man/man5/ /usr/local/man/man7 /usr/local/man/man8 /usr/local/etc/rc.d/ /usr/local/bin/ /usr/local/share/examples/ezjail /usr/local/share/zsh/site-functions
cp -p ezjail.conf.sample /usr/local/etc/
cp -R -p examples/example /usr/local/share/examples/ezjail/
cp -R -p examples/nullmailer-example /usr/local/share/examples/ezjail/
cp -R -p share/zsh/site-functions/ /usr/local/share/zsh/site-functions/
sed s:EZJAIL_PREFIX:/usr/local: ezjail.sh > /usr/local/etc/rc.d/ezjail
sed s:EZJAIL_PREFIX:/usr/local: ezjail-admin > /usr/local/bin/ezjail-admin
sed s:EZJAIL_PREFIX:/usr/local: man8/ezjail-admin.8 > /usr/local/man/man8/ezjail-admin.8
sed s:EZJAIL_PREFIX:/usr/local: man5/ezjail.conf.5 > /usr/local/man/man5/ezjail.conf.5
sed s:EZJAIL_PREFIX:/usr/local: man7/ezjail.7 > /usr/local/man/man7/ezjail.7
chmod 755 /usr/local/etc/rc.d/ezjail /usr/local/bin/ezjail-admin
chown -R root:wheel /usr/local/man/man8/ezjail-admin.8 /usr/local/man/man5/ezjail.conf.5 /usr/local/man/man7/ezjail.7 /usr/local/share/examples/ezjail/
chmod 0440 /usr/local/share/examples/ezjail/example/usr/local/etc/sudoers
[ -f /usr/local/etc/ezjail.conf ] || /bin/cp -p /usr/local/etc/ezjail.conf.sample /usr/local/etc/ezjail.conf
===> Compressing manual pages for ezjail-3.3
===> Registering installation for ezjail-3.3
===> Cleaning for ezjail-3.3
[root@tallboy:/usr/ports/sysutils/ezjail] #
```
Installing the base jail
My first attempt at creating a base jail failed:
```
# ezjail-admin install
Your system is 9.1-RELEASE-p4. Normally FTP-servers don't provide non-RELEASE-builds.
Querying your ftp-server...
The ftp server you specified (ftp.freebsd.org) seems to provide the following builds:
total 8
lrwxr-xr-x  1 1006  1006   14 Feb 12 08:32 8.3-RELEASE -> ../8.3-RELEASE
drwxrwxr-x  2 1006  1006  512 May 22 12:59 9.1-RELEASE
drwxrwxr-x  4 1006  1006  512 Jun  7 15:07 ISO-IMAGES
Release to fetch [ 9.1-RELEASE-p4 ]:
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/snapshot/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/releases/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/snapshots/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/amd64/9.1-RELEASE-p4/base.txz: File unavailable (e.g., file not found, no access)
Could not fetch base from ftp://ftp.freebsd.org.
Maybe your release (9.1-RELEASE-p4) is specified incorrectly or the host ftp.freebsd.org does not provide that release build.
Use the -r option to specify an existing release or the -h option to specify an alternative ftp server.
```
Oh. Well. Ummm, that’s not useful. The cause is right there in the output, though: ezjail-admin defaults the release name to uname -r, and on a host patched with freebsd-update that is 9.1-RELEASE-p4. The mirrors publish distribution sets only under the bare release name, so every path it tried was wrong. Tell it which release to fetch:
```
# ezjail-admin install -r 9.1-RELEASE
```
Much better. One thing worth noticing: ezjail-admin pulled base.txz with fetch(1) over plain FTP and did nothing itself to verify what arrived (the SHA256 check during the port build covered only the ezjail tarball). Every jail on this host will be built from this tree, so if that bothers you, compare the fetched sets against the MANIFEST published alongside the release before going further. It downloaded and installed about 340 MB:
```
[root@tallboy:/usr/jails] # du -ch -d 1 .
 48k    ./flavours
338M    ./basejail
2.7M    ./newjail
341M    .
341M    total
```
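The two fixes a practitioner wants at this point are to stop guessing the release name and to actually bring the basejail up to the host’s patch level, which is the freebsd-update step the comments below point out this post never shows. The script that follows is an added example, not code from the original post or from the ezjail project. It assumes ezjail 3.x, where `ezjail-admin update -u` runs freebsd-update against the basejail, and it refuses anything that is not a -RELEASE string, since there are no binary sets for STABLE (use `ezjail-admin install -s` with a source tree for that). `DRY_RUN=1` prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap an ezjail basejail on
# a host that tracks a release with freebsd-update(8), then bring the basejail
# to the host's patch level. Assumes ezjail 3.x (`ezjail-admin update -u`).
set -eu

# Map a `uname -r` string to the name the mirrors publish distribution sets
# under: 9.1-RELEASE-p4 -> 9.1-RELEASE. Non-RELEASE builds are refused.
release_of() {
    case "$1" in
        *-RELEASE|*-RELEASE-p[0-9]*) printf '%s\n' "${1%-p[0-9]*}" ;;
        *) return 1 ;;
    esac
}

# Echo instead of executing when DRY_RUN is set, so the plan can be reviewed
# (and tested) on a machine that has no ezjail at all.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# $1: the host's version string, normally "$(uname -r)".
bootstrap_basejail() {
    rel=$(release_of "$1") || {
        printf '%s is not a -RELEASE build; use ezjail-admin install -s with a source tree\n' "$1" >&2
        return 1
    }
    # Without -r, ezjail-admin asks the mirror for "$1" and every fetch fails.
    run ezjail-admin install -r "$rel"
    # The basejail is now an unpatched release userland. Apply the same
    # binary patches the host already carries, via freebsd-update.
    run ezjail-admin update -u
}

# Usage: sh bootstrap-basejail.sh "$(uname -r)"      (DRY_RUN=1 to preview)
[ $# -eq 0 ] || bootstrap_basejail "$1"
```

Two caveats on the update step: freebsd-update keys off the host’s uname -r, so the basejail has to be the same release as the host for `-u` to do the right thing, and it patches userland only, which is all a jail has, since jails share the host kernel.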
IP addresses
I will be creating one jail to host two websites, each of which will have a different IP address. Yes, a jail with two IP addresses. Sounds good to me.
The first step is making sure the host actually has those IP addresses configured. Mine are statically assigned, and are specified in /etc/rc.conf like this:
```
ifconfig_em0_alias2="10.233.228.197 netmask 255.255.255.255"  # papers.example.org
ifconfig_em0_alias3="10.233.228.198 netmask 255.255.255.255"  # papers.example.net
```
Change the IP addresses and aliasN values to suit your situation. In my case, these are the 3rd and 4th IP addresses specified in this file. Yes, aliases are zero-based, and they must be numbered without gaps: the rc scripts stop at the first missing aliasN. The /32 netmask is the usual FreeBSD convention for extra addresses in a subnet the interface already has.
Rather than reboot, I then added those IP addresses to the NIC by hand (the rc.conf lines make them persistent):
```
# ifconfig em0 alias 10.233.228.197 netmask 255.255.255.255
# ifconfig em0 alias 10.233.228.198 netmask 255.255.255.255
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:25:90:94:11:9e
        inet 10.233.228.194 netmask 0xfffffff8 broadcast 10.233.228.199
        inet 10.233.228.195 netmask 0xffffffff broadcast 10.233.228.195
        inet 10.233.228.196 netmask 0xffffffff broadcast 10.233.228.196
        inet 10.233.228.197 netmask 0xffffffff broadcast 10.233.228.197
        inet 10.233.228.198 netmask 0xffffffff broadcast 10.233.228.198
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```
Creating the jail
When creating a jail, you need to specify a name and at least one IP address. In my case, I’m specifying two, comma-separated. ezjail-admin also checks what is already listening on those addresses on the host, and it had a lot to say:
```
# ezjail-admin create papers 10.233.228.197,10.233.228.198
/usr/jails/papers/.
/usr/jails/papers/./bin
/usr/jails/papers/./boot
/usr/jails/papers/./dev
/usr/jails/papers/./etc
/usr/jails/papers/./etc/X11
... [many things omitted from here] ...
/usr/jails/papers/./.profile
/usr/jails/papers/./.cshrc
/usr/jails/papers/./COPYRIGHT
/usr/jails/papers/./basejail
2867 blocks
Warning: Some services already seem to be listening on IP 10.233.228.197
  This may cause some confusion, here they are:
root     ntpd       3034  31 udp4   10.233.228.197:123    *:*
Warning: Some services already seem to be listening on all IP, (including 10.233.228.197)
  This may cause some confusion, here they are:
www      httpd      56307 3  tcp6   *:80                  *:*
www      httpd      56307 4  tcp4   *:80                  *:*
www      httpd      56306 3  tcp6   *:80                  *:*
www      httpd      56306 4  tcp4   *:80                  *:*
www      httpd      56305 3  tcp6   *:80                  *:*
www      httpd      56305 4  tcp4   *:80                  *:*
www      httpd      56304 3  tcp6   *:80                  *:*
www      httpd      56304 4  tcp4   *:80                  *:*
www      httpd      55861 3  tcp6   *:80                  *:*
www      httpd      55861 4  tcp4   *:80                  *:*
www      httpd      55860 3  tcp6   *:80                  *:*
www      httpd      55860 4  tcp4   *:80                  *:*
www      httpd      55859 3  tcp6   *:80                  *:*
www      httpd      55859 4  tcp4   *:80                  *:*
www      httpd      55858 3  tcp6   *:80                  *:*
www      httpd      55858 4  tcp4   *:80                  *:*
www      httpd      55857 3  tcp6   *:80                  *:*
www      httpd      55857 4  tcp4   *:80                  *:*
root     httpd      55856 3  tcp6   *:80                  *:*
root     httpd      55856 4  tcp4   *:80                  *:*
root     ntpd       3034  20 udp4   *:123                 *:*
root     ntpd       3034  21 udp6   *:123                 *:*
root     master     2998  12 tcp4   *:25                  *:*
root     sshd       1829  3  tcp6   *:22                  *:*
root     sshd       1829  4  tcp4   *:22                  *:*
root     bacula-fd  1826  3  tcp4   *:9102                *:*
root     perl5.14.2 1668  6  tcp4   *:4949                *:*
nobody   openvpn    1659  4  udp4   *:17152               *:*
root     syslogd    1389  8  udp6   *:514                 *:*
root     syslogd    1389  9  udp4   *:514                 *:*
Warning: Some services already seem to be listening on IP 10.233.228.198
  This may cause some confusion, here they are:
root     ntpd       3034  32 udp4   10.233.228.198:123    *:*
Warning: Some services already seem to be listening on all IP, (including 10.233.228.198)
  This may cause some confusion, here they are:
www      httpd      56307 3  tcp6   *:80                  *:*
www      httpd      56307 4  tcp4   *:80                  *:*
www      httpd      56306 3  tcp6   *:80                  *:*
www      httpd      56306 4  tcp4   *:80                  *:*
www      httpd      56305 3  tcp6   *:80                  *:*
www      httpd      56305 4  tcp4   *:80                  *:*
www      httpd      56304 3  tcp6   *:80                  *:*
www      httpd      56304 4  tcp4   *:80                  *:*
www      httpd      55861 3  tcp6   *:80                  *:*
www      httpd      55861 4  tcp4   *:80                  *:*
www      httpd      55860 3  tcp6   *:80                  *:*
www      httpd      55860 4  tcp4   *:80                  *:*
www      httpd      55859 3  tcp6   *:80                  *:*
www      httpd      55859 4  tcp4   *:80                  *:*
www      httpd      55858 3  tcp6   *:80                  *:*
www      httpd      55858 4  tcp4   *:80                  *:*
www      httpd      55857 3  tcp6   *:80                  *:*
www      httpd      55857 4  tcp4   *:80                  *:*
root     httpd      55856 3  tcp6   *:80                  *:*
root     httpd      55856 4  tcp4   *:80                  *:*
root     ntpd       3034  20 udp4   *:123                 *:*
root     ntpd       3034  21 udp6   *:123                 *:*
root     master     2998  12 tcp4   *:25                  *:*
root     sshd       1829  3  tcp6   *:22                  *:*
root     sshd       1829  4  tcp4   *:22                  *:*
root     bacula-fd  1826  3  tcp4   *:9102                *:*
root     perl5.14.2 1668  6  tcp4   *:4949                *:*
root     sshd       1575  3  tcp6   *:19541               *:*
root     sshd       1575  4  tcp4   *:19541               *:*
root     syslogd    1389  8  udp6   *:514                 *:*
root     syslogd    1389  9  udp4   *:514                 *:*
```
You may want to tidy up some of that… I did. I won’t go into details, but the warnings deserve more than a scroll past. A host daemon bound to * (the wildcard address) already owns that port on every address the machine has, including the two I just handed to the jail: a connection to the jail’s IP on port 22 or 80 can be answered by the host’s sshd or httpd, and the jail’s own daemon can fail to bind. ntpd went one step further and grabbed the new aliases individually as soon as they appeared. The fix is to pin each host service to the host’s own address and re-check; every application has its own knob for this (sshd_config ListenAddress, Apache Listen, Postfix inet_interfaces, syslogd -b, and so on), so you need to inspect each one accordingly.
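Re-running `ezjail-admin create` just to see whether the warnings are gone is clumsy, so here is the same check as a stand-alone script. This is an added example, not code from the original post or from ezjail; it reads `sockstat -4 -l` output (USER COMMAND PID FD PROTO LOCAL FOREIGN) and reports every listener bound to the wildcard address or to one of the jail’s IPs. The embedded sample is constructed: it is trimmed from the warnings above plus two invented lines (an sshd on the host’s own 10.233.228.194 and a named on loopback) showing what a correctly pinned service looks like, which the check must leave alone.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce ezjail-admin's
# "already listening" warning as a check that can be re-run after each host
# daemon is re-bound. Input is sockstat(1)-style lines on stdin.
set -eu

# Constructed sample in `sockstat -4 -l` format. The last two lines (pid 4242,
# pid 1500) are invented examples of services bound to a specific address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       3034  31 udp4   10.233.228.197:123    *:*
root     ntpd       3034  20 udp4   *:123                 *:*
www      httpd      56307 4  tcp4   *:80                  *:*
root     httpd      55856 4  tcp4   *:80                  *:*
root     sshd       1829  4  tcp4   *:22                  *:*
root     master     2998  12 tcp4   *:25                  *:*
root     bacula-fd  1826  3  tcp4   *:9102                *:*
nobody   openvpn    1659  4  udp4   *:17152               *:*
root     syslogd    1389  9  udp4   *:514                 *:*
root     sshd       4242  4  tcp4   10.233.228.194:2222   *:*
root     named      1500  20 tcp4   127.0.0.1:53          *:*'

# Print every listener that would also answer on the jail's IPs: sockets bound
# to the wildcard address, or to one of the jail IPs themselves.
# $1: comma-separated jail IPs, exactly as passed to `ezjail-admin create`.
listeners_overlapping() {
    awk -v ips="$1" '
        BEGIN { n = split(ips, want, ",") }
        $1 == "USER" { next }                      # sockstat header line
        {
            addr = $6
            sub(/:[^:]*$/, "", addr)               # drop the :port suffix
            if (addr == "*") { print; next }
            for (i = 1; i <= n; i++)
                if (addr == want[i]) { print; next }
        }'
}

# Distinct daemon names among the overlapping listeners, sorted, one per line.
daemons_to_rebind() {
    listeners_overlapping "$1" | awk '{ print $2 }' | sort -u
}

# Run the check on the live host when sockstat exists, else on the sample.
# Returns 1 when anything overlaps, so it can gate a jail start script.
check_jail_ips() {
    if command -v sockstat >/dev/null 2>&1; then
        hits=$(sockstat -4 -l | listeners_overlapping "$1")
    else
        hits=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_overlapping "$1")
    fi
    [ -z "$hits" ] && return 0
    printf 'Host listeners that overlap jail IPs %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Usage: sh jail-ip-check.sh 10.233.228.197,10.233.228.198
[ $# -eq 0 ] || check_jail_ips "$1"
```

On the sample this flags nine sockets belonging to seven daemons and ignores the two pinned ones; on a real host, run it after each configuration change until `check_jail_ips` exits 0 for the jail’s addresses.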
I would have thought, from the comments, that freebsd-update would have been involved in this article somehow. It looks to me like you have a base jail that is 9.1-RELEASE and nothing is ever done to update it to -p4.
I think you have found the reason why this article was not published back when it was first written.