

News
(2013-04-20) ezjail 3.3 is out. Besides several bug fixes, it allows installing ezjails in an alternative zpool, copes better with the auto-configure interface syntax for IP addresses, and properly supports the new distribution server layout. Refer to the version history for details. On a side note, the project home page was brushed and polished.
(2012-09-23) ezjail 3.2.3 is out. Version 3.2.2 introduced an inconvenient bug that prevented ezjail-admin update from finding /usr/src.
(2012-09-19) ezjail 3.2.2 is out. This release contains minor fixes in the zfs code.
(2007-03-22) A mailing list has been created. An archive can be found here. Please subscribe to post.
Overview
A Jail in FreeBSD-speak is one or more processes with the same kernel Jail-ID, bound to zero or more IP addresses and sharing the same chroot environment. One use case of the FreeBSD Jail subsystem is to provide virtual FreeBSD systems within a host system. ezjail is about making this as easy as possible, aiming for minimum system resource usage. All further references to the term Jail are to a virtual FreeBSD system consisting of a host name, an IP address and a Jail root.
The jail(8) man page outlines the way to create Jails; however, when you need several Jails, complete Jail directory trees quickly use up much of your valuable hard disk space. ezjail avoids this by using FreeBSD's nullfs feature. Most of the base system (/bin, /boot, /sbin, /lib, /libexec, /rescue, /usr/{bin, include, lib, libexec, ports, sbin, share, src}) exists in only one copy in the host system and is mounted read-only into all Jails via nullfs. Those Jails are quite slim (around 2 MB each) and consist only of some soft links into the basejail mount point plus the non-shared directories like /etc, /usr/local, etc.
The ezjail approach offers lots of advantages:
Quick start
To set up your first, very simple ezjail, just install ezjail from the sysutils/ezjail port or via pkg_add -r ezjail and enable it by setting ezjail_enable=YES in your /etc/rc.conf. Assuming your network interface is em0, just type (as root):
ezjail-admin install
ezjail-admin create example.com 'em0|10.0.0.2'
ezjail-admin start example.com
and you're done. Get a shell in your new jail with the
ezjail-admin console example.com
command. As with any vanilla FreeBSD installation, you will probably need to touch up /etc/ and maybe copy your host's /etc/resolv.conf.
Slow start
ezjail comes with some sane defaults, but can be configured globally and per jail using the config file /usr/local/etc/ezjail.conf (copy the sample from /usr/local/etc/ezjail.conf.sample) and the per-jail config files under /usr/local/etc/ezjail/ (those are created automatically with the jails and managed by the ezjail-admin config command).
ezjail integrates nicely with zfs and is ready to manage all jails in its own file system. So if your system has a zpool configured, tell ezjail to use zfs and which zpool to use for its housekeeping:
- set ezjail_use_zfs=YES
- set the ezjail_jailzfs variable to a file system that will be created by ezjail-admin install (e.g. tank/ezjail)
- while you're at it, you can tell ezjail to create all future jails in their own file system (which defaults to a child of ezjail_jailzfs): ezjail_use_zfs_for_jails=YES
Now the commands in the quick start example should set up a zfs hierarchy ready to use all the nifty features of zfs.
ezjail can help you with the otherwise tedious task of decorating the interior of new jails, which come as naked FreeBSD installations by default. A set of files to copy, packages to install and scripts to execute is called a "flavour". ezjail comes with an example flavour called "example" that is pre-tuned for use in jails, with an appropriate rc.conf, make.conf, periodic.conf and /usr/local/etc/sudoers.
You are encouraged to copy the flavour and modify the contained script to suit your needs; flavours reside in the directory configured with the ezjail_flavours_dir variable, which defaults to /usr/jails/flavours. But just calling
ezjail-admin create -f example example.com 'em0|10.0.0.2'
should do. Note that the flavour script is run the first time the jail starts, so calling
ezjail-admin console -f example.com
is a nice idea. You can use the shell to further configure the new jail.
All jails share a read-only mounted copy of the FreeBSD base system; in ezjail this is called the basejail. The quick start section gave a glimpse of the simplest way to install just the basics, but no ports tree, no man pages (pre FreeBSD-9) and no sources. You can run the ezjail-admin install command again with the options -P, -M and -S to install these distribution packages without installing the base system again, or just call ezjail-admin install -spm from the start. ezjail uses the portsnap command to provide (and later update) the ports tree. If you do not want to install the OS version running on the host system, call
ezjail-admin install -r 2.2.8-RELEASE
If you want to install your base system from source, use the ezjail-admin setup command (also called ezjail-admin update); assuming you have already built your world for the host system, you would just call
ezjail-admin setup -i
to run a make installworld from your source directory, which defaults to /usr/src. To run a make buildworld before the installworld, call
ezjail-admin setup -b
For binary installations, ezjail uses the freebsd-update tool to keep the basejail up to date,
ezjail-admin update -u
should do the trick.
Before the dawn of zfs, simple means of setting limits on jails, like quotas, were hard to achieve. ezjail's answer was image jails: file-backed "memory" disc images containing a ufs with the jail's contents. When geom appeared with the very useful gbde and geli crypto layers, encrypting image jails became possible. ezjail handles creating, and later attaching and detaching, those images for you.
Now simple image jails are not as hot anymore, and personally I would recommend using geli to encrypt the provider for your zpool to apply proper crypto to all your jails. Still, there may be valid use cases for image jails. Call
ezjail-admin create -i -s 2G example.com 10.0.0.2
to create a two gigabyte md image with a ufs file system and install the jail inside. To configure the jail without starting it, use the attach and detach subcommands of ezjail-admin config, like this:
ezjail-admin config -i attach example.com
cd /usr/jails/example.com
… do your thing …
ezjail-admin config -i detach example.com
Should the file system need some love, e.g. after a spontaneous reboot or system crash, call
ezjail-admin config -i fsck example.com
to tidy up the mess; it ain't zfs, after all. By default ufs soft updates are enabled, so a background fsck should take care of minor wrinkles when an image jail starts.
To create encrypted image jails, use the -c switch, pass either bde or eli, and follow the instructions on screen:
ezjail-admin create -c eli -s 16G example.com 10.0.0.3
Note that ezjail creates image jails by filling them from /dev/zero or /dev/random, for performance reasons (fewer seeks with this file-system-inside-a-file hack) and for security reasons (a crypto jail must not leak which blocks have been written), so creating huge image jails may take a while. Also note that crypto jails would block the boot process (unless the passphrase is provided via a file or some fetch magic via stdin), so they are marked as attachblocking and not started at boot time. You need to start them using ezjail-admin startcrypto.
To get further details about all the options for ezjail-admin and all knobs and bolts, I recommend the excellent man pages: ezjail-admin, an overview of ezjail, and the ezjail config file.
Version History
Since ezjail is useful under FreeBSD only, you might want to install it from the port sysutils/ezjail. A cvsweb is available at ezjail cvsweb, plus there is a fresh checkout. The most current version is available via cvs. Use cvs -d :pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co ezjail with an empty password to check it out. Just type sudo make install to install it. Older versions may be found here (checksums in tooltips):

V3.3 (2013-04-20)
- ezjail_portscvsroot is gone.
- jail_JAIL_parameters when changing jail options. Thanks to Виталий Владимирович.
- freebsd-update install until no more update steps are necessary. Previously upgrades were not installed completely, as freebsd-update uses several passes.
- chflags -R noschg when deleting image jails. The whole file system is being thrown away, anyway. Thanks to tomster.
- -f option is requested.
- ezjail_use_zfs_for_jails="YES" in your ezjail.conf to do that.
V3.2 ezjail-3.2.tar.bz2 (2012-01-07)
- ezjail_archives under ezjail_jaildir. Before it defaulted to the current directory.
- /usr/games/ has gone.
- rc.d/ezjail.sh script has been renamed to rc.d/ezjail in accordance with FreeBSD guidelines.
- ezjail-admin to start Jails, checks now are properly extended to all versions of the (one|force|...) prefixes.
V3.1 ezjail-3.1.tar.bz2 (2010-02-26)
- ezjail.conf that is applied to any new Jail.
- ezjail_jaildir. They now use mktemp to get a unique one.
V3.0 ezjail-3.0.tar.bz2 (2008-09-26)
- create -a option, can be used to take (automated) backups of your jails and reinstall them.
- jexec into a Jail identified by its Jail name. It can also bring up non-running jails if run with the -f switch.
- -b (buildworld, installworld), -i (installworld only) or (as a new option) -u to use freebsd-update to update your base jail.
- find .s its stuff. Using '*' never found dot-files and could have led to a "too many parameters" situation.
- lib32 package on amd64 platforms when doing ezjail-admin install.
- sudo now checks permissions on its sudoers file and stops if it is not 0440. Fixed ezjail's Makefile to install sudoers to the default flavour. (However, if you already installed ezjail, you might want to manually chmod 0440 ${ezjail_flavours}/default/usr/local/etc/sudoers and all corresponding sudoers files in all jails.)
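A check for the sudoers mode requirement described in this entry, added here as an example and not ezjail's own code: it lists every flavour or jail sudoers file that is not mode 0440 and can repair them. The directories to scan are passed in; the paths in the usage comment are the page's defaults and an assumption about your ezjail.conf.

```shell
#!/bin/sh
# Audit (and optionally repair) the mode of every sudoers file that ezjail
# installs: the flavour template and each jail's /usr/local/etc/sudoers.
# sudo refuses to run when sudoers is not mode 0440, so a jail whose sudoers
# was copied with the wrong mode silently loses sudo.
# Added example, not part of ezjail. The directories are assumptions: pass the
# ones from your ezjail.conf (ezjail_jaildir, ezjail_flavours_dir).

# Print every sudoers file below the given roots whose mode is not exactly 0440.
# Returns 0 when all files are fine, 1 when at least one is not.
list_bad_sudoers() {
	_bad=$(find "$@" -path '*/usr/local/etc/sudoers' -type f ! -perm 0440 2>/dev/null)
	[ -z "$_bad" ] && return 0
	printf '%s\n' "$_bad"
	return 1
}

# Repair: chmod 0440 each offending file, then re-audit and return that result.
fix_bad_sudoers() {
	list_bad_sudoers "$@" | while IFS= read -r f; do
		chmod 0440 "$f" && printf 'fixed %s\n' "$f"
	done
	list_bad_sudoers "$@" >/dev/null
}

# Usage on a host with the default ezjail layout (report only):
# list_bad_sudoers /usr/jails/flavours /usr/jails || echo "some sudoers files need chmod 0440"
```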
V2.1 ezjail-2.1.tar.bz2 (2007-07-31)
- sendmail_submit_enable, sendmail_outbound_enable and sendmail_msp_queue_enable in the default-flavour rc.conf to allow easier fine-grained control of sendmail.
- newfs won't be mistaken as used.
- fetch rather than cron from my ezjail-admin update -P.
- /etc/rc.d/jail.
- /etc/periodic.conf now makes all periodic scripts log to files instead of sending mails. Most often this is what you want in your jails.
V2.0.1 ezjail-2.0.1.tar.bz2 (2006-07-24)
- DESTDIR was ignored for sub targets in an ezjail-admin update -p under certain circumstances. See this report for more details. Thanks go to Simon L. Nielsen.
- tr parameters in the form [:alnum:] which were expanded to the files : a l n u and m, if existing. Also an apparent bug in tr was circumvented which incorrectly replaced A-Z with a-z in certain LANG settings. Thanks again to Simon L. Nielsen.
- ezjail_ftphost was ignored when specified in PREFIX/etc/ezjail.conf. Thanks to Edwin Groothuis.
V2.0 ezjail-2.0.tar.bz2 (2006-05-31)
- cd /usr/ports/sysutils/ezjail; make install; ezjail-admin install; ezjail-admin create test.com 10.1.1.1 on a vanilla FreeBSD server, i.e. without installing /usr/src.
- rcorder on its config file list located in PREFIX/etc/ezjail/ before processing them. That way you can manually construct a dependency tree and for example start your name server Jail first and your database Jail before your web server Jail. However, some basic knowledge of the Bourne shell and the rcorder command is required. Beware of circles.
- test_org.norun to temporarily exclude it from the auto-run process.
- ezjail_uglyperlhack (defaults to YES) which creates a soft link from /usr/bin/perl to /usr/local/bin/perl in the base jail. This is useful since perl was expelled from the base system in FreeBSD 5 but still many scripts rely on #!/usr/bin/perl.
- /usr/games and /usr/libdata have now become part of the basejail. Someone please kick me for missing that until now. Saves another 100k in newjail. Hopefully I got them all by now ;) Thanks to Vivek Khera.
V1.3.1 ezjail-1.3.1.tar.bz2 (2006-03-13)
- jail_list from rc.conf as it should due to a legacy name space clash. This led to no ezjail being started at system startup when some non-ezjail Jails exist in the system. Thanks to Cryx.
- fulljail to be created and refines the error message in case the user wants to create basejail, newjail or flavours.
V1.3 ezjail-1.3.tar.bz2 (2006-02-16)
- /boot and /rescue have now become part of the basejail. Someone please kick me for missing that until now. New jails now are < 2 MB in size.
V1.2 ezjail-1.2.tar.bz2 (2006-02-10)
- cvs co or cvs up of ports in the basejail by providing the -p or -P option.
- /lib and /libexec have now become part of the basejail. Someone please kick me for missing that until now.
- tr -c [:alnum:] _, thanks go to Gunjin.
- PREFIX is provided now. Installing to / seems not too useful and should not be the default.
V1.1 ezjail-1.1.tar.bz2 (2005-10-26)
- #/bin/sh to #!/bin/sh, thanks go to Alex Samorukov.
- $PREFIXes
- $basejail/usr itself, since cpio creates missing intermediate directories in 0700, which is bad
V1.0 ezjail-1.0.tar.bz2 (2005-10-14)
V0.1 ezjail-0.1.tar.bz2 (2005-09-26)
V0.0 - Not packaged (2005-09-04)
FAQ
/usr/local/etc/rc.d/ezjail start JAILNAME
jls. Unlike the command jail, which leaves you with an interactive shell in your Jail, rc.d/ezjail is an rc-script. It is most commonly meant to run at system startup and shutdown, where entering an interactive shell would interrupt the boot process. If you want an interactive shell in your Jail after starting it, use the command ezjail-admin console JAILNAME.
ezjail_enable="YES" to rc.conf.
/var/log/jail_JAILNAME_console.log. Most commonly you'll find the reasons for your jail's startup failure there.
ezjail_root.
work/-directories, this might reveal attack vectors to the host system. A problem like ignoring ro flags when mounting from fstab may give you an idea why I consider that boundary essential to system security.
WRKDIRPREFIX none of the Jails can access, you might follow these instructions to mount ports via nullfs. Another way of doing this is to mv /usr/ports/ /usr/jails/basejail/usr/ports/; ln -s /usr/jails/basejail/usr/ports /usr/ports; in the host system. ezjail will not offer this as an option.
/etc/ and /var/. It is recreated every time you ezjail-admin update, so it is not meant to be modified by the user to distribute settings to all Jails to be created. A Flavour, on the other hand, is set up by the user and contains all non-sharable files not in the base system that you think belong to a newly created Jail (usually stuff in /usr/local/ and your settings in /etc/). You may have several Flavours, each customized for a certain job: an httpd-Flavour, a shell-server-only Flavour, a full featured bamp-server and so on. Flavours are never modified by ezjail; the template should not be modified by the user.
ezjail-admin restore-able ezjail archives.
/legacyjail Basically you only need to create an empty directory /legacyjail/basejail/ and call ezjail-admin create -x -r /legacyjail JAILNAME JAILIP and your Jail enjoys all of ezjail's starting/stopping capabilities.
./legacyjail with the path to your Jail).
cd /legacyjail
mkdir OLDBASE
# Move each directory that the basejail provides aside and replace it with a soft link into the basejail mount point.
for dir in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/libexec usr/ports usr/sbin usr/src usr/share; do
	[ -d "${dir}" ] || continue              # skip directories the old jail does not have
	mkdir -p "OLDBASE/$(dirname "${dir}")"   # keep usr/* from colliding with the top-level names in OLDBASE
	mv "${dir}" "OLDBASE/${dir}" && ln -s "/basejail/${dir}" "${dir}"
done
There is a chance that your binaries require some of the libraries of the old base system. If they don't, you can remove OLDBASE; if they do, use the following snippet to create the old libs.
/etc/localtime to the appropriate time zone file, in my case: /usr/share/zoneinfo/Europe/Berlin.
rm -rf them as root. How do I get a clean start?
man chflags for more details. However, to reset everything to a state with no jails and no files lurking around, use the following lines, at kern.securelevel 0, as root, on a standard ezjail.conf:
chflags -R noschg /usr/jails/
rm -rf /usr/jails/
rm -rf /usr/local/etc/ezjail/
rm /etc/fstab.*
If you configured ezjail to use zfs, you can just throw away ezjail's parent zfs, as configured in ezjail_jailzfs.
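The FAQ above treats the read-only nullfs mount of the basejail as a security boundary; this added example (not part of ezjail) audits that boundary from the host by parsing mount(8) output and the per-jail fstab files. The sample lines are constructed; /usr/jails/basejail is ezjail's default path and the fstab layout is assumed to be the standard one ezjail writes to /etc/fstab.JAILNAME.

```shell
#!/bin/sh
# Verify that every nullfs mount of the basejail into a jail is read-only: a
# writable basejail would let one jail alter the binaries every other jail (and
# the host's ezjail-admin) executes. Added example, not ezjail's own code; it
# only parses text, so it can be run against captured output as well.
BASEJAIL=${BASEJAIL:-/usr/jails/basejail}   # ezjail's default shared base (assumed)

# Read `mount` output on stdin (FreeBSD format "SRC on DST (nullfs, ...)").
# Print each nullfs mount of $BASEJAIL lacking "read-only"; return 1 if any.
check_live_mounts() {
	awk -v base="$BASEJAIL" '
		$1 == base && $2 == "on" && $4 ~ /^\(nullfs/ {
			opts = substr($0, index($0, "("))      # "(nullfs, local, read-only)"
			if (opts !~ /read-only/) { print $3; bad = 1 }
		}
		END { if (bad) exit 1; exit 0 }'
}

# Read fstab lines on stdin; print each nullfs entry for $BASEJAIL whose option
# list does not contain "ro"; return 1 if any such entry exists.
check_fstab() {
	awk -v base="$BASEJAIL" '
		/^[ \t]*#/ || NF < 4 { next }          # comments and malformed lines
		$1 == base && $3 == "nullfs" {
			n = split($4, o, ","); ro = 0
			for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
			if (!ro) { print $2; bad = 1 }
		}
		END { if (bad) exit 1; exit 0 }'
}

# Constructed sample `mount` output: web jail mounted correctly, db jail writable.
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/usr/jails/basejail on /usr/jails/web.example.com/basejail (nullfs, local, read-only)
/usr/jails/basejail on /usr/jails/db.example.com/basejail (nullfs, local)'

# Constructed sample fstab entries; the second one is the misconfiguration.
SAMPLE_FSTAB='/usr/jails/basejail /usr/jails/web.example.com/basejail nullfs ro 0 0
/usr/jails/basejail /usr/jails/db.example.com/basejail nullfs rw 0 0'

# On a real host:  mount | check_live_mounts;  cat /etc/fstab.* | check_fstab
```

Both functions exit non-zero when they print something, so they drop straight into a periodic script or monitoring check.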
Author/Contact
License
ezjail is considered beer ware.
Thanks
...are due to:
Links
Trackbacks
Thanks for spreading the word go to