# Jail tutorials?



## gentoobob (Mar 19, 2012)

I just set up a jail (my first time) using the FreeBSD handbook documentation.  I am now left with a jail that cannot access the network/internet or ports tree. Is there a tutorial or documentation that has a way of setting up your jail to be a normal system setup that does NOT use ezjail? I've found tutorials on setting up jails with ezjail but I didn't use ezjail, I used FreeBSD's documentation and I want to continue building this hands on so I learn the ins and outs.  

Any help would be great.  

Thanks,


----------



## UNIXgod (Mar 19, 2012)

If I remember correctly you still need to add resolv.conf and set up a NAT if you only have one IP address available to you (I used pf() but there are other ways to do it).

Also take the time to grok Application of Jails

Another source to look at is the man page jail().
Older tutorials:
http://www.freebsddiary.org/jail-6.php and
http://onlamp.com/pub/a/bsd/2003/09/04/jails.html

Other useful utilities that you can use in your scripts are jls() and jexec().
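
A sketch of the pieces this reply mentions (a private jail address, pf NAT on the host, and a resolv.conf inside the jail), added here as an example and not part of the original post. The jail name `www`, the path /usr/jails/www, the interface em0, the 10.0.0.0/24 range and the resolver address are assumptions; the rc.conf variables are the FreeBSD 8/9-era rc.d/jail ones.

```conf
# ---- host: /etc/rc.conf ----
# extra loopback interface to carry jail addresses
cloned_interfaces="lo1"
# load /etc/pf.conf at boot
pf_enable="YES"
jail_enable="YES"
# assumed jail name and root directory
jail_list="www"
jail_www_rootdir="/usr/jails/www"
jail_www_hostname="www.example.org"
# rc.d/jail adds the address below as an alias on this interface
jail_www_interface="lo1"
jail_www_ip="10.0.0.2"

# ---- host: /etc/pf.conf ----
# assumed external NIC and jail address range
ext_if   = "em0"
jail_net = "10.0.0.0/24"
# Outbound only: rewrite jail source addresses to the host's address.
# Add an rdr rule later only for the ports a jail should actually serve.
nat on $ext_if from $jail_net to any -> ($ext_if)

# ---- jail: /usr/jails/www/etc/resolv.conf ----
# placeholder address; use the resolver your host uses
nameserver 192.0.2.53

# ---- jail: /usr/jails/www/etc/rc.conf (not created for you) ----
sendmail_enable="NONE"
# keep syslogd inside the jail from opening a network socket
syslogd_flags="-ss"
```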


----------



## gentoobob (Mar 19, 2012)

Great! Thanks.  Yea I saw I'm missing rc.conf, resolv.conf, etc.  I did add a resolv.conf but not a NAT.  

I will look over whatever you sent me.  Thanks!


----------



## UNIXgod (Mar 19, 2012)

rc.conf() is not automatic with installation of jails, though I understand how one may assume it would be, as the file was generated when you were in sysinstall() when you installed FreeBSD.

From the rc.conf man page:


> ```
> DESCRIPTION
> The file rc.conf contains descriptive information about the local host
> name, configuration details for any potential network interfaces and
> ...
> ```



A general note: though it's important to go through the process by hand, as you currently are, in the long run you'll end up wanting to automate the creation of jails via your own custom scripts.


----------



## gentoobob (Mar 19, 2012)

Good detail.  

I'm surprised there is not a more informational documentation on creating jails by hand and not by ezjail.  I'm just finding tidbits here and there.  

Yes, templates would be good.  For now I'm just doing this on my own at home, making a WWW and mail jail.  

Thanks for the information!


----------



## athos (Mar 19, 2012)

Hello, one of the many things that get me curious about FreeBSD is jails, I discovered them in a Defcon video.

As far as I can remember, it was pretty much a nice tutorial for jails, here's the link:

http://www.youtube.com/watch?v=77TcnLOaRr0


----------



## gentoobob (Mar 19, 2012)

Awesome, thanks.  I will definitely check it out.  

I'm blogging about my setup anyways so I will put together a nice document.  I actually just looked through a FreeBSD book I had and it gives me the details I needed.  I'm surprised how much lack of information was in the FreeBSD docs.  Definitely could use more.  

Thanks again!


----------



## UNIXgod (Mar 19, 2012)

gentoobob said:

> Awesome, thanks.  I will definitely check it out.
> 
> I'm blogging about my setup anyways so I will put together a nice document.  I actually just looked through a FreeBSD book I had and it gives me the details I needed.  I'm surprised how much lack of information was in the FreeBSD docs.  Definitely could use more.
> 
> Thanks again!



It's a bit of an advanced subject. The user needs to understand several stacks, for example: FreeBSD, networking, and use cases (i.e. slim jailed processes as well as fat jails for sandboxing).

Since it's really meant for customization for administrators to build into their systems it makes sense that the handbook is a bit terse and to the point. To be honest I'm surprised it even mentions ezjail at all.


----------



## gentoobob (Mar 20, 2012)

UNIXgod said:

> It's a bit of an advanced subject.



I agree.  

Thanks for all the help!


----------



## UNIXgod (Mar 20, 2012)

gentoobob said:

> I agree.
> 
> Thanks for all the help!



No problem. Feel free to ask more questions if you get stuck. I've been there and know how discouraging it is when something doesn't work. In fact I remember being exactly in the same place you are and getting analysis and informed on irc. It's all about passing it forward.

BTW just in case you may be interested. There is a "beta" project currently in the works called VIMAGE. I haven't used it yet but others may be able to comment. From what I understand it will allow us to create jails within jails as a side effect there is also work to make ipfw() and pf() compatible in the jails as well.

This project should open up more exotic uses for FreeBSD. I imagine those who use FreeBSD for hosting services have an eye on the project as it can be used to separate users from the system and also allow users to create new users as well to sandbox away from their own jails those users themselves could go on to create their own sandboxes and carry around their own versions of preferred software and so on.

If you're interested in seeing if vimage works you can run `# make LINT` in your kernel conf directory which will create a proper LINT file as well as the vimage kernel config which really just sucks in GENERIC while adding vimage to the kernel.

As the current zfs version on FreeBSD 9 has dedup available I'd imagine a properly set up system with the proper hardware requirements to run zfs with dedup with jails set up with a working vimage would be a very nice server for an office where many developers can build, experiment, and deploy many projects with included inside networking all on one single box.

Congrats on tackling FreeBSD jails. It's one of the finer and more interesting and unique parts of FreeBSD.


----------



## gentoobob (Mar 21, 2012)

I will definitely get back with you for any questions.  You seem very resourceful.  

The jail inside of a jail seems crazy but I'm sure there is a need for that kind of control. If I get the chance to play around with it soon, I'll let you know when I take a gander at it.


----------



## gentoobob (Mar 22, 2012)

Hey UNIXgod, one thing you might be able to help me on is devfs rules for the jail.  How does that work?  I can't find any good literature on that. Do I `cp` the devfs rules file from the ../defaults folder to the jail and rename it? Any pointers on that?

BTW, I've managed to do pretty well on my first jail. Got ports installed, apache22, mysql, and wordpress.  not too shabby.    My next one will be postfix.


----------



## UNIXgod (Mar 22, 2012)

gentoobob said:

> Hey UNIXgod, one thing you might be able to help me on is devfs rules for the jail.  How does that work?  I can't find any good literature on that.
> Do I cp the devfs rules file from the ../defaults folder to the jail and rename it?
> Any pointers on that?


`% man 8 jail`

Type `/devfs` inside the pager to locate the documentation.



> ```
> EXAMPLES
> Setting up a Jail Directory Tree
> To set up a jail directory tree containing an entire FreeBSD distribu-
> ...
> ```

gentoobob said:

> btw, I've managed to do pretty well on my first jail.
> Got ports installed, apache22, mysql, and wordpress.  not too shabby.
> 
> My next one will be postfix.



Sounds like you're making your way. Congrats again!

Might I suggest making your database a separate jail. Generally the web server and database server are two separate "servers". From a security standpoint if one gets hacked (i.e. wordpress exploit on the apache side... the database is safe ... or other way around in case of sql injection).


----------



## gentoobob (Mar 22, 2012)

Yeah, I read that about the devfs rules.  I guess I'm a little confused because some people in their rc.conf make up a different name for the ruleset.  

I thought about making the database a separate jail; good point.  Definitely will do that.
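
On the ruleset names mentioned in this post: a custom devfs ruleset as an added example, not something posted in the thread. The ruleset name `devfsrules_www_jail`, the number 10 and the jail name `www` are assumptions; the `$devfsrules_*` includes are the ones defined in /etc/defaults/devfs.rules.

```conf
# ---- host: /etc/devfs.rules ----
# This file lives on the host, not inside the jail, and is created by
# hand; /etc/defaults/devfs.rules stays untouched.
# The bracketed name is arbitrary, which is why it differs between
# people's configs. The number must be unique; the stock jail ruleset
# in /etc/defaults/devfs.rules is [devfsrules_jail=4].
[devfsrules_www_jail=10]
# start with every device node hidden
add include $devfsrules_hide_all
# then expose only the basics (null, zero, random, ...)
add include $devfsrules_unhide_basic
# and the nodes needed for logins (ptys, standard descriptors)
add include $devfsrules_unhide_login
# Add further "add path ... unhide" lines only for devices the jail needs.

# ---- host: /etc/rc.conf ----
jail_www_devfs_enable="YES"
# must match the bracketed name above
jail_www_devfs_ruleset="devfsrules_www_jail"

# ---- check from the host after starting the jail ----
# jls                      (find the jail's JID)
# jexec <JID> ls /dev      (should list only the unhidden nodes)
```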


----------

