# My "Thin" Jail Configuration



## Farhan Khan (Apr 24, 2018)

Hi all, wanted to get a review of my jail configuration. In short, I created a "base" jail and am read-only null-mounting the other jail's static files to it.

Three predicates:

1. /etc/rc.conf will create a bridge0 at startup and add re0 (the public internet) to it.
2. /usr/jail/base is a FreeBSD 11.1 base.txz
3. The IPv6 gateway is 2001:db8::1 and addresses are at 2001:db8::${id} (RFC 3849), and legacy IP is 192.168.10.${id}/24
My /etc/jail.conf is as follows:


```
test {
  $id             = "9";
  $ipaddr4        = "192.168.10.${id}";
  $ipaddr6        = "2001:db8::${id}";
  $mask           = "255.255.255.0";
  $gw4            = "192.168.10.1";
  $gw6            = "2001:db8::1";
  vnet;
  vnet.interface  = "epair${id}b";

  exec.prestart = "ifconfig epair${id} create up";
  exec.prestart += "ifconfig bridge0 addm epair${id}a up";
  # read-only nullfs mounts of the shared base tree into this jail's root
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/bin /usr/jail/${name}/bin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/sbin /usr/jail/${name}/sbin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/sbin /usr/jail/${name}/usr/sbin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/bin /usr/jail/${name}/usr/bin";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/lib /usr/jail/${name}/usr/lib";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/lib32 /usr/jail/${name}/usr/lib32";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/include /usr/jail/${name}/usr/include";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/usr/share /usr/jail/${name}/usr/share";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/lib /usr/jail/${name}/lib";
  exec.prestart += "mount_nullfs -o ro /usr/jail/base/boot /usr/jail/${name}/boot";

  exec.start += "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start += "/sbin/ifconfig epair${id}b inet ${ipaddr4} netmask ${mask} up";
  exec.start += "/sbin/ifconfig epair${id}b inet6 ${ipaddr6} prefixlen 64";
  exec.start += "/sbin/route add default ${gw4}";
  exec.start += "/sbin/route -6 add default ${gw6}";
  exec.start += "/bin/sh /etc/rc";

  exec.poststop = "ifconfig bridge0 deletem epair${id}a";
  exec.poststop += "ifconfig epair${id}a destroy";
  # unmount the mount points inside this jail's root, not the base directories
  exec.poststop += "umount /usr/jail/${name}/bin";
  exec.poststop += "umount /usr/jail/${name}/sbin";
  exec.poststop += "umount /usr/jail/${name}/usr/sbin";
  exec.poststop += "umount /usr/jail/${name}/usr/bin";
  exec.poststop += "umount /usr/jail/${name}/usr/lib";
  exec.poststop += "umount /usr/jail/${name}/usr/lib32";
  exec.poststop += "umount /usr/jail/${name}/usr/include";
  exec.poststop += "umount /usr/jail/${name}/usr/share";
  exec.poststop += "umount /usr/jail/${name}/lib";
  exec.poststop += "umount /usr/jail/${name}/boot";

  host.hostname = "${name}.home.network";
  # must be the same tree the nullfs mounts above are placed in
  path = "/usr/jail/${name}";
  persist;
  enforce_statfs = 2;
  allow.mount;
  allow.mount.tmpfs;
}
```

This way, all jails use the same /usr/jail/base, which reduces redundancy of a lot of files.

Thoughts? Other things I should null-mount? Easier ways to do this? Bad idea?


----------



## Bobi B. (Apr 24, 2018)

Just FYI: sysutils/ezjail mostly does the same, but uses symlinks instead of that many nullfs(5) mounts. Take a look.



Farhan Khan said:


> /usr/jail/base is a FreeBSD 11.1 base.txz


Remember to freebsd-update(8) base! (ezjail takes care of this as well).


----------



## Farhan Khan (Apr 24, 2018)

I could also do symlinks, but I thought those do not work in a jail?

Also, I didn't understand the second part of your response?


----------



## Bobi B. (Apr 24, 2018)

Farhan Khan said:


> I could also do symlinks, but I thought those do not work in a jail?


Take a look at how ezjail places directories and symbolic links in a jail root file system tree. They work fine, as long as you conform to the chrooted directory hierarchy and mounts.


Farhan Khan said:


> Also, I didn't understand the second part of your response?


base.txz on FreeBSD installation media is the unpatched one, meaning it lacks bug-fixes and security updates. You get FreeBSD `11.1-RELEASE` instead of `11.1-RELEASE-p9` (patch-level 9), which is the current, updated version.
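
The patch-level point above can be checked mechanically before any jail is started from the shared tree. The script below is an added example, not code from the thread or from ezjail; it assumes the thread's layout (`/usr/jail/base`) and that the base tree's `/bin/freebsd-version` script carries a `USERLAND_VERSION="..."` line, which is what `freebsd-version -u` prints. It compares the base tree's recorded userland version with the host's and returns non-zero when the base is behind.

```sh
#!/bin/sh
# Added example (not from the thread): compare the userland patch level of the
# shared base tree with the host's, so an unpatched base.txz is noticed before
# jails are started from it.
# Assumption: ROOT/bin/freebsd-version contains USERLAND_VERSION="X.Y-RELEASE-pN".

# userland_version ROOT : print the userland version recorded in
# ROOT/bin/freebsd-version, e.g. "11.1-RELEASE-p9"; empty if not found.
userland_version() {
    sed -n 's/^USERLAND_VERSION="\(.*\)"$/\1/p' "$1/bin/freebsd-version" 2>/dev/null | head -n 1
}

# patch_level VERSION : print the -pN number, or 0 when there is none
# ("11.1-RELEASE" is patch level 0).
patch_level() {
    case $1 in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *) echo 0 ;;
    esac
}

# base_is_current HOSTROOT BASEROOT : succeed (0) when the base tree is the same
# release as the host and at least as patched; fail (1) otherwise or when a
# version cannot be read.
base_is_current() {
    hv=$(userland_version "$1")
    bv=$(userland_version "$2")
    [ -n "$hv" ] && [ -n "$bv" ] || return 1
    # release part must match, e.g. both 11.1-RELEASE
    [ "${hv%%-p*}" = "${bv%%-p*}" ] || return 1
    [ "$(patch_level "$bv")" -ge "$(patch_level "$hv")" ]
}

# Usage on the host (as root), with the thread's base tree:
#   base_is_current / /usr/jail/base || freebsd-update -b /usr/jail/base fetch install
```

`freebsd-update -b` points the updater at a tree other than `/`, which is how the shared base is patched once for every thin jail that nullfs-mounts it.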


----------



## SirDice (Apr 24, 2018)

Most of the mounting can be done using a /etc/fstab.<jailname> and enabling `mount.fstab`:

```
mount.fstab
             An fstab(5) format file containing filesystems to mount before
             creating a jail.
```
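
To show how the ten `mount_nullfs`/`umount` pairs from the opening post collapse into the `mount.fstab` approach suggested here, the script below is an added example, not code from the thread, ezjail or jail(8). It assumes the thread's layout (base tree at `/usr/jail/base`, jail root at `/usr/jail/<name>`) and the same directory list as the original configuration. It generates `/etc/fstab.<jailname>` in fstab(5) format and checks that every mount point already exists inside the thin jail root, because mount(8) fails on a missing directory and the jail then never starts.

```sh
#!/bin/sh
# Added example (not from the thread): build /etc/fstab.<jailname> for the
# read-only nullfs mounts, so that jail(8)'s mount.fstab mounts them before the
# jail is created and unmounts them when it is removed.
# Assumed paths follow the thread: base tree $BASE, jail root $JAILROOT.

# Directories shared read-only from the base tree (same set as the original post).
SHARED_DIRS="bin sbin usr/sbin usr/bin usr/lib usr/lib32 usr/include usr/share lib boot"

# gen_fstab BASE JAILROOT : print one fstab(5) line per shared directory.
gen_fstab() {
    base=$1
    root=$2
    for d in $SHARED_DIRS; do
        # nullfs, read-only; "0 0" = not dumped, no fsck pass
        printf '%s/%s %s/%s nullfs ro 0 0\n' "$base" "$d" "$root" "$d"
    done
}

# check_mountpoints JAILROOT : report every missing target directory;
# returns 1 if any is missing, 0 when all exist.
check_mountpoints() {
    root=$1
    missing=0
    for d in $SHARED_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing mount point: $root/$d" >&2
            missing=1
        fi
    done
    return $missing
}

# make_mountpoints JAILROOT : create the empty target directories in the thin jail.
make_mountpoints() {
    root=$1
    for d in $SHARED_DIRS; do
        mkdir -p "$root/$d"
    done
}

# Usage on the host (as root), for the jail named "test":
#   make_mountpoints /usr/jail/test
#   check_mountpoints /usr/jail/test && gen_fstab /usr/jail/base /usr/jail/test > /etc/fstab.test
# and in jail.conf replace the mount_nullfs/umount lines with:
#   mount.fstab = "/etc/fstab.${name}";
```

Because jail(8) unmounts the `mount.fstab` entries itself when the jail is removed, the `exec.poststop` umount lines go away with the prestart mounts, and the mount points are named in exactly one place.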


----------



## michael_hackson (Apr 26, 2018)

I used this guide: http://srobb.net/nullfsjail.html
teamed up with the handbook.

It was plain easy and so far so good.


----------

