# Jail setup from scratch



## CLUBTURBO (Nov 24, 2008)

Hello everyone.
I have been learning to setup jails!
I have found a few to work better then others.
I would like to ask if I could get some others in put
on how others may have set them up.

I have two PIII 1gHz box's I am using
1 dual PIII with 756 megs of mem.
1 with half gig of mem, both on a home LAN.

Thanks for your time


----------



## mousaka (Nov 24, 2008)

I like ezjail very much to setup jails.

I wouldn't use to many jails one your machines because of the amount of memory they have. I use two jails on my server at home:

First for internal services (samba, openldap)
Second for external services (egroupware, mysql, apache, dovecot)
With external I meaning services I (and others) can reach from the internet. I hope in case of an exploit only the external jail (and its data) is in danger.  

mousaka


----------



## SirDice (Nov 24, 2008)

I use 3.. One with apache, one with an irc daemon (both are accessible from the internet) and one I use for package building.


----------



## anomie (Nov 24, 2008)

Three jails on a work server: 

 httpd/ssl + dokuwiki
 developer area (perl and some other utilities)
 squid http proxy


----------



## nrg3k (Nov 25, 2008)

Is there a hard-limit or resource formula for building a massive jail server? i have a large system with 8 jails. The server has 8GB of RAM, 6TB RAID storage and dual quad-core CPUs.

DJM:>


----------



## danger@ (Nov 25, 2008)

don't know the type of JID, but that might be the only limiting factor...


----------



## mousaka (Nov 25, 2008)

Jail resources mostly depend on what you run in your jails respectivly their load. In my experience a process use the same resource in a jail as on the host system while generating minimal overhead compared to other "virtualization solutions".
Main problem might be spreading of resources (cpu time), as there is now easy way to limit jail resources to individual jails.

@nrg3k: your hardware is much more powerful than that one from the intial poster. For a fairly used webserver (Apache, PHP, MYSQL) 1G RAM and one cpu core might be a good start, which would give about 8 jails. 

mousaka


----------



## Erratus (Nov 26, 2008)

*What makes the difference?*



			
				CLUBTURBO said:
			
		

> Hello everyone.
> I have been learning to setup jails!
> I have found a few to work better then others.



Hi,

can you tell us the jails that you find working good?
And what is the difference to that ones which don't work out that good?

Erratus


----------



## SirDice (Nov 26, 2008)

Here's a little script I use to setup my jails. Most of it came from the man page. The make.conf/src.conf settings I found by trail and error.

```
#!/bin/sh

JNUM=1
HOST=build

IP=192.168.1.19$JNUM

D=/storage/FreeBSD/build

SRCCONF=/etc/src.conf.$HOST

cd /usr/src
make installworld DESTDIR=$D
cd etc
make distribution DESTDIR=$D
cd $D
ln -sf dev/null kernel

touch $D/etc/fstab

cat > $D/etc/resolv.conf <<RESOLV
search dicelan.home.
nameserver 192.168.1.1
RESOLV

cat > $D/etc/rc.conf <<RCCONF
hostname="$HOST.dicelan.home"
interfaces=""
syslogd_flags="-ss"
sendmail_enable="NONE"
sshd_enable="NO"
RCCONF

cp /etc/make.conf.clean $D/etc/make.conf
cp /root/.cshrc $D/root/.cshrc

mkdir $D/usr/ports
mkdir $D/tmp/build
```


```
WITHOUT_ACPI=       true    # do not build acpiconf(8) and related programs
WITHOUT_BOOT=       true    # do not build boot blocks and loader
WITHOUT_BLUETOOTH=  true    # do not build Bluetooth related stuff
WITHOUT_FORTRAN=    true    # do not build g77 and related libraries
WITHOUT_GDB=        true    # do not build GDB
WITHOUT_GPIB=       true    # do not build GPIB support
WITHOUT_I4B=        true    # do not build isdn4bsd package
WITHOUT_IPFILTER=   true    # do not build IP Filter package
WITHOUT_PF=         true    # do not build PF firewall package
WITHOUT_AUTHPF=     true    # do not build and install authpf (setuid/gid)
WITHOUT_KERBEROS=   true    # do not build and install Kerberos 5 (KTH Heimdal)
WITHOUT_LPR=        true    # do not build lpr and related programs
WITHOUT_MAILWRAPPER=true    # do not build the mailwrapper(8) MTA selector
WITHOUT_MODULES=    true    # do not build modules with the kernel
WITHOUT_SHAREDOCS=  true    # do not build the 4.4BSD legacy docs
WITHOUT_NETCAT=     true    # do not build netcat
#WITHOUT_NIS=        true    # do not build NIS support and related programs
WITHOUT_SENDMAIL=   true    # do not build sendmail and related programs
WITHOUT_USB=        true    # do not build usbd(8) and related programs
WITHOUT_VINUM=      true    # do not build Vinum utilities
WITHOUT_ATM=        true    # do not build ATM related programs and libraries
#WITHOUT_CRYPT=      true    # do not build any crypto code
WITHOUT_GAMES=      true    # do not build games (games/ subdir)
#WITHOUT_INFO=       true    # do not make or install info files
WITHOUT_MAN=        true    # do not build manual pages
WITHOUT_PROFILE=    true    # Avoid compiling profiled libraries

# BIND OPTIONS
WITHOUT_BIND=               true    # Do not build any part of BIND
WITHOUT_BIND_DNSSEC=        true    # Do not build dnssec-keygen, dnssec-signzone
WITHOUT_BIND_ETC=           true    # Do not install files to /etc/namedb
WITHOUT_BIND_LIBS_LWRES=    true    # Do not install the lwres library
WITHOUT_BIND_MTREE=         true    # Do not run mtree to create chroot directories
WITHOUT_BIND_NAMED=         true    # Do not build named, rndc, lwresd, etc.
```


----------



## nrg3k (Nov 26, 2008)

I started with jails before most of the docs were written, but now i see quite a few good websites. Here is one that i've used recently:

http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail

The two big time savers for me were knowing about setting unique addresses for software running on the master system (SSH, Apache, etc) so the parent doesn't take over all your extra IP addresses.. and also to build a template jail which you do builds in. I use this jail to make copies for subsequent new jails that i deploy later - just remember to unmount /dev from the template jail before copying it

DJM:>


----------



## mousaka (Nov 26, 2008)

nrg3k said:
			
		

> .. and also to build a template jail which you do builds in. I use this jail to make copies for subsequent new jails that i deploy later - just remember to unmount /dev from the template jail before copying it


Which are some of the features of the already mentioned ezjail utitlity.

mousaka


----------



## danger@ (Nov 28, 2008)

BTW, please check the following URL, it would be nice if you could provide some feedback:

http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000619.html


----------



## CLUBTURBO (Dec 4, 2008)

Thanks everyone!
I was just looking for the everyday usefullness of a jailed BSD system.
I have used Freebsd from about 5.4 or so.
Local Web server stuff mainly, oScommance alot too.
Osc is why I got in to Freebsd, my host ( aplus.net ) used it alot.
I do use a few Freebsd PC laying around for a few things.
Lots of  ports to play with & see what gives,

Thanks again


----------



## mator (Dec 9, 2008)

*ezjails and ports*

hello.

can someone tell me please, how do i use ports collection in jail created by ezjail-admin? 

```
# csup /root/ports-supfile
Connected to 195.14.50.21
Updating collection ports-all/cvs
 Checkout ports/.cvsignore
Updater failed: Cannot create directories leading to "/usr/ports/.cvsignore": File exists
# ls -ld /usr/ports 
lrwxrwxrwx  1 root  wheel  19 Dec  9 14:25 /usr/ports -> /basejail/usr/ports
# mkdir /basejail/usr/ports
mkdir: ports: Read-only file system
```

i don't have access to /basejail/usr/ports 
how to install ports into basejail ?

Thanks.


----------



## cajunman4life (Dec 9, 2008)

mator said:
			
		

> i don't have access to /basejail/usr/ports
> how to install ports into basejail ?



Same way you install them from the host system.

Log in to the jail, and run portsnap fetch extract.

Alternatively, you can mount your /usr/ports using nullfs from the host system so it appears in the jail.


----------



## Ole (Dec 9, 2008)

mator said:
			
		

> hello.
> 
> can someone tell me please, how do i use ports collection in jail created by ezjail-admin?
> 
> ...



I not know what proposed by original ez-jail author, but i doing:
1) (delete original symlink)


> rm -f /basejail/usr/ports


2) add string for mount /usr/ports from you "root" system though nullfs to jail:
/etc/fstab.<YOUR_JAIL_NAME>


> /usr/ports <full_path_to_jail>/usr/ports nullfs rw 0 0


3) make symlink for distfiles in jail:


> jexec <pidjail> /bin/csh
> mkdir /var/ports
> ln -s /usr/ports/distfiles /var/ports/distfiles


or without entering to jail:


> mkdir <full_path_to_jail>/var/ports
> ln -s <full_path_to_jail>/usr/ports/distfiles <full_path_to_jail>/var/ports



PS: With that you may update /usr/ports in master (portsnap fetch update; portsdb -uF; pkgdb -F) and after that working in jail (with running pkgdb -F after every update)


----------

