FreeBSD jails: Difference between revisions

From Sasara
Latest revision as of 23:24, 27 September 2025

FreeBSD jails are a process isolation tool on FreeBSD (surprising though it may seem) that extends chroot(8) in wonderful ways.

Essential reading

* FreeBSD Handbook chapter 17: Jails and Containers: https://docs.freebsd.org/en/books/handbook/jails/
* Jail vnet by Examples, by Oliver Cochard-Labbé: https://freebsdfoundation.org/wp-content/uploads/2020/03/Jail-vnet-by-Examples.pdf

Basic configuration

/etc/jail.conf

## Don't import host env vars
exec.clean;
 
## Start/stop jails
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
 
## Allow fdescfs and procfs (for services like Plex)
mount.devfs;
allow.mount.fdescfs;
allow.mount.procfs;
 
## Standard hostnames and locations based on jail name
path="/jail/${name}";
host.hostname="${name}.host.lan";
mount.fstab="/etc/fstab.${name}";

/etc/jail.conf.d/jailname.conf

jailname {
  ## Example address; must lie in the range configured on lo1 below
  ip4.addr="10.10.10.1";

  ## Required for Postgres
  allow.sysvipc=1;

  ## Required by some services
  mount.fdescfs;
  mount.procfs;
}

Quick and dirty jails with loopback networking

Enable IP forwarding

# sysctl net.inet.ip.forwarding=1
# echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf

Configure loopback interface

# sysrc cloned_interfaces="lo1"
# sysrc ipv4_addrs_lo1="10.10.10.1-9/29"

Configure pf

 ## pf.conf
 [...]
 nat pass on $EXT_IF from $NET_JAIL to any -> $EXT_IP
 rdr pass on $EXT_IF proto tcp from any to $EXT_IP port $WWW_PORT -> $WWW_JAIL
 [...]
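A complete pf.conf that the fragment above could be cut from, added here as an example rather than taken from the original page. The interface name, public address and the SSH rule are assumptions; the jail addresses follow the lo1 range configured above.

```pf
## /etc/pf.conf (added example; adjust the assumed values to your host)
EXT_IF = "em0"                # assumed external interface
EXT_IP = "192.0.2.10"         # assumed public address of the host
NET_JAIL = "10.10.10.0/29"    # the lo1 range from ipv4_addrs_lo1
WWW_JAIL = "10.10.10.1"       # ip4.addr of the jail serving HTTP
WWW_PORT = "80"

set skip on lo0               # never filter the host loopback
scrub in all                  # normalise fragments before translation

## Translation rules come before filter rules in this pf syntax.
## "pass" on a nat/rdr rule means matching packets skip the filter rules,
## so only the translated traffic below gets through the default deny.
# Jails on lo1 reach the outside only through the host's address
nat pass on $EXT_IF from $NET_JAIL to any -> $EXT_IP
# Expose exactly one port of one jail
rdr pass on $EXT_IF proto tcp from any to $EXT_IP port $WWW_PORT -> $WWW_JAIL

## Default deny inbound, allow outbound, then open what is needed
block in log all
pass out quick keep state

# Administration: SSH to the host itself, not to the jails (assumed)
pass in on $EXT_IF proto tcp to $EXT_IP port 22 flags S/SA keep state
# Jails may talk to the host and to each other over lo1
pass in on lo1 from $NET_JAIL to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `service pf reload`; a syntax error would otherwise leave the old ruleset in place.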

Better vnet-based networking

#TODO here!

Better IPv6-based networking

#TODO here!