FreeBSD jails
From Sasara
FreeBSD jails are a process isolation tool on FreeBSD (surprising though it may seem) that extends chroot(8) in wonderful ways.
Essential reading
Basic configuration
/etc/jail.conf
## Don't import host env vars
exec.clean;
## Start/stop jails
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
## Mount devfs, and allow fdescfs and procfs to be mounted inside the jail (needed by services like Plex)
mount.devfs;
allow.mount.fdescfs;
allow.mount.procfs;
## Standard hostnames and locations based on jail name
path="/jail/${name}";
host.hostname="${name}.host.lan";
mount.fstab="/etc/fstab.${name}";
/etc/jail.conf.d/jailname.conf
jailname {
## Example address from the loopback range set up below
ip4.addr="10.10.10.1";
## Required for Postgres
allow.sysvipc=1;
## Required by some services
mount.fdescfs;
mount.procfs;
}
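As an added illustration (not part of the original page or of FreeBSD), a small linter for jail.conf statements like the ones above: it parses global and per-jail parameters, expands ${name}, reports a statement that lacks its ';' terminator, and flags allow.* parameters that widen what the jail may do. It assumes one statement per line and that global statements precede the jail blocks; the sample config is constructed here.

```python
import re
# allow.* parameters that extend the jail's reach beyond the default; exact names only
RISKY_ALLOW = {
    "allow.sysvipc": "shares the System V IPC namespace with the host "
                     "(FreeBSD 11+ offers sysvmsg/sysvsem/sysvshm=new instead)",
    "allow.raw_sockets": "lets the jail craft raw packets; needed for ping, not for most daemons",
    "allow.mount": "lets the jail mount filesystems",
}
# one statement per line (assumption): "name;" (boolean true) or "name = value;"
STMT = re.compile(r'^([\w.]+)\s*(?:=\s*("[^"]*"|[^;]+?))?\s*;$')
# constructed sample mirroring the page's jail.conf, including a missing ';'
SAMPLE = """exec.clean;
path="/jail/${name}";
host.hostname="${name}.host.lan";
www {
  ip4.addr="10.10.10.1"     ## no terminator
  allow.sysvipc=1;
  mount.procfs;
}
"""

def parse_jail_conf(text):
    """Return (globals, {jail: params}, problems). Jail blocks inherit the globals
    defined before them, and ${name} is expanded to the jail name (assumptions)."""
    globals_, jails, problems, current = {}, {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # '#' and '##' both start comments
        if not line:
            continue
        if line.endswith("{"):                         # "jailname {" opens a jail block
            current = line[:-1].strip()
            jails[current] = dict(globals_)
            continue
        if line == "}":
            current = None
            continue
        m = STMT.match(line)
        if not m:
            problems.append(f"line {lineno}: missing ';' or bad syntax: {line}")
            continue
        key, val = m.group(1), m.group(2)
        val = "1" if val is None else val.strip('"')   # bare "name;" means true
        (jails[current] if current else globals_)[key] = val
        if key in RISKY_ALLOW and val not in ("0", "false"):
            problems.append(f"line {lineno}: {current or 'global'}: {key}={val} {RISKY_ALLOW[key]}")
    for name, params in jails.items():
        for key, val in params.items():
            params[key] = val.replace("${name}", name)
    return globals_, jails, problems
```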
Quick and dirty jails with loopback networking
Enable IP forwarding
# sysctl net.inet.ip.forwarding=1
Configure loopback interface
# sysrc cloned_interfaces="lo1"
# sysrc ipv4_addrs_lo1="10.10.10.1-9/29"
Configure pf
## pf.conf
[...]
nat pass on $EXT_IF from $NET_JAIL to any -> $EXT_IP
rdr pass on $EXT_IF proto tcp from any to $EXT_IP port $WWW_PORT -> $WWW_JAIL
[...]
Better vnet-based networking
#TODO here!
Better IPv6-based networking
#TODO here!