FreeBSD jails are a virtualization technology you may have overlooked for too long. They are operating-system-level virtualization and one of the characteristics that sets FreeBSD apart from Linux. Solaris brought the idea to mainstream corporate use with Zones and, as could not be otherwise, the Illumos folks carry it on as well.
But what are FreeBSD jails? Some sort of chroot? Well… any time someone mentions chroot to a FreeBSD person it can be a bit offensive, but you are allowed to think of them as chroot on steroids. What FreeBSD jails are, and Solaris Zones as well, is the OS capability of having different userlands running on the same kernel. Obviously there is one “main” userland, which we can call the “host”, and the rest of the userlands can be considered the “guests”. Each of those userlands, from now on jails, gets its own network stack as well, its own directory tree, etc., and is bound to itself: it can’t escape. Even the root user is confined to the jail; it can’t get out of it, nor even tell it has been jailed.
Unlike other sorts of virtualization there is no performance penalty, since all of those jails are using the same kernel. And unlike other solutions there is not one kernel (the so-called hypervisor) controlling the real hardware while another one on top controls the userland attached to it, being lied to about the hardware and about who is really in control.
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.
Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.
Mind Vultr supports FreeBSD on their VPS offer.
OK, it’s not a chroot, nor is it some sort of Xen or KVM: it’s a jail. Got it. How can I build one, experiment with one, how do I get my hands on it? There are two main ways to do this: the hard way, which is not that hard but a bit more tedious and takes some more time, and the easy one. The hard one is very well described in the manual. One can get the necessary software from the installation disc and set a jail path where all the software but the kernel will be installed. The alternative to this process is using tools such as CBSD, Ezjail or Iocage. I have used Ezjail and Iocage and both have been pretty handy and easy to use. Iocage is my preferred one, but it requires the ZFS file system in order to function, so if you plan to use UFS (the good old Unix File System) Ezjail becomes a good choice.
Iocage has just been rewritten in Python 3 and it’s working great. With it, creating and managing jails becomes easy and fast. The manual explains it all, but here are a few things you can do with it: create, clone, import/export, configure, enable a jail to start at boot time, make templates, make snapshots of jails. Below I paste the output of the “get all” properties command so you get an idea of the things you can set with iocage.
albert@BSDVM:~ % sudo iocage get all nagios
CONFIG_VERSION:9
allow_chflags:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
available:readonly
basejail:no
boot:off
bpf:no
children_max:0
cloned_release:11.1-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:none
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:nagios
host_hostuuid:nagios
host_time:yes
hostid:c1a25117-442b-4850-8bdb-12336647dea2
interfaces:vnet0:bridge0
ip4:new
ip4_addr:em0|192.168.1.104/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/nagios/data
jail_zfs_mountpoint:none
last_started:2018-01-02 23:52:28
login_flags:-f root
mac_prefix:02ff60
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.1-RELEASE-p6
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:off
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
wallclock:off
So, there are quite a few things you can set, touch, arrange and modify in a jail using Iocage. One thing you should be aware of is that firewall management is done at the host level, so the rules applied on the host are the ones enforced on the guests.
It all looks very nice and beautiful, but there are a couple of known caveats; once they are known you can stay very comfortable and confident with the system. One is the lack of ping inside a jail. That is, there is no access to raw sockets from within a jail. That can be “corrected” at the host level by allowing raw socket access. Mind this amounts to disabling a security feature, so treat it as such. The second problem is an old UNIX thing still present on FreeBSD: SysV IPC. Yes, still there. That means, for example, that if you plan to run PostgreSQL in several jails they have to run under different UIDs or you may end up in trouble. If you are the only one running the box, meaning the host, both issues shouldn’t be a big deal, especially if taken into account beforehand. But if you plan to host different parties on the same host, take them more seriously and act accordingly. Now, yes, there are plans to correct both issues, but they haven’t been implemented yet and some people are trying to figure this out.
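A quick way to keep an eye on both caveats is to audit a jail’s properties before handing it to a tenant. The script below is an added example, not part of the article or of the iocage project: it reads the key:value listing that “iocage get all” prints (the format shown above) and flags the settings that relax isolation, such as allow_raw_sockets set to 1 or a SysV IPC namespace set to inherit. The listings it runs on are constructed for the demo; on a real host you would pipe the live iocage output into it.

```shell
#!/bin/sh
# Added example (not from the article or iocage): audit "iocage get all <jail>"
# output for settings that widen a jail's boundary. Property names are the
# ones iocage prints; the two listings below are constructed samples.

# Constructed sample: a trimmed listing with raw sockets enabled.
SAMPLE_PROPS='allow_raw_sockets:1
allow_sysvipc:0
allow_mount:0
allow_mount_nullfs:0
securelevel:2
enforce_statfs:2
sysvmsg:new
sysvsem:new
sysvshm:new
ip4_addr:em0|192.168.1.104/24
last_started:2018-01-02 23:52:28'

# Constructed sample with nothing to report.
CLEAN_PROPS='allow_raw_sockets:0
allow_sysvipc:0
allow_mount:0
securelevel:2
enforce_statfs:2
sysvshm:new'

# audit_jail_props: read key:value lines on stdin and print one WARN line per
# setting that relaxes isolation. Exit status is 1 when anything was flagged,
# 0 otherwise, so the function can gate a provisioning script.
audit_jail_props() {
    awk -F: '
        $1 == "allow_raw_sockets" && $2 == "1" {
            print "WARN allow_raw_sockets=1 (raw sockets, e.g. ping, available inside the jail)"; n++ }
        $1 == "allow_sysvipc" && $2 == "1" {
            print "WARN allow_sysvipc=1 (SysV IPC shared with the host and other jails)"; n++ }
        $1 ~ /^sysv(msg|sem|shm)$/ && $2 == "inherit" {
            print "WARN " $1 "=inherit (SysV IPC namespace shared with the host)"; n++ }
        $1 ~ /^allow_mount/ && $2 == "1" {
            print "WARN " $1 "=1 (jail may mount file systems)"; n++ }
        $1 == "securelevel" && $2 + 0 < 2 {
            print "WARN securelevel=" $2 " (below 2)"; n++ }
        $1 == "enforce_statfs" && $2 + 0 < 2 {
            print "WARN enforce_statfs=" $2 " (mount table visible beyond the jail root)"; n++ }
        END { exit (n > 0) ? 1 : 0 }
    '
}

# Stand-alone demo on the constructed listings.
printf '%s\n' "$SAMPLE_PROPS" | audit_jail_props || echo "sample jail: review the settings above"
printf '%s\n' "$CLEAN_PROPS" | audit_jail_props && echo "clean jail: nothing flagged"

# Live use on a FreeBSD host (assumed invocation; iocage is not needed for the demo):
#   sudo iocage get all nagios | audit_jail_props
```

The nagios listing above would produce exactly one warning, for allow_raw_sockets, which is the trade-off the text describes: ping works inside the jail because a security feature was switched off for it.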
Now let’s play with the actual tool. I’ll use Iocage since it’s my preferred one but you can also play with other frameworks such as Ezjail or CBSD.
So the first thing you’ll do is install the iocage framework by issuing the following command.
albert@B590:~ % sudo pkg install py36-iocage-0.9.10
Some dependencies will be pulled in as well. Once installed you have to activate it. To do so, remember iocage depends on the ZFS file system, so you have to activate iocage on the ZFS pool you want to use. If you are working locally you will usually have one pool, but you may have several.
albert@B590:~ % sudo zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 7.52G 277G 88K /zroot
zroot/ROOT 585M 277G 88K none
zroot/ROOT/default 585M 277G 585M /
zroot/iocage 4.87G 277G 96K /iocage
zroot/iocage/download 260M 277G 88K /iocage/download
zroot/iocage/download/11.1-RELEASE 260M 277G 260M /iocage/download/11.1-RELEASE
zroot/iocage/images 1.42G 277G 1.42G /iocage/images
zroot/iocage/jails 2.26G 277G 88K /iocage/jails
zroot/iocage/jails/nagios 755M 277G 92K /iocage/jails/nagios
zroot/iocage/jails/nagios/root 755M 277G 755M /iocage/jails/nagios/root
zroot/iocage/log 96K 277G 96K /iocage/log
zroot/iocage/releases 961M 277G 88K /iocage/releases
zroot/iocage/releases/11.1-RELEASE 961M 277G 88K /iocage/releases/11.1-RELEASE
zroot/iocage/releases/11.1-RELEASE/root 961M 277G 961M /iocage/releases/11.1-RELEASE/root
zroot/iocage/templates 88K 277G 88K /iocage/templates
zroot/tmp 88K 277G 88K /tmp
zroot/usr 2.07G 277G 88K /usr
zroot/usr/home 1.42G 277G 1.42G /usr/home
zroot/usr/ports 663M 277G 663M /usr/ports
zroot/usr/src 88K 277G 88K /usr/src
zroot/var 604K 277G 88K /var
zroot/var/audit 88K 277G 88K /var/audit
zroot/var/crash 88K 277G 88K /var/crash
zroot/var/log 164K 277G 164K /var/log
zroot/var/mail 88K 277G 88K /var/mail
zroot/var/tmp 88K 277G 88K /var/tmp
albert@B590:~ %
So this ZFS pool is called zroot. We now activate it by typing:
albert@B590:~ % sudo iocage activate zroot
ZFS pool 'zroot' successfully activated.
albert@B590:~
Before we create our first jail we’ll have to pull the sources for our jails. We do this with:
albert@B590:~ % sudo iocage fetch
[0] 9.3-RELEASE (EOL)
[1] 10.1-RELEASE (EOL)
[2] 10.2-RELEASE (EOL)
[3] 10.3-RELEASE
[4] 10.4-RELEASE
[5] 11.0-RELEASE (EOL)
[6] 11.1-RELEASE
Type the number of the desired RELEASE
Press [Enter] to fetch the default selection: (11.1-RELEASE)
Type EXIT to quit:
You now choose the release you want to target. This will pull everything but the kernel, and it will probably be updated automatically when the base jail is created. Of course you can have different versions, so if you are a developer targeting different OS versions this is a safe way to play with your new creation.
Once the base jail(s) are set up on the system you can create your first jail by issuing the following command:
albert@B590:~ % sudo iocage create -r 11.1-RELEASE --name article ip4_addr="em0|192.168.1.200/24"
Mind you have to specify the release you want the jail to be created from. The name can be skipped, but then iocage will set a long string of numbers and letters as the jail id; and of course you want to set an IP. You can have a jail with no network access if you wish, but I am afraid most of you will attach a network stack to it.
The result:
albert@B590:~ % sudo iocage create -r 11.1-RELEASE --name article ip4_addr="re0|192.168.1.200/24"
Password:
article successfully created!
albert@B590:~ %
If you list the jails on this system:
albert@B590:~ % sudo iocage list
+-----+-------------+-------+--------------+---------------+
| JID | NAME | STATE | RELEASE | IP4 |
+=====+=============+=======+==============+===============+
| - | article | down | 11.1-RELEASE | 192.168.1.200 |
+-----+-------------+-------+--------------+---------------+
| - | nagios | down | 11.1-RELEASE | 192.168.1.104 |
+-----+-------------+-------+--------------+---------------+
| - | cabrasovietica | down | 11.1-RELEASE | 192.168.1.105 |
+-----+-------------+-------+--------------+---------------+
albert@B590:~ %
And now you can fire up the newly created jail:
albert@B590:~ % sudo iocage start article
* Starting article
+ Started OK
+ Starting services OK
albert@B590:~ %
If you list the jails again you’ll find it up and running.
albert@B590:~ % sudo iocage list
+-----+-------------+-------+--------------+---------------+
| JID | NAME | STATE | RELEASE | IP4 |
+=====+=============+=======+==============+===============+
| 1 | article | up | 11.1-RELEASE | 192.168.1.200 |
+-----+-------------+-------+--------------+---------------+
| - | nagios | down | 11.1-RELEASE | 192.168.1.104 |
+-----+-------------+-------+--------------+---------------+
| - | cabrasovietica| down | 11.1-RELEASE | 192.168.1.105 |
+-----+-------------+-------+--------------+---------------+
albert@B590:~ %
To access the jail you have to invoke the console subcommand of iocage.
albert@B590:~ % sudo iocage console article
FreeBSD 11.1-RELEASE-p4 (GENERIC) #0: Tue Nov 14 06:12:40 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@article:~ #
Now, is this a separate guest inside the host? Let’s see.
This is the network connection information from inside the jail:
root@article:~ # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 3c:97:0e:ea:72:91
hwaddr 3c:97:0e:ea:72:91
inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
root@article:~ #
And this is the information from the host:
albert@B590:~ % ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 3c:97:0e:ea:72:91
hwaddr 3c:97:0e:ea:72:91
inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
albert@B590:~ %
Notice the two IP addresses on the host but just one in the jail.
We’ll now install some software inside the jail, software which won’t be installed on the host. I’ve chosen the Apache web server. I’ll fire it up and you’ll see.
First things first. This jail is like a freshly installed FreeBSD box, so there are no packages, nothing at all. Let’s pull the package repository information or, if you prefer, the ports collection (if you don’t know the difference: packages are regular binaries already compiled and ready to use, while the ports collection is FreeBSD’s sensible solution for pulling source code from the original sources so you can compile it with your own options set).
root@article:~ # pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[article] Installing pkg-1.10.3_1...
[article] Extracting pkg-1.10.3_1: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[article] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[article] Fetching packagesite.txz: 100% 6 MiB 1.5MB/s 00:04
Processing entries: 100%
FreeBSD repository update completed. 28747 packages processed.
All repositories are up to date.
root@article:~ #
Now let’s install the Apache web server.
root@article:~ # pkg install apache24
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 12 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
apache24: 2.4.29
libnghttp2: 1.29.0
libxml2: 2.9.7
expat: 2.2.5
perl5: 5.24.3
pcre: 8.40_1
apr: 1.6.3.1.6.1
gdbm: 1.13_1
indexinfo: 0.3.1
readline: 7.0.3_1
gettext-runtime: 0.19.8.1_1
db5: 5.3.28_6
Number of packages to be installed: 12
The process will require 143 MiB more space.
34 MiB to be downloaded.
Proceed with this action? [y/N]: y
Once installed, as you always do in FreeBSD, you set it to start at boot time by typing the following, which writes the correct line into /etc/rc.conf.
root@article:~ # sysrc apache24_enable="YES"
apache24_enable: -> YES
root@article:~ #
You can now start the Apache web server in the jail.
root@article:~ # service apache24 onestart
Performing sanity check on apache24 configuration:
AH00557: httpd: apr_sockaddr_info_get() failed for article
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00557: httpd: apr_sockaddr_info_get() failed for article
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
root@article:~ #
Let’s find out its PID.
root@article:~ # ps aux | grep httpd
root 1496 0.0 0.1 75968 4192 - SsJ 16:01 0:00.01 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1497 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1498 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1499 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1500 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1501 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 1504 0.0 0.0 14828 1848 0 S+J 16:01 0:00.00 grep httpd
root@article:~ #
Can we see these processes from the host, that is, from outside the jail? Yes we can:
albert@B590:~ % ps aux | grep httpd
root 1496 0.0 0.1 75968 4192 - SsJ 16:01 0:00.01 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1497 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1498 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1499 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1500 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1501 0.0 0.1 75968 4092 - IJ 16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
albert 1508 0.0 0.0 14828 1836 0 S+ 16:02 0:00.00 grep httpd
albert@B590:~ %
This means the host has full visibility of, and control over, what is happening in the jail. But you may wonder… can I see processes from one jail in another jail? Or even processes from the host? Let’s find out.
This is a recently created jail.
root@catalanrepublic:~ # hostname
catalanrepublic
root@catalanrepublic:~ #
Let’s see if mysql is running on it.
root@catalanrepublic:~ # ps aux | grep mysql
root 1764 0.0 0.0 10732 1412 0 R+J 16:22 0:00.00 grep mysql
root@catalanrepublic:~ #
Nope, it isn’t. Let’s install it. We’ll install the latest version, but you can install MariaDB or PerconaDB as well.
root@catalanrepublic:~ # pkg install mysql80-server-8.0.2
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 6 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
mysql80-server: 8.0.2
perl5: 5.24.3
libevent: 2.1.8
libedit: 3.1.20170329_2,1
mysql80-client: 8.0.2
liblz4: 1.8.0,1
Number of packages to be installed: 6
The process will require 243 MiB more space.
28 MiB to be downloaded.
Proceed with this action? [y/N]: y
….
Now it’s time to activate MariaDB for boot time.
root@catalanrepublic:~ # sysrc mysql_enable="YES"
mysql_enable: -> YES
root@catalanrepublic:~ #
Let’s start it up:
root@catalanrepublic:~ # service mysql-server onestart
Starting mysql.
root@catalanrepublic:~ #
Let’s complete the install by running the secure_installation thingie and then find the PID of the mysql daemon:
root@catalanrepublic:~ # ps aux | grep mysql
mysql 1847 0.0 0.1 13180 2252 - IsJ 16:27 0:00.06 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/usr/local/etc/mysql
mysql 3123 0.0 10.6 1884092 430204 - IJ 16:27 0:00.70 /usr/local/libexec/mysqld --defaults-extra-file=/usr/local/etc/mysql/my.cnf -
root 3134 0.0 0.0 14828 1892 0 S+J 16:30 0:00.00 grep mysql
root@catalanrepublic:~ #
Now let’s change jail and see if we can see any of the processes of the catalanrepublic jail from the article jail.
root@article:~ # ps aux | grep mysql
root 3149 0.0 0.0 14828 1860 0 S+J 16:32 0:00.00 grep mysql
root@article:~ #
Nope, we can’t. Let’s look from the host at what we can see of the catalanrepublic jail.
albert@B590:~ % ps aux | grep mysql
88 1847 0.0 0.1 13180 2252 - IsJ 16:27 0:00.06 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/usr/local/etc/m
88 3123 0.0 10.6 1884092 430204 - IJ 16:27 0:00.79 /usr/local/libexec/mysqld --defaults-extra-file=/usr/local/etc/mysql/my.c
albert 3152 0.0 0.0 14828 1836 0 S+ 16:32 0:00.00 grep mysql
albert@B590:~ %
And yes, from the host we can see the mysql processes running inside the catalanrepublic jail.
Let’s find out if we can see the Apache web server processes in the article jail from the catalanrepublic one.
root@catalanrepublic:~ # ps aux | grep httpd
root 3190 0.0 0.0 14828 1892 0 S+J 16:35 0:00.00 grep httpd
root@catalanrepublic:~ #
No, again we can’t see processes from one jail in the other. But we can see them all from the host.
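Two details in the listings above are worth pointing out, and the added example below (not from the article) puts them to work. First, FreeBSD’s ps marks every process that runs inside a jail with a J in the STAT column (SsJ, IJ, IsJ above), which is how a host administrator can tell jailed processes from the host’s own. Second, the mysql processes show up on the host as UID 88 rather than “mysql”, because that user exists only in the jail’s /etc/passwd; the host has no name for it. The sample ps output is constructed from the lines on this page.

```shell
#!/bin/sh
# Added example (not from the article): pick out jailed processes from "ps aux"
# output. FreeBSD ps(1) marks a process that runs inside a jail with "J" in the
# STAT column. Constructed sample built from the listings on this page; the
# numeric user 88 is the jail's mysql user, unknown to the host's passwd.
SAMPLE_PS='USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root  1496  0.0  0.1 75968 4192  -  SsJ  16:01 0:00.01 /usr/local/sbin/httpd -DNOHTTPACCEPT
www   1497  0.0  0.1 75968 4092  -  IJ   16:01 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
88    1847  0.0  0.1 13180 2252  -  IsJ  16:27 0:00.06 /bin/sh /usr/local/bin/mysqld_safe
88    3123  0.0 10.6 1884092 430204 - IJ 16:27 0:00.79 /usr/local/libexec/mysqld
albert 1508 0.0  0.0 14828 1836  0  S+   16:02 0:00.00 grep httpd
root     1  0.0  0.0  5412  452  -  ILs  15:58 0:00.01 /sbin/init --'

# jailed_processes: read ps aux output on stdin and print "PID USER COMMAND"
# for every process whose STAT field (column 8) contains J. The header is skipped.
jailed_processes() {
    awk 'NR > 1 && $8 ~ /J/ {
        cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i
        print $2, $1, cmd
    }'
}

# count_jailed: number of jailed processes in the listing on stdin.
count_jailed() {
    jailed_processes | awk 'END { print NR }'
}

# Stand-alone demo on the constructed listing.
printf '%s\n' "$SAMPLE_PS" | jailed_processes
echo "jailed processes: $(printf '%s\n' "$SAMPLE_PS" | count_jailed)"

# Live use on the host (assumed): ps aux | jailed_processes
```

Running this on the host gives an inventory of everything the jails are executing, which is the monitoring vantage point the text describes: the jails see only themselves, the host sees them all.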
We’ll now shift gears up and say… we are in the development cycle of some software and we have finished all the steps needed to get it production ready. Now is the moment to move it to the production boxes. You can start from scratch and build your infrastructure. But you can also export the jail from your development team’s development box and put it straight into the production boxes. How?
First, stop the jail.
albert@B590:~ % sudo iocage stop article
* Stopping article
+ Running prestop OK
+ Stopping services OK
+ Removing jail process OK
+ Running poststop OK
albert@B590:~ %
Now we’ll export the jail, which creates a file system snapshot (remember iocage needs ZFS, which comes in very handy as you can see) and then zips it into a file. You can transfer that file using a USB stick, a hard drive or over the network.
albert@B590:~ % sudo iocage export article
Exporting dataset: zroot/iocage/jails/article
Exporting dataset: zroot/iocage/jails/article/root
Preparing zip file: /iocage/images/article_2018-01-03.zip.
Exported: /iocage/images/article_2018-01-03.zip
albert@B590:~ %
So that’s it: less than two minutes later a zip file has been placed in /iocage/images/. We can now copy this file to a USB stick or hard drive, or send it over the network. I’ll pull it from a VM I have on another box.
albert@BSDVM:~ % sftp 192.168.1.4:/iocage/images
Connected to 192.168.1.4.
Changing to: /iocage/images
sftp> dir
article_2018-01-03.sha256 article_2018-01-03.zip nagios_2018-01-01.zip cabrasovietica_2018-01-01.zip
sftp> get article_2018-01-03.zip
Fetching /iocage/images/article_2018-01-03.zip to article_2018-01-03.zip
/iocage/images/article_2018-01-03.zip 5% 31MB 4.2MB/s 02:03 ETA
After pulling this I will import the zipped image on the other box, and I will reset the ip4_addr property so it works on the new host. I will work as if nothing had happened. Just remember any properties you set on the original host may need to be corrected on the new host. For example the ip4_addr property may have to change because the interface name may be different. Or maybe you set a CPU and RAM consumption limit on your development box but you want to move this jail to a bigger production host, and these properties have to be raised.
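The sftp listing shows that the export left an article_2018-01-03.sha256 file next to the zip. A production host should check the image against it before importing, so that a truncated transfer or an altered archive is refused rather than unpacked. The function below is an added example, not part of the article or of iocage; it does not assume the exact layout of the .sha256 file and simply takes the first 64-character hex token found in it as the expected digest. The image it verifies in the demo is a constructed file, not a real export.

```shell
#!/bin/sh
# Added example (not from the article or iocage): verify an exported jail image
# against the .sha256 file written next to it before "iocage import".

# sha256_of FILE: hex digest using whichever tool the platform provides
# (sha256sum on Linux, sha256(1) on FreeBSD, shasum as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_export ZIP [SUMFILE]: compare the digest of ZIP with the one recorded in
# SUMFILE (default: ZIP with .zip replaced by .sha256). Returns 0 on a match and
# 1 on a mismatch or a missing file, so "verify_export x.zip && iocage import x"
# never imports a damaged or altered image. The .sha256 layout is not assumed:
# the first 64-hex-character token in the file is taken as the expected digest.
verify_export() {
    zip=$1
    sums=${2:-${zip%.zip}.sha256}
    [ -f "$zip" ]  || { echo "missing image: $zip"; return 1; }
    [ -f "$sums" ] || { echo "missing checksum file: $sums"; return 1; }
    expected=$(grep -oE '[0-9a-fA-F]{64}' "$sums" | head -n 1 | tr 'A-F' 'a-f')
    actual=$(sha256_of "$zip")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK: $zip matches $sums"
        return 0
    fi
    echo "MISMATCH: $zip expected ${expected:-<no digest found>} got $actual"
    return 1
}

# Stand-alone demo with a constructed image: the file holds "hello\n", whose
# SHA-256 is 5891b5b5...be03; a second check after appending a byte must fail.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/article_2018-01-03.zip"
echo 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 > "$demo_dir/article_2018-01-03.sha256"
verify_export "$demo_dir/article_2018-01-03.zip"
printf 'x' >> "$demo_dir/article_2018-01-03.zip"
verify_export "$demo_dir/article_2018-01-03.zip" || echo "import refused"
rm -rf "$demo_dir"

# Live use with the paths from the article (assumed):
#   verify_export /iocage/images/article_2018-01-03.zip && sudo iocage import article
```

Copy the .sha256 file together with the zip (sftp “get” both) so the check can run on the receiving side; a digest that only exists on the sending host protects nothing.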
Let’s import the jail into the new host:
albert@BSDVM:/iocage/images % sudo iocage import article
Importing dataset: article
Importing dataset: article/root
Imported: article
albert@BSDVM:/iocage/images %
Let’s list the jails on this other system, which happens to be a VM inside a Linux box.
albert@BSDVM:/iocage/images % sudo iocage list
+-----+-------------+-------+--------------+---------------+
| JID | NAME | STATE | RELEASE | IP4 |
+=====+=============+=======+==============+===============+
| - | article | down | 11.1-RELEASE | 192.168.1.200 |
+-----+-------------+-------+--------------+---------------+
| - | nagios | down | 11.1-RELEASE | 192.168.1.104 |
+-----+-------------+-------+--------------+---------------+
| - | barcelona | down | 11.1-RELEASE | 192.168.1.105 |
+-----+-------------+-------+--------------+---------------+
albert@BSDVM:/iocage/images %
Let’s fire up the imported jail.
albert@BSDVM:~ % sudo iocage start article
* Starting article
+ Start FAILED
ifconfig: interface re0 does not exist
jail: /sbin/ifconfig re0 inet 192.168.1.200/24 alias: failed
albert@BSDVM:~
As mentioned before there might be slight differences in the jail properties. All you have to do is adjust them. In this case ip4_addr is wrong, since the network interface name is different.
albert@BSDVM:~ % sudo iocage get ip4_addr article
re0|192.168.1.200/24
albert@BSDVM:~ %
Our BSDVM host has a different interface: it’s em0 instead of re0. So we change this property.
albert@BSDVM:~ % sudo iocage set ip4_addr="em0|192.168.1.200/24" article
Property: ip4_addr has been updated to em0|192.168.1.200/24
albert@BSDVM:~ %
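The failed start above is easy to catch before it happens: compare the interface named in the jail’s ip4_addr property with the interfaces the host actually has. The script below is an added example, not from the article or from iocage. It handles the single-entry “iface|addr/prefix” form shown on this page, and the host interface list it uses is constructed to match the BSDVM host (em0 plus loopback); on a real host you would feed it the output of ifconfig -l.

```shell
#!/bin/sh
# Added example (not from the article or iocage): pre-flight check of a jail's
# ip4_addr value against the interfaces present on the host, so that
# "ifconfig: interface re0 does not exist" is caught before "iocage start".
# Constructed interface list, assumed to match the BSDVM host in the article.
HOST_IFACES="em0 lo0"

# ip4_addr_iface VALUE: the interface part of an "iface|addr/prefix" value.
ip4_addr_iface() {
    printf '%s\n' "$1" | cut -d'|' -f1
}

# check_ip4_addr VALUE IFACES: validate the value's shape and confirm that its
# interface is in the space-separated list IFACES. Prints a diagnostic and
# returns 1 on a problem, 0 when the jail can be started with this value.
check_ip4_addr() {
    value=$1
    ifaces=$2
    case $value in
        *\|*) ;;
        *) echo "ip4_addr '$value' lacks the 'iface|' prefix"; return 1 ;;
    esac
    iface=$(ip4_addr_iface "$value")
    addr=${value#*\|}
    if ! printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
        echo "ip4_addr '$value': address part '$addr' is not of the form a.b.c.d/nn"
        return 1
    fi
    for i in $ifaces; do
        if [ "$i" = "$iface" ]; then
            echo "ip4_addr '$value': interface $iface present on this host"
            return 0
        fi
    done
    echo "ip4_addr '$value': interface $iface not present on this host (available: $ifaces)"
    return 1
}

# Stand-alone demo: the value exported from the B590 host fails, the corrected one passes.
check_ip4_addr "re0|192.168.1.200/24" "$HOST_IFACES" \
    || echo "fix with: sudo iocage set ip4_addr=\"<iface>|192.168.1.200/24\" article"
check_ip4_addr "em0|192.168.1.200/24" "$HOST_IFACES"

# Live use on the target host (assumed invocation):
#   check_ip4_addr "$(sudo iocage get ip4_addr article)" "$(ifconfig -l)" && sudo iocage start article
```

The same idea extends to any property that refers to something host-specific, such as the bridge named in the interfaces property of a VNET jail: resolve it against the new host before the first start rather than after the first failure.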
And now we fire up the imported jail again.
albert@BSDVM:~ % sudo iocage start article
* Starting article
+ Started OK
+ Starting services OK
albert@BSDVM:~ %
Let’s get into it.
albert@BSDVM:~ % sudo iocage console article
Last login: Wed Jan 3 16:32:06 on pts/0
FreeBSD 11.1-RELEASE-p4 (GENERIC) #0: Tue Nov 14 06:12:40 UTC 2017
Welcome to FreeBSD!
root@article:~ # hostname
article
root@article:~ # ps aux | grep httpd
root 1242 0.0 0.1 75968 4096 - SsJ 17:38 0:00.01 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1273 0.0 0.1 75968 3996 - IJ 17:38 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1274 0.0 0.1 75968 3996 - IJ 17:38 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1275 0.0 0.1 75968 3996 - IJ 17:38 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1276 0.0 0.1 75968 3996 - IJ 17:38 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1277 0.0 0.1 75968 3996 - IJ 17:38 0:00.01 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 1294 0.0 0.0 14828 1764 0 S+J 17:39 0:00.00 grep httpd
root@article:~ #
As you can see we have imported the jail and it’s working correctly. You can also see that the software we installed in it is up and running as expected.
Conclusion. FreeBSD jails are a great tool for provisioning, process isolation, and development and production purposes, without losing performance or handing control to other software layers. They simplify administration with simple yet effective tooling and processes. An administrator can set up a template jail, or several templates, to provide an environment for anyone needing one, be it a developer who needs to test something or a new production environment. They give the administrator the power to manage several environments with enough flexibility, and to manage the whole environment while the clients/users are isolated from each other. At the same time this isolation provides the desired security strength for the users and from the administration point of view. A developer can use FreeBSD jails to set up his/her desired, controlled environment and hand it over to the production folks or management in a way that keeps everybody on the same page, both during development and when fixing actual production issues. Jails can also be deployed through scripts as service demand increases at peak moments or seasons.