In the following document these terms are used
$pool
refers to ZFS pool hosting the jail datasets. e.g.,zroot
$j
refers to the absolute path to the jail root. e.g.,/jails
$name
refers to the jail name both as a directory and a configuration in jail.conf
Root dataset: (only needed for initial setup)
zfs create -o mountpoint $j ${pool}${j}
Per jail chroot dataset: (and install a release)
zfs create ${pool}${j}/$name
tar -xpf /path/to/downloaded/12.1-RELEASE/base.txz -C $j/$name
Set root password within jail chroot, without starting the jail
chroot $j/$name
passwd
adduser
...etc.
Creating delegated dataset: (e.g., for poudriere) Create as unmounted and jailed, so mountpoint will be local to the running jail's chroot
zfs create -u -o mountpoint=/usr/local/poudriere -o jailed=on ${pool}${j}/$name/poudriere
In the jail's /usr/local/etc/poudriere.conf
use these settings:
Must substitute the $…
values to the values from /etc/jail.conf
:
i.e., ${ZPOOL}${ZROOTFS} matches the delegated dataset created above
ZPOOL=$pool
ZROOTFS=$j/$name/poudriere
Substitute @NAME@ appropriately to the name of the jail from /etc/jail.conf
(Other uses of '$' are real shell variables, so do not substitute)
# rc.conf
# offset cron for root jobs
cron_flags="${cron_flags} -J 15"
# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Run secure syslog
syslogd_flags="-c -ss"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
#hostname="@NAME@"
# DHCP
ifconfig_e0b_@NAME@="SYNCDHCP"
#dhclient_program="/usr/local/sbin/dual-dhclient"
#dhclient_program="/usr/local/sbin/dhclient"
#dhclient_flags="-q"
# Static IPs
#ifconfig_e0b_@NAME@="inet 192.168.10.100/24"
#ifconfig_e0b_@NAME@_ipv6="inet6 fd00::192:168:10:100/64"
# Static Routes
#defaultrouter="192.168.10.1"
#ipv6_defaultrouter="fd00::192:168:10:1"
# Enable Services
clear_tmp_enable="YES"
sshd_enable="YES"
Note: when using static IPs copy the host's /etc/resolv.conf into the jail and modify if necessary.
If not used the jail's /etc/fstab
can be empty or absent.
If used, this is placed in: $j/$name/etc/fstab
.
Example for Linux emulation in a jail: (maybe also need enable mount.procfs)
# Device Mountpoint FStype Options Dump Pass#
# linux support
linprocfs /compat/linux/proc linprocfs rw 0 0
tmpfs /compat/linux/dev/shm tmpfs rw,mode=1777 0 0
linsysfs /compat/linux/sys linsysfs rw 0 0
Allows null mounts to host file systems (be sure to update $j and $name in real file)
# Device Mountpoint FStype Options Dump Pass#
/usr/home/toor $j/$name/home/toor nullfs rw,noatime 0 0
/usr/home/other $j/$name/home/other nullfs ro,noatime 0 0
- allows jail access to /dev/bpf in order to use DHCP
- allows jail access to /dev/zfs in order to use zfs commands
# for jails to use fuse, zfs and DHCP
[devfsrules_jail=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide
add path 'bpf*' unhide
or if devfsrules_jail already exists in /etc/devfs.rules a simpler value is:
# for jails to use DHCP
[devfsrules_jail_extra=11]
add include $devfsrules_jail
add path 'bpf*' unhide
Create /etc/jail-update.conf
egrep -v '^(#.*)?$' /etc/freebsd-update.conf > /etc/jail-update.conf
Check the Components
line and remove kernel, possibly remove everything but world:
Components world