FreeBSD jails with ezjail

From Secure Computing Wiki
Revision as of 07:19, 27 September 2007 by Ecrist

At work, we've decided to virtualize all of our FreeBSD production systems with jails. We're hoping this will help with upgrades and potential system failures, as we'll be able to move virtual systems around, where needed, with relative ease.

While setting up jails directly on FreeBSD isn't difficult, there is one major limitation if you're going to run multiple jails on the same host: a complete copy of the base system (/bin, /usr/bin, etc.) has to reside within each jail, so every jail must be patched and upgraded separately. Using a very well written set of shell scripts to manage our jails, however, we're able to keep a single copy of the base system and mount it into every jail read-only with nullfs (FreeBSD 6 and later). Besides saving disk space and upgrade time, a read-only base means that root inside a jail cannot replace the system binaries and libraries the jail runs on.

Here, I'll describe in great detail the entire process I used to install ezjail, build our basejail, and create a flavour [sic] that meets our needs.

Build host system

Install/Update FreeBSD

To begin, we build out our host FreeBSD system. This means a full installation of FreeBSD 6.2 followed by all the updates. While freebsd-update is a rather nice binary update tool, it is advisable to build and install directly from source here: ezjail populates the basejail by running installworld from /usr/src, so you'll end up building world for your jails anyway, and binary updates on the host won't save you any time.

Install Common Ports

Once we have a basic install of FreeBSD, we install postfix with SASL, which our network requires in order to send email; this lets a user send mail with a simple 'mail <user>' and everything gets routed correctly. Along with mail, install any other ports that you'll want on all your jails onto the base system. Ports for individual jails, such as apache or mysql, should not be installed at this time; only ports you want on every jail belong here.

We've installed the following ports:

  • sudo (security/sudo)
  • vim-lite (editors/vim-lite)
  • bash (shells/bash)
  • rsync (net/rsync)

Install ezjail

Now install the ezjail scripts from the FreeBSD ports tree at sysutils/ezjail. This leaves you with an ezjail.sh script, an ezjail-admin.sh script, and an rc script in /usr/local/etc/rc.d. To start our jails at system boot, we add ezjail_enable="YES" to /etc/rc.conf:

echo 'ezjail_enable="YES"' >> /etc/rc.conf

Configure

There is a sample configuration file for ezjail at /usr/local/etc/ezjail.conf.sample; move it to /usr/local/etc/ezjail.conf and edit it, making the appropriate changes for your network. We run our own CVS mirror, so our file looks like this:

ezjail_jaildir=/usr/jails

# Location of the tiny skeleton jail template
ezjail_jailtemplate=${ezjail_jaildir}/newjail

# Location of the huge base jail
ezjail_jailbase=${ezjail_jaildir}/basejail

# Location of your copy of FreeBSD's source tree
ezjail_sourcetree=/usr/src

# In case you want to provide a copy of ports tree in base jail, set this to
# a cvsroot near you
ezjail_portscvsroot=:pserver:anoncvs@<our_local_CVS_mirror>:/home/ncvs

# This is where the install sub command defaults to fetch its packages from
ezjail_ftphost=<our_local_FTP_mirror>

# base jail will provide a soft link from /usr/bin/perl to /usr/local/bin/perl
# to accommodate all scripts using '#!/usr/bin/perl'...
ezjail_uglyperlhack="YES"

Replace <our_local_CVS_mirror> and <our_local_FTP_mirror> with the hostnames of your own mirrors. Note that anonymous pserver CVS and FTP are both unauthenticated, unencrypted transports, so point them at a mirror you control or trust: whatever they serve becomes the ports tree and packages of every jail on the host.

Build basejail

At this time, we should be ready to build our basejail!

Run the following command to build basejail within your configured jail home:

ezjail-admin update -i
  • The -i option above tells ezjail that we've already built world (when we updated FreeBSD on the host system), so it simply runs make installworld into your jail home. Omitting -i makes ezjail build world first, which takes a considerable amount of time.

When this process is complete, you should have a directory structure similar to this in your jail home (/usr/jails by default):

drwxr-xr-x   5 root  wheel   512B Sep 26 14:57 .
drwxr-xr-x  18 root  wheel   512B Sep 25 13:11 ..
drwxr-xr-x   9 root  wheel   512B Sep 26 13:42 basejail
drwxr-xr-x   4 root  wheel   512B Sep 26 14:43 flavours
drwxr-xr-x  12 root  wheel   512B Sep 26 13:58 newjail

If yours checks out, we're ready to start building our localized flavour!
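The host preparation described above, from installing the common ports through checking the jail home, as an added example in sh that is not part of the original page or of ezjail itself. The helpers take their file paths as arguments so they can be exercised against a scratch directory; main() wires them to the real locations and only runs when EZJAIL_RUN=yes, since it needs root and a built world in /usr/src. CVSROOT and FTPHOST, the example hosts cvs.example.net and ftp.example.net, and the EZJAIL_RUN switch are names chosen for this example, standing in for the <our_local_*_mirror> placeholders:

```sh
#!/bin/sh
# Added example, not from the original page or from ezjail: a re-runnable
# version of the host preparation steps above.
set -e

# Set name="value" in an sh-style config file (rc.conf, ezjail.conf)
# exactly once. A bare `echo >> /etc/rc.conf` appends a duplicate line on
# every run; because the last definition wins when the file is sourced, a
# stale line can silently override the one you think is in effect.
set_var() {
    file=$1 name=$2 value=$3
    # escape the characters that are special in a sed replacement
    esc=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    if grep -q "^${name}=" "$file" 2>/dev/null; then
        tmp=$(mktemp "${file}.XXXXXX")
        sed "s|^${name}=.*|${name}=\"${esc}\"|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# Generate ezjail.conf from the shipped sample with the values discussed
# above. Lines that are commented out in the sample (e.g. "#ezjail_ftphost=")
# get a new definition appended rather than edited in place.
write_ezjail_conf() {
    sample=$1 dest=$2 cvsroot=$3 ftphost=$4
    cp "$sample" "$dest"
    chmod 0644 "$dest"
    set_var "$dest" ezjail_jaildir      /usr/jails
    set_var "$dest" ezjail_jailtemplate '${ezjail_jaildir}/newjail'
    set_var "$dest" ezjail_jailbase     '${ezjail_jaildir}/basejail'
    set_var "$dest" ezjail_sourcetree   /usr/src
    set_var "$dest" ezjail_portscvsroot "$cvsroot"
    set_var "$dest" ezjail_ftphost      "$ftphost"
    set_var "$dest" ezjail_uglyperlhack YES
}

# Install the ports wanted on every jail (plus ezjail itself) from the
# host's ports tree; -DBATCH accepts the default options non-interactively.
install_common_ports() {
    for p in security/sudo editors/vim-lite shells/bash net/rsync sysutils/ezjail; do
        (cd "/usr/ports/$p" && make -DBATCH install clean)
    done
}

# Sanity-check the jail home after `ezjail-admin update -i`: the three
# directories from the listing above must exist, and basejail must actually
# contain a base system (no bin/sh means installworld did not complete).
check_jaildir() {
    jaildir=$1
    for d in basejail newjail flavours; do
        [ -d "$jaildir/$d" ] || { echo "missing $jaildir/$d" >&2; return 1; }
    done
    [ -x "$jaildir/basejail/bin/sh" ] || { echo "basejail has no bin/sh" >&2; return 1; }
}

main() {
    # CVSROOT and FTPHOST stand in for the <our_local_*_mirror> placeholders.
    : "${CVSROOT:?set CVSROOT, e.g. :pserver:anoncvs@cvs.example.net:/home/ncvs}"
    : "${FTPHOST:?set FTPHOST, e.g. ftp.example.net}"
    install_common_ports
    set_var /etc/rc.conf ezjail_enable YES
    write_ezjail_conf /usr/local/etc/ezjail.conf.sample /usr/local/etc/ezjail.conf "$CVSROOT" "$FTPHOST"
    ezjail-admin update -i
    check_jaildir /usr/jails
}

if [ "${EZJAIL_RUN:-no}" = yes ]; then
    main
fi
```

Run it as root with EZJAIL_RUN=yes CVSROOT=... FTPHOST=... once the host has been updated from source; running it a second time is harmless, because set_var rewrites existing definitions instead of appending duplicates.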

Building Our ezjail Flavour