FreeBSD Jails with EZJail

The last post was a success in that a jail was created and everything worked fine and as expected. However, before I go charging off to the server store and configuring my production server, I’m going to do a bit more research in to the ongoing deployment and maintenance. The EZJail port in the collection claims to make deployment and maintenance, er, ‘EZ’, so I’m giving that a trial on a fresh server install. Also I’d be happier when FreeBSD 9 is fully released rather than the RC1 version I’m using now for testing.


We need to do the same prep as before for the server, see the last post for details, but in short, lock down the sshd daemon and the syslog daemon if it’s a fresh install like mine is. Then it’s off to /usr/src for a make buildworld:

# in /etc/ssh/sshd_config, change the Listen address

# in /etc/rc.conf, add

service syslogd restart
service sshd restart

# Now the tedious bit...
cd /usr/src
make buildowrld

Time passes

A lot more time passes.

Wow, I really need a faster machine for doing this sort of thing! ….

Lets install EZjail before I retire…

# cd /usr/ports/sysutils/ezjail
# make install

Initial Setup

First task is to create a base jail which is the template for other jails. part of the process is a buildpworld which if you have followed the instructions you do not want to do again! We want the ports included so our jail clients can install software.

# ezjail-admin update -i -p

A few minutes later and there is a /usr/jails directory with the following content:

# cd /usr/jails/
# ls -lah
total 20
drwxr-xr-x   5 root  wheel   512B Nov  4 20:30 .
drwxr-xr-x  17 root  wheel   512B Nov  4 20:28 ..
drwxr-xr-x   9 root  wheel   512B Nov  4 20:30 basejail
drwxr-xr-x   3 root  wheel   512B Nov  4 20:30 flavours
drwxr-xr-x  12 root  wheel   512B Nov  4 20:30 newjail

Interestingly we can make pre defined templates with the ‘flavours’ and whats more re-assuring is, that its spelt correctly! Anyway, we’ll come back to that later. There is also another file to note that is /usr/local/etc/ezjail.conf.example which I’ll copy (I like to keep an original) now to remove the example part:

# pwd
# cp ezjail.conf.sample ezjail.conf

Deploying our first jail

Now we’ll create our first jail – totally vanilla:

# ezjail-admin create
Warning: IP not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including
  This may cause some confusion, here they are:
root     sshd       1300  4  tcp4   *:22                  *:*
root     syslogd    1045  7  udp4   *:514                 *:*

That ip easy to fix..

# ifconfig bge0 alias

I’ll edit the /etc/rc.conf to make the alias survive a reboot. The sshd and syslogd is fixed as per the last post by adding syslogd_flags="-b" to /etc/rc.conf and modifying the Listen address in /etc/ssh/sshd_config.
Before we can power on the jail, we need to add this to the /etc/rc.conf:

# echo 'ezjail_enable="YES"' >> /etc/rc.conf

Now we can start the jail up and confirm with jls by:

# /usr/local/etc/rc.d/ start
 ezjailConfiguring jails:.
Starting jails:
jtest# jls
   JID  IP Address      Hostname                      Path
     1         /usr/jails/

As before, we need to add the basic stuff in like sshd_enable, some resolvers, initial user account, root password, etc. etc. etc. Whilst doing this I came across this problem…

# ping
ping: socket: Operation not permitted

I did the usual hawking of config files, rebooting and so on, but it transpires that the security.jail.allow_raw_sockets is set at zero which stops this working. So we need to reset this value ON THE HOST SYSTEM and restart the jail:

# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
# /usr/local/etc/rc.d/ restart
Stopping jails:
Configuring jails:.
Starting jails:
# jls
   JID  IP Address      Hostname                      Path
     6         /usr/jails/
# jexec 6 /bin/sh
# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=245 time=41.766 ms
64 bytes from icmp_seq=1 ttl=245 time=47.647 ms

That all works, but I wanted to ensure it was still set after a reboot, so on the host machine:

# echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

My test reboot confirms this is all working.

Deleting a Jail

The next task is to delete the jail, seems like a waste but I want to use the ‘flavours’ to roll out lots of jails with pretty much the same config and pre-installed values.

# ezjail-admin delete -w
Error: Jail appears to be still running.
  'ezjail-admin stop' it first or use 'ezjail-admin delete -f' to force stop.
# /usr/local/etc/rc.d/ stop
Stopping jails:
# ezjail-admin delete -w
rm: /usr/jails/ Operation not permitted
rm: /usr/jails/ Directory not empty
rm: /usr/jails/ Directory not empty

This does not look good! Is the jail still there?

# jls
   JID  IP Address      Hostname                      Path
# ezjail-admin list
STA JID  IP              Hostname                       Root Directory
--- ---- --------------- ------------------------------ ------------------------
jtest# cd /usr/jails/
# ls
basejail		flavours		newjail

Ok the jail is gone, but I have a directory remaining….

# rm -r
override r-xr-xr-x  root/wheel schg for y
rm: Operation not permitted
rm: Directory not empty
rm: Directory not empty

The directory does not want to be deleted. It appears to have the immutable flag set, so we’ll remove it and start again.

# cd /usr/jails/
# chflags -R noschg empty/
# rmdir empty/
# cd /usr/jails
# rm -r
This entry was posted in FreeBSD Administration and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *