After I set up my new FreeBSD (10.1-RELEASE) server, I decided to run each of the services I needed in its own jail. The easiest way to do this is with iocage. This article should help you get started with its most common functions.
To prepare your system for networking jails (allowing you to ping from within the jail, as well as making them behave like normal hosts in the network), edit your /etc/sysctl.conf file and add the following lines:
# jail rules
security.jail.sysvipc_allowed=1
security.jail.allow_raw_sockets=1
Then reboot your system. If you don’t want to reboot, you can execute the following sysctl commands to activate these rules without a reboot:
sysctl security.jail.sysvipc_allowed=1
sysctl security.jail.allow_raw_sockets=1
Anyway, just to be sure it will work, reboot, unless you know what you are doing.
For the rest of the article, I used the following tutorial (it’s more detailed and also explains what you are doing):
Now we are ready to install iocage:
pkg install iocage
The next step is to setup the default jail (download an image of FreeBSD). Type the following:
You will be asked some questions:
please select a pool for iocage jails [zroot]:
The default zpool on my system is named zroot, because I have a bootable RAIDZ-2 configuration of 5 disks. On your system it may be called whatever you named it during installation. Anyway, just type the name of the zpool on which you prefer to install your iocage root.
Supported releases are:
10.1-RELEASE
10.0-RELEASE
9.3-RELEASE
9.2-RELEASE
9.1-RELEASE
Please select a release [10.1-RELEASE]:
In my case, I prefer the default 10.1-RELEASE, just to have the same system like my host.
base.txz 100% of 63 MB 10 MBps 00m06s
doc.txz 100% of 1395 kB 7014 kBps 00m01s
lib32.txz 100% of 15 MB 10 MBps 00m01s
Exctracting: base.txz
Exctracting: doc.txz
Exctracting: lib32.txz
* Updating base jail..
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 10.1-RELEASE from update5.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.1-RELEASE-p6:
/usr/src/crypto/openssl/util/mkbuildinf.pl
The following files will be updated as part of updating to 10.1-RELEASE-p6:
/bin/freebsd-version
/lib/libc.so.7
/lib/libcrypto.so.7
/rescue/
/rescue/atmconfig
/rescue/badsect
...
...
/usr/share/openssl/man/man3/x509.3.gz
/var/db/mergemaster.mtree
Installing updates...
install: /iocage/releases/10.1-RELEASE/root//usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory
done.
After this, you can immediately create your first jail. In my case, I wanted to create a jail where I can run my DNS resolver cache (the already installed local_unbound is doing it just fine for my small domain). So it is my DNS jail.
iocage create tag=dns.meschnet.de ip4_addr="bge0|192.168.2.60" defaultrouter=192.168.2.1 allow_sysvipc=1 allow_raw_sockets=1
Replace meschnet.de with your domain, bge0 with your network interface and 192.168.2.60 with a free IP address in your network (the address you want the jail to have). Also set the defaultrouter option to the IP address of your router.
When your jail is built, type in the following commands:
iocage set boot=on dns.meschnet.de
iocage set priority=01 dns.meschnet.de
iocage set hostname=dns.meschnet.de dns.meschnet.de
The first command activates your jail on boot.
The second command sets the priority of the jail when booting your machine. In my case, I want my DNS jail to start before any other jail, so I give it a priority of 01.
The third command sets the hostname of the jail. I wanted the hostname of my DNS jail to be the same as the tag.
To start the jail, type:
iocage start dns.meschnet.de
That’s it. Try to ping the IP address you have assigned to your jail. It should respond.
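The create, set and start steps above, wrapped into one POSIX sh script as an added example (this is not code from the original post or from iocage). It validates both IPv4 addresses before anything is created, prints the planned commands, and only runs them when iocage is installed and DRY_RUN is unset; the hostnames, interface and addresses are constructed placeholders, and allow_sysvipc/allow_raw_sockets are passed exactly as the article does.

```shell
#!/bin/sh
# Added example: automate the jail creation steps from this article.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iocage commands that create, configure and start a jail, one per line.
# Arguments: tag iface ip4 defaultrouter [priority]
jail_commands() {
    tag=$1; iface=$2; ip=$3; router=$4; prio=${5:-99}
    valid_ipv4 "$ip" || { echo "bad jail address: $ip" >&2; return 1; }
    valid_ipv4 "$router" || { echo "bad router address: $router" >&2; return 1; }
    printf 'iocage create tag=%s ip4_addr="%s|%s" defaultrouter=%s allow_sysvipc=1 allow_raw_sockets=1\n' \
        "$tag" "$iface" "$ip" "$router"
    printf 'iocage set boot=on %s\n' "$tag"
    printf 'iocage set priority=%s %s\n' "$prio" "$tag"
    printf 'iocage set hostname=%s %s\n' "$tag" "$tag"   # hostname same as the tag
    printf 'iocage start %s\n' "$tag"
}

# Execute the plan only when iocage exists and DRY_RUN is unset; otherwise
# just print it so the operator can review what would be run.
make_jail() {
    cmds=$(jail_commands "$@") || return 1
    if [ -n "$DRY_RUN" ] || ! command -v iocage >/dev/null 2>&1; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        eval "$c" || { echo "failed: $c" >&2; exit 1; }
    done
}

# Constructed placeholder values; replace with your own domain, interface and addresses.
# DRY_RUN=1 make_jail dns.example.com bge0 192.168.2.60 192.168.2.1 01
```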
Now, you can login as root in the jail by simply typing:
iocage console dns.meschnet.de
You will notice that you can handle the jail exactly as if it were a normal host or virtual machine, just like being in the shell of another host. You can use pkg or /usr/local/ports the usual way to install software, start and stop services, or experiment with whatever you want. When you type exit, you log out of the jail and return to your host.
If you want to stop the jail, just type:
iocage stop dns.meschnet.de
Now your newly created jail is shut down. In this state, you can also delete your jail if you don’t need it anymore.
iocage destroy dns.meschnet.de
That’s simple, isn’t it?