
Everything you need to know about Jails

2013-10-16

Live demo in BSD Now Episode 007 | Originally written by TJ for bsdnow.tv | Last updated: 2014/03/05

NOTE: the author/maintainer of the tutorial(s) is no longer with the show, so the information below may be outdated or incorrect.

Virtualization is a big part of security these days. Why dedicate an entire machine to one specific service when you can make a virtual machine? The other option is to just run the one service alongside the rest on the same machine. If someone breaks into it, however, they could potentially access lots of private things you don't want them to see. Virtual machines mostly solve this isolation issue, but they have some drawbacks. The main problem is overhead. There are speed penalties when running things in a VM. Disk I/O, emulated NICs, CPU overhead - everything comes at a cost. However, on modern hardware with VT-x, the CPU performance has become a lot better.

Jails are isolated virtual instances of FreeBSD that all run off the same kernel. There's no performance hit at all, even with the network stack and disk I/O. If someone breaks into your jail and gets root, they're locked to that filesystem. There are also many other limits enforced on a jail, so check the documentation for details. You can deploy hundreds of jails on the same system with few resources; they use almost no extra RAM aside from the applications you run within them.

There is a really great utility called ezjail for creating, updating and managing jails. You can still do things the traditional way, but ezjail makes things so much more.. ez. Let's get started by installing it from ports or pkgng.

# cd /usr/ports/sysutils/ezjail
# make install clean

The way ezjail works is like this: it first creates a "base" jail, which all the jails will use. It makes a full, isolated FreeBSD userland and then mounts that (read-only) in your real jails. By doing things this way, you only have one jail to keep up to date. It also saves a lot of disk space by not extracting the whole userland every time you want a new jail. Making new ones after you have the base jail in place takes a matter of seconds. You can even "archive" the jails to easily transfer them between machines. To create the base jail (with the system sources and a ports tree), we simply do:

# ezjail-admin install -sp

Jails can be installed into ZFS datasets or even (possibly encrypted) sparse files and memory disks. Both of those options provide a good way to limit disk space that the jail has access to. You can also install by building world or installing from an already-built world using the -b and -i flags. This is useful if you want to run -STABLE or -CURRENT in a jail. Assuming you've stayed with the -RELEASE branch, you can update the basejail with freebsd-update. Just run:

# ezjail-admin update -u

To update the base jail's ports tree, which all jails also have read-only access to, run:

# ezjail-admin update -P

See the /usr/local/etc/ezjail.conf sample file for more options. Your jail(s) can run on the same IP address as the host without (many) problems, but I recommend giving them each their own IP. We'll add an alias on the "em0" NIC; replace "em0" with your network card name and adjust the addresses to your network. The rc.conf entries ensure the alias is recreated and the jail is started at boot.

# ifconfig em0 alias 192.168.1.13 netmask 0xffffff00 broadcast 192.168.1.255
# echo 'ifconfig_em0_alias0="inet 192.168.1.13 netmask 0xffffff00 broadcast 192.168.1.255"' >> /etc/rc.conf
# echo 'ezjail_enable="YES"' >> /etc/rc.conf

Next, create your actual jail. Give it a hostname and the IP address from before. Copy your resolv.conf to the jail so it can do DNS. Finally, start the service.

# ezjail-admin create bsdnow.tv 192.168.1.13
# cp /etc/resolv.conf /usr/jails/bsdnow.tv/etc/
# service ezjail start
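The two `echo ... >> /etc/rc.conf` lines above append blindly, so running the steps twice leaves duplicate keys and the last one silently wins. The following is an added example (not part of the original tutorial or of ezjail) of an idempotent way to write those entries: `rc_set` replaces an existing key or appends a new one, `rc_get` reads a value back, and `configure_jail_host` applies the alias and `ezjail_enable` settings from the procedure above. The file path, interface and addresses are parameters; the test writes to a temporary file rather than `/etc/rc.conf`. On a real FreeBSD host, sysrc(8) does the same job.

```shell
#!/bin/sh
# Added example: idempotent rc.conf editing for the jail networking steps.
# Not part of the original tutorial; sysrc(8) is the stock tool for this.

# rc_set FILE KEY VALUE: set KEY="VALUE" in FILE, replacing an existing
# assignment in place instead of appending a second one.
rc_set() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp) || return 1
        # Rewrite only the line that starts with KEY=; keep everything else.
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=\"" v "\""; next }
            { print }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# rc_get FILE KEY: print the value of KEY without surrounding quotes,
# or nothing if the key is not set.
rc_get() {
    awk -v k="$2" '
        index($0, k "=") == 1 {
            v = substr($0, length(k) + 2)
            gsub(/^"|"$/, "", v)
            print v; exit
        }' "$1"
}

# configure_jail_host FILE IFACE IP NETMASK BROADCAST: write the interface
# alias and enable ezjail at boot (the two rc.conf entries from the tutorial).
configure_jail_host() {
    rc_set "$1" "ifconfig_${2}_alias0" "inet $3 netmask $4 broadcast $5"
    rc_set "$1" "ezjail_enable" "YES"
}

# Example run against a scratch file (constructed; never touches /etc/rc.conf).
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    configure_jail_host "$f" em0 192.168.1.13 0xffffff00 192.168.1.255
    configure_jail_host "$f" em0 192.168.1.13 0xffffff00 192.168.1.255
    cat "$f"          # each key appears exactly once
    rm -f "$f"
fi
```

Run it as `sh rcconf.sh demo` to see the resulting file. Because `rc_set` matches on the exact `KEY=` prefix, `ezjail_enable` is never confused with a longer key that merely starts with the same characters.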

Placing limits on jails is also possible. To only give the jail access to the first CPU core, you could do:

# ezjail-admin config -c 0 bsdnow.tv

See this page for more options on limiting jail resources. Finally, to check whether your jail is running, use the "jls" command:

# jls

   JID  IP Address      Hostname       Path
     1  192.168.1.13    bsdnow.tv      /usr/jails/bsdnow.tv
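For scripting around `jls`, it helps to parse that table rather than eyeball it. The following is an added example (not from the tutorial or from ezjail) that reads a `jls` listing in the layout shown above and answers whether a named jail is running and whether it is bound to the IP configured earlier. The listing is passed in as a string; the sample embedded in the script is constructed to match the table above plus a second jail, and `jls` itself is not executed.

```shell
#!/bin/sh
# Added example: parse jls(8) output of the form shown in the tutorial.
# Column layout (after the header line): JID, IP Address, Hostname, Path.

# Constructed sample listing; on a real host use: listing=$(jls)
SAMPLE_JLS='   JID  IP Address      Hostname       Path
     1  192.168.1.13    bsdnow.tv      /usr/jails/bsdnow.tv
     2  192.168.1.14    www.example    /usr/jails/www.example'

# jls_field LISTING HOSTNAME COLUMN: print COLUMN (1=JID, 2=IP, 4=Path) of
# the row whose hostname matches exactly; prints nothing if absent.
# NR > 1 skips the header, whose "IP Address" would otherwise shift columns.
jls_field() {
    printf '%s\n' "$1" | awk -v host="$2" -v col="$3" \
        'NR > 1 && $3 == host { print $col; exit }'
}

# jls_hosts LISTING: one hostname per line, for iterating over all jails.
jls_hosts() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3 }'
}

# jail_running LISTING HOSTNAME: exit 0 if the jail appears in the listing.
jail_running() {
    [ -n "$(jls_field "$1" "$2" 1)" ]
}

# jail_on_expected_ip LISTING HOSTNAME IP: exit 0 only if the jail is running
# and bound to the address we gave it in rc.conf; a mismatch usually means
# the alias or the jail config was edited on one side but not the other.
jail_on_expected_ip() {
    [ "$(jls_field "$1" "$2" 2)" = "$3" ]
}

# Example run over the constructed sample.
if [ "${1:-}" = "demo" ]; then
    for h in $(jls_hosts "$SAMPLE_JLS"); do
        printf '%s -> jid %s, ip %s, path %s\n' "$h" \
            "$(jls_field "$SAMPLE_JLS" "$h" 1)" \
            "$(jls_field "$SAMPLE_JLS" "$h" 2)" \
            "$(jls_field "$SAMPLE_JLS" "$h" 4)"
    done
    if jail_on_expected_ip "$SAMPLE_JLS" bsdnow.tv 192.168.1.13; then
        echo "bsdnow.tv is up on its configured address"
    fi
fi
```

Because the match is on the exact hostname in column 3, a jail named `bsdnow.tv` is not confused with `bsdnow.tv2`, and an absent jail yields an empty field rather than a stray value.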

From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system.

# ezjail-admin console bsdnow.tv

Last login: Sun Dec 29 03:08:29 on pts/17
FreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013

Welcome to FreeBSD!

# 

You can easily move jails between hosts with minimal configuration changes. Let's stop our example jail and archive it to a file.

# ezjail-admin stop bsdnow.tv
# ezjail-admin archive bsdnow.tv

The archived file should appear in /usr/jails/ezjail_archives. You can securely transfer the file to another server, make a new basejail and put the archive in place.

# ezjail-admin create -a /usr/jails/ezjail_archives/bsdnow_tv.tar.gz bsdnow.tv 192.168.1.13
# ezjail-admin start bsdnow.tv
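Whatever channel carries the archive between hosts, the restoring side should confirm it received exactly what was sent before unpacking it into /usr/jails. The following is an added example (not part of the tutorial or of ezjail) of that check: the sending host records a SHA-256 digest of the archive, the digest travels separately, and `restore_jail` refuses to run the `ezjail-admin create -a` step from above unless the digest matches. The digest tool is picked from sha256(1), sha256sum or shasum depending on what the host has; the `ezjail-admin` calls are only echoed unless `DRY_RUN=0`, so the script can be exercised on a machine without ezjail.

```shell
#!/bin/sh
# Added example: verify a jail archive's integrity before restoring it.
# Assumes an archive name like bsdnow_tv.tar.gz as produced by ezjail-admin archive.

# sha256_of FILE: print the hex digest using whichever tool is available.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then        # FreeBSD
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then   # GNU coreutils
        sha256sum "$1" | awk '{ print $1 }'
    else                                              # Perl shasum fallback
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# record_digest ARCHIVE DIGESTFILE: write "<digest>  <basename>" on the sending host.
record_digest() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$2"
}

# verify_archive ARCHIVE DIGESTFILE: exit 0 only if the recorded digest for
# this file name matches the archive on disk.
verify_archive() {
    expected=$(awk -v n="$(basename "$1")" '$2 == n { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "no digest recorded for $(basename "$1")" >&2
        return 1
    fi
    [ "$expected" = "$(sha256_of "$1")" ]
}

# run CMD...: echo the command in dry-run mode (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# restore_jail ARCHIVE DIGESTFILE NAME IP: the tutorial's restore-and-start
# commands, gated on a successful digest check.
restore_jail() {
    if ! verify_archive "$1" "$2"; then
        echo "refusing to restore $(basename "$1"): digest mismatch" >&2
        return 1
    fi
    run ezjail-admin create -a "$1" "$3" "$4" && run ezjail-admin start "$3"
}

# Example run with a constructed stand-in archive (not a real jail tarball).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'stand-in jail archive\n' > "$d/bsdnow_tv.tar.gz"
    record_digest "$d/bsdnow_tv.tar.gz" "$d/bsdnow_tv.tar.gz.sha256"
    restore_jail "$d/bsdnow_tv.tar.gz" "$d/bsdnow_tv.tar.gz.sha256" bsdnow.tv 192.168.1.13
    printf 'extra bytes\n' >> "$d/bsdnow_tv.tar.gz"
    restore_jail "$d/bsdnow_tv.tar.gz" "$d/bsdnow_tv.tar.gz.sha256" bsdnow.tv 192.168.1.13
    rm -rf "$d"
fi
```

Run with `sh restore.sh demo` to see the first restore proceed (echoed commands) and the second, after the archive is altered, refused. Keeping the digest file out of band from the tarball is what makes the check meaningful: a digest shipped inside the same transfer only detects accidental corruption, not substitution.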

Some links for further reading:
