
Everything you need to know about Jails

2013-10-16

Live demo in BSD Now Episode 007 | Originally written by TJ for bsdnow.tv | Last updated: 2014/03/05

NOTE: the author/maintainer of the tutorial(s) is no longer with the show, so the information below may be outdated or incorrect.

Virtualization is a big part of security these days. Why dedicate an entire machine to one specific service when you can make a virtual machine? The other option is to run that one service alongside everything else on the same machine, but then anyone who breaks into it can potentially reach lots of private things you don't want them to see. Virtual machines mostly solve this isolation issue, but they have drawbacks, the main one being overhead: running in a VM costs you on disk I/O, emulated NICs and CPU time. On modern hardware with VT-x the CPU penalty has shrunk a lot, but the device emulation and I/O costs remain.

Jails are isolated virtual instances of FreeBSD that all run on the host's kernel. With no hypervisor and no emulated hardware there is essentially no performance penalty, even for the network stack and disk I/O. If someone breaks into your jail and gets root, they're confined to that jail: jailed root sees only the jail's filesystem and processes, and by default cannot mount filesystems, create device nodes, open raw sockets, load kernel modules or change most sysctls. jail(8) documents these restrictions and the allow.* parameters that relax them (turn those on only when a jail genuinely needs them). You can deploy hundreds of jails on the same system with little resources; they use almost no extra RAM aside from the applications you run within them.

There is a really great utility called ezjail for creating, updating and managing jails. You can still do things the traditional way with jail(8) and rc.conf, but ezjail makes things so much more... ez. Let's get started by installing it from ports (or from packages with pkg).

# cd /usr/ports/sysutils/ezjail
# make install clean

The way ezjail works is like this: it first creates a "base" jail that all the jails share. It builds a full, isolated FreeBSD userland once and then nullfs-mounts it read-only (as /basejail) inside each real jail. By doing things this way, you only have one copy of the userland to keep up to date, and a root compromise inside a jail can't tamper with the system binaries, because the jail sees that mount as read-only. It also saves a lot of disk space by not extracting the whole userland every time you want a new jail. Making new ones after you have the base jail in place takes a matter of seconds. You can even "archive" the jails to easily transfer them between machines. To create the base jail (with the system sources and a ports tree), we simply do:

# ezjail-admin install -sp

Jails can be installed into ZFS datasets or even (possibly encrypted) sparse files and memory disks. Both of those options provide a good way to cap the disk space a jail can consume. You can also install by building world or installing from an already-built world using the -b and -i flags. This is useful if you want to run -STABLE or -CURRENT in a jail; just keep in mind that a jail's userland must not be newer than the host's kernel, since the jail has no kernel of its own. Assuming you've stayed with the -RELEASE branch, you can update the basejail with freebsd-update. Just run:

# ezjail-admin update -u

To update the base jail's ports tree, which all jails also have read-only access to, run:

# ezjail-admin update -P

See the sample /usr/local/etc/ezjail.conf for more options. Your jail(s) can run on the same IP address as the host without (many) problems, but I recommend giving each jail its own IP: with a dedicated address, services in the jail and on the host won't fight over the same ports, and host firewall rules can treat the jail's traffic separately. We'll add an alias to the "em0" NIC. Replace em0 and the addresses with your own interface name and network settings. The rc.conf entries make the alias persistent across reboots and start the jail(s) at boot.

# ifconfig em0 alias 192.168.1.13 netmask 0xffffff00 broadcast 192.168.1.255
# echo 'ifconfig_em0_alias0="inet 192.168.1.13 netmask 0xffffff00 broadcast 192.168.1.255"' >> /etc/rc.conf
# echo 'ezjail_enable="YES"' >> /etc/rc.conf

Next, create your actual jail. Give it a hostname and the IP address from before. Copy your resolv.conf to the jail so it can do DNS. Finally, start the service.

# ezjail-admin create bsdnow.tv 192.168.1.13
# cp /etc/resolv.conf /usr/jails/bsdnow.tv/etc/
# service ezjail start
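Here is an added example (not from the tutorial or from ezjail) of doing the rc.conf part of the steps above idempotently. The tutorial's echo >> /etc/rc.conf lines append unconditionally, so running them twice, or adding a second jail with the same alias number, leaves duplicate ifconfig_em0_alias0 definitions, and only the last one takes effect. The helper below validates the address, finds the next free aliasN slot for the interface, refuses an address that is already configured, and sets ezjail_enable exactly once. It works on a constructed rc.conf in a temporary file (the RCCONF variable is this example's own, not an ezjail setting) so it runs offline; point RCCONF at /etc/rc.conf as root for real use. It uses a /32 netmask (0xffffffff) for the alias, which is what ifconfig(8) recommends for extra addresses on a subnet the interface already has an address in.

```sh
#!/bin/sh
# Added example, not from the tutorial or from ezjail: idempotent rc.conf
# edits for the jail alias and ezjail_enable lines. RCCONF is this script's
# own variable; when unset, a constructed temporary file is used so the
# script can run offline. Set RCCONF=/etc/rc.conf (as root) for real use.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the lowest aliasN index not yet defined for interface $1.
# rc.d's alias loop stops at the first missing index, so always fill the
# lowest gap rather than appending after the highest one.
next_alias_index() {
    n=0
    while grep -q "^ifconfig_${1}_alias${n}=" "$RCCONF" 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# Append a persistent alias for address $2 on interface $1 unless that
# address is already configured. Prints the variable name written.
add_jail_alias() {
    iface=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "add_jail_alias: bad IPv4 address '$ip'" >&2; return 1; }
    ipre=$(printf '%s\n' "$ip" | sed 's/\./\\./g')
    if grep -q "^ifconfig_${iface}_alias[0-9]*=\"inet ${ipre} " "$RCCONF" 2>/dev/null; then
        echo "add_jail_alias: $ip is already configured on $iface" >&2
        return 1
    fi
    n=$(next_alias_index "$iface")
    # 0xffffffff (a /32) is what ifconfig(8) recommends for an extra address
    # on a subnet the interface already has a primary address in.
    printf 'ifconfig_%s_alias%s="inet %s netmask 0xffffffff"\n' "$iface" "$n" "$ip" >> "$RCCONF"
    echo "ifconfig_${iface}_alias${n}"
}

# Set rc.conf variable $1 to value $2, replacing any existing definition
# rather than appending a duplicate line.
rc_set_once() {
    tmp=$(mktemp)
    grep -v "^$1=" "$RCCONF" > "$tmp" 2>/dev/null || true
    printf '%s="%s"\n' "$1" "$2" >> "$tmp"
    cat "$tmp" > "$RCCONF"
    rm -f "$tmp"
}

# Demo on a constructed rc.conf (NOT a real host's configuration). It only
# runs when RCCONF was not set, so a real /etc/rc.conf is never overwritten.
if [ -z "$RCCONF" ]; then
    RCCONF=$(mktemp)
    trap 'rm -f "$RCCONF"' EXIT
    cat > "$RCCONF" <<'EOF'
hostname="host.example.org"
ifconfig_em0="inet 192.168.1.10 netmask 0xffffff00"
ifconfig_em0_alias0="inet 192.168.1.12 netmask 0xffffffff"
ezjail_enable="NO"
EOF
    add_jail_alias em0 192.168.1.13          # writes ifconfig_em0_alias1
    add_jail_alias em0 192.168.1.13 || true  # refused: already configured
    add_jail_alias em0 192.168.1.300 || true # refused: not a valid address
    rc_set_once ezjail_enable YES            # replaces the NO line
    cat "$RCCONF"
fi
```

After the demo the constructed file holds exactly one alias line per address and one ezjail_enable line; rerunning the script produces the same file, which is the property the plain echo lines lack.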

Placing limits on jails is also possible. To only give the jail access to the first CPU core, you could do:

# ezjail-admin config -c 0 bsdnow.tv

See the ezjail-admin(8), cpuset(1) and rctl(8) manual pages (rctl needs a kernel built with RACCT/RCTL) for more ways to limit jail resources. Finally, to check whether your jail is running, use the "jls" command:

# jls

   JID  IP Address      Hostname       Path
     1  192.168.1.13    bsdnow.tv      /usr/jails/bsdnow.tv

From here, you can get a root shell in the jail and start setting things up as you would with a normal FreeBSD system.

# ezjail-admin console bsdnow.tv

Last login: Sun Dec 29 03:08:29 on pts/17
FreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013

Welcome to FreeBSD!

# 

You can easily move jails between hosts with minimal configuration changes. Let's stop our example jail and archive it to a file.

# ezjail-admin stop bsdnow.tv
# ezjail-admin archive bsdnow.tv

The archive appears in /usr/jails/ezjail_archives. Transfer it to the other server over an authenticated channel such as scp, verify its checksum after the transfer, create a basejail on the new host at the same FreeBSD release, and then restore from the archive:

# ezjail-admin create -a /usr/jails/ezjail_archives/bsdnow_tv.tar.gz bsdnow.tv 192.168.1.13
# ezjail-admin start bsdnow.tv
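Before handing a transferred archive to ezjail-admin create -a, it is worth checking that it is the file the source host produced and that it cannot write outside the new jail directory. The script below is an added example, not part of the tutorial or of ezjail: it verifies a SHA-256 digest recorded beside the archive by the source host (an assumed .sha256 sidecar file that this example writes; ezjail-admin archive does not produce one) and scans the tar member list for absolute paths or '..' components. It works with FreeBSD's sha256(1) or GNU sha256sum(1). The demo archive it builds is a constructed stand-in, not a real jail.

```sh
#!/bin/sh
# Added example, not from the tutorial or from ezjail: integrity and path
# checks for a jail archive, to run after transfer and before
# 'ezjail-admin create -a'. The .sha256 sidecar is this example's own
# convention, written on the source host with write_digest.

# Print the hex SHA-256 of file $1, using whichever tool the host has.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                    # FreeBSD
    else
        sha256sum "$1" | cut -d' ' -f1    # GNU coreutils
    fi
}

# Record the digest of $1 into $1.sha256 (run this on the source host and
# ship the sidecar along with the archive).
write_digest() {
    sha256_of "$1" > "$1.sha256"
}

# Compare $1 against $1.sha256; 0 on match, 1 on mismatch or missing digest.
verify_digest() {
    [ -r "$1.sha256" ] || { echo "no digest for $1" >&2; return 1; }
    expected=$(cat "$1.sha256")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ] || { echo "digest mismatch for $1" >&2; return 1; }
}

# Read a tar listing on stdin (the output of 'tar -tzf archive'); return 1 if
# any member is an absolute path or contains a '..' path component, 0 if
# every member stays relative to the extraction directory.
check_listing() {
    status=0
    while IFS= read -r member; do
        case $member in
            /*|../*|*/../*|*/..|..)
                echo "unsafe member: $member" >&2
                status=1 ;;
        esac
    done
    return $status
}

# Full pre-restore check for archive $1: digest first, then member paths.
check_archive() {
    verify_digest "$1" || return 1
    tar -tzf "$1" | check_listing || return 1
    echo "$1: digest OK, all members relative"
}

# Demo with a constructed archive (a stand-in, not a real jail tree).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/jail/etc"
echo 'hostname="bsdnow.tv"' > "$demo_dir/jail/etc/rc.conf"
DEMO_ARCHIVE="$demo_dir/bsdnow_tv.tar.gz"
tar -C "$demo_dir/jail" -czf "$DEMO_ARCHIVE" .
write_digest "$DEMO_ARCHIVE"      # what the source host would do
check_archive "$DEMO_ARCHIVE"     # what the destination host runs first
```

On the destination host, run check_archive on the transferred file and only then call ezjail-admin create -a with it; a digest mismatch or an unsafe member name means the archive should not be restored.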
