Maxim_Kazmin - Fotolia
Set up BSD jails as a form of virtualization
Using the ezjail tool, you can easily create and install a BSD jail. Execute these simple commands to get started and take advantage of key ezjail features.
BSD jails are considered a classic way to implement secure, isolated user or service accounts that are restricted -- or jailed -- in regards to what they can access and do. You can easily create BSD jails by following this simple tutorial.
In a BSD jail, all the processes and tasks are run within the environment, making multiuser access more secure. BSD jails limit any damage a user might do to the environment, as each BSD jail has its own root user and configuration files.
When setting up a simple jailed environment on a FreeBSD 11 host, you can perform most of the commands via a remote secure shell session. However, FreeBSD requires you to create another user and add it to the wheel group so you can switch the user -- su -- to root.
To add the user to the wheel group, use the following command, changing stuart to the name of the desired user:
pw usermod stuart -G wheel
Now you should be able to log in as the desired user. To become the root user, issue the su - command. Making changes as the root user is much easier than manually typing all the commands in the console.
At this point, you can configure your BSD environment. Within a jailed environment, each jail is treated in isolation from everything else, and each user has his or her own copy of the binary files and documentation.
Install the ezjail tool
Creating jails used to be a complex process. As part of the more recent FreeBSD versions, there is a tool you can use to create and manage BSD jails. This tool is called ezjail.
To install ezjail, use the following commands:
make install clean
This will build the ezjail application and dependencies as shown in Figure A below:
Depending on host capabilities, it might take several minutes to build the ezjail software. Using ezjail also optimizes storage by reducing the need for multiple binary and layout copies for each jail. Rather, it creates a read-only copy locally and mounts that copy for all BSD jails to use.
To install ezjail correctly, issue the command below:
ezjail-admin install -sp
It will take several minutes to download and run through the setup requirements. There are alternate configurations for ezjail install, but for now, use this process to keep things simple.
Key ezjail features
You can easily upgrade BSD jails when a new FreeBSD version is released by executing the following command:
ezjail-admin update -P
To create the actual jail, use this command:
ezjail-admin create myvirtualhost 'em0|192.168.0.172'
Be sure to change the interface and IP address as needed. It should be an unused address.
Once you set up and configure the jail, it should respond the same way as any other server.
Next, ensure the ezjail service is enabled. You need to modify the rc.conf file. Do so using the command below:
echo 'ezjail_enable=YES' >> /etc/rc.conf
This command will add ezjail_enable=yes to the rc.conf file. Start the jail service by using the following command:
service ezjail start
This will also start it at boot time.
Some other useful features of ezjail are the ability to instantly slip into different BSD jails -- assuming you are root. Again, to move into the root role, use the su - command.
To get a console in the newly created jail, use the command below, substituting the BSD jail you created:
ezjail-admin console myvirtualhost
You can also set the jail root password while you're in there. Once inside, you can treat it exactly like any other FreeBSD system.
To stop and start BSD jails, use the following commands:
ezjail-admin stop myvirtualhost
ezjail-admin start mvirtualhost
To get a proper view of what's happening, use the jls command. This will display a lot of useful information about the running jail's status. To get more verbose information, use the following command:
Now you can create and destroy BSD jails at will.
There is a lot more to running a BSD jail than what is covered in this short tutorial. Inside each jail, you can configure it as though it is a separate stand-alone system. For example, it would make sense to install one jail for a DNS server and another jail for a web server. For more information, reference the erdgeist website.