LinuxDojo - Basic FreeBSD Jail How-To

Creating a Basic FreeBSD Jail: A Quick Start

FreeBSD Jails offer a super-efficient way to run isolated environments on your FreeBSD system. They're like lightweight containers, perfect for hosting web services, databases, or even just for secure experimentation without the overhead of a full virtual machine. This guide focuses on setting up a simple, standalone jail.

           

What is a Basic Jail?

A "basic" or "thick" jail contains its own complete copy of the FreeBSD base system. This provides strong isolation, as it has its own filesystem, IP address, and process table, separate from the host system. It's an excellent starting point for most use cases.

Important Note: This guide assumes you have root privileges and your host FreeBSD system is up-to-date. Replace placeholders like em0, 192.168.1.151, and the FreeBSD version (e.g., 14.3-RELEASE) with your specific environment's values.

Step-by-Step: Getting Your Basic Jail Running

1. Enable the Jail Service on the Host

First, configure your host FreeBSD system to enable the jail service and ensure jails start in parallel when the system boots.

sudo sysrc jail_enable="YES"
sudo sysrc jail_parallel_start="YES"

2. Create Jail Directories

Set up the necessary directory structure where your jail's files will reside. We'll use /usr/local/jails as the base, with subdirectories for media and containers.

sudo mkdir -p /usr/local/jails/media
sudo mkdir -p /usr/local/jails/containers

3. Download and Extract the Base System

Before downloading, determine your host's exact FreeBSD RELEASE version to ensure you download the correct `base.txz` file. Mismatched versions can lead to issues or "Not Found" errors.

To check your host's version, run one of these commands:

uname -KU

Or:

freebsd-version

The output (e.g., `14.3-RELEASE-p0` or `1403000`) will tell you your RELEASE version (e.g., `14.3-RELEASE`).

Then download the FreeBSD base userland (the core operating system files for a jail) and extract it into the jail's dedicated directory. Adjust the version in the URL (e.g., `14.3-RELEASE`) to match your host's output.

# Example: For FreeBSD 14.3-RELEASE (amd64). Adjust version and architecture as needed.
sudo fetch https://download.freebsd.org/ftp/releases/amd64/amd64/14.3-RELEASE/base.txz -o /usr/local/jails/media/14.3-RELEASE-base.txz

# Create the specific directory for your new jail (e.g., 'mybasicjail')
sudo mkdir -p /usr/local/jails/containers/mybasicjail

# Extract the downloaded base system into the jail's directory
sudo tar -xf /usr/local/jails/media/14.3-RELEASE-base.txz -C /usr/local/jails/containers/mybasicjail --unlink

4. Copy Essential Configuration Files

For network resolution and correct timekeeping, copy the host's resolv.conf and localtime files into your new jail's /etc directory.

sudo cp /etc/resolv.conf /usr/local/jails/containers/mybasicjail/etc/resolv.conf
sudo cp /etc/localtime /usr/local/jails/containers/mybasicjail/etc/localtime

5. Configure the Jail in /etc/jail.conf.d/

Define your jail's properties (hostname, path, IP, network interface, etc.) in a dedicated configuration file. It's good practice to place this in /etc/jail.conf.d/.

# Create the directory if it doesn't exist
sudo mkdir -p /etc/jail.conf.d/

# Open the configuration file for editing (e.g., mybasicjail.conf)
sudo nano /etc/jail.conf.d/mybasicjail.conf

Paste the following content, making sure to **adjust the IP address** (192.168.1.151) to an unused one on your network and the **interface** (em0) to your host's active network interface:

mybasicjail {
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_console_${name}.log";

  allow.raw_sockets; # Lets processes in the jail open raw sockets, which tools like 'ping' need; leave it out if you don't need that
  exec.clean;
  mount.devfs;

  host.hostname = "${name}";
  path = "/usr/local/jails/containers/${name}";

  ip4.addr = 192.168.1.151; # <-- IMPORTANT: CHANGE THIS IP
  interface = em0;         # <-- IMPORTANT: CHANGE THIS INTERFACE (e.g., igb0, re0, en0)
}

Save the file (Ctrl+S) and exit Nano (Ctrl+X).

Check /etc/jail.conf: Ensure your main /etc/jail.conf file includes definitions from the .d directory by checking for the line .include "/etc/jail.conf.d/*.conf";. Add it if it's missing.

6. Start Your Jail

With the configuration in place, you can now start your basic jail.

sudo service jail start mybasicjail

7. Access Your Jail

To interact with your jail, you can get a shell inside it or execute specific commands.

# Get a root shell inside your jail
sudo jexec mybasicjail /bin/sh

# To exit the jail's shell, type:
exit
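
The script below is an added example, not part of the original LinuxDojo post: a POSIX sh file that wraps steps 3 to 5 with the checks a careful admin wants before extracting a downloaded archive as root and before editing /etc/jail.conf. It derives the RELEASE string from freebsd-version output, fetches the MANIFEST file that FreeBSD publishes next to base.txz and compares the SHA-256 listed there with the download before tar runs, and appends the .include line to /etc/jail.conf only when it is missing, so repeated runs do not duplicate it. Assumptions: the MANIFEST is tab-separated with the file name in the first column and the SHA-256 in the second, and the host has either sha256(1) (FreeBSD) or GNU sha256sum(1). The function names (release_from_version, release_dir, sha256_of, verify_against_manifest, ensure_include, create_jail) are this example's own, not anything from the post or the FreeBSD tools.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3 to 5 with integrity
# and idempotency checks. Assumes the FreeBSD release MANIFEST layout
# (tab-separated: file name, SHA-256, ...) and sha256(1) or sha256sum(1).
set -eu

# Reduce freebsd-version output such as "14.3-RELEASE-p0" to "14.3-RELEASE",
# the string used in the download URL.
release_from_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*-[A-Z0-9]*\).*/\1/'
}

# Directory on download.freebsd.org holding base.txz and MANIFEST for an
# architecture and release (same layout as the post's fetch URL).
release_dir() {  # $1 = arch (e.g. amd64), $2 = release (e.g. 14.3-RELEASE)
    printf 'https://download.freebsd.org/ftp/releases/%s/%s/%s\n' "$1" "$1" "$2"
}

# Hex SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Compare an archive with its MANIFEST entry. Returns 0 on match, 1 when the
# hash differs or the entry is missing. $1 = MANIFEST path, $2 = archive path,
# $3 = file name as listed in MANIFEST (e.g. base.txz).
verify_against_manifest() {
    expected=$(awk -v f="$3" -F'\t' '$1 == f { print $2 }' "$1")
    if [ -z "$expected" ]; then
        echo "no MANIFEST entry for $3" >&2
        return 1
    fi
    actual=$(sha256_of "$2")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $2: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Make sure jail.conf includes the per-jail files; append the line only if it
# is not already there. $1 = path of the jail.conf file to check.
ensure_include() {
    line='.include "/etc/jail.conf.d/*.conf";'
    if [ -f "$1" ] && grep -qF "$line" "$1"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$1"
}

# The post's steps 3 and 4 with verification before extraction, plus the
# /etc/jail.conf include check from step 5. Run as root on a FreeBSD host.
create_jail() {  # $1 = jail name, $2 = arch
    rel=$(release_from_version "$(freebsd-version)")
    media=/usr/local/jails/media
    root=/usr/local/jails/containers/$1
    mkdir -p "$media" "$root"
    fetch "$(release_dir "$2" "$rel")/base.txz" -o "$media/$rel-base.txz"
    fetch "$(release_dir "$2" "$rel")/MANIFEST" -o "$media/$rel-MANIFEST"
    # set -e aborts here, before tar touches the jail root, if the hash differs.
    verify_against_manifest "$media/$rel-MANIFEST" "$media/$rel-base.txz" base.txz
    tar -xf "$media/$rel-base.txz" -C "$root" --unlink
    cp /etc/resolv.conf /etc/localtime "$root/etc/"
    ensure_include /etc/jail.conf
}

# Only act when invoked as: sh jailprep.sh create <jailname> [arch]
if [ "${1:-}" = "create" ]; then
    create_jail "${2:?jail name required}" "${3:-amd64}"
fi
```

Run it as `sudo sh jailprep.sh create mybasicjail` on the host to perform the download, verification, extraction and file copies; without the `create` argument the file only defines the functions, so it can be sourced or its checks tried on any system. After it finishes, continue with the jail definition in /etc/jail.conf.d/ and steps 6 and 7 as described above.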

Basic Jail Management Commands

  • sudo jls: List all running jails with their JID, IP, hostname, and path.
  • sudo service jail stop <jail_name>: Stop a specific jail.
  • sudo service jail restart <jail_name>: Restart a specific jail.
  • sudo jexec <jail_name_or_jid> <command>: Execute any command inside a running jail.

You've now successfully set up a basic, functional FreeBSD jail! From here, you can install packages (like a web server or database) and build out your isolated environment.