Building a Jail in FreeBSD or NetBSD for a hosting environment

Daniel jahilliya at
Mon Feb 27 22:55:51 PST 2006

Hey Nick,

On 2/28/06, Nick Larsen <larsen.nick at> wrote:
> Hey Members,
> I have done a little research on Jails and setting them up, and managed to
> get one going at one stage and managed to somehow destroy it.
> I'm new to Jails, and I would like to use a real jail then just using a
> chroot jail.
> Where I work, we use the Ensim software for hosting, and I find that very
> pricey and sluggish (and it runs on Fedora rather than Linux).
> They use a technique of chrooting sites and the sites users into an
> environment in /home/virtual/sitexxx/ I would like to be able to do the same
> (but with Jail), but not quite sure how to go about it. Last time I tried to
> `make world DESTDIR=/my/jail/path` it failed (cannot remember the details
> right now) but it this where I start?

Idealy, you will start with: man jail

It gives some decent instruction on howto build a jail, different
sysctl variables, and just some general info that is very useful.

Also: man jexec
jexec allows you to execute commands within a jail, without actually
having to be inside the jail itself. So, you can run commands within a
jail even if the jail is not running SSH (or telnet, rsh etc...) (you
don't need to login to the jail). This is an excellent feature because
it allows you to have a web server you can't exactly login to,
reducing the total amount of exposure to the server.


Attached is a couple of little scripts I put together sometime ago to
help in building jails and automating the whole custom bootable ISO.

The script will need modification to match your
FreeBSD version (was originally made for 5.3), so tuning the kernel
config it builds and changing a couple version numbers so it can grab
the bootable floppies should be no drama... on the otherhand I used the other day without any problems. -s /usr/src -d /destination/directory

It'll then create a copy of /etc/make.conf called /etc/make.conf.jail
and ask you to edit it with your editor, then it'll build away and
need no further input.

> Also do I need an individual IP for each jail? because each physical server
> will have 1 IP unless the customer requests a dedicated IP.

You can definately share IP addresses across jails, but each JAIL
cannot bind the same ports, for obvious reasons.

So you can't have two jails, with two webservers, both listening on
port 80, but you can definately have two jails with two webservers,
one listening on port 80, the other on any port that is unused that
you specify.

> Any help would be appreciated, and I have tried to research it but end up
> going round in circles.
> --
> Regards,
> Nick Larsen
> Wellington


More information about the freebsd-questions mailing list