Little issue with Jails

Miroslav Lachman 000.fbsd at quip.cz
Tue Jul 11 17:20:02 UTC 2017


Software Information wrote on 2017/07/11 19:01:
> Hi All
> I am using FreeBSD 11 and have created a new jail using the following steps
>
> 1. make buildworld DESTDIR=/here/is/the/jail
> 2. make installworld DESTDIR=/here/is/the/jail
> 3. make distribution DESTDIR=/here/is/the/jail
> 4. mount -t devfs devfs /here/is/the/jail/dev
>
> I have the following in my host rc.conf
>
> jail_enable="YES"   # Set to NO to disable starting of any jails
>
> jail_list="www"     # Space separated list of names of jails
>
> Note: Jail names in jail_list should contain alphanumeric characters only.
>
> For each jail listed in jail_list, a group of rc.conf(5) settings, which
> describe the particular jail, should be added:
>
>
>
> jail_www_rootdir="/usr/jail/www"     # jail's root directory
>
> jail_www_hostname="jailname.org"  # jail's hostname
>
> jail_www_ip="IP_Address"           # jail's IP address
>
> jail_www_devfs_enable="YES"          # mount devfs in the jail
>
>
> On the host, I did sysctl security.jail.allow_raw_sockets=1
>
> In /etc/jail.conf, in the config section for that jail, I entered the
> line *allow.raw.sockets = 1*
>
>
> and I also did an *echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf*
> inside the jail.
>
>
> From what I can tell, I should be able to ping inside the jail now but it
> still doesn't work. Does anyone see anything I may have left out?

I recommend that you use jail.conf only and do not set jail variables in
rc.conf. It is not good to mix these two.

Put jail_enable="YES" into rc.conf and then this into jail.conf:

## Typical static defaults:
## Use the rc scripts to start and stop jails.  Mount jail's /dev.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
exec.system_user   = "root";
exec.jail_user     = "root";
mount.devfs;
devfs_ruleset      = 4;
enforce_statfs     = 1;
allow.set_hostname = 0;
allow.sysvipc      = 0;
allow.raw_sockets  = 0;

## Dynamic wildcard parameter:
## Base the path off the jail name.
path            = "/usr/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab     = "/etc/fstab.$name";

## Jail www
www {
         host.hostname     = "jailname.example.com";
         ip4.addr          = 10.10.10.10;
         allow.raw_sockets = 1;
}


Then you can run this jail with the command:

# service jail start www


Miroslav Lachman
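
Added example (not part of the original post, and not FreeBSD's own code): an offline audit that flags the per-jail rc.conf variables the reply advises against mixing with jail.conf, lists the effective allow.raw_sockets value for each jail block, and reports the "allow.raw.sockets" spelling from the question. The function names, the sample files and the "db" jail are assumptions made for illustration; the parser assumes one parameter per line and "#" comments only.

```shell
# Added example: offline audit of rc.conf and jail.conf text (not from the thread).
# Legacy per-jail rc.conf variables (the jail_<name>_* forms in the question)
# that the reply advises against mixing with jail.conf.
legacy_rc_vars() {
    grep -Eo '^jail_[A-Za-z0-9]+_(rootdir|hostname|ip|devfs_enable)=' "$1" | tr -d '='
}
# Print "<jail> <0|1>": effective allow.raw_sockets per jail block, starting
# from the global default. Assumes one parameter per line, "#" comments only.
raw_sockets_by_jail() {
    awk '
    function val(line,   v) {
        if (line ~ /allow\.noraw_sockets/) return 0
        if (line !~ /=/) return 1                 # bare boolean means enabled
        v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*;.*$/, "", v)
        return (v == "1" || v == "true") ? 1 : 0
    }
    { sub(/#.*/, "") }
    /^[ \t]*[A-Za-z0-9_]+[ \t]*\{/ { name = $1; sub(/\{.*/, "", name); cur = dflt; next }
    /allow\.(no)?raw_sockets[ \t]*[=;]/ { if (name != "") cur = val($0); else dflt = val($0); next }
    /^[ \t]*\}/ { if (name != "") print name, cur + 0; name = "" }
    ' "$1"
}
# Line numbers using the "allow.raw.sockets" spelling from the question; the
# reply's jail.conf spells the parameter allow.raw_sockets.
misspelled_raw_sockets() {
    grep -n 'allow\.raw\.sockets' "$1" | cut -d: -f1
}
# Constructed sample input, modelled on the settings quoted in the thread.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rc.conf" <<'EOF'
jail_enable="YES"
jail_list="www"
jail_www_rootdir="/usr/jail/www"
jail_www_ip="IP_Address"
EOF
cat > "$tmp/jail.conf" <<'EOF'
allow.raw_sockets  = 0;   # global default
www {
        allow.raw_sockets = 1;
}
db {                      # hypothetical second jail
        allow.raw.sockets = 1;
}
EOF
echo "legacy rc.conf variables:"; legacy_rc_vars "$tmp/rc.conf"
echo "allow.raw_sockets per jail:"; raw_sockets_by_jail "$tmp/jail.conf"
echo "misspelled parameter on line(s):"; misspelled_raw_sockets "$tmp/jail.conf"
```

On a real host, pass /etc/rc.conf and /etc/jail.conf to the functions instead of the sample files; jail_enable and jail_list are deliberately not flagged.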


More information about the freebsd-stable mailing list