Little issue with Jails
Miroslav Lachman
000.fbsd at quip.cz
Tue Jul 11 17:20:02 UTC 2017
Software Information wrote on 2017/07/11 19:01:
> Hi All
> I am using FreeBSD 11 and have created a new jail using the following steps
>
> 1. make buildworld DESTDIR=/here/is/the/jail
> 2. make installworld DESTDIR=/here/is/the/jail
> 3. make distribution DESTDIR=/here/is/the/jail
> 4. mount -t devfs devfs /here/is/the/jail/dev
>
> I have the following in my host rc.conf
>
> jail_enable="YES" # Set to NO to disable starting of any jails
> jail_list="www" # Space separated list of names of jails
>
> Note: Jail names in jail_list should contain alphanumeric characters only.
>
> For each jail listed in jail_list, a group of rc.conf(5) settings, which
> describe the particular jail, should be added:
>
> jail_www_rootdir="/usr/jail/www" # jail's root directory
> jail_www_hostname="jailname.org" # jail's hostname
> jail_www_ip="IP_Address" # jail's IP address
> jail_www_devfs_enable="YES" # mount devfs in the jail
>
> On the host, I did sysctl security.jail.allow_raw_sockets=1
>
> In /etc/jail.conf, in the config section for that jail, I entered the
> line allow.raw.sockets = 1
>
> and I also did an echo 'security.jail.allow_raw_sockets=1' >>
> /etc/sysctl.conf inside the jail.
>
> From what I can tell, I should be able to ping inside the jail now but it
> still doesn't work. Does anyone see anything I may have left out?
I recommend you use jail.conf only and do not set jail variables in
rc.conf. It is not good to mix the two.
Put jail_enable="YES" into rc.conf and then this into jail.conf:
## Typical static defaults:
## Use the rc scripts to start and stop jails. Mount jail's /dev.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
mount.devfs;
devfs_ruleset = 4;
enforce_statfs = 1;
allow.set_hostname = 0;
allow.sysvipc = 0;
allow.raw_sockets = 0;
## Dynamic wildcard parameter:
## Base the path off the jail name.
path = "/usr/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab = "/etc/fstab.$name";
## Jail www
www {
    host.hostname = "jailname.example.com";
    ip4.addr = 10.10.10.10;
    allow.raw_sockets = 1;
}
Then you can start this jail with the command:
# service jail start www
Miroslav Lachman
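The point of the reply above is that the global allow.raw_sockets = 0 is overridden only inside the www { } block, and that jail(8) recognises the parameter as allow.raw_sockets, not allow.raw.sockets as written in the quoted message. As an added example (not code from this thread or from FreeBSD), here is a small offline parser that reads that jail.conf, computes the effective parameters each jail would get (global defaults, per-jail overrides, the $name wildcard, the "param;" / "noparam;" boolean shorthand) and flags parameter names it does not know. The second jail "db", the KNOWN_PARAMS subset and the tokeniser are assumptions of the example; on a real host the authoritative check is `jls -j www allow.raw_sockets` after the jail is started.

```python
"""Offline check of jail.conf(5): effective per-jail parameters and unknown names.

Added example, not part of the mailing-list thread or of FreeBSD.
Limitations (assumptions of this toy parser): values may not contain
';', '{', '}' or '#', and KNOWN_PARAMS is only a small subset of jail(8).
"""
import re

# Assumption: a short subset of jail(8) parameter names sufficient for this
# example. The real list is what `sysctl security.jail.param` reports.
KNOWN_PARAMS = {
    "exec.start", "exec.stop", "exec.clean", "exec.system_user",
    "exec.jail_user", "exec.consolelog", "mount.devfs", "mount.fstab",
    "devfs_ruleset", "enforce_statfs", "allow.set_hostname", "allow.sysvipc",
    "allow.raw_sockets", "path", "host.hostname", "ip4.addr", "interface",
}

# Constructed sample input: the jail.conf from the reply plus a second jail
# ("db", invented here) that repeats the misspelling from the question.
SAMPLE_JAIL_CONF = """
## Typical static defaults:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
mount.devfs;
devfs_ruleset = 4;
enforce_statfs = 1;
allow.set_hostname = 0;
allow.sysvipc = 0;
allow.raw_sockets = 0;
path = "/usr/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab = "/etc/fstab.$name";
www {
    host.hostname = "jailname.example.com";
    ip4.addr = 10.10.10.10;
    allow.raw_sockets = 1;
}
db {
    host.hostname = "db.example.com";
    ip4.addr = 10.10.10.11;
    allow.raw.sockets = 1;   # wrong spelling, so the global 0 still applies
}
"""

# Each statement is "body" followed by one of ';', '{' or '}'.
_STMT = re.compile(r"([^;{}]*)([;{}])")


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _parse_statement(stmt):
    """'a = b', 'a += b', 'a;' or 'noa;' -> (name, op, value as string)."""
    m = re.match(r"\s*([\w.]+)\s*(\+?=)\s*(.*)$", stmt, re.S)
    if m:
        name, op, value = m.groups()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        return name, op, value
    name = stmt.strip()
    if name.startswith("no") and name[2:] in KNOWN_PARAMS:  # e.g. nomount.devfs;
        return name[2:], "=", "0"
    return name, "=", "1"  # bare "param;" means true


def parse_jail_conf(text):
    """Return (global statements, {jail name: its statements})."""
    defaults, jails, current = [], {}, None
    for body, term in _STMT.findall(_strip_comments(text)):
        body = body.strip()
        if term == "{":
            current = body
            jails.setdefault(current, [])
        elif term == "}":
            current = None
        elif body:
            (defaults if current is None else jails[current]).append(_parse_statement(body))
    return defaults, jails


def _apply(params, stmts):
    for name, op, value in stmts:
        params[name] = params[name] + "," + value if op == "+=" and name in params else value
    return params


def effective_params(text):
    """Per jail: global defaults, then the jail's own statements, then $name expanded."""
    defaults, jails = parse_jail_conf(text)
    return {jail: {k: v.replace("$name", jail) for k, v in _apply(_apply({}, defaults), stmts).items()}
            for jail, stmts in jails.items()}


def unknown_params(text):
    """Parameter names not in KNOWN_PARAMS, keyed by jail (None = global scope)."""
    defaults, jails = parse_jail_conf(text)
    found = {}
    for scope, stmts in [(None, defaults)] + list(jails.items()):
        names = sorted({n for n, _, _ in stmts if n not in KNOWN_PARAMS})
        if names:
            found[scope] = names
    return found


def jails_with_raw_sockets(text):
    """Jails that end up with allow.raw_sockets=1, i.e. may use ping/traceroute."""
    return sorted(j for j, p in effective_params(text).items() if p.get("allow.raw_sockets") == "1")


if __name__ == "__main__":
    for jail, params in effective_params(SAMPLE_JAIL_CONF).items():
        print(jail, "path=" + params["path"], "allow.raw_sockets=" + params["allow.raw_sockets"])
    print("unknown parameter names:", unknown_params(SAMPLE_JAIL_CONF))
    print("raw sockets allowed in:", jails_with_raw_sockets(SAMPLE_JAIL_CONF))
```

Running it on the sample reports that only www gets allow.raw_sockets=1, that db silently keeps the global 0, and that allow.raw.sockets in db is not a name the checker knows. A sysctl security.jail.allow_raw_sockets=1 set inside the jail, as in the question, changes nothing: the jail parameter is set by the host when the jail is created.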