/etc/jail.conf documentation?

Ricky G ricky1252 at hotmail.com
Thu Oct 29 15:04:25 UTC 2015 

Saw this post and decided to share as well. When I started using jails I wanted the system to be easy and flexible. Reading the handbook, I liked this layout https://www.freebsd.org/doc/handbook/jails-application.html. I decided to make some scripts based on this layout and I also made some improvements based on problems I ran into using the layout.
Basically the scripts create a readonly base and duplicates the base setting to readonly. Upgrading is simple because you just recreate the base shutdown duplicate startup and the jails are updated. One side note that Id like to add is my use of mergemaster is the safe way which is a bit more work. (The scripts will do everything except create the base dataset). I still have some more work to do on these scripts with possible errors, but they work well for what I need them for. As for my jail.conf

host.hostname = "${name}";path = "/usr/jails/${name}";mount.fstab = "/etc/fstab.${name}";mount.devfs = "1";devfs_ruleset = "4";exec.consolelog = "/var/log/jail_${name}_console.log";interface  = "ue0";exec.start  = "/bin/sh /etc/rc";exec.stop  = "/bin/sh /etc/rc.shutdown";exec.clean;persist;
allow.raw_sockets = "1";allow.set_hostname = "0";
foo { ip4.addr  = "192.168.1.9/24";}
### For vnet ###bar { $if = "0"; $ip_addr  = "192.168.1.10/24"; $ip_route  = "192.168.1.1"; interface  = "bridge0"; vnet; vnet.interface = "epair${if}b"; exec.prestart  = "ifconfig bridge0 create"; exec.prestart  += "ifconfig epair${if} create up"; exec.prestart  += "ifconfig bridge0 addm epair${if}a"; exec.start  = "/sbin/ifconfig lo0 127.0.0.1 up"; exec.start  += "/sbin/ifconfig epair${if}b inet ${ip_addr} up"; exec.start  += "/sbin/route add default ${ip_route}"; exec.start  += "/bin/sh /etc/rc"; exec.stop  = "/bin/sh /etc/rc.shutdown"; exec.poststop  = "ifconfig bridge0 destroy"; exec.poststop  += "ifconfig epair${if}a destroy"; exec.clean; persist;}



$ cat update #!/usr/bin/env bashTEMPLATE_ZFS_DIR="tank/jails/template"TEMPLATE_NAME="main"TEMPLATE_DIR="/usr/jails/template"TEMPLATE_SNAPSHOT_NAME="now"JAIL_DIR="/usr/jails"JAIL_ZFS_DIR="tank/jails"JAILS=( $(jls | grep ${JAIL_DIR} | awk '{ print $3 }') )SRC="/usr/src"
ZFS_TEMPLATE="${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"TEMPLATE_SNAPSHOT="${ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"TEMPLATE_OLD_SNAPSHOT="${ZFS_TEMPLATE}@old.$(openssl rand -hex 8)"TEMPLATE="${TEMPLATE_DIR}/${TEMPLATE_NAME}"SKEL="${TEMPLATE_DIR}/skel"
### Some error checking ###zfs list "${ZFS_TEMPLATE}" >& /dev/nullif [ $? -eq 1 ];then	echo "Template dataset ${ZFS_TEMPLATE} not found, or wrong Template name"	exit 1fiif [ $(zfs get mountpoint "${ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1) != "${TEMPLATE}" ]then	echo "Template dataset not mounted at ${TEMPLATE}"	exit 1fiif [ $(zfs get mounted "${ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1) != yes ]then	echo "Template dataset ${ZFS_TEMPLATE} not mounted"	exit 1fi### Destroy old template ###zfs set readonly=off "${ZFS_TEMPLATE}"chflags -R 0 "${TEMPLATE}"rm -r "${TEMPLATE}"/*cd "${SKEL}"rm -R media root etc mnt tmp var
### Create new template ###cd ${SRC}make installworld DESTDIR="${TEMPLATE}"if [ $? -eq 1 ]then	echo "${SRC} Needs to be compiled. Run make buildworld."	exit 1fimake distribution DESTDIR="${TEMPLATE}"
### Recreate skel ###cd "${TEMPLATE}"for skel in media root etc mnt tmp vardo 	mv "${TEMPLATE}"/"${skel}" "${SKEL}"/done
if [ -f /etc/resolv.conf ]then	cp /etc/resolv.conf "${SKEL}"/etc/fiprintf 'hostname=""\nsendmail_enable="NO"\nsendmail_submit_enable="NO"\nsendmail_outbound_enable="NO"\nsendmail_msp_queue_enable="NO"' > "${SKEL}"/etc/rc.conf### Create links for new template ###for link in etc home mnt media root tmp vardo	ln -s s/${link} "${TEMPLATE}"/${link}doneln -s ../s/home "${TEMPLATE}"/usr/homeln -s ../s/usr-X11R6 "${TEMPLATE}"/usr/X11R6mkdir "${TEMPLATE}"/s
### Finish template by setting readonly=on ###zfs set readonly=on "${ZFS_TEMPLATE}"
### Move old template to a new name if it exists ###zfs list "${TEMPLATE_SNAPSHOT}" >& /dev/nullif [ $? -eq 0 ];then	zfs rename "${TEMPLATE_SNAPSHOT}" "${TEMPLATE_OLD_SNAPSHOT}"fi
### Create snapshot of the new template ###zfs snapshot "${TEMPLATE_SNAPSHOT}"### Updating jails that are currently running ###for jail in ${JAILS[@]};do	if [ $(jls | grep ${jail} | awk '{ print $4 }') == "${JAIL_DIR}"/"${jail}" ]	then		cd /usr/src		mergemaster -t "${JAIL_DIR}"/"${jail}"/var/tmp/temproot -D "${JAIL_DIR}"/"${jail}"/s -i -F		cd "${JAIL_DIR}"/"${jail}"/s		rm -r .cshrc .profile COPYRIGHT bin boot dev lib libexec proc rescue sbin sys usr		cd /usr/src		jail -r "${jail}"		zfs destroy -f "${JAIL_ZFS_DIR}"/"${jail}"		zfs clone -o readonly=on -o mountpoint="${JAIL_DIR}"/"${jail}" "${TEMPLATE_SNAPSHOT}" "${JAIL_ZFS_DIR}"/"${jail}"		jail -c "${jail}"	else		FAILED+="${jail} "	fidone
### Destroy old template ###zfs destroy "${TEMPLATE_OLD_SNAPSHOT}"if [ -n "${FAILED}" ]then	printf "The following jails failed to update due to incorrect mountpoint... ${FAILED}\n"fiecho "Update Finished"



$ cat duplicate #!/usr/bin/env bashTEMPLATE_ZFS_DIR="tank/jails/template"TEMPLATE_NAME="main"TEMPLATE_DIR="/usr/jails/template"TEMPLATE_SNAPSHOT_NAME="now"JAIL_DIR="/usr/jails"JAIL_ZFS_DIR="tank/jails"
ZFS_TEMPLATE="${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"TEMPLATE_SNAPSHOT="${ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"TEMPLATE="${TEMPLATE_DIR}/${TEMPLATE_NAME}"SKEL="${TEMPLATE_DIR}/skel"
echo What will the jail name be?read -e JAIL_NAMEecho What will the ip4 address be? ie 192.168.1.1/24?read -e IP4zfs list "${ZFS_TEMPLATE}" >& /dev/nullif [ $? -eq 1 ];then	echo "Incorrect template" 	exit 1fizfs list "${TEMPLATE_SNAPSHOT}" >& /dev/nullif [ $? -eq 1 ];then	echo "Snapshot not found" 	exit 1fi
JAIL="${JAIL_ZFS_DIR}/${JAIL_NAME}"JAIL_ZFS_DATA="${TEMPLATE_ZFS_DIR}/${JAIL_NAME}"JAIL_ZFS_DATA_LOCAL="${TEMPLATE_ZFS_DIR}/${JAIL_NAME}-local"JAIL_DATA="${TEMPLATE_DIR}/${JAIL_NAME}"JAIL_FSTAB="${JAIL_DIR}/${JAIL_NAME}"
zfs clone -o readonly=on -o mountpoint="${JAIL_FSTAB}" "${TEMPLATE_SNAPSHOT}" "${JAIL}"if [ $? -eq 1 ];then	echo "clone failed"	exit 1fiecho "clone successful"zfs create -o recordsize=1M -o compression=lz4 -o mountpoint="${JAIL_DATA}" "${JAIL_ZFS_DATA}"zfs create -o recordsize=1M -o compression=lz4 -o canmount=noauto "${JAIL_ZFS_DATA_LOCAL}"cp -Ra "${SKEL}"/* "${JAIL_DATA}"/umount "${JAIL_DATA}"rmdir "${JAIL_DATA}"zfs set canmount=noauto "${JAIL_ZFS_DATA}"printf "${JAIL_ZFS_DATA} ${JAIL_FSTAB}/s\tzfs\trw 0 0\n${JAIL_ZFS_DATA_LOCAL} ${JAIL_FSTAB}/usr/local\t zfs\trw 0 0" > /etc/fstab."${JAIL_NAME}"printf "\n${JAIL_NAME} {\n ip4.addr = \"${IP4}\";\n}" >> /etc/jail.conf

More information about the freebsd-questions mailing list