FreeBSD Experiment 1: Jails

Posted 2018-09-20

In my preparations for removing ESXi, I tried creating a simple jail on my test box helios. As part of my purpose is to learn as much as possible, I decided against using a tool like ezjail in favor of doing it “by hand.” While the FreeBSD Handbook has some information on creating jails without using additional tools, pretty much every other document I found suggested using ezjail. There’s a chance I’ll revisit ezjail in the future, as it seems to have some helpful features like having a “base jail” so you only need one copy of the FreeBSD base system, but for now I’d like to do as much as possible without additional tools.

My goal for this experiment was to set up a simple web server (nginx) inside a jail. To start, I edited /etc/jail.conf to contain the following:

www {
  host.hostname = www.local;
  ip4.addr = 10.0.2.202;
  path = "/usr/jail/www";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}

Next, I used bsdinstall(8) to install the base system instead of compiling from source:

root@helios:~ # bsdinstall jail /usr/jail/www

I then added jail_enable="YES" to /etc/rc.conf and started the jail:

root@helios:~ # service jail start www

This took a few seconds to complete, and then the jail showed up when I ran jls:

root@helios:~ # jls
   JID  IP Address      Hostname                      Path
     1  10.0.2.202      www.local                     /usr/jail/www

I was able to enter the jail:

root@helios:~ # jexec www /bin/sh
#

But I don't seem to have Internet connectivity, as attempting to use pkg-ng fails:

# pkg install nginx
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

Running ifconfig inside the jail shows that I do not seem to have an IP address, nor can I communicate with any hosts. Interestingly, when I attempt to ping my gateway, I get the message:

ping: ssend socket: Operation not permitted

Clearly there’s something I’ve not yet figured out.
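As an added check (not part of the original post), here is a small POSIX sh linter over the jail.conf stanza above that flags the two settings matching the symptoms: a bare ip4.addr with no interface parameter, which jail(8) never adds to a host NIC, and allow.raw_sockets left at its default of 0, which is what refuses ping's raw socket. The interface name em0 used in the comments and test is an assumption.

```shell
# Constructed copy of the stanza from the post, kept inline so this runs anywhere.
JAIL_CONF='www {
  host.hostname = www.local;
  ip4.addr = 10.0.2.202;
  path = "/usr/jail/www";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}'

# jail_param CONF NAME PARAM: print PARAM's value inside NAME's stanza with
# quotes and the trailing ';' stripped; print nothing if it is not set there.
jail_param() {
    printf '%s\n' "$1" | awk -v jail="$2" -v key="$3" '
        $1 == jail && $2 == "{"          { inside = 1; next }
        inside && $1 == "}"              { inside = 0 }
        inside && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/;[ \t]*$/, ""); gsub(/"/, "")
            print
        }'
}

# jail_lint CONF NAME: print one finding per line for the settings behind the
# two symptoms seen in the post; return 1 if anything was flagged.
jail_lint() {
    rc=0
    addr=$(jail_param "$1" "$2" ip4.addr)
    iface=$(jail_param "$1" "$2" interface)
    raw=$(jail_param "$1" "$2" allow.raw_sockets)
    # A bare ip4.addr is only usable if the host already carries it; jail(8)
    # aliases it onto a NIC only when "interface = em0;" is set or the address
    # is written as "em0|10.0.2.202" (em0 is an assumed interface name).
    case $addr in
        *\|*) ;;
        *)  [ -n "$iface" ] ||
                { echo "ip4.addr $addr is set but no interface is named"; rc=1; } ;;
    esac
    # allow.raw_sockets defaults to 0, which makes ping inside the jail report
    # "ssend socket: Operation not permitted".
    [ "$raw" = 1 ] ||
        { echo "allow.raw_sockets is off (default): ping will be refused"; rc=1; }
    return $rc
}

jail_lint "$JAIL_CONF" www || echo "stanza needs attention"
```

The resolver failure is outside jail.conf's reach: if /etc/resolv.conf is missing under the jail's path, name lookups in the jail fail regardless of how the stanza is written.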