So, we’ve seen how to create a native jail using FreeBSD’s toolset. Meaning we have a brand-new system to configure!

Jail characteristics

Some jail-related specificities:

  • each jail runs with the host’s FreeBSD kernel;
  • as a result, a jail cannot run a newer OS version than the host system;
  • network is shared with the host by default, though the creation of vnet jails allows for virtualizing the entire network stack;
  • a number of actions are performed from the host and are either impossible or redundant within each jail; this is obviously the case for anything hardware-related, such as physical disks’ management;
  • one may want to share & centralize a number of operations such as logs;
  • one may want to access some parts of the host’s filesystem from within a jail;

Jail configuration

Basic Setup

Let’s copy /etc/resolv.conf & /etc/localtime from the host into the jail, so that it can issue DNS requests, and most importantly be on time ;)

Let’s populate /etc/rc.conf with a few basic variables:

syslogd_flags="-ss"
cron_flags="-J 60"

Edit: since sendmail was removed from base, all previous sendmail related entries in rc.conf can safely be removed; it was about time!

Users

Let’s:

  • assign a password to root via passwd root;
  • create a standard user alice;

One can use adduser, but pw will also do:

pw user add -n alice \
            -G wheel,staff \
            -d /home/alice -m \
            -s /usr/local/bin/zsh \
            -c 'Alice is (vi)king'

As a reminder:

  • -n defines the login name;
  • -G wheel,staff adds alice to additional admin groups;
  • -d sets the home directory;
  • -m creates and sets up her homedir;
  • -s /usr/local/bin/zsh sets her login shell to zsh;
  • -c defines the user name/comment;

Automatic checks & notifications

We don’t want each system to spam us with emails that are mostly relevant to the host, and/or related to the system components it solely controls (disks, networking), do we?

For a more peaceful life, let’s disable automatic checks and related email notifications in /etc/periodic.conf:

# Based on https://gist.github.com/dlangille/ce60ac76b69f267a3f1de33495a338fc
# after reviewing /etc/defaults/periodic.conf I have decided
# to disable these items in jails

daily_status_disks_enable="NO"
daily_status_network_enable="NO"
daily_status_uptime_enable="NO"

# not needed on jails
daily_ntpd_leapfile_enable="NO"

# let the jail host do these
security_status_chksetuid_enable="NO"
security_status_neggrpperm_enable="NO"
security_status_chkuid0_enable="NO"

# I don't run these in my jails
security_status_ipfwdenied_enable="NO"
security_status_ipfdenied_enable="NO"
security_status_ipfwlimit_enable="NO"
security_status_ipf6denied_enable="NO"
security_status_tcpwrap_enable="NO"

# positives
weekly_whatis_enable="YES"
weekly_locate_enable="YES"

Similarly, the following line in /etc/crontab can be commented out:

1,31 0-5 * * * root adjkerntz -a

For reference

Further reading & examples:

Mounting

Per jail fstab

Each jail can have its own fstab on the host, so we can mount portions of the host system into the jail using nullfs mounts, either with write permissions on, or in read-only mode.

On the host, let’s add the following to /etc/jail.conf:

mount.fstab = "/etc/fstab.$name";

We’ll see how to populate this file with sharing ports from the host system, but the same methodology applies for sharing any directory.

Note: this is quite different from, and more selective than, sharing and delegating entire ZFS datasets, which is covered in a companion article.

Shared ports

We may wanna compile ports from within the jails, without having to download the entire ports tree to each jail instance. Therefore, we’ll maintain a ports repository on the host and mount it read-only in the jails, while creating a local structure inside each jail to compile ports without modifying the host source!

export jailname="template"
mkdir /usr/local/jails/$jailname/usr/ports/
mkdir -p /usr/local/jails/$jailname/var/ports/{distfiles,packages}
mkdir /usr/ports/distfiles

After making sure we’ve added the previously mentioned relevant section to /etc/jail.conf on the host, let’s now create /etc/fstab.template (on the host as well):

# Device             Mountpoint                                    FStype  Opt. Dump Pass#
/usr/ports           /usr/local/jails/template/usr/ports           nullfs  ro   0    0
/usr/ports/distfiles /usr/local/jails/template/var/ports/distfiles nullfs  rw   0    0

Note: /usr/ports is mounted ro (read-only), but write permissions (rw) have to be enabled on /usr/ports/distfiles, since that is where fetched distfiles land.

Back inside the jail, let’s fill /etc/make.conf with:

WRKDIRPREFIX=           /var/ports
DISTDIR=                /var/ports/distfiles
PACKAGES=               /var/ports/packages

We shall now be able to use ports from within the jail, while enjoying resource sharing, because ecology is sexy!
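Since every rw nullfs entry in a per-jail fstab lets processes inside the jail modify files on the host, it is worth auditing these files before the jail starts. The following POSIX sh script is an added example, not part of the original article: it flags read-write nullfs mounts whose source is not on an allow-list (here only /usr/ports/distfiles, an assumption) and mountpoints that fall outside the jail’s root. The sample fstab is constructed for the example; the third line is the kind of entry that should be caught.

```sh
#!/bin/sh
# Added example: audit a per-jail fstab (/etc/fstab.$name) for risky nullfs mounts.

# Constructed sample: the article's /etc/fstab.template plus one extra rw line.
SAMPLE_FSTAB=$(cat <<'EOF'
# Device             Mountpoint                                    FStype  Opt. Dump Pass#
/usr/ports           /usr/local/jails/template/usr/ports           nullfs  ro   0    0
/usr/ports/distfiles /usr/local/jails/template/var/ports/distfiles nullfs  rw   0    0
/usr/local/etc       /usr/local/jails/template/mnt/hostetc         nullfs  rw   0    0
EOF
)

# Host paths that may be mounted read-write into a jail (assumption for this example).
RW_ALLOWED="/usr/ports/distfiles"

# audit_fstab FILE JAILROOT
# Prints one line per offending entry; returns the number of offences (0 = clean).
audit_fstab() {
    file=$1; jailroot=$2; bad=0
    while read -r dev mnt fstype opts dump pass; do
        # skip blank lines and comments (the header line starts with '#')
        case $dev in ''|'#'*) continue ;; esac
        # only nullfs mounts expose host directories; ignore anything else
        [ "$fstype" = nullfs ] || continue
        # every mountpoint must live below the jail's root directory
        case $mnt in
            "$jailroot"/*) ;;
            *) echo "outside jail root: $mnt"; bad=$((bad+1)); continue ;;
        esac
        # read-write mounts must come from the allow-list
        case ",$opts," in
            *,rw,*)
                allowed=no
                for a in $RW_ALLOWED; do [ "$dev" = "$a" ] && allowed=yes; done
                [ $allowed = yes ] || { echo "unexpected rw mount: $dev -> $mnt"; bad=$((bad+1)); } ;;
        esac
    done < "$file"
    return $bad
}

# Run the audit against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
if audit_fstab "$tmp" /usr/local/jails/template; then
    echo "fstab is clean"
else
    echo "offences: $?"
fi
rm -f "$tmp"
```

On a real host, run it as `audit_fstab /etc/fstab.template /usr/local/jails/template` for each jail defined in /etc/jail.conf.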

Reference: