2023-02 upd: important announcement. Due to the loss of the main server (non-technical problems related to paying for hosting), the CBSD-related images (ISO, cloud images, jail images ...) will be unavailable indefinitely.
2020-10 upd: we reached the first fundraising goal and rented a server in Hetzner for development! Thank you for donating !
Operation with jail
Attention! Current pages describe CBSD version 13.0.x. If you are using an older version, please update first.
Attention! I apologize for the automatic translation of this text. You can improve it by sending me a more correct version of the text or fix html pages via GITHUB repository.
CREATING JAILS
commands: jcreate, jconstruct-tui
1 | % cbsd jconstruct-tui |
1 | % cbsd jcreate jconf= /path/to/conf .jconf |
The jail is created according to configuration file generated by cbsd jcreate jconf=path_to_cfg. For create configuration, use a command cbsd jconstruct (question-answer dialog mode), or dialog(1)-based interface: cbsd jconstruct-tui, or via WEB interface. When pkg.conf and repository configured properly, you can preset to new jail some packages mark them through pkglist menu. For safety reason recommended to use the official FreeBSD pkg repo or build your own package repository.
Please note: when repo unavailable, item pkglist in cbsd jconstruct-tui did not show anything.
Please note: multi-repo and and the ability to choose a specific repository from the list at the moment is missing, and will be used repository prescribed in pkg.conf of master host.
Attention! Because the list and choose of packages formed by pkg.conf of master machine, keep in mind that the content of the selected packages on the list will only work if the architecture and version of the jail equal with master node
If you do not use automation (Puppet, Ansible, own implementation for generation of jconf) to create environments and you have to create a container with different parameters, use the ability to create your own profile to override the default values. You can override any parameter - the proposed template for jail name, version, binding to a specific interface instead of 'auto', etc..
for creating config via dialog:
1 | % cbsd jconstruct-tui |
The same menu is available to create a jail when configuring CBSD via bsdconfig
Let it not scare you a small ;-) the number of settings in jconstruct-tui - here are displayed only the most important options, suitable for most people. If you need a more flexible configuration - please use cbsd jconfig after jail creation
If jconstruct-tui work correctly, on the exit the question for jail create will be asked. In a case positively answer, jcreate it will be executed on a new configuration automatically. Otherwise, the script will save configuration file (in $workdir/ftmp), on which it is possible to create a jail by hand.
Important:
When a new jail is created or obtaining from the repository, make it a rule ALWAYS change the user's password root in jail, even if you do not plan to run it ssh/ftp/rsh and similar services. If the jail is created with applytpl=0, by default /etc/{passwd,master.passwd,group} in the jail as the original "clean" files FreeBSD, so password of root user is empty. If jail created with applytpl=1 (it also refers to images from repository) $workdir/share/jail-skel files will be used as templates where root password is 'cbsd' in default CBSD installation. You can change default root password when new jail is created via edit of hash in skel master.passwd via:
% vipw -d ${workdir}/share/jail-skel/etc
commands, or specify alternative path to jail-skel dir in .jconf (jcreate tools) config
You can override the jailskeldir="$workdir/share/jail-skel", parameters which is stored in $workdir/etc/defaults/jail-freebsd-default.conf to specify an alternate template directory, which will overwrite the files in the original base files when creating jail. To do this, create a file jail-freebsd-XXXXX.conf in $workdir/etc and enter the value.:
See for details: Profiles for jail creation
DIALOG MENU OPTIONS
- profile - profile in which the parameters are set by default. Described above
- pkglist - Select package list for new jail
- jname - Short (one word) name of the jail
- host_hostname - FQDN for the jail environment
- ip4_addr - specify IP addresses (separated by commas if more than one) or 0 for vnet/bhyve environments
- ver - FreeBSD version for the base (10.1, 11.0 for RELEASE or 10, 11 for STABLE)
- baserw - mount copy of base via nullfs in read only (baserw=no) or populate own copy (baserw=yes) with write access
- mount_ports - mount /usr/ports dir from base system to jail (read only). To the environment can build ports (and not interfere with each other vorkdir) - reassigned WRKDIRPREFIX parameters to alternate location. Or, make sure that applytpl params is set to 1 - then CBSD does this automatically via WRKDIRPREFIX=/tmp in /etc/make.conf of the jail
- astart - Automatic start jail on the system boot
- interface - Specify uplink for jail (on what interface create/remove IP) or prohibit.
- applytpl - Automatically adjust the same settings of the jail (create /etc/hosts, change WRKDIRPREFIX, etc..)
- floatresolv - Automatically adjust /etc/resolv.conf from jnameserver IP (settings from initenv/initenv-tui)
- arch - Specify architecture of jail environment
- vnet - Enable or disable VIMAGE feature
Other methods of creating jail:
jcreate command, part 2
1 | % cbsd jconstruct |
1 | % cbsd jcreate jconf= /path/to/conf .jconf |
If DIALOG-based script jconstruct-tui for some reason did not come for create configuration of the new jails, you can use the script, dialogue like "question and answer" jconstruct
1 | % cbsd jconstruct |
Which specifies the same question as the tui-version. Also, the configuration can avoid the formation without additional interactive utilities, for example building systems that automatically create the necessary jails.
Example of a standard configuration for jcreate might look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | jname= "jail1" ; path= "/usr/jails/jails/jail1" ; host_hostname= "jail1.my.domain" ; ip4_addr= "10.0.0.24/24" ; mount_devfs= "1" ; allow_mount= "1" ; allow_devfs= "0" ; allow_nullfs= "0" ; mount_fstab= "/usr/jails/jails-fstab/fstab.jail1" ; arch= "amd64" ; mkhostsfile= "1" ; devfs_ruleset= "4" ; ver= "10.0" ; basename = "" ; slavenode= "0" ; baserw= "0" ; basename = "" ; mount_src= "0" ; mount_obj= "" ; mount_kernel= "0" ; mount_ports= "1" ; astart= "1" ; data= "/usr/jails/jails-data/jail1-data" ; vnet= "0" ; applytpl= "1" ; mdsize= "0" ; rcconf= "/usr/jails/jails-rcconf/rc.conf_jail1" ; floatresolv= "1" ; exec_start= "/bin/sh /etc/rc" ; exec_stop= "/bin/sh /etc/rc.shutdown" ; exec_poststart= "0" ; exec_poststop= "0" ; exec_prestart= "0" ; exec_prestop= "0" ; exec_master_poststart= "0" ; exec_master_poststop= "0" ; exec_master_prestart= "0" ; exec_master_prestop= "0" ; interface= "auto" ; jailskeldir= "${sharedir}/jail-skel" |
Note parameters arch and ver. Values of them may be "i386", "amd64" for arch and "9.2", "10.0", "10.1" "11" and so on, depending on the version of the base, which would you prefer for jail. Values native in these parameters force CBSD always take the version and architecture that is running the node, which makes the floating version. So, if you use a template with arch="native", ver="native" and switch from FreeBSD 10.2 to 11.0, it will use the 11.0 version of the base. If you want to fix a specific version - specify version instead native.
If you want to create jail with installed some packages from pkg repository, in this configuration must have an pkglist pointing to a file with a list of packages, for example:
1 | pkglist= "/tmp/newjail.txt" ; |
The /tmp/newjail.txt file might look like:
1 2 3 4 | mc lynx nginx-devel lsof |
cbsd jcreate remove file pointed by pkglist variables after jail create
Important:
When a new jail is created or obtaining from the repository, make it a rule ALWAYS change the user's password root in jail, even if you do not plan to run it ssh/ftp/rsh and similar services. If the jail is created with applytpl=0, by default /etc/{passwd,master.passwd,group} in the jail as the original "clean" files FreeBSD, so password of root user is empty. If jail created with applytpl=1 (it also refers to images from repository) $workdir/share/jail-skel files will be used as templates where root password is 'cbsd' in default CBSD installation. You can change default root password when new jail is created via edit of hash in skel master.passwd via:
% vipw -d ${workdir}/share/jail-skel/etc
commands, or specify alternative path to jail-skel dir in .jconf (jcreate tools) config
By default, the directory specified by jailskeldir will be used as source files that will be added (or they will be overwritten with standard files) into a jail automatically when applytpl=1. Accordingly, you can create any configuration templates and content environments that will be copied when creating a new jail.
Jail config
jconfig, jset commands
1 2 | % cbsd jconfig % cbsd jset |
Descriptions:
Cconfiguration parameters jail
Each CBSD jail stores the settings in SQLite3 database. In addition, $workdir/jails-fstab/ may have fstab files (see below). To change the settings of jail can serve cbsd jconfig command, which is runs the TUI menu to change basic settings:
Jails IP address
IP addresses that are bound to the jail sets in ip4_addr parameter. As an IP may serve as IPv4, and the IPv6 address. When starting and stopping jail, working with IP may take place in two modes:
- automatic on-the-fly creation of IP addresses for the jail at the time of launch + automatic removal from the interface IP when stopping
- the use of previously initialized IP addresses.
When for jails assigned to more than one address, they should be listed separated by commas without spaces. IP can include network prefix specified through IP/prefix. By default, aliases created with the prefix /32, that may not be appropriate if the jail uses a separate subnet from the network server — in this case, the correct /prefix is needed.
The parameter that controls this behavior pointed by interface parameter. When interface=0, jstart and jstop will not be called ifconfig alias and ifconfig -alias, respectively. If its value is auto or name of network nics, this command will be executed:
1 | % ifconfig interface ips alias |
and when jail stop:
1 | % ifconfig interface ips - alias |
Be careful with this option, if you have only one IP for server that is used and this IP is assigned to the same jail, when stopping jail, ip address of the server will be removed automatically that will make the server unavailable. In this case, you need to use:
1 | interface=0 |
For example, to run the configuration tool for the jail1, run:
1 | % cbsd jconfig jname=jail1 |
Mounting File Systems in jail
Each jail can have your fstab file, which lists the file systems that are mounted jail is startup. System records (they are managed by CBSD and edit this file inappropriately) are located in the file $workdir/jails-fstab/fstab.name and the same syntax to format the file system /etc/fstab with the exception that as a mount point is the path relative to the root jail, not the master system.
For user entries, you can use the file in the same directory with the extension .local. For example, if you want to make between jail1 and jail2 a shared directory (via nullfs), which physically located in the master node (e.g.: /usr/home/sharefs), the files $workdir/jails-fstab/fstab.jail1.local and $workdir/jails-fstab/fstab.jail2.local should have:
1 | /usr/home/sharefs /usr/home/sharefs nullfs rw 0 0 |
If you want to mount tmpfs to /tmp dir in jail1 (those actually in /usr/jails/jails/jail1/tmp), then the entry in the $workdir/jails-fstab/fstab.jail1.local should have:
1 | tmpfs /tmp tmpfs rw 0 0 |
both entries perform the same action as commands:
1 2 | mount -t nullfs -o rw /usr/home/sharefs /jailroot/usr/home/sharefs mount -t tmpfs -o rw tmpfs /jailroot/tmp |
If you want to mount into jail2 a directory from jail1, jail1 path should point to the directory containing the data jail1 (and their mount points ${workdir}/jails/jail1). For example entry $workdir/jails-fstab/fstab.jail2.local:
1 | /usr/jails/jails-data/jail1-data/usr/local/www /usr/local/www nullfs ro 0 0 |
Make the shared directory /usr/local/www between jail1 and jail2, but it will jail2 in read-only mode
There are flaws when mounting via mount -t /type/ does not work or mounting must be done in a non-standard way. In this case, use the 'external' reserved word, where the 'source' field will point to your external script, the output of which should be a mounted directory.
An example of such an entry in fstab.local:
/root/ntfs-3g.sh /usr/home/web/downloads external rw 0 0
and an example working script /root/ntfs-3g.sh for this entry: ntfs-3g.sh, which mounts an external USB drive directly into the container.
Presentation of ZFS file systems in jail
If you want to attach separate ZFS filesystems in jail (ie, want to be able to perform in jail zfs mount), ZFS dataset must list in $workdir/jails-fstab/fstab.$jname.local file with specifying the keyword zfs in FStype field. For example, if you want to present the file system ZFS: zroot/jail1_webfs for jail jail1 $workdir/jails-fstab/fstab.jail1.local must have:
1 | zroot /jail1_webfs /usr/home/web zfs rw 0 0 |
Note: mount point (/usr/home/web in this example) is not important
Note: jail must have allow_zfs paramaters set to 1, what can be done via cbsd jconfig jname=$jname
In fact, it makes CBSD execute commands:
1 2 | % zfs set jailed=on $FS % zfs jail $jname $FS |
when jail started and
1 2 | % zfs set jailed=off $FS % zfs unjail $jname $FS |
when stoped.
Change settings via the jset
Another possibility is to change certain parameters of the jail — use the command cbsd jset. Full list of possible arguments can be accessed through --help:
1 | % cbsd jget --help |
For example, to change ip of jail1:
1 | % cbsd jset jname=jail1 ip4_addr= "10.0.0.20/24,192.168.0.20/24" |
cbsd jconfig jname=jail2
cbsd jset
Custom scripts for starting and stopping action on jail
You can write your own scripts to be executed within the jail and in the master host on startup and shutdown of the environment. For this, the system directory of jail ( $workdir/jails-system/$jname/ ) have the following directories:
- master_poststart.d - scripts for executing in the master host after jail starts (Be careful, because the scripts are is not jailed)
- master_poststop.d - scripts for executiong in the master host after jail stops (Be careful, because the scripts are is not jailed)
- master_prestart.d - scripts for executing in master host before jail starts (Be careful, because the scripts are is not jailed)
- master_prestop.d - scripts for execution in master host after jail stops (Be careful, because the scripts are is not jailed)
- start.d - scripts for execution within jail when jail is starts. Analog of parameter exec.start from original jail.conf
- stop.d - scripts for execution within jail when jail is starts. Analog of parameter exec.stop from original jail.conf
- remove.d - (since CBSD 11.0.10) scripts for execution on remove command
Write scripts to the master_\* directories can be useful if at the start-stop jail you need to perform some action is not associated with content of environment - for example, create a ZFS snapshot, put rules in IPFW and etc.
In scripts, you can use CBSD variables, such as $jname, $path, $data, $ip4_addr, for example, by placing a script (with execute permission) in /usr/jails/jails-system/jail1/master_poststart.d/notify.sh:
1 2 | #!/bin/sh echo "Jail $jname started with $ip4_addr IP and placed on $path path" | mail -s "$jname started" root@example.net |
You will receive notification upon startup cells by email: root@example.net
The functionality of execution custom scripts and the availability of variables in environments can play a big role in the integration of CBSD and external applications, such as Consul
As an example of use, see the article Example of using CBSD/bhyve and ISC-DHCPD (Serve IP address in bhyve through pre/post hooks)
As an example of use, see the article Example of using CBSD/jail and Consul (Register/unregister jail's via pre/post hooks, in Consul)
Starting and stoping jail
jstart, jrestart, jorder commands
1 2 3 4 5 6 7 8 | % cbsd jstart jname=jail1 jail2 % cbsd jstart jail1 jail2 ... jailX % cbsd jstop jname=jail1 jail2 % cbsd jstop jail1 jail2 ... jailX % cbsd jrestart % cbsd jorder |
Running jails occurs at startup CBSD/server automatically if parameter astart (auto-start) corresponding jail set to 1. You can change this setting through cbsd jconfig or cbsd jset. When you stop the server or service cbsdd, all running jails will be stopped automatically.
Starting the jail manually by the command:
1 | % cbsd jstart jname=jail1 |
or
1 | % cbsd jstart jail1 |
or
1 | % cbsd jstart jail1 jail2 jail3 .. |
(to launch multiple jails by one command)
When ( You can change this behavior in cbsd initenv-tui ) parallel=0 and you try to launch/stoping a few jails, start/stop will be held consecutively. It is not always good, as any error triggered inside jails in the rc-scripts, which leads to a pause, can block start/stop next jails. In the case when parallel have a non-zero value, each next jails will be launched/stopped in N seconds after the previous one, where N — parallel value. After this timeout, no matter whether the previous jail o start fully and next jail will be started.
To stoping jail jstop must be used, with the same syntax and behavior:
1 | % cbsd jstop jname=jail1 |
or
1 | % cbsd jstop jail1 |
or
1 | % cbsd jstop jail1 jail2 jail3 .. |
(to stopping multiple jails by one command)
If the argument of the jstart/jstop/jrestart command is missing, will displays the corresponding list of all running or stopped jail for interactive selection
When the jail is started, it creates a lock file, a sign that the jail working via file ${jailsysdir}/${jname}/locked which records the name of the node. This feature is used when this jail presented several nodes, these jail are in the DFS (NFS, glusterfs, etc.) and any node is able to run it. This lock ensures that the presence of the same jail at the second node, it will not be launched.
With a large number of jails (particularly databases, with services such as MySQL, redis, cassandra, etc.), it should be borne in mind that the low value parallel (for example, less than 5 seconds) can generate a very intensive storage I/O load that can increase the amount of start-up time of all jails, than if they were run sequentially or higher timeout.
Additionally, when a shutdown command is running on the server with lots of jails/services that should be taken into consideration low timeout that defaults to perform rc.shutdown sequence. In this regard, the process init(8) can interrupt the rc-scripts on this timeout, resulting in abnormal shutdown jails. In this case, the database can lead to nonconservation or damage data. To avoid this, /etc/rc.conf master system should be adjusted parameter rcshutdown_timeout to a more reasonable value (default: 90 seconds)
In the absence of rcshutdown_timeout in the system /etc/rc.conf, cbsd initenv will put this option in its sole discretion automatically.
Also, keep in mind that when using the zfs features ($workdir/nc.inventory, the parameter zfsfeat=1), and the file system ZFS, at jstop, file system of jails will be unmounted and those catalog $workdir/jails-data/jail1-data will be empty. If in such a case when jail data is requires without running it, by the command zfs list You can see the name appropriate file system and run zfs mount fs.
Writing scripts executed on starting and stopping jail
Please read details on the Jail config
Priority launch of jails
In CBSD you can specify the sequence in which the jails will be started. Please read details on the jail starting order
Priority launch environments
Commands: jorder, jorder-tui, border, border-tui
1 | % cbsd jls display=jname,b_order |
Description:
Sometimes a jail/vm will require an already running service from another machine/jail before it is launched. Examples might be a database SQL or a running LDAP.
In this case, you can edit Boot Order (b_order in jail/vm settins)
By default, all environments are created with b_order set to 10 (which is defined in the profile and can be changed)
If you need jail2 to be launched before jail1, its value for b_order must be set to a lower one than that of the second jail.
You can display the current configuration with the command jls:
1 2 3 4 5 6 7 8 | % cbsd jls display=jname,b_order JNAME B_ORDER firefly 3 jail1 10 kde4 1 kdeold 9 spicy2 2 test 2 |
This sample configuration will launch kde4 first while jail1 will come up last
You can also display the sequence using the command jorder
1 | % cbsd jorder |
In what sequence jail printer - in this sequence they will run
To edit a launch sequence use jset or the TUI-editor jorder-tui
To edit bhyve priority, use the commands border or border-tui
Jail removal:
jremove command
1 | % cbsd jremove |
Description:
Removal of jail mentions all files anyway connected with a jail:
- a) fstab for current jail
- b) data directory or ZFS filesystem with jail data
- c) statistics and description for jail
- d) snapshots
in a case when jremove executed for jail in status On, it will be automatically stopped.
Example:1 | % cbsd jremove jail1 |
Jail renaming:
jrename command
1 | % cbsd jrename |
Description:
Renames a jail and modifies all relevant according to the new name. The command can only be executed on stopped jails.
jrename has the two following mandatory parameters:
- old — old name of the jail
- new — new name of the jail
Optional parameters:
- host_hostname — FQDN, new full hostname of jail
- ip4_addr — new IP address of the jail (if multiple IPs, separated by a comma with no spaces)
Example (renaming jail jail1 into jail50 with a FQDN and ip addresses change):
1 | % cbsd jrename old=jail1 new=jail50 host_hostname=jail50.my.domain ip4_addr=192.168.0.5 /24 |
Jail upgrade
Warning
Description:Upgrade procedure jail always carries certain risks in the form of disruption of service, therefore, make it a rule to always create backups of the jail. If you are running on ZFS file system, you can use the command cbsd jsnapshot for a frozen state of the jail before the start of work. For example:
1 | % cbsd jsnapshot mode=create jname=jail1 snapname=before_update |
and the end of work, if all ok, remove snap through:
1 | % cbsd jsnapshot mode=destroy jname=jail1 snapname=before_update |
If the file system is UFS, you can create an image of the jail through:
1 | % cbsd jexport jname=jail1 |
And in the case of success, remove the image jail1.img from $workdir/export directory. An upgrade jail CBSD, we assume only update files base FreeBSD. Upgrade procedure 3rd-party software in jails similar to upgrade in the non-jail system. You can update the database as between different versions of the system (eg from version 9.2 to FreeBSD 9.3 or FreeBSD 9.3 -> FreeBSD 10.1), and update the files within the same version. It should be remembered that the jails have two modes — baserw=1, when the base part of each jail — have their own copy located in the directory $workdir/jails-data/$jail, and baserw=0, when one and the same base dir ${workdir}/basejail/base_\*_\*_ver mounted to all jails.
jupgrade command
1 2 | % cbsd jupgrade % cbsd jconfig |
2023-02 upd: important announcement. Due to the loss of the main server (non-technical problems related to paying for hosting), the CBSD-related images (ISO, cloud images, jail images ...) will be unavailable indefinitely.
2020-10 upd: we reached the first fundraising goal and rented a server in Hetzner for development! Thank you for donating !
404: Page Not Found
Sorry, but this page «/de/workflow_cbsd.html» is not found! Please, use menu and go to the right page.
Generation of bootable ISO and USB Memstick from jail
jail2iso command
1 | % cbsd jail2iso |
The jail2iso script allows tirmomg a specified jail into bootable images for CD/DVD/Memstick media or the bhyve hypervisor. Despite jail2iso not being used by CBSD itself for its operation or jails, the script can be very useful for easy and comfortable creation of customized LiveCDs, and testing their configuration in a jail environment. This functionality can be useful when:
- Creating rescue-system with desired tools
- Building your own FreeBSD distribution
- Creating images for diskless servers/stations (eg booted from PXE, MicroSD, Flash, CD/DVD, etc.) and have mounted home directories or jails/data files from NFS/FibreChannel/iSCSI/InfiniBand.
- Transfering environment from jail to a bhyve image to make use of bhyve features
Script job for iso/memstick
- Creation of file hierarchy of next image consisting of mounted base and data of a jail
- Creation of MFS/UZIP of an image which will remain in memory. It is used generally for work acceleration in the LiveCD mode, allowing for "cache" often caused utilities and libraries, for example from / to /usr.
- Mount over MFS of hierarchy of data from file system of the media through nullfs/RO
- Mount through tmpfs over RO file system for modification in LiveCD mode.
If you need a number of directories reload when loading image in RW via tmpfs, before executing jail2iso you needs to be written to a file $systemdir/jail/tmpfsdir all the path. For example rescuebsd jail is a file: /usr/jails/jails-system/rescuebsd/tmpfsdir with content:
1 2 3 4 5 6 7 8 | /root /var/run /var/cache /var/db /var/spool /var/log /usr/home /usr/local/etc |
These entries are processed /etc/rc.d/tmpfsdir, which will save to the image by jail2iso. All contents of these files, which is on the jail, will be moved to tmpfs filesystem. As RW areas are mounted through TMPFS, the quantity of memory available to record will depend on quantity of RAM of servers on which LiveCD is started.
You may prefer to write your own /boot/loader.conf to created image. To do this, save the file loader.conf in the directory $systemdir/$jname/. Everything you write in this file will be added to loader.conf, generated jail2iso, which has the following mandatory entries:
1 2 3 4 5 | kern.ipc.shmmni=4096 kern.ipc.shmseg=4096 radeonkms_load= "YES" i915kms_load= "YES" linux_load= "YES" |
You can specify what type of image jail2iso is to create, ISO image with cd9960 for CD/DVD/VMs or Memstick, an image that you can burn to a USB Flash drive.
Script job for bhyve image
Since the image will be initially bhyve mode RW, it does not require the creation of RO image with UZIP and support tmpfsdir, so at this stage there is no formation of an image. The script will automatically create a fstab-entry to mount an appropriate device in bhyve machine and updates /etc/ttys as required instructions. When creating an image bhyve, use the parameter:
1 | % cbsd jail2iso ... freesize= |
Because without this option, create disk volume equal to the volume of evidence, without reserve. This will make the system broken, so through freesize= further specify the amount of free space in the image there after copying master data.
For more information
cbsd jail2iso is not controlled and does not limit the volume of the final result — they are limited only by your destination media:
For create ISO image use:
1 | % cbsd jail2iso media=iso .. |
For create memstick image use:
1 | % cbsd jail2iso media=memstick .. |
For create bhyve image use:
1 | % cbsd jail2iso media=bhyve freesize=XXg .. |
Directory where to save the image specified as an argument dstdir.
By default, the image will be have GENERIC kernel from $workdir/basejail/ directory. You can get this kernel via
1 | % cbsd repo action=get sources=kernel |
for your version of FreeBSD, or build it yourself through cbsd buildkernel. If the GENERIC kernel is not suitable as an argument name for jail2iso you can specify a different kernel if you have it.
In addition, to reduce the size of the final image, jail2iso a series of actions:
- removal .a-archive files in lib directories
- removing unnecessary data by file list
By default, this list is located in the $workdir/share/jail2iso-prunelist. You can correct them if you needed, or create your own, specifying the path to it as an argument prunelist
Example of creating memstick from jail1:
1 | % cbsd jail2iso media=memstic jname=jail dstdir= /tmp |
If the file /tmp/jail1.img created, it can be writte to a USB device via the command:
1 | dd if = /tmp/mc .img of= /dev/da0 bs= "10240" conv= "sync" |
, where /dev/da0 — is USB Flash storage.
Example of creating and launching bhyve image from jail1 with networks via interface em0:
1 2 3 4 5 6 7 8 9 | % cbsd jail2iso media=bhyve jname=jail1 dstdir= /tmp freesize=1g % kldload vmm % kldload if_tap % sysctl -w net.link.tap.up_on_open=1 % ifconfig tap0 create % ifconfig bridge0 create % ifconfig bridge0 addm em0 addm tap0 % ifconfig bridge0 up % sh /usr/share/examples/bhyve/vmrun .sh -d /tmp/jail1-10 .0_amd64.img vm1 |
where /tmp/jail1-10.0_amd64.img — result from jail2iso.
Searching for jail in node farm
jwhereis, jailmapdb commands
1 2 | % cbsd jwhereis % cbsd jailmapdb |
Should you manage more than one FreeBSD/cbsd node farm, you can generate a map with jail locations refering to the appropriate servers. The utility jlogin is used in order to search remote jails. This map can be used for a variety of tools, such as a custom admin panel, automatically documentating the farm, as well as a variety of services. For example, a Bacula jail can automatically search the map for new jails and create configuration for their backup; or when a jail migrates from one physical node to another the target host can be reconfigured with jails for backup without the need for manual interaction by the system administrator.
A few words about jail traffic counting
command: fwcounters
Currently, the easiest way to count traffic - use functional of ipfw count on the JID of necessary environment.
Necessary conditions for the implementation of this:
- loaded module ipfw.ko;
- mounted in CBSD (for example via cbsd initenv-tui) ipfw_enable parameters to 1;
- count the presence of the rules in ipfw before any other firewall rules.
CBSD starting and stopping the jails and removes automatically sets the rules for traffic jail, using a range of these rules settingCBSD (range by default fwcount_st="99" - fwcount_end="2000" )
In other words, if you want to count traffic and still have the ability to filter traffic, create filtering rules above 2000 and not taking rules from 99 to 2000.
Collect of traffic occurs 1 time per hour or when stopping the jail and stored in SQLite3 base, located in the system directory jail: $workdir/jails-system/$jname/traffic/YYYY-MM.sqlite, where YYYY, MM - year and month.
Example. Enjoying the traffic statistics for the jail kde4. meaning of the fields outgoing and incoming - in bytes:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | root@home:/ # sqlite3 /usr/jails/jails-system/kde4/traffic/2014-09.sqlite SQLite version 3.8.6 2014-08-15 11:46:33 Enter ".help" for usage hints. sqlite> .schema traffic CREATE TABLE traffic ( dt TIMESTAMP DATE DEFAULT (datetime( 'now' , 'localtime' )) UNIQUE PRIMARY KEY, incoming integer, outgoing integer ); sqlite> select * from traffic order by dt desc limit 15; 2014-09-20 15:00:52|142704274|4958246 2014-09-20 14:00:51|163907026|25242205 2014-09-20 13:00:49|3894888|182821 2014-09-20 05:49:53|58329247|41769720 2014-09-20 05:00:23|24247445|3464945 2014-09-20 04:00:56|67749758|39433640 2014-09-20 02:28:36|11767628|438283 2014-09-20 02:00:57|115675943|10809029 2014-09-20 01:00:54|279397568|156221677 2014-09-20 00:00:51|223665101|6232876 2014-09-19 23:00:50|250122634|8619979 2014-09-19 22:00:49|221508227|6458218 2014-09-19 01:00:42|64715837|3443253 2014-09-19 00:00:38|109266525|8541659 2014-09-18 23:00:34|99594683|20380707 sqlite> |