Migrating from Qjail to ezjail


I was using qjail on my FreeBSD system, but I'm migrating to ezjail.

The reason is that the qjail port is marked RESTRICTED: it appears to be a fork of ezjail that does not respect the original copyright and license, see https://lists.freebsd.org/pipermail/freebsd-jail/2013-March/002149.html.

Backup

Move the existing jails to old_jails

Move the existing jails' ZFS filesystems aside, just in case we need to migrate back. Stop the jails before doing this (the stop step is shown below, but do it first): the move remounts the datasets, and a jail that still has processes in them will either keep the dataset busy or keep running out of the moved path.

root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails zroot/usr/jails
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails/staffs zroot/usr/jails/staffs
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails/stafmail zroot/usr/jails/stafmail
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails/stafdb zroot/usr/jails/stafdb
root@rataplan:/usr/ports/sysutils/ezjail # zfs rename zroot/usr/jails zroot/usr/old_jails

Stop the running jails

Stop the jails that are still running.

root@rataplan:/usr/local/etc # qjail stop
Jail stopped successfully. stafmail
Jail stopped successfully. staffs
Jail already stopped.      stafdb

ezjail setup

Installing ezjail

The installation of ezjail is pretty straightforward…

root@rataplan:/root # cd /usr/ports/sysutils/ezjail/
root@rataplan:/usr/ports/sysutils/ezjail # make install clean
===>  Installing for ezjail-3.2.3
===>   Generating temporary packing list
===>  Checking if sysutils/ezjail already installed
mkdir -p /usr/local/etc/ezjail/ /usr/local/man/man1/ /usr/local/man/man5/ /usr/local/man/man7 /usr/local/man/man8 /usr/local/etc/rc.d/ /usr/local/bin/ /usr/local/share/examples/ezjail /usr/local/share/zsh/site-functions
cp -p ezjail.conf.sample /usr/local/etc/
cp -R -p examples/example /usr/local/share/examples/ezjail/
cp -R -p examples/nullmailer-example /usr/local/share/examples/ezjail/
cp -R -p share/zsh/site-functions/ /usr/local/share/zsh/site-functions/
sed s:EZJAIL_PREFIX:/usr/local: ezjail.sh > /usr/local/etc/rc.d/ezjail
sed s:EZJAIL_PREFIX:/usr/local: ezjail-admin > /usr/local/bin/ezjail-admin
sed s:EZJAIL_PREFIX:/usr/local: man8/ezjail-admin.8 > /usr/local/man/man8/ezjail-admin.8
sed s:EZJAIL_PREFIX:/usr/local: man5/ezjail.conf.5 > /usr/local/man/man5/ezjail.conf.5
sed s:EZJAIL_PREFIX:/usr/local: man7/ezjail.7 > /usr/local/man/man7/ezjail.7
chmod 755 /usr/local/etc/rc.d/ezjail /usr/local/bin/ezjail-admin
chown -R root:wheel /usr/local/man/man8/ezjail-admin.8 /usr/local/man/man5/ezjail.conf.5 /usr/local/man/man7/ezjail.7 /usr/local/share/examples/ezjail/
chmod 0440 /usr/local/share/examples/ezjail/example/usr/local/etc/sudoers
[ -f /usr/local/etc/ezjail.conf ] ||  /bin/cp -p /usr/local/etc/ezjail.conf.sample  /usr/local/etc/ezjail.conf
===>   Compressing manual pages for ezjail-3.2.3
===>   Registering installation for ezjail-3.2.3
===>  Cleaning for ezjail-3.2.3
root@rataplan:/usr/ports/sysutils/ezjail # 

Create /usr/jails

root@rataplan:/root # zfs create zroot/usr/jails
root@rataplan:/root # 

Copy the sample config

The port already did this when no ezjail.conf existed (see the [ -f /usr/local/etc/ezjail.conf ] || cp line in the install output above), so on a host that already has an ezjail.conf skip this step, as it would overwrite it.

root@rataplan:/root # cd /usr/local/etc/
root@rataplan:/usr/local/etc # cp ezjail.conf.sample ezjail.conf

Update ezjail.conf to use ZFS

With these settings ezjail creates a ZFS filesystem for each new jail automatically, under the dataset named in ezjail_jailzfs. Cool ;-)

# Setting this to YES will start to manage the basejail and newjail in ZFS
ezjail_use_zfs="YES"
# Setting this to YES will manage ALL new jails in their own zfs
ezjail_use_zfs_for_jails="YES"
# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
ezjail_jailzfs="zroot/usr/jails"

Installing the base jail without a make world

Most ezjail howtos that I found assume you have already run a "make world" (buildworld). I want to set up the base jail without one, because that takes too much time on my system. Luckily you can install the basejail without a "make world": ezjail-admin install fetches the release distribution sets (base.txz and, on amd64, lib32.txz) from ftp.freebsd.org instead. Note that this download happens over plain FTP and nothing in the output below checks the integrity of the sets; if that matters to you, compare their SHA256 sums against the MANIFEST file published in the release directory before building on the basejail.

root@rataplan:/usr/local/etc # ezjail-admin install
Trying 193.162.146.4:21 ...
Connected to ftp.freebsd.org.
220 beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
local: base.txz remote: base.txz
229 Entering Extended Passive Mode (|||65080|)
150 Opening BINARY mode data connection for 'base.txz' (59854248 bytes).
100% |***********************************************************************************************************************************| 58451 KiB  451.20 KiB/s    00:00 ETA
226 Transfer complete.
59854248 bytes received in 02:09 (451.20 KiB/s)
221 Goodbye.
Trying 193.162.146.4:21 ...
Connected to ftp.freebsd.org.
220 beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
local: lib32.txz remote: lib32.txz
229 Entering Extended Passive Mode (|||55936|)
150 Opening BINARY mode data connection for 'lib32.txz' (9743636 bytes).
 37% |************************************************                                                                                   |  3576 KiB  447.04 KiB/s    00:13 ETA

<snip>

/usr/jails/basejail/usr/lib32/libbsnmp.so.6
/usr/jails/basejail/usr/lib32/libcam.a
/usr/jails/basejail/usr/lib32/libsupc++.a
/usr/jails/basejail/usr/lib32/libarchive.a
/usr/jails/basejail/usr/lib32/libpcap.so.8
/usr/jails/basejail/usr/lib32/libbsdxml.so.4
108748 blocks
Note: a non-standard /etc/make.conf was copied to the template jail in order to get the ports collection running inside jails.
root@rataplan:/usr/local/etc # 
root@rataplan:/usr/local/etc # cd /usr/jails/
root@rataplan:/usr/jails # ls
basejail	flavours	newjail
root@rataplan:/usr/jails # 
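As an added example (my code, not the post's or ezjail's), here is a small sh script that checks fetched distribution sets against the SHA256 sums in a MANIFEST file. It assumes the tab-separated MANIFEST layout FreeBSD publishes next to the release sets (set file name, SHA256, file count, name, description, default), builds its own constructed stand-in sets and MANIFEST in a temporary directory so it runs anywhere, and uses sha256sum(1) or, on FreeBSD, sha256(1).

```shell
#!/bin/sh
# Added example, not part of the original post or of ezjail: verify the
# distribution sets that ezjail-admin install fetched over plain FTP
# against a MANIFEST before treating them as the basejail.
# Assumes the tab-separated MANIFEST layout used in FreeBSD release
# directories: <set file> <sha256> <file count> <name> <description> <default>.
# Uses sha256sum(1) where present (coreutils), else sha256(1) (FreeBSD).

# Hex SHA256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Expected digest for one set name from the MANIFEST; status 1 if unlisted.
manifest_digest() {
    awk -F '\t' -v set="$2" '
        $1 == set { print $2; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Verify one set in a directory against the MANIFEST.
# Status 0: digest matches, 1: set not listed, 2: digest differs or the
# file is missing (truncated or tampered download).
verify_set() {
    _dir=$1 _manifest=$2 _set=$3
    _expected=$(manifest_digest "$_manifest" "$_set") || return 1
    [ -f "$_dir/$_set" ] || return 2
    _actual=$(sha256_of "$_dir/$_set")
    [ "$_actual" = "$_expected" ] && return 0
    return 2
}

# Verify every named set, reporting each one and failing closed on the
# first problem so a bad set never reaches the basejail.
verify_sets() {
    _dir=$1 _manifest=$2
    shift 2
    for _s in "$@"; do
        verify_set "$_dir" "$_manifest" "$_s" && _rc=0 || _rc=$?
        case $_rc in
            0) echo "OK       $_s" ;;
            1) echo "MISSING  $_s: not listed in MANIFEST"; return 1 ;;
            *) echo "MISMATCH $_s: digest differs from MANIFEST"; return 2 ;;
        esac
    done
    return 0
}

# Constructed demo data (not real release sets): two stand-in sets and a
# MANIFEST built from their digests, then one set is corrupted.
demo=$(mktemp -d)
printf 'stand-in for base.txz\n'  > "$demo/base.txz"
printf 'stand-in for lib32.txz\n' > "$demo/lib32.txz"
for s in base lib32; do
    printf '%s.txz\t%s\t1\t%s\t"%s set"\ton\n' \
        "$s" "$(sha256_of "$demo/$s.txz")" "$s" "$s" >> "$demo/MANIFEST"
done
verify_sets "$demo" "$demo/MANIFEST" base.txz lib32.txz || true
printf 'X' >> "$demo/lib32.txz"            # simulate a corrupted download
verify_sets "$demo" "$demo/MANIFEST" base.txz lib32.txz || true
```

On a real host, run verify_sets on the downloaded sets before they are extracted into a basejail. A MANIFEST fetched over the same unauthenticated FTP channel only catches truncation or a broken mirror, not deliberate substitution, so obtain it through a channel you trust.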

Add the jails' IP addresses to the host

This is different from qjail: with ezjail you have to configure each jail's IP address on the host yourself, ezjail does not add it for you.

Open /etc/rc.conf and create an interface alias for each jail. Aliases on the same subnet as the primary address get a /32 netmask, the FreeBSD convention for alias addresses.

ifconfig_re0="inet 192.168.1.40/24"
ifconfig_re0_alias0="inet 192.168.1.41/32"
ifconfig_re0_alias1="inet 192.168.1.42/32"
ifconfig_re0_alias2="inet 192.168.1.43/32"
ifconfig_re0_alias3="inet 192.168.1.44/32"

And bring them up by restarting netif. That bounces the interface, so on a host you administer remotely add the aliases live instead, e.g. ifconfig re0 inet 192.168.1.41/32 alias, and keep the rc.conf entries so they survive a reboot. The "no carrier" at the end of the output below is the link renegotiating after the restart.

root@rataplan:/etc/rc.d # ./netif restart
Stopping Network: lo0 re0.
lo0: flags=8048<LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 30:85:a9:40:58:ba
	inet6 fe80::3285:a9ff:fe40:58ba%re0 prefixlen 64 scopeid 0x6 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
Starting Network: lo0 re0.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 30:85:a9:40:58:ba
	inet6 fe80::3285:a9ff:fe40:58ba%re0 prefixlen 64 scopeid 0x6 
	inet 192.168.1.40 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.41 netmask 0xffffffff broadcast 192.168.1.41
	inet 192.168.1.42 netmask 0xffffffff broadcast 192.168.1.42
	inet 192.168.1.43 netmask 0xffffffff broadcast 192.168.1.43
	inet 192.168.1.44 netmask 0xffffffff broadcast 192.168.1.44
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (none)
	status: no carrier
root@rataplan:/etc/rc.d # 

Creating the first jail

root@rataplan:/etc/rc.d # ezjail-admin create stafpuppet 192.168.1.44
Warning: Some services already seem to be listening on IP 192.168.1.44
  This may cause some confusion, here they are:
root     ntpd       29764 31 udp4   192.168.1.44:123      *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.1.44)
  This may cause some confusion, here they are:
root     ntpd       29764 20 udp4   *:123                 *:*
root     ntpd       29764 21 udp6   *:123                 *:*
root     rpc.statd  1161  4  udp6   *:1021                *:*
root     rpc.statd  1161  5  tcp6   *:1021                *:*
root     rpc.statd  1161  6  udp4   *:1021                *:*
root     rpc.statd  1161  7  tcp4   *:1021                *:*
root     nfsd       1157  5  tcp4   *:2049                *:*
root     nfsd       1157  6  tcp6   *:2049                *:*
root     mountd     1151  6  udp6   *:942                 *:*
root     mountd     1151  7  tcp6   *:942                 *:*
root     mountd     1151  8  udp4   *:942                 *:*
root     mountd     1151  9  tcp4   *:942                 *:*
root     rpcbind    1120  6  udp6   *:111                 *:*
root     rpcbind    1120  7  udp6   *:960                 *:*
root     rpcbind    1120  8  tcp6   *:111                 *:*
root     rpcbind    1120  9  udp4   *:111                 *:*
root     rpcbind    1120  10 udp4   *:777                 *:*
root     rpcbind    1120  11 tcp4   *:111                 *:*
root     syslogd    1099  6  udp6   *:514                 *:*
root     syslogd    1099  7  udp4   *:514                 *:*
root@rataplan:/etc/rc.d # 

The warnings are worth a look before moving on. Jails share the host's network stack, so every host daemon bound to the wildcard address (rpcbind, nfsd, mountd, rpc.statd, syslogd and ntpd above) is also reachable on 192.168.1.44 and on every other jail address, and ntpd has already bound the new alias itself because it listens on each address it finds. That widens the host's exposure to whatever runs in the jails and conflicts with any jail service that needs one of those ports. Bind the host daemons to the host address only (for example syslogd_flags="-b 192.168.1.40" and rpcbind_flags="-h 192.168.1.40" in /etc/rc.conf) or stop the ones the host does not need.

Starting the jail

root@rataplan:/etc/rc.d # /usr/local/etc/rc.d/ezjail 
Usage: /usr/local/etc/rc.d/ezjail [fast|force|one|quiet](start|stop|restart|rcvar|startcrypto|stopcrypto)
root@rataplan:/etc/rc.d # /usr/local/etc/rc.d/ezjail start
 ezjailConfiguring jails:.
Starting jails: stafpuppet.

Listing the jail

root@rataplan:/etc/rc.d # jls
   JID  IP Address      Hostname                      Path
     3  192.168.1.44    stafpuppet                    /usr/jails/stafpuppet
root@rataplan:/etc/rc.d # ping 192.168.1.44
PING 192.168.1.44 (192.168.1.44): 56 data bytes
64 bytes from 192.168.1.44: icmp_seq=0 ttl=64 time=0.053 ms
^C
--- 192.168.1.44 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.053/0.053/0.053/0.000 ms
root@rataplan:/etc/rc.d # 

Console access

root@rataplan:/etc/rc.d # jexec 3 csh
root@stafpuppet:/ # 

jexec also accepts the jail name instead of the JID, which is handier since JIDs change on every restart, and ezjail-admin console stafpuppet does the same.

Install the FreeBSD ports tree into the base jail

ezjail-admin update -P runs portsnap into /usr/jails/basejail/usr/ports. The tree is shared read-only with every jail through the basejail mount, which is why it shows up under /usr/ports inside stafpuppet below.

[root@rataplan ~]# ezjail-admin update -P   
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
Updating from Wed Apr 10 14:55:36 CEST 2013 to Thu Apr 11 14:00:20 CEST 2013.
Fetching 3 metadata patches.. done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 17 patches.....10... done.
Applying patches... done.
Fetching 0 new ports or files... done.
/usr/jails/basejail/usr/ports/CHANGES
/usr/jails/basejail/usr/ports/COPYRIGHT
/usr/jails/basejail/usr/ports/GIDs
/usr/jails/basejail/usr/ports/KNOBS
/usr/jails/basejail/usr/ports/Keywords/info.yaml
/usr/jails/basejail/usr/ports/LEGAL
/usr/jails/basejail/usr/ports/MOVED
/usr/jails/basejail/usr/ports/Makefile
/usr/jails/basejail/usr/ports/Mk/Uses/
/usr/jails/basejail/usr/ports/Mk/bsd.apache.mk
/usr/jails/basejail/usr/ports/Mk/bsd.autotools.mk

<snip>

/usr/jails/basejail/usr/ports/x11/xzoom/
/usr/jails/basejail/usr/ports/x11/yad/
/usr/jails/basejail/usr/ports/x11/yakuake-kde4/
/usr/jails/basejail/usr/ports/x11/yakuake/
/usr/jails/basejail/usr/ports/x11/yalias/
/usr/jails/basejail/usr/ports/x11/yeahconsole/
/usr/jails/basejail/usr/ports/x11/yelp/
/usr/jails/basejail/usr/ports/x11/zenity/
Building new INDEX files... done.
[root@rataplan ~]# 

Verify

[root@rataplan ~]# jls 
   JID  IP Address      Hostname                      Path
     3  192.168.1.44    stafpuppet                    /usr/jails/stafpuppet
[root@rataplan ~]# jexec 3 csh
root@stafpuppet:/ # cd /usr/ports/
root@stafpuppet:/usr/ports # ls
.portsnap.INDEX	KNOBS		Templates	astro		converters	finance		hungarian	math		news		science		www		x11-themes
CHANGES		Keywords	Tools		audio		databases	french		irc		misc		palm		security	x11		x11-toolkits
COPYRIGHT	LEGAL		UIDs		benchmarks	deskutils	ftp		japanese	multimedia	polish		shells		x11-clocks	x11-wm
GIDs		MOVED		UPDATING	biology		devel		games		java		net		ports-mgmt	sysutils	x11-drivers
INDEX-7		Makefile	accessibility	cad		dns		german		korean		net-im		portuguese	textproc	x11-fm
INDEX-8		Mk		arabic		chinese		editors		graphics	lang		net-mgmt	print		ukrainian	x11-fonts
INDEX-9		README		archivers	comms		emulators	hebrew		mail		net-p2p		russian		vietnamese	x11-servers
root@stafpuppet:/usr/ports # 

Update the base jail

This runs freebsd-update(8) against the basejail, so the shared base is patched for all jails at once. Unlike the plain FTP fetch in ezjail-admin install, freebsd-update verifies the signature on the metadata it downloads.

[root@rataplan /usr]# ezjail-admin update -u
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 9.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... 

Update /etc/rc.conf so the jails are started at boot

#
# ezjails
#

ezjail_enable="YES"

Migrate the jails to ezjail

Recreate the jail

First let ezjail-admin create the jail as usual. What we need from this step is the ezjail configuration it writes (/usr/local/etc/ezjail/staffs and /etc/fstab.staffs); the fresh dataset it creates is replaced by a clone of the old jail in the next step. The IP must match the alias added to /etc/rc.conf earlier, and the jail is not started yet.

[root@rataplan /etc]# ezjail-admin create staffs 192.168.1.41
Warning: Some services already seem to be listening on IP 192.168.1.41
  This may cause some confusion, here they are:
root     ntpd       29764 24 udp4   192.168.1.41:123      *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.1.41)
  This may cause some confusion, here they are:
root     ntpd       29764 20 udp4   *:123                 *:*
root     ntpd       29764 21 udp6   *:123                 *:*
root     rpc.statd  1161  4  udp6   *:1021                *:*
root     rpc.statd  1161  5  tcp6   *:1021                *:*
root     rpc.statd  1161  6  udp4   *:1021                *:*
root     rpc.statd  1161  7  tcp4   *:1021                *:*
root     nfsd       1157  5  tcp4   *:2049                *:*
root     nfsd       1157  6  tcp6   *:2049                *:*
root     mountd     1151  6  udp6   *:942                 *:*
root     mountd     1151  7  tcp6   *:942                 *:*
root     mountd     1151  8  udp4   *:942                 *:*
root     mountd     1151  9  tcp4   *:942                 *:*
root     rpcbind    1120  6  udp6   *:111                 *:*
root     rpcbind    1120  7  udp6   *:960                 *:*
root     rpcbind    1120  8  tcp6   *:111                 *:*
root     rpcbind    1120  9  udp4   *:111                 *:*
root     rpcbind    1120  10 udp4   *:777                 *:*
root     rpcbind    1120  11 tcp4   *:111                 *:*
root     syslogd    1099  6  udp6   *:514                 *:*
root     syslogd    1099  7  udp4   *:514                 *:*
[root@rataplan /etc]# 

Clone the ZFS filesystem

Replace the dataset ezjail just created with a clone of the old jail's data. The snapshot is taken on the old dataset, so the old jail stays untouched for a rollback.

[root@rataplan /etc]# zfs destroy zroot/usr/jails/staffs
[root@rataplan /etc]# zfs snapshot zroot/usr/old_jails/staffs@org
[root@rataplan /etc]# zfs clone zroot/usr/old_jails/staffs@org zroot/usr/jails/staffs

Two things to check before starting it: a clone keeps its origin snapshot alive, so zroot/usr/old_jails/staffs@org (and with it the old_jails dataset) cannot be destroyed later unless the clone is promoted first (zfs promote zroot/usr/jails/staffs); and ezjail nullfs-mounts the basejail according to /etc/fstab.staffs, so the cloned tree must contain the /usr/jails/staffs/basejail mount point that ezjail expects.

Start the jail

[root@rataplan /etc]# /usr/local/etc/rc.d/ezjail start staffs
Configuring jails:.
Starting jails: staffs.
[root@rataplan /etc]# 
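An added example, my code rather than the post's or ezjail's, that wraps the recreate, destroy, snapshot, clone and start sequence above in one sh function with the checks a practitioner wants before running it against more jails. It assumes the dataset names used in this post (zroot/usr/old_jails/<name> for the moved qjail data, zroot/usr/jails/<name> for ezjail's), that ezjail writes /usr/local/etc/ezjail/<name> and /etc/fstab.<name>, and it adds a zfs promote step that is not in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of ezjail: migrate one
# qjail jail into ezjail with the steps shown above plus the checks the
# post skips. Assumes the old datasets were renamed to zroot/usr/old_jails
# as done earlier in the post and that ezjail manages zroot/usr/jails;
# the jail name and IP come from the caller. DRY_RUN=1 prints the
# commands instead of running them.

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# True if a jail of this name is currently running (jls lists it).
jail_running() {
    jls name 2>/dev/null | grep -qx "$1"
}

migrate_jail() {
    if [ $# -ne 2 ]; then
        echo "usage: migrate_jail <jailname> <ip>" >&2
        return 1
    fi
    _name=$1 _ip=$2
    _old="zroot/usr/old_jails/$_name"
    _new="zroot/usr/jails/$_name"
    _snap="$_old@org"

    # Pre-flight checks (skipped in DRY_RUN, which has no zfs/jls to ask).
    if [ -z "$DRY_RUN" ]; then
        if ! zfs list -H "$_old" >/dev/null 2>&1; then
            echo "$_name: old dataset $_old does not exist" >&2
            return 1
        fi
        if jail_running "$_name"; then
            echo "$_name: still running, stop it first" >&2
            return 1
        fi
    fi

    # 1. ezjail writes /usr/local/etc/ezjail/<name> and /etc/fstab.<name>
    #    here; it also creates a fresh dataset that step 2 replaces.
    run ezjail-admin create "$_name" "$_ip" || return 1
    # 2. Swap the fresh dataset for a clone of the old jail's data. The
    #    snapshot is taken on the old dataset, which stays intact.
    run zfs destroy "$_new" || return 1
    run zfs snapshot "$_snap" || return 1
    run zfs clone "$_snap" "$_new" || return 1
    # 3. A clone pins its origin snapshot; promoting it lets old_jails be
    #    destroyed later without taking the migrated jail down with it.
    run zfs promote "$_new" || return 1
    # 4. ezjail nullfs-mounts the basejail at this path per /etc/fstab.<name>;
    #    the cloned tree must provide the mount point.
    [ -d "/usr/jails/$_name/basejail" ] || run mkdir -p "/usr/jails/$_name/basejail"
    # 5. Start it.
    run /usr/local/etc/rc.d/ezjail start "$_name"
}

# Demo run for the jail migrated above: DRY_RUN is set here so the script
# only prints what it would do; unset it to perform the migration.
DRY_RUN=1
migrate_jail staffs 192.168.1.41
```

Run it once per jail with that jail's own address. After zfs promote the snapshot belongs to the migrated jail and the old dataset becomes the clone; the old data under old_jails is unchanged and still usable for a rollback, but it no longer holds the new jail hostage.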
