stafwag Blog

staf wagemakers blog

Migrating From Qjail to Ezjail

I was using qjail on my freebsd system but I’m migrating to ezjail.

The reason for this is that the port is marked as RESTRICTED. Since it seems to be a fork from ezjail without respecting the copyright and license https://lists.freebsd.org/pipermail/freebsd-jail/2013-March/002149.html.

Backup

Move the existing jails to old_jails

Move the existing jails zfs filesystem aside just in case we need to migrate back

1
2
3
4
5
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails zroot/usr/jails
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails/staffs zroot/usr/jails/staffs
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails/stafmail zroot/usr/jails/stafmail
root@rataplan:/usr/ports/sysutils/ezjail # zfs set mountpoint=/usr/old_jails/stafdb zroot/usr/jails/stafdb
root@rataplan:/usr/ports/sysutils/ezjail # zfs rename zroot/usr/jails zroot/usr/old_jails

Stop the running jails

Stop the jails that are still running.

1
2
3
4
root@rataplan:/usr/local/etc # qjail stop
Jail stopped successfully. stafmail
Jail stopped successfully. staffs
Jail already stopped.      stafdb

ezjail setup

Installing ezjail

The installation of ezjail is pretty straightforward…

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
root@rataplan:/root # cd /usr/ports/sysutils/ezjail/
root@rataplan:/usr/ports/sysutils/ezjail # make install clean
===>  Installing for ezjail-3.2.3
===>   Generating temporary packing list
===>  Checking if sysutils/ezjail already installed
mkdir -p /usr/local/etc/ezjail/ /usr/local/man/man1/ /usr/local/man/man5/ /usr/local/man/man7 /usr/local/man/man8 /usr/local/etc/rc.d/ /usr/local/bin/ /usr/local/share/examples/ezjail /usr/local/share/zsh/site-functions
cp -p ezjail.conf.sample /usr/local/etc/
cp -R -p examples/example /usr/local/share/examples/ezjail/
cp -R -p examples/nullmailer-example /usr/local/share/examples/ezjail/
cp -R -p share/zsh/site-functions/ /usr/local/share/zsh/site-functions/
sed s:EZJAIL_PREFIX:/usr/local: ezjail.sh > /usr/local/etc/rc.d/ezjail
sed s:EZJAIL_PREFIX:/usr/local: ezjail-admin > /usr/local/bin/ezjail-admin
sed s:EZJAIL_PREFIX:/usr/local: man8/ezjail-admin.8 > /usr/local/man/man8/ezjail-admin.8
sed s:EZJAIL_PREFIX:/usr/local: man5/ezjail.conf.5 > /usr/local/man/man5/ezjail.conf.5
sed s:EZJAIL_PREFIX:/usr/local: man7/ezjail.7 > /usr/local/man/man7/ezjail.7
chmod 755 /usr/local/etc/rc.d/ezjail /usr/local/bin/ezjail-admin
chown -R root:wheel /usr/local/man/man8/ezjail-admin.8 /usr/local/man/man5/ezjail.conf.5 /usr/local/man/man7/ezjail.7 /usr/local/share/examples/ezjail/
chmod 0440 /usr/local/share/examples/ezjail/example/usr/local/etc/sudoers
[ -f /usr/local/etc/ezjail.conf ] ||  /bin/cp -p /usr/local/etc/ezjail.conf.sample  /usr/local/etc/ezjail.conf
===>   Compressing manual pages for ezjail-3.2.3
===>   Registering installation for ezjail-3.2.3
===>  Cleaning for ezjail-3.2.3
root@rataplan:/usr/ports/sysutils/ezjail # 

Create /usr/jails

1
2
root@rataplan:/root # zfs create zroot/usr/jails
root@rataplan:/root # 

Copy the sample config

1
2
root@rataplan:/root # cd /usr/local/etc/
root@rataplan:/usr/local/etc # cp ezjail.conf.sample ezjail.conf

Update ezjail.conf to use zfs

This will create a zfs filesystem for each jail automatically. Cool ;-)

1
2
3
4
5
6
# Setting this to YES will start to manage the basejail and newjail in ZFS
ezjail_use_zfs="YES"
# Setting this to YES will manage ALL new jails in their own zfs
ezjail_use_zfs_for_jails="YES"
# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
ezjail_jailzfs="zroot/usr/jails"

Installing the base jail without a make world

Most ezjail howto’s that I found assume that you already ran a “make world”. I want to setup the base jail without a “make world” because this takes too much time on my system. Lucky you can install the basejail without a “make world”.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
root@rataplan:/usr/local/etc # ezjail-admin install
Trying 193.162.146.4:21 ...
Connected to ftp.freebsd.org.
220 beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
local: base.txz remote: base.txz
229 Entering Extended Passive Mode (|||65080|)
150 Opening BINARY mode data connection for 'base.txz' (59854248 bytes).
100% |***********************************************************************************************************************************| 58451 KiB  451.20 KiB/s    00:00 ETA
226 Transfer complete.
59854248 bytes received in 02:09 (451.20 KiB/s)
221 Goodbye.
Trying 193.162.146.4:21 ...
Connected to ftp.freebsd.org.
220 beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
local: lib32.txz remote: lib32.txz
229 Entering Extended Passive Mode (|||55936|)
150 Opening BINARY mode data connection for 'lib32.txz' (9743636 bytes).
 37% |************************************************                                                                                   |  3576 KiB  447.04 KiB/s    00:13 ETA

<snip>

1
2
3
4
5
6
7
8
9
/usr/jails/basejail/usr/lib32/libbsnmp.so.6
/usr/jails/basejail/usr/lib32/libcam.a
/usr/jails/basejail/usr/lib32/libsupc++.a
/usr/jails/basejail/usr/lib32/libarchive.a
/usr/jails/basejail/usr/lib32/libpcap.so.8
/usr/jails/basejail/usr/lib32/libbsdxml.so.4
108748 blocks
Note: a non-standard /etc/make.conf was copied to the template jail in order to get the ports collection running inside jails.
root@rataplan:/usr/local/etc # 
1
2
3
4
root@rataplan:/usr/local/etc # cd /usr/jails/
root@rataplan:/usr/jails # ls
basejail  flavours    newjail
root@rataplan:/usr/jails # 

Add the jails ip addresses to the system.

This is different from qjail, by ezjail it’s required to setup the ip addresses for each jail.

Open /etc/rc.conf and create interface aliases for each jail.

1
2
3
4
5
ifconfig_re0="inet 192.168.1.40/24"
ifconfig_re0_alias0="inet 192.168.1.41/32"
ifconfig_re0_alias1="inet 192.168.1.42/32"
ifconfig_re0_alias2="inet 192.168.1.43/32"
ifconfig_re0_alias3="inet 192.168.1.44/32"

And create them by running netif restart

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
root@rataplan:/etc/rc.d # ./netif restart
Stopping Network: lo0 re0.
lo0: flags=8048<LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
  ether 30:85:a9:40:58:ba
  inet6 fe80::3285:a9ff:fe40:58ba%re0 prefixlen 64 scopeid 0x6 
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
Starting Network: lo0 re0.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128 
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9 
  inet 127.0.0.1 netmask 0xff000000 
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
  ether 30:85:a9:40:58:ba
  inet6 fe80::3285:a9ff:fe40:58ba%re0 prefixlen 64 scopeid 0x6 
  inet 192.168.1.40 netmask 0xffffff00 broadcast 192.168.1.255
  inet 192.168.1.41 netmask 0xffffffff broadcast 192.168.1.41
  inet 192.168.1.42 netmask 0xffffffff broadcast 192.168.1.42
  inet 192.168.1.43 netmask 0xffffffff broadcast 192.168.1.43
  inet 192.168.1.44 netmask 0xffffffff broadcast 192.168.1.44
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (none)
  status: no carrier
root@rataplan:/etc/rc.d # 

Creating the first jail

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
root@rataplan:/etc/rc.d # ezjail-admin create stafpuppet 192.168.1.44
Warning: Some services already seem to be listening on IP 192.168.1.44
  This may cause some confusion, here they are:
root     ntpd       29764 31 udp4   192.168.1.44:123      *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.1.44)
  This may cause some confusion, here they are:
root     ntpd       29764 20 udp4   *:123                 *:*
root     ntpd       29764 21 udp6   *:123                 *:*
root     rpc.statd  1161  4  udp6   *:1021                *:*
root     rpc.statd  1161  5  tcp6   *:1021                *:*
root     rpc.statd  1161  6  udp4   *:1021                *:*
root     rpc.statd  1161  7  tcp4   *:1021                *:*
root     nfsd       1157  5  tcp4   *:2049                *:*
root     nfsd       1157  6  tcp6   *:2049                *:*
root     mountd     1151  6  udp6   *:942                 *:*
root     mountd     1151  7  tcp6   *:942                 *:*
root     mountd     1151  8  udp4   *:942                 *:*
root     mountd     1151  9  tcp4   *:942                 *:*
root     rpcbind    1120  6  udp6   *:111                 *:*
root     rpcbind    1120  7  udp6   *:960                 *:*
root     rpcbind    1120  8  tcp6   *:111                 *:*
root     rpcbind    1120  9  udp4   *:111                 *:*
root     rpcbind    1120  10 udp4   *:777                 *:*
root     rpcbind    1120  11 tcp4   *:111                 *:*
root     syslogd    1099  6  udp6   *:514                 *:*
root     syslogd    1099  7  udp4   *:514                 *:*
root@rataplan:/etc/rc.d # 

Starting the jail

1
2
3
4
5
root@rataplan:/etc/rc.d # /usr/local/etc/rc.d/ezjail 
Usage: /usr/local/etc/rc.d/ezjail [fast|force|one|quiet](start|stop|restart|rcvar|startcrypto|stopcrypto)
root@rataplan:/etc/rc.d # /usr/local/etc/rc.d/ezjail start
 ezjailConfiguring jails:.
Starting jails: stafpuppet.

Listing the jail

1
2
3
4
5
6
7
8
9
10
11
root@rataplan:/etc/rc.d # jls
   JID  IP Address      Hostname                      Path
     3  192.168.1.44    stafpuppet                    /usr/jails/stafpuppet
root@rataplan:/etc/rc.d # ping 192.168.1.44
PING 192.168.1.44 (192.168.1.44): 56 data bytes
64 bytes from 192.168.1.44: icmp_seq=0 ttl=64 time=0.053 ms
^C
--- 192.168.1.44 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.053/0.053/0.053/0.000 ms
root@rataplan:/etc/rc.d # 

Console access

1
2
root@rataplan:/etc/rc.d # jexec 3 csh
root@stafpuppet:/ # 

Install the freebsd ports into the base jail

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[root@rataplan ~]# ezjail-admin update -P   
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
Updating from Wed Apr 10 14:55:36 CEST 2013 to Thu Apr 11 14:00:20 CEST 2013.
Fetching 3 metadata patches.. done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 17 patches.....10... done.
Applying patches... done.
Fetching 0 new ports or files... done.
/usr/jails/basejail/usr/ports/CHANGES
/usr/jails/basejail/usr/ports/COPYRIGHT
/usr/jails/basejail/usr/ports/GIDs
/usr/jails/basejail/usr/ports/KNOBS
/usr/jails/basejail/usr/ports/Keywords/info.yaml
/usr/jails/basejail/usr/ports/LEGAL
/usr/jails/basejail/usr/ports/MOVED
/usr/jails/basejail/usr/ports/Makefile
/usr/jails/basejail/usr/ports/Mk/Uses/
/usr/jails/basejail/usr/ports/Mk/bsd.apache.mk
/usr/jails/basejail/usr/ports/Mk/bsd.autotools.mk

<snip>

1
2
3
4
5
6
7
8
9
10
/usr/jails/basejail/usr/ports/x11/xzoom/
/usr/jails/basejail/usr/ports/x11/yad/
/usr/jails/basejail/usr/ports/x11/yakuake-kde4/
/usr/jails/basejail/usr/ports/x11/yakuake/
/usr/jails/basejail/usr/ports/x11/yalias/
/usr/jails/basejail/usr/ports/x11/yeahconsole/
/usr/jails/basejail/usr/ports/x11/yelp/
/usr/jails/basejail/usr/ports/x11/zenity/
Building new INDEX files... done.
[root@rataplan ~]# 

Verify

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@rataplan ~]# jls 
   JID  IP Address      Hostname                      Path
     3  192.168.1.44    stafpuppet                    /usr/jails/stafpuppet
[root@rataplan ~]# jexec 3 csh
root@stafpuppet:/ # cd /usr/ports/
root@stafpuppet:/usr/ports # ls
.portsnap.INDEX   KNOBS       Templates   astro       converters  finance     hungarian   math        news        science     www     x11-themes
CHANGES       Keywords    Tools       audio       databases   french      irc     misc        palm        security    x11     x11-toolkits
COPYRIGHT LEGAL       UIDs        benchmarks  deskutils   ftp     japanese    multimedia  polish      shells      x11-clocks  x11-wm
GIDs      MOVED       UPDATING    biology     devel       games       java        net     ports-mgmt  sysutils    x11-drivers
INDEX-7       Makefile    accessibility   cad     dns     german      korean      net-im      portuguese  textproc    x11-fm
INDEX-8       Mk      arabic      chinese     editors     graphics    lang        net-mgmt    print       ukrainian   x11-fonts
INDEX-9       README      archivers   comms       emulators   hebrew      mail        net-p2p     russian     vietnamese  x11-servers
root@stafpuppet:/usr/ports # 

Update the base jail

1
2
3
4
5
[root@rataplan /usr]# ezjail-admin update -u
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 9.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... 

update /etc/rc.conf

1
2
3
4
5
#
# ezjails
#

ezjail_enable="YES"

Migrate the jails to ezjail

Recreate the jail

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[root@rataplan /etc]# ezjail-admin create staffs 192.168.1.41
Warning: Some services already seem to be listening on IP 192.168.1.41
  This may cause some confusion, here they are:
root     ntpd       29764 24 udp4   192.168.1.41:123      *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.1.41)
  This may cause some confusion, here they are:
root     ntpd       29764 20 udp4   *:123                 *:*
root     ntpd       29764 21 udp6   *:123                 *:*
root     rpc.statd  1161  4  udp6   *:1021                *:*
root     rpc.statd  1161  5  tcp6   *:1021                *:*
root     rpc.statd  1161  6  udp4   *:1021                *:*
root     rpc.statd  1161  7  tcp4   *:1021                *:*
root     nfsd       1157  5  tcp4   *:2049                *:*
root     nfsd       1157  6  tcp6   *:2049                *:*
root     mountd     1151  6  udp6   *:942                 *:*
root     mountd     1151  7  tcp6   *:942                 *:*
root     mountd     1151  8  udp4   *:942                 *:*
root     mountd     1151  9  tcp4   *:942                 *:*
root     rpcbind    1120  6  udp6   *:111                 *:*
root     rpcbind    1120  7  udp6   *:960                 *:*
root     rpcbind    1120  8  tcp6   *:111                 *:*
root     rpcbind    1120  9  udp4   *:111                 *:*
root     rpcbind    1120  10 udp4   *:777                 *:*
root     rpcbind    1120  11 tcp4   *:111                 *:*
root     syslogd    1099  6  udp6   *:514                 *:*
root     syslogd    1099  7  udp4   *:514                 *:*
[root@rataplan /etc]# 

Clone the zfs filesystem

1
2
3
[root@rataplan /etc]# zfs destroy zroot/usr/jails/staffs
[root@rataplan /etc]# zfs snapshot zroot/usr/old_jails/staffs@org
[root@rataplan /etc]# zfs clone zroot/usr/old_jails/staffs@org zroot/usr/jails/staffs

Start the jail

1
2
3
4
[root@rataplan /etc]# /usr/local/etc/rc.d/ezjail start staffs
Configuring jails:.
Starting jails: staffs.
[root@rataplan /etc]# 

Comments