Tag Archives: FreeBSD

VNET Jail HowTo

So Dan has been tweeting that there’s no good example to get started with VNET Jails with jail.conf, I thought it’s time to write one.

In this example I’ve used FreeBSD 12.1-RELEASE

root@jail-host:~ # freebsd-version
12.1-RELEASE
root@jail-host:~ # uname -a
FreeBSD jail-host 12.1-RELEASE FreeBSD 12.1-RELEASE r354233 GENERIC  amd64
root@jail-host:~ #

First thing first, let’s setup a bridge on our host

root@jail-host:~ # sysrc cloned_interfaces="bridge0"
cloned_interfaces:  -> bridge0
root@jail-host:~ # sysrc ifconfig_bridge0="inet 10.0.0.1 netmask 0xffffff00 descr jails-bridge"
ifconfig_bridge0:  -> inet 10.0.0.1 netmask 0xffffff00 descr jails-bridge

Start the bridge0 interface without restarting the other interfaces

root@jail-host:~ # service netif start bridge0

Good! let’s setup a ZFS dataset for Jails 😉

root@jail-host:~ # zfs create -o mountpoint=/usr/local/jails zroot/jails

Good! now let’s fetch the base.txz file. I will be using my closest mirror, you should use yours.

root@jail-host:~ # mkdir /usr/local/jails/.dist-files
root@jail-host:~ # fetch -o /usr/local/jails/.dist-files/FreeBSD-12.1-RELEASE-base.txz http://mirror.yandex.ru/freebsd/releases/amd64/12.1-RELEASE/base.txz

Perfect!

Now, we will extract the base into the jail.

root@jail-host:~ # zfs create zroot/jails/www
root@jail-host:~ # tar xf /usr/local/jails/.dist-files/FreeBSD-12.1-RELEASE-base.txz -C /usr/local/jails/www/

Nicely done! Now let’s setup our /etc/jail.conf 🙂

Here’s my configuration.

# vim: set syntax=sh:
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
allow.raw_sockets;
allow.mount.tmpfs;
mount.devfs;


www {
    $id     = "10";
    $ipaddr = "10.0.0.${id}";
    $mask   = "255.255.255.0";
    $gw     = "10.0.0.1";
    vnet;
    vnet.interface = "epair${id}b";

    exec.prestart   = "ifconfig epair${id} create up";
    exec.prestart  += "ifconfig epair${id}a up descr vnet-${name}";
    exec.prestart  += "ifconfig bridge0 addm epair${id}a up";

    exec.start      = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start     += "/sbin/ifconfig epair${id}b ${ipaddr} netmask ${mask} up";
    exec.start     += "/sbin/route add default ${gw}";
    exec.start     += "/bin/sh /etc/rc";

    exec.prestop    = "ifconfig epair${id}b -vnet ${name}";

    exec.poststop   = "ifconfig bridge0 deletem epair${id}a";
    exec.poststop  += "ifconfig epair${id}a destroy";

    host.hostname = "${name}.jail-host";
    path = "/usr/local/jails/${name}";
    exec.consolelog = "/var/log/jail-${name}.log";
    persist;
}

Now let’s start our Jail!

root@jail-host:~ # service jail enable
jail enabled in /etc/rc.conf
root@jail-host:~ # service jail start www
Starting jails: www.
root@jail-host:~ # jls
   JID  IP Address      Hostname                      Path
     1                  www.jail-host                 /usr/local/jails/www

Let’s check the networking 🙂

root@jail-host:~ # ping -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10): 56 data bytes
64 bytes from 10.0.0.10: icmp_seq=0 ttl=64 time=0.164 ms

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.164/0.164/0.164/0.000 ms

We can do the same from the jail.

root@jail-host:~ # jexec www
root@www:/ # ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.087 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.087/0.087/0.087/0.000 ms

We can also stop all the jails.

root@jail-host:~ # service jail stop
Stopping jails: www.

Okay! Couple of notes 🙂

You can have jail.conf at /etc/jail.conf or /etc/something.jail.conf. The problem with the latter is that if you have jail_enable="YES" in rc.conf without defining jail_list then it will run only the jails in /etc/jail.conf

There are more ways to configure VNET Jails, either with jib or jng, an example is here.

Ideally, it would be nice to have /etc/jail.d/myjail.conf, and I wrote a patch for that (D24570), if you are a FreeBSD developer, please have a look 🙂

Reply via email.

FreeBSD Root-on-ZFS Migration

My home server (running this blog) got old, it has only 2G of RAM and a very old hard drive.

I usually like to use laptops as home server, they get the job done! I know I can’t have fancy things like RAID1, but I usually keep my backups on a separate disk/machine anyway.

So, I got my Dell Latitude E5470 next to my 11 years old Dell Inspiron to start the migration process.

Here’s a simple how-to guide for migrating a FreeBSD system from one machine to another.

Snapshotting The Pool

Okay, on the old host let snapshot the pool.

zfs snap -r zroot@migrate

Let’s save that snapshot in a file.

zfs send -R zroot@migrate | gzip > /usr/local/zroot.zfs.gz

This might take a while, grab some coffee 🙂

Now let’s save the ZFS Boot Environment (bootfs) property

# zpool get bootfs zroot
NAME PROPERTY VALUE SOURCE
zroot bootfs zroot/ROOT/default local

Perfect! now let’s go to the new host! 🙂

Installing FreeBSD

Well, this is simple 🙂 first, install FreeBSD on the new machine. DON’T forget to use ZFS! 🙂

The reason why we are doing this so the FreeBSD installer will handle all the boot loader installation process. If you know how to do this manually, then be my guest (and blog about it).

“Reset” ZFS

Okay, now let’s “reset” that pool

zpool destroy zroot
zpool create -R /mnt zroot /dev/ada0p3 # please check the partition index thought
zpool export zroot # so we can import again with -N
zpool import -N -R /mnt zroot

Restore Old Snapshot

Here we go.

ssh antranigv@pingvinashen "gzcat /usr/local/zroot.zfs.gz" | zfs receive -v -u -F zroot

Aaand we wait again.

So, check you restored all the datasets with zfs list -r zroot

Set the bootfs property.

zpool set bootfs=zroot/ROOT/default zroot

Fingers Crossed and reboot

well, now it’s the time.

shutdown -r now

Done

Hope this helps 🙂

Reply via email.

Setting route interface in FreeBSD

I usually blog for myself, so I don’t forget stuff when I need them 😛

I’m usually connected via WiFi to a network, however, FreeBSD’s WiFi drivers are not very… good. I mean they do work and do essential stuff, but it’s slow 🙂 anyways.

That’s why I’m always connected to the network using a wire as well.

The problem that I always encounter and want to solve is to change the default route’s interface after wiring up 🙂

Here’s how you can do that.

# netstat -4rn | grep default
default            10.10.200.254      UGS       wlan0
# route change default 10.10.200.254 -ifp em0
change net default: gateway 10.10.200.254 fib 0
# netstat -4rn | grep default
default            10.10.200.254      UGS         em0

and so on…

Reply via email.

FreeBSD USB Disk and ZVOL Encryption with GELI

Disk encryption is becoming more important in our day to day life, specially when you have access to some corporate servers or “top secret” files.

I love FreeBSD, it’s simple, rock-solid, easy to use, the handbook is amazing! It also has the option to encrypt the disks during installation. I use FreeBSD everywhere (and TrueOS on my laptop), but disk encryption takes a lot of power, so I chose instead of doing full disk encryption in my laptop, I’ll just have a small media like a USB drive or ZFS ZVOL and encrypt that.

Here’s how to do so 🙂

If you compiled your own kernel ensure it contains these options

options GEOM_ELI
device crypto

Now, make sure crypto and geom_eli is loaded and add these lines to /boot/loader.conf:

crypto_load=YES
geom_eli_load=YES

Let’s move on.

Now, we need the partition that we are going to encrypt it.
In case it’s a USB drive that you want to encrypt, here’s what to do. First, plug-in the USB drive into your computer. Now, let’s check it’s GEOM class name.

# geom disk list
Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 480103981056 (447G)
   Sectorsize: 512
   Mode: r1w1e2
   descr: SanDisk Ultra II 480GB
   lunid: 5001b444a4a40542
   ident: 162265428493
   rotationrate: 0
   fwsectors: 63
   fwheads: 16

Geom name: da0
Providers:
1. Name: da0
   Mediasize: 4004511744 (3.7G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: SanDisk Cruzer Fit
   lunname: SanDisk Cruzer Fit      4C532000030211123165
   lunid: SanDisk Cruzer Fit      4C532000030211123165
   ident: 4C532000030211123165
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255

Destroy and Create New Partitions

Okay, as we can see it’s da0. First, let’s destroy it and make a new partition on it! (Make sure you backup your data in case you have any important files).

# gpart destroy -F da0
da0 destroyed
# gpart create -s GPT da0
da0 created
# gpart add -t freebsd-ufs -i 1 da0
da0p1 added

In my case, I didn’t want to use a USB drive, I wanted to have an encrypted ZVOL, here’s how to do that as well.
First, create a ZVOL

# zfs create -V 1G zroot/private

Okay, so, in case of a USB drive, we have a partition waiting for us, in case of ZVOL, we have 1GB volume.

Let’s encrypt those!

Initiating Encryption

There are multiple ways to encrypt a disk, check geli(8) for detailed info. Here I’ll show you two options.

Encrypting with a master key that is protected with a passphrase.
Encrypting with a passphrase only.

For the first option first, generate a key!

# dd if=/dev/random of=/root/master.key bs=64 count=1

Now we initialize the provider which needs to be encrypted.

# geli init -s 4096 -K /root/master.key /dev/da0p1

or in case of ZVOL

# geli init -s 4096 -K /root/master.key /dev/zvol/zroot/private

You’ll be asked to enter your passphrase, twice.

For the second option, it’s exactly the same command without -K /root/master.key. So for the ZVOL it would be

# geli init -s 4096 /dev/zvol/zroot/private

Attaching Encrypted Disks

Now we can attach the provider with the generated key or without it, here’s an example.

# geli attach -k /root/master.key /dev/da0p1

You will be asked for your passphrase.
Or without the key, only the passphrase, here’s an example.

# geli attach /dev/zvol/zroot/private

This creates a new device with .eli extention:

# ls /dev/zvol/zroot/private
private.eli%    private%

Create New File System

First, let’s randomize whatever is on the device and then format it with UFS file system.

# dd if=/dev/random of=/dev/zvol/zroot/private.eli bs=1m
# newfs /dev/zvol/zroot/private.eli

Mount and Use

# mount /dev/zvol/zroot/private.eli /mnt/private
# echo 'some data' > /mnt/private/mytopsecretdata

Detaching Encrypted Volume

# umount /mnt/private
# geli detach /dev/zvol/zroot/private.eli

That’s all folks! 🙂

Reply via email.

Thanks for your description! It's particularly useful to see how you've set your router up. I've got OpenWRT doing that…

@antranigv What is "Taco Bell programming"?

@antranigv I have noticed the same.

[…] FreeBSD Bhyve CPU Allocation Test for 256 Core Machine. https://weblog.antranigv.am/posts/2023/10/bhyve-cpu-allocation-256/ […]

How can I Jailing Devuan by using BastilleBSD? It should be simple than this way.

Antranig Vartanian

I’m your worst nightmare…

Tag Archives: FreeBSD

VNET Jail HowTo

FreeBSD Root-on-ZFS Migration

Snapshotting The Pool

Installing FreeBSD

“Reset” ZFS

Restore Old Snapshot

Fingers Crossed and reboot

Done

Setting route interface in FreeBSD

FreeBSD USB Disk and ZVOL Encryption with GELI

Destroy and Create New Partitions

Initiating Encryption

Attaching Encrypted Disks

Create New File System

Mount and Use

Detaching Encrypted Volume

That’s all folks! 🙂