Daemon Security Blog RSS Feed

[04/29/2015] jail.conf hack when upgrading from FreeBSD 9.x to 10.

If you are still using FreeBSD 9.x, you will want to migrate your jails to the new jail.conf format when you upgrade to FreeBSD 10. The new jail.conf format has been around since FreeBSD 9.1:

jail.conf manpage

In an effort to assist with migrating to the new jail.conf format, a template file is created based on the configuration of the jails within your rc.conf file. In the following example, a jail called "testjail" is configured in rc.conf and then started on a FreeBSD 10.1 system:

jail_testjail_rootdir="/usr/jails/testjail"
jail_testjail_hostname="testjail"
jail_testjail_ip="192.168.1.22"
jail_testjail_procfs_enable="NO"
jail_testjail_devfs_enable="YES"
jail_testjail_mount_enable="YES"
jail_testjail_fstab="/etc/fstab.testjail"

If you start the jail, you will receive the following output:

# service jail start testjail
Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.testjail.conf is created and used for jail testjail.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider to migrate to /etc/jail.conf

When you use the old rc.conf variables, the jail service script creates the new-format file for you, in this case /var/run/jail.testjail.conf. This file can be copied to /etc/jail.conf and used to start your jail with the new format. The following is the contents of the converted jail.testjail.conf:

# Generated by rc.d/jail at 2015-04-28 13:23:43
testjail {
	host.hostname = "testjail";
	path = "/usr/jails/testjail";
	ip4.addr += "192.168.1.22/32";
	allow.raw_sockets = 0;
	exec.clean;
	exec.system_user = "root";
	exec.jail_user = "root";
	exec.start += "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
	exec.consolelog = "/var/log/jail_testjail_console.log";
	mount.fstab = "/etc/fstab.testjail";
	mount.devfs;
	allow.mount;
	allow.set_hostname = 0;
	allow.sysvipc = 0;
}
The generated jail.conf files can be consolidated into a single /etc/jail.conf file as documented by Dan Rue (2014):

cat /var/run/jail.limbo.conf /var/run/jail.lussuria.conf >> /etc/jail.conf

If you do not want to run the jail, you can use the "config" option of the service script and it will create the jail.conf file from the content of your rc.conf file without starting the jail:

# service jail config testjail
/etc/rc.d/jail: WARNING: /var/run/jail.testjail.conf is created and used for jail testjail.
testjail: parameters are in /var/run/jail.testjail.conf.

If you are supporting a number of customers (and jails), you can simply copy all of the generated configs into a single /etc/jail.conf file. Review each stanza before you do: the converter only translates what was in rc.conf, so allow.mount is carried over from jail_testjail_mount_enable="YES", while the restrictive allow.raw_sockets = 0, allow.sysvipc = 0 and allow.set_hostname = 0 lines are worth keeping for every jail. Once /etc/jail.conf is in place, remove the old jail_<name>_* variables from rc.conf (keep jail_enable and jail_list); as long as a jail's jail_<name>_rootdir variable is still set, rc.d/jail keeps regenerating and using the per-jail file under /var/run for that jail. Tools like ezjail handle the updating of the jail.conf for you when creating or modifying FreeBSD jails. With the "config" option, you can avoid having to run the jail in order to generate the proper jail.conf file for your jails.
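As an added example (not the blog's or FreeBSD's own code), the following POSIX sh script performs the same rc.conf-to-jail.conf translation that rc.d/jail does for the variables shown above, so you can dry-run the conversion for every jail in a copy of rc.conf and diff the result against the files under /var/run before consolidating. The function names (rc_var, rc_bool, jail_names, jail_stanza, rc_to_jailconf, demo_rcconf), the tab indentation and the second jail "www" in the constructed rc.conf are this example's assumptions; the parameter mapping follows the generated jail.testjail.conf above, plus jail_<name>_procfs_enable to mount.procfs and jail_<name>_interface to interface, which the page does not show.

```shell
#!/bin/sh
# Added example: translate jail_<name>_* variables from an rc.conf-style file
# into jail.conf(5) stanzas, following the mapping rc.d/jail used for the
# generated /var/run/jail.testjail.conf above. Not FreeBSD's own script.

# rc_var FILE VAR: value of VAR in FILE with quotes stripped; last assignment wins.
rc_var() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# rc_bool FILE VAR: true if VAR is YES/TRUE/ON/1, as rc.subr's checkyesno treats it.
rc_bool() {
    case "$(rc_var "$1" "$2" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|ON|1) return 0 ;;
        *) return 1 ;;
    esac
}

# jail_names FILE: jail names from jail_list, else from every jail_<name>_rootdir seen.
jail_names() {
    names=$(rc_var "$1" jail_list)
    if [ -n "$names" ]; then
        printf '%s\n' $names
    else
        sed -n 's/^[[:space:]]*jail_\([A-Za-z0-9_]*\)_rootdir=.*/\1/p' "$1" | sort -u
    fi
}

# jail_stanza FILE NAME: print the jail.conf stanza for NAME; fails if no rootdir is set.
jail_stanza() {
    f=$1; n=$2
    rootdir=$(rc_var "$f" "jail_${n}_rootdir")
    if [ -z "$rootdir" ]; then
        echo "jail_stanza: jail_${n}_rootdir is not set in $f" >&2
        return 1
    fi
    hostname=$(rc_var "$f" "jail_${n}_hostname")
    iface=$(rc_var "$f" "jail_${n}_interface")
    ip=$(rc_var "$f" "jail_${n}_ip")
    fstab=$(rc_var "$f" "jail_${n}_fstab")
    # rc.d/jail appended a /32 host mask when jail_<name>_ip carried a bare address.
    case "$ip" in ""|*/*) ;; *) ip="$ip/32" ;; esac

    printf '%s {\n' "$n"
    printf '\thost.hostname = "%s";\n' "${hostname:-$n}"
    printf '\tpath = "%s";\n' "$rootdir"
    [ -n "$iface" ] && printf '\tinterface = "%s";\n' "$iface"
    [ -n "$ip" ] && printf '\tip4.addr += "%s";\n' "$ip"
    # Restrictive defaults carried over from the generated file: no raw sockets,
    # no SysV IPC, and the jail may not change its own hostname.
    printf '\tallow.raw_sockets = 0;\n'
    printf '\texec.clean;\n'
    printf '\texec.system_user = "root";\n'
    printf '\texec.jail_user = "root";\n'
    printf '\texec.start += "/bin/sh /etc/rc";\n'
    printf '\texec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf '\texec.consolelog = "/var/log/jail_%s_console.log";\n' "$n"
    [ -n "$fstab" ] && printf '\tmount.fstab = "%s";\n' "$fstab"
    rc_bool "$f" "jail_${n}_devfs_enable" && printf '\tmount.devfs;\n'
    rc_bool "$f" "jail_${n}_procfs_enable" && printf '\tmount.procfs;\n'
    rc_bool "$f" "jail_${n}_mount_enable" && printf '\tallow.mount;\n'
    printf '\tallow.set_hostname = 0;\n'
    printf '\tallow.sysvipc = 0;\n'
    printf '}\n'
}

# rc_to_jailconf FILE: stanzas for every jail in FILE, to review and then redirect
# into /etc/jail.conf; stops at the first jail that cannot be converted.
rc_to_jailconf() {
    for j in $(jail_names "$1"); do
        jail_stanza "$1" "$j" || return 1
    done
}

# demo_rcconf PATH: write a constructed rc.conf (the page's testjail plus an
# assumed second jail "www") to PATH for a dry run; not a real host's config.
demo_rcconf() {
    cat > "$1" <<'EOF'
jail_enable="YES"
jail_list="testjail www"
jail_testjail_rootdir="/usr/jails/testjail"
jail_testjail_hostname="testjail"
jail_testjail_ip="192.168.1.22"
jail_testjail_procfs_enable="NO"
jail_testjail_devfs_enable="YES"
jail_testjail_mount_enable="YES"
jail_testjail_fstab="/etc/fstab.testjail"
jail_www_rootdir="/usr/jails/www"
jail_www_ip="192.168.1.23/24"
jail_www_devfs_enable="YES"
EOF
}

# Dry run: print the stanzas for the constructed rc.conf.
tmp=$(mktemp "${TMPDIR:-/tmp}/rcconv.XXXXXX")
demo_rcconf "$tmp"
rc_to_jailconf "$tmp"
rm -f "$tmp"
```

Run it against a copy of your real rc.conf with `rc_to_jailconf /path/to/rc.conf > jail.conf.new` and compare the output with the /var/run/jail.<name>.conf files that `service jail config <name>` produces; a jail with no jail_<name>_rootdir makes the script stop with an error instead of emitting a stanza with an empty path.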

Reference:
Rue, D. (2014) Convert FreeBSD 10 jails from rc.conf to jail.conf. Retrieved from http://therub.org/2014/08/11/convert-freebsd-jails-from-rc.conf-to-jail.conf
