The main idea of this new setup is to isolate services from the main host, which should only be used for management.
So every service will run in its own context, known as a jail in FreeBSD parlance (jails are a FreeBSD feature; NetBSD and OpenBSD have no equivalent).
However, a few helper services on the host may still be useful: DNS resolution, log collection, …
Since I don't own many public IPv4 addresses, a private IPv4 network will be used for that address family, and some NAT will have to be set up on the host.
However, Online is generous with IPv6 blocks, so the jails can use a direct IPv6 connection without any translation.
To do so, I'll use a dedicated loopback interface holding the jails' addresses, by adding the following to the rc.conf file:
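As an added example (the post's own rc.conf lines are not reproduced here), this is the rc.conf fragment I would use for such a setup: a cloned loopback interface lo1 carrying the host side of the jail network, with pf and the base-system resolver enabled. The 10.0.0.0/24 private range and the 2001:db8:1::/64 documentation prefix are assumed placeholders for the real private network and the provider-routed IPv6 block:

```sh
# /etc/rc.conf fragment (added example; the addresses are assumed placeholders)
cloned_interfaces="lo1"                   # a loopback dedicated to the jails' addresses
# Host side of the private jail network: unbound will listen on this address.
# ezjail adds each jail's own address to lo1 as a /32 alias when the jail starts,
# so the host address itself only needs a /32.
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.255"
# The provider routes the whole IPv6 block to this host, so jail addresses can be
# configured directly on lo1 as /128s and need no NAT. This one is the host's own.
ifconfig_lo1_ipv6="inet6 2001:db8:1::1 prefixlen 128"
pf_enable="YES"                           # firewall and NAT, rules in /etc/pf.conf
pflog_enable="YES"                        # logs for the "block log" rules
local_unbound_enable="YES"                # the resolver the jails will point at
```

Apply it with `service netif cloneup` and `service netif start lo1` (or a reboot), then check with `ifconfig lo1` that both addresses are present before starting any jail.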
The pf configuration from the previous post will have to be modified to add outbound NAT for the private IPv4 network and to allow outbound IPv6 traffic from the jails:
Reloading the pf configuration is done with:
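The previous post's pf.conf is not reproduced here, so the following is an added, self-contained example of the two changes rather than the author's actual rules. It assumes vtnet0 as the external interface, 10.0.0.0/24 as the jail network on lo1 and 2001:db8:1::/64 as the routed IPv6 block; adjust the interface name and prefixes to your host:

```conf
# /etc/pf.conf (added example; interface name and prefixes are assumptions)
ext_if    = "vtnet0"
jail_if   = "lo1"
jail_net4 = "10.0.0.0/24"
jail_net6 = "2001:db8:1::/64"

# Locally delivered traffic, including jail -> unbound on the lo1 gateway address,
# is looped back through lo0 and does not need filtering.
set skip on lo0

# Translation rules must precede the filter rules. Only IPv4 is translated:
# the jails' IPv6 addresses are globally routed, so no nat rule for inet6.
nat on $ext_if inet from $jail_net4 to any -> ($ext_if)

block log all

# Management access to the host (narrow the source to your admin range)
pass in on $ext_if inet proto tcp to ($ext_if) port 22

# Outbound traffic from the jails: NATed IPv4 and direct IPv6
pass out quick on $ext_if inet  from $jail_net4
pass out quick on $ext_if inet6 from $jail_net6

# The host's own outbound traffic
pass out quick on $ext_if from ($ext_if)
```

Check the syntax without loading it first with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; a parse error leaves the previous ruleset in place. `pfctl -s nat` shows the translation rule as loaded, and `pfctl -s state` should show jail IPv4 connections rewritten to the external address while IPv6 states keep the jail's own source address.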
FreeBSD uses the unbound resolver by default, but the default configuration won't match our needs. By default unbound binds only to 127.0.0.1:53, whereas we need it to listen on the jails' "gateway" address on the loopback interface.
So we add a /etc/unbound/conf.d/interface.conf with the following content:
This makes unbound listen on all the IP addresses we need and accept DNS queries coming from the jails.
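As an added example (the post's own interface.conf is not shown here), a conf.d fragment that does both halves of the job. The gateway addresses and prefixes are the same assumed placeholders as above. The important point is the second block: listening on an address is not enough, unbound refuses queries from any source other than localhost unless an access-control entry allows it:

```conf
# /etc/unbound/conf.d/interface.conf (added example; addresses are assumptions)
server:
    # Listen on localhost for the host itself and on the lo1 gateway addresses for the jails
    interface: 127.0.0.1
    interface: ::1
    interface: 10.0.0.1
    interface: 2001:db8:1::1

    # Allow queries from the host and from the jail networks only.
    # Without these lines jails get REFUSED answers even though the port is open.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 10.0.0.0/24 allow
    access-control: 2001:db8:1::/64 allow
    # Everything else is refused; this is already unbound's default, but stating it
    # documents the intent and keeps the resolver closed if an interface is added later.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
```

FreeBSD's generated unbound.conf includes `/var/unbound/conf.d/*.conf` (/etc/unbound is a symlink to /var/unbound), so the file only needs the .conf suffix to be picked up. Validate it with `local-unbound-checkconf`, apply with `service local_unbound restart`, and test from inside a jail whose resolv.conf points at the gateway with `drill @10.0.0.1 freebsd.org`: a `rcode: REFUSED` answer means the access-control entries are missing or wrong, a timeout means the interface or pf rules are.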
As I'm no FreeBSD expert (a newbie, even), creating jails manually from scratch wasn't an option I looked forward to ;) so in searching for alternatives, ezjail looked interesting, being integrated with ZFS and "space-friendly".
ezjail works by initialising a shared "basejail", which is later nullfs-mounted (FreeBSD's equivalent of a Linux bind mount) read-only at /basejail in each jail, and a "newjail" directory which is the template for all future jails. Since the base system is shared and read-only, a compromised jail cannot modify the binaries that every other jail runs.
You can also use "flavours" to pre-seed files in the jails; be wary of the permissions of the files and directories in those flavours, however, as they are replicated into the jails as they are!
My flavour, for example, automatically sets syslog.conf to log remotely to the host, configures the resolver to use the host's unbound, disables sendmail, etc.
A few options are needed in /usr/local/etc/ezjail.conf to activate the ZFS options:
Creating the first Jail
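An added walk-through, not the post's own command list, of enabling the ZFS options and creating a first jail with one IPv4 address on the NATed network and one routed IPv6 address. The dataset name zroot/ezjail, the flavour name base, the jail name web and the addresses are assumptions; the ezjail.conf variables and ezjail-admin subcommands are ezjail's own:

```console
# sysrc -f /usr/local/etc/ezjail.conf ezjail_use_zfs=YES ezjail_use_zfs_for_jails=YES ezjail_jailzfs=zroot/ezjail
# sysrc ezjail_enable=YES
# ezjail-admin install -p
#   builds basejail and newjail from the host's release; -p also fetches the ports tree
# zfs list -r zroot/ezjail
#   basejail and newjail are now datasets; each jail becomes a child dataset, snapshot-able on its own
# find /usr/jails/flavours/base ! -user root -o -perm -o+w
#   flavour files are copied with their owner and mode: fix anything this lists before creating jails
# ezjail-admin create -f base web 'lo1|10.0.0.2,lo1|2001:db8:1::2'
#   the "iface|address" form makes ezjail add both addresses to lo1 when the jail starts
# ezjail-admin start web
# jls
#   the jail should be listed with its IPv4 address; the mount table confirms the shared base:
# mount | grep /usr/jails/web/basejail
#   expected: the basejail nullfs mount with the "read-only" flag
# ezjail-admin console web
```

The generated jail definition lives in /usr/local/etc/ezjail/web; the `export jail_web_ip` line there is where you edit addresses later. If `jls` lists the jail but `drill` inside it gets no answer, check in this order: the flavour's resolv.conf points at the lo1 gateway, unbound's access-control allows the jail network, and the pf ruleset is loaded.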
Enjoy your micro-VM/container/whatever ;)
Update from August:
To the latest patch level:
Upgrading to the current host version (you need to specify the "source" version):
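As an added example of the two ezjail update modes (the post's own command lines are not reproduced here; the release number and the jail name web are placeholders):

```console
# ezjail-admin update -u
#   runs freebsd-update fetch/install against the basejail, bringing it to the latest
#   patch level of the release it was built from; the host is not touched
# ezjail-admin update -U -s 10.0-RELEASE
#   upgrades the basejail from the given source release to the host's current release
#   (taken from uname -r), so upgrade and reboot the host first
# ezjail-admin restart web
#   running jails keep the old basejail mounted until restarted
# jexec web freebsd-version -u
#   confirms the userland version the jail actually sees
```

Both modes rely on freebsd-update, which only works for RELEASE branches: a basejail built from -STABLE or -CURRENT has to be rebuilt from source with `ezjail-admin update -b` instead. Since the basejail is shared, one update patches every jail at once, which is the main operational reason to prefer it over per-jail copies of the base system.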