This page looks best with JavaScript enabled

Generating Jail from physical host boot environments

 ·  🎃 kr0m

In the previous article , we used boot environments to update physical hosts or VMs without worrying about whether the updates left the system in an inconsistent state since we could revert to a previous state. This time we will delve a little deeper and generate a Jail from a physical machine.

First, we create a “boot environment” called test:

bectl create test
bectl list

BE      Active Mountpoint Space Created  
default NR     /          976M  2021-03-28 16:39  
test    -      -          8K    2021-04-02 19:40

We export the “boot environment” to a file:

bectl export test > test.raw

As we can see, it is a ZFS snapshot:

file test.raw | tr ‘,’ ‘\n’

test.raw: ZFS shapshot (little-endian machine)  
 version 17  
 type: ZFS  
 destination GUID: BA 27 32 93 51 80 2A AC  
 name: 'zroot/ROOT/test@2021-04-02-20:04:52-0'

I personally use Iocage as a Jail management system, so I create a Jail called test and assign it an IP address:

iocage create -r 12.2-RELEASE -n test
iocage set ip4_addr=“nfe0|” test

We created the Jail just to copy the Iocage configuration files:

cp /zroot/iocage/jails/test/config.json  /root/
cp /zroot/iocage/jails/test/fstab  /root/

We destroy the Jail:

iocage destroy test

This will destroy jail test  
Are you sure? [y/N]: y  
Destroying test

We copy the file containing the ZFS snapshot to the Iocage server:

scp test.raw IOCAGE_SERVER

We manually created the zroot/iocage/jails/test and zroot/iocage/jails/test/root datasets, we did not use the Iocage functionalities because the import is buggy as described here :

zfs create zroot/iocage/jails/test
zfs create zroot/iocage/jails/test/root

We loaded the snapshot into that dataset:

zfs recv -F zroot/iocage/jails/test/root < test.raw

We copied the previously backed up configuration files:

cp /root/config.json /zroot/iocage/jails/test/config.json
cp /root/fstab /zroot/iocage/jails/test/fstab

We started the Jail:

iocage start test

We checked the status of the Jails:

iocage list

| JID |   NAME   | STATE |   RELEASE    |      IP4      |
| 17  | test     | up    | 12.2-RELEASE | |

Now we can access the Jail:

FreeBSD 12.2-RELEASE-p4 FreeBSD 12.2-RELEASE-p4 GENERIC  amd64

Remember that the following directories are excluded from “boot environments”, if we need any of them we will have to synchronize them manually to the Jail.


On the physical server, we allowed the Jail keys for the root user:

vi /root/.ssh/authorized_keys

We reconfigured OpenSSH so that we can access it directly as root:

vi /etc/ssh/sshd_config

PermitRootLogin yes

We installed bash in the Jail:

pkg install bash

NOTE: Actually, we could use any shell or simply execute each of the scps consecutively.

We started bash:


Finally, we synchronized each of the directories:

for DIR in /tmp /usr/home /usr/ports /usr/src /var/audit /var/crash /var/log /var/mail /var/tmp ; do echo “– Syncing: $DIR” && scp -r root@ :$DIR/* $DIR ; done

And there we have it, a Jail exactly the same as our physical server.

If you liked the article, you can treat me to a RedBull here