This page looks best with JavaScript enabled

Generating Jail from physical host boot environments

 ·  🎃 kr0m

In the previous article , we used boot environments to update physical hosts or VMs without worrying about whether the updates left the system in an inconsistent state since we could revert to a previous state. This time we will delve a little deeper and generate a Jail from a physical machine.

First, we create a “boot environment” called test:

bectl create test
bectl list

BE      Active Mountpoint Space Created  
default NR     /          976M  2021-03-28 16:39  
test    -      -          8K    2021-04-02 19:40

We export the “boot environment” to a file:

bectl export test > test.raw

As we can see, it is a ZFS snapshot:

file test.raw | tr ‘,’ ‘\n’

test.raw: ZFS shapshot (little-endian machine)  
 version 17  
 type: ZFS  
 destination GUID: BA 27 32 93 51 80 2A AC  
 name: 'zroot/ROOT/test@2021-04-02-20:04:52-0'

I personally use Iocage as a Jail management system, so I create a Jail called test and assign it an IP address:

iocage create -r 12.2-RELEASE -n test
iocage set ip4_addr=“nfe0|192.168.69.69/24” test

We created the Jail just to copy the Iocage configuration files:

cp /zroot/iocage/jails/test/config.json  /root/
cp /zroot/iocage/jails/test/fstab  /root/

We destroy the Jail:

iocage destroy test

This will destroy jail test  
Are you sure? [y/N]: y  
Destroying test

We copy the file containing the ZFS snapshot to the Iocage server:

scp test.raw IOCAGE_SERVER

We manually created the zroot/iocage/jails/test and zroot/iocage/jails/test/root datasets, we did not use the Iocage functionalities because the import is buggy as described here :

zfs create zroot/iocage/jails/test
zfs create zroot/iocage/jails/test/root

We loaded the snapshot into that dataset:

zfs recv -F zroot/iocage/jails/test/root < test.raw

We copied the previously backed up configuration files:

cp /root/config.json /zroot/iocage/jails/test/config.json
cp /root/fstab /zroot/iocage/jails/test/fstab

We started the Jail:

iocage start test

We checked the status of the Jails:

iocage list

+-----+----------+-------+--------------+---------------+
| JID |   NAME   | STATE |   RELEASE    |      IP4      |
+=====+==========+=======+==============+===============+
| 17  | test     | up    | 12.2-RELEASE | 192.168.69.69 |
+-----+----------+-------+--------------+---------------+

Now we can access the Jail:

ssh kr0m@192.168.69.69
$ uname -a

FreeBSD freebsd1.alfaexploit.com 12.2-RELEASE-p4 FreeBSD 12.2-RELEASE-p4 GENERIC  amd64

Remember that the following directories are excluded from “boot environments”, if we need any of them we will have to synchronize them manually to the Jail.

/tmp  
/usr/home  
/usr/ports  
/usr/src  
/var/audit  
/var/crash  
/var/log  
/var/mail  
/var/tmp

On the physical server, we allowed the Jail keys for the root user:

vi /root/.ssh/authorized_keys

We reconfigured OpenSSH so that we can access it directly as root:

vi /etc/ssh/sshd_config

PermitRootLogin yes

We installed bash in the Jail:

pkg install bash

NOTE: Actually, we could use any shell or simply execute each of the scps consecutively.

We started bash:

bash

Finally, we synchronized each of the directories:

for DIR in /tmp /usr/home /usr/ports /usr/src /var/audit /var/crash /var/log /var/mail /var/tmp ; do echo “– Syncing: $DIR” && scp -r root@192.168.69.204 :$DIR/* $DIR ; done

And there we have it, a Jail exactly the same as our physical server.

If you liked the article, you can treat me to a RedBull here