On Sun, May 18, 2025 at 03:10:29PM -0700, corey clingo wrote:
> Hi all,
>
> I'll preface this by saying I am new to jails in HardenedBSD (and FreeBSD
> too for that matter).
>
> I am trying to set up a "thick" jail to explore and get a feel for jails. I
> did read the chapter in the FreeBSD handbook about jails, and it seems
> pretty straightforward, but I am puzzled about the actual jail filesystem
> population.
>
> In FreeBSD, this is evidently done by downloading the "base" fileset:
>
> - fetch
>
> https://download.freebsd.org/ftp/releases/amd64/amd64/14.2-RELEASE/base.txz
> -o /usr/local/jails/media/14.2-RELEASE-base.txz
>
> and then extracting it to the directory previously created for the jail
> filesystem. You then copy a couple files from the host filesystem, and from
> then on you can run freebsd-update and point that at the jail's filesystem
> to update its files.
>
> With HardenedBSD, it appears I can similarly apply updates to the jail with
> hbsd-update.
>
> But I don't see a */base.txz or something similar on the GitHub site I can
> use to do the initial jail install. Do I have to copy the files from the
> host machine? Or is there something I am missing?
You can indeed use hbsd-update, not just to update the jail's
filesystem, but also to create it.

When setting up new jails, I typically follow the process below.
Imagine that I have a ZFS pool, named rpool, and have a ZFS dataset
for my jails: rpool/usr/jails. That dataset is mounted at /usr/jails.

1. zfs create rpool/usr/jails/jailname
2. hbsd-update -V -r /usr/jails/jailname -n
3. Edit /etc/jail.conf to configure jailname

Here's an example jail.conf from a system on which I host two jails,
one for each email account with which I use neomutt, a command-line
email client.
==== BEGIN jail.conf ====
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";

mutt-hbsd {
    host.hostname = "mutt-hbsd";
    ip4.addr = 192.168.1.95;
    ip6.addr = 2001:470:4001:1::95;
    persist;
}

mutt-gmail {
    host.hostname = "mutt-gmail";
    ip4.addr = 192.168.1.96;
    ip6.addr = 2001:470:4001:1::96;
    persist;
}
==== END jail.conf ====

After doing the initial setup, I can update the jails with the
following four commands:

1. zfs snapshot rpool/usr/jails/jailname@date_index
2. hbsd-update -V -j jailname -n
3. pkg-static -j jailname clean -y
4. pkg-static -j jailname upgrade

The ZFS snapshot example would expand to something like:
zfs snapshot rpool/usr/jails/jailname@2025-05-18_01. That way, if I
needed to do a multi-stage approach to updating the jail on the same
day, I can simply create a new snapshot with the index (01) bumped.

I hope that all makes sense.

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Signal Username: shawn_webb.74
Tor-ified Signal:
+1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
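The four-step update sequence and the date_index snapshot naming from the reply above, as an added shell example (not code from the original thread or from HardenedBSD). It assumes the same rpool/usr/jails layout; the snapshot list below is constructed sample data standing in for `zfs list` output.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the four-step jail
# update from the reply and derives the rpool/usr/jails/<jail>@DATE_NN
# snapshot name, bumping NN when the jail was already snapshotted today.
# The rpool/usr/jails dataset layout is the one assumed in the reply.

# next_snapshot_name DATASET DATE SNAPLIST
#   SNAPLIST is the newline-separated output of
#   `zfs list -H -o name -t snapshot -r DATASET` (may be empty).
#   Prints DATASET@DATE_NN, NN being one above the highest index already
#   used on DATE for that dataset (01 when there is none). Snapshots of
#   other datasets and of other days are ignored.
next_snapshot_name() {
    dataset=$1; day=$2; snaplist=$3; max=0
    for snap in $snaplist; do
        case $snap in
            "$dataset@${day}_"[0-9][0-9])
                idx=${snap##*_}; idx=${idx#0}   # "02" -> "2" (avoid octal)
                if [ "${idx:-0}" -gt "$max" ]; then max=${idx:-0}; fi ;;
        esac
    done
    printf '%s@%s_%02d\n' "$dataset" "$day" "$((max + 1))"
}

# update_jail JAIL [yes]  runs (or, by default, only prints) the sequence
#   snapshot -> hbsd-update -> pkg clean -> pkg upgrade from the reply,
#   stopping at the first step that fails.
update_jail() {
    jail=$1; run=${2:-no}; dataset=rpool/usr/jails/$jail
    existing=$(zfs list -H -o name -t snapshot -r "$dataset" 2>/dev/null || true)
    snap=$(next_snapshot_name "$dataset" "$(date +%Y-%m-%d)" "$existing")
    for cmd in "zfs snapshot $snap" "hbsd-update -V -j $jail -n" \
               "pkg-static -j $jail clean -y" "pkg-static -j $jail upgrade"; do
        if [ "$run" = yes ]; then $cmd || return 1; else echo "$cmd"; fi
    done
}

# Constructed sample snapshot list standing in for `zfs list` output.
SAMPLE_SNAPS="rpool/usr/jails/mutt-hbsd@2025-05-17_01
rpool/usr/jails/mutt-hbsd@2025-05-18_01
rpool/usr/jails/mutt-hbsd@2025-05-18_02
rpool/usr/jails/mutt-gmail@2025-05-18_01"

next_snapshot_name rpool/usr/jails/mutt-hbsd 2025-05-18 "$SAMPLE_SNAPS"   # _03
next_snapshot_name rpool/usr/jails/mutt-gmail 2025-05-18 "$SAMPLE_SNAPS"  # _02
update_jail mutt-hbsd   # dry run: prints the four commands for today
```

Pass `yes` as the second argument of update_jail on the host to actually run the steps; the dry run is there so the generated snapshot name and commands can be reviewed first.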