Created
June 8, 2020 03:11
-
-
Save fuzzy/e79301500f8a0fd3ba84c12a8cc0dc70 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| allow.chflags; # allow setuid inside the jail | |
| allow.mount; # allow mounting filesystems | |
| allow.mount.devfs; | |
| allow.mount.fdescfs; | |
| allow.mount.fusefs; | |
| allow.mount.nullfs; | |
| allow.mount.procfs; | |
| allow.mount.linprocfs; | |
| allow.mount.linsysfs; | |
| allow.mount.tmpfs; | |
| allow.quotas; # allow quota administration in jail | |
| allow.raw_sockets; # allow pings | |
| allow.reserved_ports; # allow privileged ports | |
| allow.sysvipc; # allow sysv(ipc|msg|sem|shm) support | |
| enforce_statfs = 1; # allow filesystems under the jail root | |
| exec.clean; # specify clean environments | |
| exec.system_user = "root"; | |
| exec.jail_user = "root"; | |
| # jail-init.sh can be configured for values including network setup | |
| # packages to ensure are installed and/or upgraded, service configs | |
| # and service startup configuration. If no configuration is provided | |
| # it will simply execute "/bin/sh /etc/rc" as normal. | |
| exec.start = "/bin/sh /etc/jail-init.sh"; | |
| exec.stop = "/bin/sh /etc/rc.shutdown"; | |
| # Here we can ensure that before we start any jail, if bridge0 is not | |
| # configured, we bring it up and give it its IP address. | |
| exec.prestart = "ifconfig bridge0 >/dev/null 2>&1 || ( ifconfig bridge0 create && ifconfig bridge0 inet 192.168.0.1/22 up)"; | |
| # and by extension, ensure we clean up after ourselves when we're done | |
| exec.poststop = "ifconfig bridge0 destroy"; | |
| exec.consolelog = "/var/log/jail_${name}_console.log"; | |
| # since we've allowed linux binary compatibility, let's ensure that | |
| # no jail can see the host systems environment. | |
| linux = "new"; | |
| # and let's go ahead and get these mounted, then at the least, bash | |
| # and htop will be working as expected. | |
| mount.devfs; | |
| mount.fdescfs; | |
| mount.procfs; | |
| # if this file exists, it will setup additional mounts | |
| mount.fstab = "/etc/fstab.${name}" | |
| # and the paths can be pretty predictable | |
| path = "/jails/${name}"; | |
| # like with linux emulation, setting these to "new" ensures they do not | |
| # inherit access to the host systems namespace and objects | |
| sysvmsg = "new"; | |
| sysvsem = "new"; | |
| sysvshm = "new"; | |
| # finally ensure that it's noted that all our jails are vnet enabled | |
| vnet; | |
| # JAIL DEFINITION: devel | |
| devel { | |
| host.hostname = "devel.jail"; | |
| vnet.interface = "epair0b"; | |
| # these lines ensure that our epair interface is created | |
| # we specifically note which interface so we can do ip | |
| # address mapping, and to make templating easier. That | |
| # may be modified in the future, but for now, it is | |
| # what it is. | |
| exec.prestart += "ifconfig epair0 create up"; | |
| exec.prestart += "ifconfig bridge0 addm epair0a"; | |
| exec.poststop += "ifconfig bridge0 deletem epair0a"; | |
| exec.poststop += "ifconfig epair0a destroy"; | |
| } | |
| # JAIL DEFINITION: plan | |
| plan { | |
| host.hostname = "plan.jail"; | |
| vnet.interface = "epair1b"; | |
| exec.prestart += "ifconfig epair1 create up"; | |
| exec.prestart += "ifconfig bridge0 addm epair1a"; | |
| exec.poststop += "ifconfig bridge0 deletem epair1a"; | |
| exec.poststop += "ifconfig epair1a destroy"; | |
| } | |
| # JAIL DEFINITION: dbase | |
| dbase { | |
| host.hostname = "dbase.jail"; | |
| vnet.interface = "epair2b"; | |
| exec.prestart += "ifconfig epair2 create up"; | |
| exec.prestart += "ifconfig bridge0 addm epair2a"; | |
| exec.poststop += "ifconfig bridge0 deletem epair2a"; | |
| exec.poststop += "ifconfig epair2a destroy"; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment