Mujahid Jaleel - My Life, My Blog: October 2018

Thursday, 25 October 2018

How to Setup phpMyAdmin in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup phpMyAdmin in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Database: MariaDB v10.2.17
Web Server: NGINX v1.14.0_12
Web Directory: /usr/local/www/html
PHP Version: 7.2
phpMyAdmin Version: 4.8.3
Setup iocage Jail
Setup NGINX Web Server
Setup MariaDB

Install phpMyAdmin

Since we are using php72 on the nginx webserver, we will install phpMyAdmin for the php72 version
root@test:~ # pkg install phpMyAdmin-php72

Create a Symbolic Link to the phpMyAdmin directory into the webroot directory
root@test:~ # ln -s /usr/local/www/phpMyAdmin /usr/local/www/html/phpmyadmin

Restart nginx and php-fpm service
root@test:~ # service nginx restart; service php-fpm restart

Configure phpMyAdmin

Edit the /usr/local/www/phpMyAdmin/config.inc.php file and configure phpMyAdmin settings or delete the /usr/local/www/phpMyAdmin/config.inc.php and then go to http://test/phpmyadmin/setup to configure a database server host. For our example, I am going to use the phpMyAdmin setup wizard.

First delete /usr/local/www/phpMyAdmin/config.inc.php file
root@test:~ # rm -v /usr/local/www/phpMyAdmin/config.inc.php

Go to http://test/phpmyadmin/setup and configure a database server host

Copy the text of the generated configuration file and then paste it into the /usr/local/www/phpMyAdmin/config.inc.php file

Paste the config text into /usr/local/www/phpMyAdmin/config.inc.php and Save File
root@test:~ # ee /usr/local/www/phpMyAdmin/config.inc.php

Login to phpMyAdmin

Go to http://test/phpmyadmin in your browser and login using your root username and password.

Resource Links

Wednesday, 24 October 2018

How to Setup a MariaDB Server v10.2 in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup MariaDB Database Server v10.2.17 in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Database: MariaDB
Database Version: 10.2.17
Setup iocage Jail

Install MariaDB

root@test:~ # pkg install mariadb102-server

MariaDB Configuration

Choose the configuration file from template for Database server eg: my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf

root@test:~ # cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf

Enable MariaDB Server to start on boot

root@test:~ # sysrc mysql_enable="yes"

Start MariaDB Server

root@test:~ # service mysql-server start

Configure and Secure MariaDB Server for production

root@test:~ # mysql_secure_installation

Enter current password for root (enter for none): [Press Enter]

Set root password? [Y/n]: y

Remove anonymous users? [Y/n]: y

Disallow root login remotely? [Y/n]: y

Remove test database and access to it? [Y/n]: y

Reload privilege tables now? [Y/n]: y

Test Login of 'root' user

root@test:~ # mysql -u root -p

Test SQL Queries

MariaDB [(none)]> select user,host,password from mysql.user;

MariaDB [(none)]> show databases;

MariaDB [(none)]> exit;

Helpful Commands

Search for package
root@test:~ # pkg search mariadb

Resource Links

How to Setup NGINX Web Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup NGINX Web Server with PHP72 in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
NGINX Version: 1.14.0_12
Web Directory: /usr/local/www/html
PHP Version: 7.2
Certificate File Name and Location: /usl/local/etc/ssl/test.crt
Certificate Key File Name and Location: /usr/local/etc/ssl/test.key
Setup iocage Jail

NGINX

Install NGINX

root@test:~ # pkg install nginx

Install Output

Enable NGINX to start on boot

root@test:~ # sysrc nginx_enable="yes"

Start NGINX Server

root@test:~ # service nginx start

Check to see what ports NGINX is listening on

root@test:~ # sockstat -4 -6 | grep nginx

NGINX Running Success

NGINX Loads Default Page

PHP72

Install PHP72

root@test:~ # pkg install php72 php72-extensions

Create Web Directory

root@test:~ # mkdir -p /usr/local/www/html

Edit NGINX main configuration file to set php as server side script

root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . . .

02: user www;
. . . . . . . . . . . .

42: server_name test;
. . . . . . . . . . . .

49: root /usr/local/www/html;

50: index index.php index.html index.htm;
. . . . . . . . . . . .

70: location ~ \.php$ {

71: root /usr/local/www/html;

72: fastcgi_pass 127.0.0.1:9000;

73: fastcgi_index index.php;

74: fastcgi_param SCRIPT_FILENAME $request_filename;

75: include fastcgi_params;

76: }
. . . . . . . . . . . .

Create php.ini file from copying the php production file template

root@test:~ # cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Configure php.ini

root@test:~ # ee /usr/local/etc/php.ini

672: post_max_size = 10M

776: cgi.fix_pathinfo=0

825: upload_max_filesize = 10M

939: date.timezone = "Australia/Melbourne"

Enable PHP-FPM to start on boot

root@test:~ # sysrc php_fpm_enable="yes"

Start the PHP-FPM Service

root@test:~ # service php-fpm start

Check to see what ports PHP-FPM is listening on

root@test:~ # sockstat -4 -6| grep php-fpm

PHP-FPM Running Success

Create a php file to check if php works

root@test:~ # echo "<?php phpinfo(); ?>" | tee /usr/local/www/html/phpinfo.php

Restart NGINX

root@test:~ # service nginx restart

Go to http://test/phpinfo.php to check if php script works.

PHP Page Load Success

Setup HTTPS / SSL / TLS Service

In order to enable the HTTPS service on NGINX, we would need a SSL Certificate and Key. There are more than one way to acquire these certificate and key.

Self-Signed Certificate and Key
Webhosting Provider
Let's Encrypt / Certbot / Acme

Once you have acquired the certificate files, then copy them in the following directory.

Certificate File Name and Location: '/usl/local/etc/ssl/test.crt'
Key File Name and Location: '/usr/local/etc/ssl/test.key'

Certificate and Key File Location

Edit '/usr/local/etc/nginx/nginx.conf' file to define the location of those certificates.
root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . .
22: http {
. . . . . . . . . . .
40: server {
. . . . . . . . . . .
84: } # End of http server block
. . . . . . . . . . .
123: # HTTPS Server
124: server {
125: listen 443 ssl;
126: server_name test;
127:
128: ssl_certificate /usr/local/etc/ssl/test.crt;
129: ssl_certificate_key /usr/local/etc/ssl/test.key;
130
131: ssl_session_cache shared:SSL:1m;
132: ssl_session_timeout 5m;
133:
134: ssl_ciphers HIGH:!aNULL:!MD5;
135: ssl_prefer_server_ciphers on;
136:
137: root /usr/local/www/html;
138:
139: location / {
140: index index.php index.html index.htm;
141: }
142:
143: location ~ \.php$ {
144: fastcgi_param HTTPS on;
145: fastcgi_pass 127.0.0.1:9000;
146: fastcgi_index index.php;
147: fastcgi_param SCRIPT_FILENAME $request_filename;
148: include fastcgi_params;
149: }
150: } # End of https server block
. . . . . . . . . . .
153:} # End of http block

HTTPS Server Block

Restart NGINX and PHP-FPM Service
root@test:~ # service nginx restart ; service php-fpm restart

Go to https://test/phpinfo.php to check if the certificate work.

Certificate works

Observations

When using Self-Signed Certificates, make sure your Internet browser recognises the Certificate Authority that issued the certificate and key.

Helpful Commands

Check NGINX configuration settings and syntax

root@test:~# nginx -t

Resource Links

NGINX
PHP

How to Setup Emby Media Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup Emby Media Server in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: emby
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Dataset: /mnt/tank/movies
Emby Server Version: 3.5.3.0
Setup iocage Jail

Create a Dataset on FreeNAS and Set Permissions

Create dataset 'movies' on FreeNAS as windows type

Set dataset 'movies' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.

Mount Dataset in Emby Jail with Read/Write Permissions

root@fn:~ # iocage fstab -a emby /mnt/tank/movies /mnt/movies nullfs rw 0 0

Installation

Login/Console into Emby Jail

root@fn:~ # iocage console emby

Go to https://emby.media/freebsd-server.html to look up the instructions and release version on how to install the latest emby package.

Install Dependency packages for Emby Server

root@emby:~ # pkg install mono libass fontconfig freetype2 fribidi gnutls iconv opus samba48 sqlite3 libtheora libva libvorbis webp libx264 libzvbi

Install Emby Server

root@emby:~ # pkg add -f https://github.com/MediaBrowser/Emby.Releases/releases/download/3.5.3.0/emby-server-freebsd_3.5.3.0_amd64.txz

Create group 'media' with gid:8675309 in the emby jail. Make sure the gid is the same as the gid on the FreeNAS host for the 'media' group. Then add the 'emby' user to the 'media' group on the emby jail as a member. This will make sure emby has group read/write permissions to the 'movies' dataset on the FreeNAS. Note: The group 'media' on the FreeNAS and the emby jail should have the same gid(8675309), otherwise the permissions won't work properly.

Create group 'media' with gid:8675309

root@emby:~ # pw groupadd -n media -g 8675309

Add user 'emby' to group 'media'

root@emby:~ # pw groupmod media -m emby

Enable Emby to run at boot

root@emby:~ # sysrc emby_server_enable="YES"

Start Emby Service

root@emby:~ # service emby-server start

Run Emby Server Setup Wizard

Open your web browser and visit http://[IP ADDRESS]:8096 to run the Emby Server setup wizard.

Resource Links

Emby Media Server: https://emby.media
FreeBSD Installation: https://emby.media/freebsd-server.html

Tuesday, 23 October 2018

How to Setup an OpenVPN Client with IPFW in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup and configure an OpenVPN Client in an Transmission iocage jail on FreeNAS 11.1 with IPFW to implement a VPN Killswitch.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: transmission
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
VPN Service Provider: Trust Zone VPN (https://trust.zone)
Setup iocage Jail
Firewall: IPFW

OpenVPN Pre-Setup Tasks

Allow Jail To Create TUN Network Devices

OpenVPN Client needs to create a TUN interface in order to establish a secure encrypted connection. According to the default iocage jail security settings (rule 4), it doesn't allow the jail to create a tun network interface device. Because of that, the OpenVPN client won't be able to create and establish a VPN Tunnel to your choice of a VPN Service Provider. So, in order for it to be able to do that, you would need to allow the devfs rule 4 to be able to create a tun device network interface for the OpenVPN. And the way to do that is to create a 'preinit' task on the FreeNAS to run the following command on reboot on the FreeNAS server.

devfs rule -s 4 add path 'tun*' unhide

Reboot FreeNAS.

Download OpenVPN files from your VPN Provider

Download the necessary files from your VPN service provider. I downloaded and copied the *.ovpn and userpass.txt files from my vpn provider (trust.zone) to the (/usr/local/etc/openvpn/) directory, create the directory if it does not exist. Make sure all the certificates, keys and settings are listed in the (trust_zone_vpn.ovpn) file and the 'auth-user-pass' setting in the trust_zone_vpn.ovpn is set to point at 'userpass.txt'.The 'userpass.txt' file has your VPN account's username and password listed in it. You will need this for OpenVPN to auto login when the jail start/restart.

root@transmission:~ # mkdir -p /usr/local/etc/openvpn

Setup OpenVPN Client

Install the openvpn package

root@transmission:~ # pkg install openvpn

Set the location of the openvpn config file

root@transmission:~ # sysrc openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Enable OpenVPN to start on boot

root@transmission:~ # sysrc openvpn_enable="YES"

Create a symbolic link 'openvpn.conf' to your trustzone.ovpn settings file

root@transmission:~ # ln -s /usr/local/etc/openvpn/trust_zone_vpn.ovpn /usr/local/etc/openvpn/openvpn.conf

Before starting the openvpn service, first check and note down your public IP.

root@transmission:~ # host myip.opendns.com resolver1.opendns.com

Start the openvpn service

root@transmission:~ # service openvpn start

Wait a minute for the openvpn service to start and establish a connection. Check to see if the TUN device has been assigned a different IP.

root@transmission:~ # ifconfig

Then check the public IP again. It should be different to the public IP you checked earlier before you started the openvpn service.

root@transmission:~ # host myip.opendns.com resolver1.opendns.com

If the vpn tunnel is not created or established or the public IP remains the same as before, then something went wrong. Check the messages log file. Look for the line where it says "openvpn[####]: Initialization Sequence Completed". The line "openvpn[####]: Initialization Sequence Completed" indicates the connection was successful and established.

root@transmission:~ # tail -f -n 30 /var/log/messages

Setup VPN Killswitch with IPFW

Create directory to hold the ipfw startup script(s)
root@transmission:~ # mkdir -p /usr/local/etc/ipfw

Create startup script for ipfw rules
root@transmission:~ # ee /usr/local/etc/ipfw/ipfw_rules

---------File "/usr/local/etc/ipfw/ipfw_rules"---------------
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 10.0.0.0/24 uid transmission
$cmd 00102 allow all from 10.0.0.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission
--------------End of File-------------------------------------------

Enable IPFW to start on boot
root@transmission:~ # sysrc firewall_enable="YES"

Set the startup script for ipfw rules
root@transmission:~ # sysrc firewall_script="/usr/local/etc/ipfw/ipfw_rules"

Start the IPFW service
root@transmission:~ # service ipfw start

Note: Although, the listed IPFW rules above implements a VPN killswitch. But, the major disadvantage of these rules is that it also prevents the access to the web admin GUI interface of Transmission from the LAN for Torrent administration when VPN tunnel is active. If anyone can write better IPFW rules that would implement a VPN killswitch without losing access to the web interface of Transmission, then let me know.

On my personal setup, instead of placing the OpenVPN and the Firewall rules to implement a VPN killswitch within the Jail itself, I have placed the VPN client on my pfSense router and configured the firewall rules on the pfSense router for my Transmission jail accordingly. I will probably write up a tutorial on how to do that on a separate post.

Helpful Commands

Check your Public IP

root@transmission:~ # host myip.opendns.com resolver1.opendns.com

.....or.....

root@transmission:~ # curl https://wtfismyip.com/text

.....or.....

root@transmission:~ # curl ifconfig.me

Create a Symbolic link

root@transmission:~ # ln -s /path/to/source/file /path/to/new/link/file

Watch/Monitor a log file in real-time up to 30 lines

root@transmission:~ # tail -f -n 30 /var/log/messages

Resource Links

https://forums.freenas.org/index.php?resources/fn11-1-iocage-jails-plex-tautulli-sonarr-radarr-lidarr-jackett-ombi-transmission-organizr.58/
Transmission (https://transmissionbt.com)
Trust Zone VPN (https://trust.zone)

Thursday, 11 October 2018

How to Setup BitTorrent Client Transmission iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup and configure a Bit Torrent Transmission Client in an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: transmission
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Dataset: /mnt/tank/torrents
Setup iocage Jail

Instructions

1. Create an iocage Jail with VNET configured by DHCP

iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]

root@fn:~ # iocage create -n "transmission" -r 11.1-RELEASE defaultrouter="10.0.0.1" vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" host_hostname="transmission" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

2. Create Dataset and then mount inside the Jail

Create a user (eg:mujahid) as member of the media (gid:8675309) group that will have group access to the 'torrents' dataset on FreeNAS.

Create a dataset 'torrents' on the FreeNAS volume as type 'Windows'.

Create a torrent watch directory(watch_dir) for transmission within the 'torrents' dataset. When any torrent file is copied into this directory, transmission will read the file and add to its queue for downloading. This is optional if you don't need to create a torrent watch directory.

root@fn:~ # mkdir -p /mnt/tank/torrents/watch_dir

Create a torrent downloads directory(downloads) for transmission within the 'torrents' dataset. This is the directory transmission will use to save the downloaded files.

root@fn:~ # mkdir -p /mnt/tank/torrents/downloads

Set dataset 'torrents' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.

Create a windows share for the 'torrents' dataset on FreeNAS, So the FreeNAS user 'mujahid' can access the 'downloads' directory contents.

Mount the dataset '/mnt/tank/torrents/downloads' on FreeNAS into "Transmission" jail with read/write access.

root@fn:~ # iocage fstab -a transmission /mnt/tank/torrents/downloads /mnt/downloads nullfs rw 0 0

Mount dataset '/mnt/tank/torrents/watch_dir' on FreeNAS into transmission jail with read/write access.

root@fn:~ # iocage fstab -a transmission /mnt/tank/torrents/watch_dir /mnt/watch_dir nullfs rw 0 0

3. Install and Configure Transmission client in iocage jail

root@fn:~ # iocage console transmission

Install the transmission package

root@transmission:~ # pkg install transmission-daemon

Create group 'media' with gid:8675309 in the transmission jail. Make sure the gid is the same as the gid on the FreeNAS host for the 'media' group. Then add the 'transmission' user to the 'media' group on the transmission jail as a member. This will make sure transmission has group read/write permissions to the 'torrents' dataset on the FreeNAS. Note: The group 'media' on the FreeNAS and the transmission jail should have the same gid(8675309), otherwise the permissions won't work properly.

Create group 'media' with gid:8675309

root@transmission:~ # pw groupadd -n media -g 8675309

Add user 'transmission' to group 'media'

root@transmission:~ # pw groupmod media -m transmission

Enable transmission to start on boot

root@transmission:~ # sysrc transmission_enable="YES"

Set the transmission auto file permissions and ownership check to 'No'. Because, when the transmission service starts, it resets the user and group ownership of the FreeNAS dataset 'torrents' to the default jail user and group "root:wheel", which we don't want because the user won't be able to access the downloads share directory contents.

root@transmission:~ # sysrc transmission_chown="NO"

Set the download directory for transmission

root@transmission:~ # sysrc transmission_download_dir="/mnt/downloads"

Set the torrents watch directory for transmission.

root@transmission:~ # sysrc transmission_download_dir="/mnt/watch_dir"

Start and then stop the transmission service to create a '/usr/local/etc/transmission/home/settings.json' file with default settings.

root@transmission:~ # service transmission start && service transmission stop

Edit the 'settings.json' file to change the transmission configurations with the following settings

root@transmission:~ # ee /usr/local/etc/transmission/home/settings.json

{

"port-forwarding-enabled": false,

.......

"rpc-whitelist": "127.0.0.1, 10.0.0.*", # Only for internal network clients to access

.......

"speed-limit-up-enabled": true,

.......

"trash-original-torrent-files": false, # Do not save torrent files

"umask": 2, # Make downloads directory group read writable

.......

"watch-dir": "/mnt/watch_dir", # Watch directory for *.torrent files

"watch-dir-enabled": true # Watch directory enabled

}

Start transmission service

root@transmission:~ # service transmission start

Go to http://[IP]:9091/transmission/web to check if the transmission web-gui is accessible.

Helpful Commands

Remove user from group

root@transmission:~ # pw groupmod media -d transmission

Show Group members

root@transmission:~ # pw groupshow media

watch/monitor a log file in real-time up to 30 lines

root@transmission:~ # tail -f -n 30/var/log/messages

Links and Resources

How to Create and Configure an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to create and configure an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP | STATIC
Jail IP: 10.0.0.3
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Dataset: /mnt/tank/share

Instructions

List iocage Commands

root@fn:~ # iocage

Activate iocage zpool volume

Set iocage to use the default volume, use the following command.
root@fn:~ # iocage activate
or
Set iocage to use a zpool volume if more than one exist on the FreeNAS
iocage activate [zpool]
root@fn:~ # iocage activate tank

Fetch/Download a Release Image

Fetch a release which will be used to create a jail.

Fetch a release from a list
root@fn:~ # iocage fetch

Fetch a release by name
iocage fetch -r [RELEASE IMAGE NAME]
root@fn:~ # iocage fetch -r 11.1-RELEASE

Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and DHCP

Command Example: iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]

The following command creates a jail "test" from the "11.1-RELEASE" image with the following jail properties enabled, vnet/vimage network stack, Start on boot, and dhcp.

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and Static IP Configuration

Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="vnet[N]|[IP]/[Mask]" defaultrouter="[IP]" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" ip4_addr="vnet0|10.0.0.3/24" defaultrouter="10.0.0.1" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

Create a Jail with a Shared IP

Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="[IF]|[IP]/[MASK]" defaultrouter="[IP]" vnet="off" allow_raw_sockets="1" boot="on" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE ip4_addr="igb0|10.0.0.100/24" defaultrouter="10.0.0.1" vnet="off" allow_raw_sockets="1" boot="on" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

List Jails, Releases, and Plugins

List all Jails
root@fn:~ # iocage list

List all downloaded Releases
root@fn:~ # iocage list -r

List all available Templates
root@fn:~ # iocage list -t

List Remote Plugins
iocage list -PR
or
iocage list --plugins --remote

List Installed Plugins
iocage list -P
or
iocage list --plugins

Start, Stop, or Restart a Jail

Start a Jail

iocage start [JAIL NAME]

root@fn:~ # iocage start test

Stop a Jail

iocage stop [JAIL NAME]

root@fn:~ # iocage stop test

Restart a Jail

iocage restart [JAIL NAME]

root@fn:~ # iocage restart test

Configure a Jail

Set Jail Property

iocage set [PROPERTY]="[ARG]" [JAIL NAME]

root@fn:~ # iocage set notes="This is a test jail." test

Get Jail Property

iocage get [PROPERTY] [JAIL NAME]

root@fn:~ # iocage get notes test

Get All Properties of a Jail

iocage get all [JAIL NAME]

root@fn:~ # iocage get all test

Delete/Destroy a Jail

iocage destroy [JAIL NAME]

root@fn:~ # iocage destroy test

Rename a Jail

iocage rename [OLD JAIL NAME] [NEW JAIL NAME]

root@fn:~ # iocage rename test test2

Log in to a Jail

iocage console [JAIL NAME]

root@fn:~ # iocage console test

Run a command inside a Jail

iocage exec [JAIL NAME] "[COMMAND]"

root@fn:~ # iocage exec test "ls -lfa /etc"

Mount Dataset inside a Jail as Read Only

iocage fstab -a [JAIL NAME] /source/folder /destination/folder/in/jail nullfs ro 0 0

root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs ro 0 0

Mount Dataset inside a Jail as Read and Write

iocage fstab -a [JAIL NAME] /source/folder /destination/folder/in/jail nullfs rw 0 0

root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs rw 0 0

List Jail Mount Entries

iocage fstab -l [JAIL NAME]

root@fn:~ # iocage fstab -l test

Edit Jail Mount Entries

iocage fstab -e [JAIL NAME]

root@fn:~ # iocage fstab -e test

Remove a Jail Mount Entry

iocage fstab -r [JAIL NAME] [INDEX]

root@fn:~ # iocage fstab -r test 0

Create Jail Snapshot

iocage snapshot -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapshot -n "Recent Upgrade" test

List Jail Snapshots

iocage snaplist [JAIL]
root@fn:~ # iocage snaplist test

Remove/Delete Jail Snapshot

iocage snapremove -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapremove -n "Recent Upgrade" test

Rollback Jail to a Snapshot

iocage rollback -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage rollback -n "Recent Upgrade" test

Observations

DNS Resolver

When you create a Jail in iocage and skip to define the 'resolver' property, the iocage uses the host system's (in this case the FreeNAS host) default DNS settings defined in the '/etc/resolv.conf'.

If your FreeNAS has been configured as a Domain Controller, it resets the DNS setting in the '/etc/resolv.conf' to point to itself. Example: "nameserver 127.0.0.1". Incidentally, the iocage jail DNS is also set to 127.0.0.1. As a result, all the DNS queries within the jail fail because the jail points to itself as a nameserver where a name service does not exits. So, in order for the jail's DNS to work, we will need to manually define the resolver property for the jail.

And if you have a complicated network setup, like a switch with multiple VLANs. You will also need to define the 'defaultrouter' and 'interfaces' property so that the vnet interface is linked to the correct bridge interface and the bridge interface is link to the correct VLAN interface.

Helpful Commands

Check iocage version
root@fn:~ # iocage -v

iocage Help command
root@fn:~ # iocage --help

List all zpools on the FreeNAS
root@fn:~ # zpool list

Delete Release
iocage destroy -r [RELEASE NAME]
root@fn:~ # iocage destroy -r 11.0-RELEASE