Some of the features in Warden® include the ability to:
- create three types of jails: a traditional FreeBSD jail for running network services, a (less secure) ports jail for safely installing and running FreeBSD ports/packages from your PC-BSD® system, and a Linux jail for installing Linux
- set multiple IPv4 and IPv6 addresses per jail
- quickly install common network server applications on a per-jail basis
- update installed software on a per-jail basis
- manage user accounts on a per-jail basis
- manage ZFS snapshots on a per-jail basis
- export a jail which can then be imported into the same or a different jail
Creating a Jail using the GUI Version of Warden®
Warden® can be started by clicking on its icon in Control Panel or by typing pc-su warden gui from the command line. You will be prompted for your password as administrative access is needed to create and manage jails. The initial Warden® configuration screen is shown in Figure a.
To create your first jail, click the "New Jail" button or go to File ➜ New Jail. A jail creation wizard, seen in Figure b, will launch.
The first screen in the jail creation wizard will prompt you for the following information:
Hostname: you can change the default of "Jailbird" to another value. The hostname must be unique on your network and can not contain a space. Use a hostname that reminds you of the type of jail and your reason for creating it.
IPv4 Address: input the IPv4 address to be used by the jail and to access its contents. Choose an address on your network that is not already in use by another computer or jail and which will not conflict with the address range assigned by a DHCP server.
IPv6 Address: if you plan to access the jail and its contents using IPv6, check the "IPv6 Address" box and input an IPv6 address that is not already in use by another computer or jail on your network.
When finished, click "Next" to select the type of jail, as shown in Figure c:
There are three types of jails supported by Warden®:
Traditional Jail: select this type if you are creating the jail in order to install and run network services. For example, this type of jail is appropriate if you wish to run a web server or a database which is accessible to other systems on a network or over the Internet. This is the most secure type of jail as it is separate from the PC-BSD® host and any other jails that you create using Warden®. By default, FreeBSD's next generation of package management, known as pkgng, and the command line versions of the PC-BSD® utilities are added to a default FreeBSD installation. If you do not plan to use these tools, uncheck the box “Install PKGNG and PC-BSD utilities”. If you have already created a jail template, select the desired operating system version from the “Jail Version” drop-down menu.
Ports Jail: select this type of jail if your intention is to install software using FreeBSD packages and ports and you wish to have access to that software from your PC-BSD® system or if you plan to install any GUI applications within the jail. This type of jail is less secure than a traditional jail as applications are shared between the jail and the PC-BSD® system. This means that you should not use this type of jail to install services that will be available to other machines over a network.
Linux Jail: select this type of jail if you would like to install a Linux operating system within a jail. Linux jail support is considered to be experimental and is limited to 32-bit.
The remaining screens will differ depending upon the type of jail that you select.
Traditional or Ports Jail
If you select "Traditional Jail", you will be prompted to set the root password as seen in Figure d.
Input and confirm the password then press "Next" to see the screen shown in Figure e. If you instead select to create a "Ports Jail", you will go directly to Figure e.
This screen allows you to install the following options:
Include system source: if you check this box, make sure that /usr/src/ exists on the PC-BSD system as the source is copied to the jail from this location. If it is not installed, use Control Panel ➜ System Manager ➜ Tasks ➜ Fetch PC-BSD System Source to install it.
Include ports tree: if you check this box, the latest version of the ports tree will be downloaded into /usr/ports/ of the jail. This will allow you to compile FreeBSD ports within this jail.
Start jail at system bootup: if this box is checked, the jail will be started (become available) whenever you boot your main system. If the box is not checked, you can manually start the jail whenever you wish to access it using Warden®.
Once you have made your selections, click the "Finish" button to create the jail. Warden® will display a pop-up window containing status messages as it downloads the files it needs and creates and configures the new jail.
Once Warden® is finished creating the jail, a message should appear at the bottom of the pop-up window indicating that the jail has been successfully created. Click the "Close" button to return to the main screen.
If you select the "Linux Jail" and click "Next", you will be prompted to set the root password as seen in Figure d. After inputting the password, the wizard will prompt you to select a Linux install script, as seen in Figure f.
The installation script is used to install the specified Linux distribution. At this time, installation scripts for Debian Wheezy and Gentoo are provided.
Once you select the install script, the wizard will ask if you would like to start the jail at boot time as seen in Figure g.
Click the "Finish" button to begin the Linux installation.
Configuring Existing Jails From the GUI
Once a jail is created, an entry for the jail will be added to the "Installed Jails" box and the tabs within Warden® will become available. Each entry indicates the jail's hostname, whether or not it is currently running, and whether or not any updates are available for the meta-packages installed within the jail. The buttons beneath the "Installed Jails" box can be used to start/stop the highlighted jail, configure the jail, add a new jail, or delete the highlighted jail.
If you highlight a jail and click "Jail Configuration", the screen shown in Figure h will open.
The Options tab has one checkbox for enabling or disabling VNET/VIMAGE support. This option provides that jail with its own, independent networking stack. This allows the jail to do its own IP broadcasting, which is required by some applications. However, it breaks some other applications. If an application within a jail is having trouble with networking, try changing this option to see if it fixes the issue.
The IPv4 tab is shown in Figure i.
This screen allows you to configure the following:
IPv4 Address: uncheck this box if you do not want the jail to have an IPv4 address.
IPv4 Bridge Address (Requires VNET): if this box is checked, an IP address is input, and the "IPv4 Default Router" box is left unchecked, the bridge address will be used as the default gateway for the jail. If the "IPv4 Default Router" address is also configured, it will be used as the default gateway address and the bridge address will be used as just another address that is configured and reachable. This option requires the "Enable VNET/VIMAGE support" checkbox to be checked in the Options tab.
IPv4 Default Router: check this box and input an IP address if the jail needs a different default gateway address than that used by the PC-BSD® system. This option requires the "Enable VNET/VIMAGE support" checkbox to be checked in the Options tab.
The IPv6 tab is shown in Figure j.
This screen allows you to configure the following:
IPv6 Address: check this box if you want the jail to have an IPv6 address.
IPv6 Bridge Address (Requires VNET): if this box is checked, an IPv6 address is input, and the "IPv6 Default Router" box is left unchecked, the bridge address will be used as the default gateway for the jail. If the "IPv6 Default Router" address is also configured, it will be used as the default gateway address and the bridge address will be used as just another address that is configured and reachable. This option requires the "Enable VNET/VIMAGE support" checkbox to be checked in the Options tab.
IPv6 Default Router: check this box and input an IPv6 address if the jail needs a different default gateway address than that used by the PC-BSD® system. This option requires the "Enable VNET/VIMAGE support" checkbox to be checked in the Options tab.
The Aliases tab is shown in Figure k.
Click the drop-down menu to see all of the options shown in Figure k. An alias allows you to add additional IP addresses to an interface. Select the type of address you would like to add an alias to, click the Add button, type in the IP address to add and click OK.
The Permissions tab is shown in Figure l. This screen can be used to easily enable or disable the sysctl values that are available for jails.
The "Info" tab, as seen in the example in Figure m, provides an overview of a jail's configuration. If you have created multiple jails, the "Info" tab displays the configuration of the currently highlighted jail.
In the example shown in Figure m, three jails have been created: a traditional jail, a ports jail, and Debian Squeeze has been installed into a Linux jail.
The "Info" tab contains the following information:
- Jail Type: will indicate if the jail is a Traditional, Ports, or Linux jail.
- Size on Disk: indicates the amount of space being used by the jail. The jail itself takes up about 300MB of space, source is about 300MB, and ports are about 850MB.
- Start at boot: a status of "Enabled" indicates that the jail will automatically start when the system reboots. "Disabled" means that you will manually start the jail as needed.
- Active Connections: will list the number of active connections to the jail (e.g. through ssh or one of the running services).
- IPs: lists the jail's IP address as well as any configured aliases.
- Listening on Ports: indicates which ports are currently listening for connections.
You can sort the jail listing by clicking on the "Jail", "Status", or "Updates" header name. The "Updates" column will indicate if a software or system update is available for a jail.
The "Tools" tab, shown in Figure n, allows you to manage common configuration tasks within a jail.
This tab provides the following buttons:
- AppCafe: opens AppCafe® so that you can install packages within the specified traditional or ports jail. Software installed using this method will be tracked by Update Manager, meaning that Warden® will be notified when updates are available for the installed software. Since BSD-based packages are not available for Linux jails, this button is not available if a Linux jail is highlighted.
- User Administrator: opens User Manager so that you can manage the highlighted jail's user accounts and groups. The title bar will indicate that you are "Editing Users for Jail:Jailname". Note that any users and groups that you have created on your PC-BSD® system will not be added to a traditional jail as each traditional jail has its own users and groups. However, a ports jail has access to the users and groups that exist on the PC-BSD® system, yet the users you create on a ports jail will only be available within the ports jail. This button is not available if a Linux jail is highlighted.
- Service Manager: opens Service Manager so that you can view which services are running in the jail and configure which services should start when the jail is started. Note that this button is not available if a Linux jail is highlighted.
- Launch Terminal: opens a terminal with the root user logged into the jail. This allows you to administer the jail from the command line. This button will be greyed out if the highlighted jail is not running. You can start a jail by right-clicking its entry and selecting "Start this Jail" from the menu or by clicking "Start Jail".
- Check for Updates: launches Update Manager to determine if any system updates are available to be installed into the jail. If an update is found, the text "Updates available!" will appear in the "Updates" column for that jail. Note that this button is not available if a Linux jail is highlighted.
- Export Jail: launches a pop-up window prompting you to choose the directory in which to save a backup of the jail (and all of its software, configuration, and files) as a .wdn file. Creating the .wdn file may take some time, especially if you have installed src, ports, or software.
The “Snapshots” tab, shown in Figure o, is used to create and manage ZFS snapshots within the currently highlighted jail. The ZFS snapshot feature can be used to make point in time filesystem backups of jails. A snapshot is essentially a picture of what the filesystem looked like at that point in time. Snapshots are space efficient in that they take up zero space when created and the snapshot only grows in size as files contained within the snapshot are modified after the snapshot was taken. In other words, ZFS manages the changes between snapshots, providing a way to return to what a file looked like at the time a snapshot was taken.
Since jails share the filesystem used by PC-BSD®, any type of jail, including a Linux jail, can take advantage of this ZFS feature.
To create a snapshot of the jail, click the "+Add" button. A snapshot indicating the date and time will be added to the slider bar. If you create multiple snapshots at different times, use the slider bar to select a snapshot.
Once you have created a snapshot, the following actions can be used to manage the snapshot. Make sure that the desired snapshot is highlighted in the slider bar before clicking these buttons:
- Restore: returns the system to what it looked like at the time the snapshot was taken. Think about what you wish to accomplish before using this option as any changes to files that occurred after the snapshot was taken will be lost.
- Add: use this button to create additional snapshots.
- Remove: use this button to remove the highlighted snapshot.
This screen also allows you to schedule automatic snapshots. To enable this feature, check the box "Scheduled Snapshots". Use the drop-down menu to set the frequency to daily or hourly. You can also type in or use the arrows to configure the number of days to keep each snapshot.
To refresh the settings for all jails, use Configure ➜ Refresh Jails.
To configure Warden®, click Configure ➜ Settings which will open the screen shown in Figure p.
This screen allows you to configure the following:
- Jail Network Interface: all jails created within Warden® share the same physical interface. Use the drop-down menu to select the network interface to be used by the jails. Note that your jails may not work if the wrong interface is configured.
- Jail Directory: contains all of the created jails where each jail has its own sub-directory named after its IP address. By default, it is /usr/jails. If you change this directory, make sure the location has sufficient space to hold the jails.
- Temp Directory: used when exporting and importing jails. Make sure that the directory has sufficient space to create a tar file of the jail and its contents.
If you highlight a jail, its right-click menu contains the following options:
- Start or Stop this Jail: allows you to start a jail (if it is currently not running) or to stop a jail (if it is currently running). You will not be able to access a jail that has not been started. The icon next to the jail will change to indicate the current status.
- Toggle Autostart: toggles a jail's Autostart between "Disabled" (does not automatically start when the PC-BSD® system is booted) and "Enabled" (will start the jail when the PC-BSD® system is booted). The "Info" tab will be updated to indicate the new "Start at boot" status. Note that toggling autostart will not affect the current running status of the jail (i.e. it does not start or stop the jail right now) as autostart is only used when the system boots.
- Export jail to .wdn file: allows you to save the jail (and all of its software, configuration, and files) as a .wdn file. This allows you to quickly clone a pre-configured jail to a new jail on either the same or another PC-BSD® system. The exported jail will end with a .wdn extension and the filename will be the IP address of the jail. When exporting a jail, a pop-up window will prompt you to choose the directory in which to store the backup. A progress bar will indicate that the export is in progress. Creating the .wdn file may take some time, especially if you have installed src, ports, or software.
- Clone this Jail: creates an instantaneous copy of the specified jail. It will prompt for a hostname for the new jail. Highlight the new clone and click “Jail Configuration” to set the addressing information for the new jail.
- Delete Jail: removes the jail and all of its contents from the PC-BSD® system. You will be prompted to confirm this action.
Importing a Jail
The "File" menu can be used to create a new jail, import a jail, create templates, or exit Warden®.
If you click File ➜ Import Jail you will be prompted to browse to the location of a previously created .wdn file. After selecting the file, you will then see the screen shown in Figure q.
Input a name for the new jail. If you are creating a new jail on the same system that still has the original jail installed, check the "IPv4 Address" box and input an unused IP address for the new jail. Then, check the box "Hostname" and input an unused hostname for the new jail. However, if you have deleted the original jail or need to restore that same jail on another computer (for example, there was a hardware failure on the system containing the original jail), you can choose to leave both boxes unchecked and to reuse the same IP address and hostname. Once you press OK, Warden® will recreate the jail with all of the original settings. Whether or not those settings include the original IP address and hostname depends upon your selections.
Using Template Manager
The built-in template manager can be used to create and manage jail templates. Once created, templates can be used when installing a new jail. A template specifies the version and architecture of FreeBSD to be used as the operating system running in the jail. Templates have been tested from FreeBSD versions 4.1.1 to FreeBSD-CURRENT. Until you create your own templates and specify them during jail creation, the default version and architecture of the operating system used in the jail will be the same as that running on the PC-BSD® system.
To create a template, click File ➜ Template Manager to see the screen shown in Figure r.
The default icon will indicate the version of TrueOS® used by the underlying PC-BSD® system. To create a new template, click the + button. In the "System Type" drop-down menu select either:
- TrueOS: adds the command line versions of the PC-BSD® utilities to the FreeBSD base.
- FreeBSD: uses only the FreeBSD base without any of the PC-BSD® utilities.
Press OK to see the screen shown in Figure s.
If desired, change the 10.0 in this example to the release number to use. If you selected FreeBSD as the system type, a list of available release numbers can be found on this. If you selected TrueOS, the list of available release numbers is currently limited to 9.0, 9.1, 9.2, 9.3, 10.0, and 10.1.
Press OK. In the "System Architecture" drop-down menu, select either amd64 (for 64-bit) or i386 (for 32-bit). Press OK and input a nickname for the template. Click OK and the files needed for that version will be downloaded. Once the template is created, it will appear in the Template Manager as seen in the example in Figure t.
To delete a template, highlight it and click the - button. Note that Warden® will not let you delete a template if any jails exist which are using the template.
To use the template when creating a new jail, click the "Jail Version" drop-down menu shown in Figure c and select the desired template.
Using the Command Line Version of Warden®
The Warden® GUI is based on a Bourne shell script. This script can be manually run from the command line on a PC-BSD® server or by users who prefer using the command line. Advanced users can also refer to the command line version in their own scripts.
If you type warden at the command line, you will receive a summary of its usage:
```
Warden version 1.4
---------------------------------
Available commands

Type in help <command> for information and usage about that command

       help - This help file
        gui - Launch the GUI menu
       auto - Toggles the autostart flag for a jail
    bspkgng - BootStrap pkgng and setup TrueOS repo
    checkup - Check for updates to a jail
     chroot - Launches chroot into a jail
     create - Creates a new jail
    details - Display usage details about a jail
     delete - Deletes a jail
     export - Exports a jail to a .wdn file
      fstab - Start users $EDITOR on jails custom fstab
 fbsdupdate - Update the FreeBSD world inside jail
fbsdupgrade - Upgrade the version of FreeBSD inside a jail
        get - Gets options list for a jail
     import - Imports a jail from a .wdn file
       list - Lists the installed jails
  pkgupdate - Update packages inside a jail
       pkgs - Lists the installed packages in a jail
       pbis - Lists the installed pbi's in a jail
        set - Sets options for a jail
      start - Start a jail
       stop - Stops a jail
       type - Set the jail type (pbibox|pluginjail|portjail|standard)
   template - Manage jail templates
       snap - Jail snapshot management
      clone - Clone an existing jail to a new jail
   cronsnap - Schedule snapshot creation via cron
```
Each command has its own help text that describes its parameters and provides a usage example. For example, to receive help on how to use the warden create command, type warden help create:
```
Warden version 1.4
---------------------------------
Help create

Creates a new jail, with options for system source, ports and autostarting.

Available Flags:
  -32                   Create 32bit jail on 64bit system
  --autoipv4            Use the next available IPv4 address from the pool
  --ipv4=<ip/mask>      Set primary IPv4 address for jail
  --ipv6=<ip/mask>      Set primary IPv6 address for jail
  --archive <tar>       Use specified tar file for BSD jail creation
  --bulk <number>       Create <number> of new jails, using default IP4 pool or
                        address pool specified with --ip4pool
  --ip4pool <address>   Starting IPv4 address to use when creating jails in bulk
  --linuxjail <script>  Make this a linux jail and use supplied script for installation
  --linuxarchive <tar>  Use specified tar file for Linux jail creation
  --pluginjail          Make this a pluginjail
  --ports               Includes the ports tree
  --portjail            Make this a portjail
  --src                 Includes /usr/src system source
  --startauto           Start this jail at system boot
  --template <string>   Specify a jail template to build with
  --vanilla             Don't install PC-BSD pkgng repo and utilities
  --version <string>    Use this instead of /etc/version

Usage:
  warden create <JAILNAME> <flags>

Example:
  warden create jailbird --ipv4=192.168.0.25/24 --src --ports --startauto
```
You do not need superuser access to use the view commands but will for any commands that create or manage a jail. The warden command will display an error message if a command requires superuser access and you currently are not the superuser. On PC-BSD®, you can put pc-su at the beginning of the warden command to be prompted for your password. On a FreeBSD server, you can type su to become superuser, then repeat the warden command.
Creating and Accessing a Jail
Before creating a jail, verify the network settings in /usr/local/etc/warden.conf:
You can either specify the FreeBSD interface name to use in the NIC field or specify the IP address range starting point with the IP4POOL field. When using IP4POOL on a network containing a DHCP server, ensure that the DHCP server has reserved the range of addresses to be used by jails in order to prevent IP address conflicts.
To create a jail, specify a unique IP address and hostname for the jail:
Before you can access the jail, you will need to start it:
As the jail starts, the SSH host keys will be generated and sshd will start. At this point, you can use the warden chroot command to access the jail from the host system. Alternately, to access the jail over the network using ssh, you will need to first create a user account.
To access the jail in order to create that user:
```
Started shell session on jail1. Type exit when finished.
adduser
```
Follow the prompts of the adduser script in order to create a user. When you get to the following prompt, do not press enter. Instead type in wheel so that the user can use the su command to become the superuser within the jail.
When you are finished creating the user, you can type exit to exit the jail. Test that ssh works by specifying the username that you created:
To create multiple jails simultaneously, use the --bulk <number> and --ip4pool <starting address> options to specify the number of jails and the starting IP address. Alternately, instead of --ip4pool, use the --autoipv4 option as it automatically assigns the next available IP address from the pool, as defined by the IP4POOL option in /usr/local/etc/warden.conf.
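The following pre-flight check is an added example, not part of Warden or of the original handbook: it tests a planned jail against the rules stated above (hostname without a space, address outside the DHCP range and not already in use, no network services in a ports jail) and prints the warden create line only when all of them pass. The function names, hostnames, addresses and DHCP range are constructed for illustration; only the --ipv4 and --portjail flags and the standard/portjail type names are taken from the help text on this page.

```shell
#!/bin/sh
# Added example (not part of Warden): pre-flight checks for a planned jail.
# Hostnames, addresses and the DHCP range below are constructed sample values.

# ip2int A.B.C.D: print the address as an integer, fail on malformed input.
ip2int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    i2_ifs=$IFS; IFS=.; set -- $1; IFS=$i2_ifs
    [ $# -eq 4 ] || return 1
    for i2_o in "$@"; do
        case "$i2_o" in 0?*|????*) return 1 ;; esac  # no leading zeros, 1-3 digits
        [ "$i2_o" -le 255 ] || return 1
    done
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

# check_jail HOST IP/MASK TYPE SERVES_NETWORK DHCP_FIRST DHCP_LAST "IPS IN USE"
#   TYPE is standard or portjail (names from `warden type`); SERVES_NETWORK is yes/no.
# Prints one finding per line; returns non-zero if there is any finding.
check_jail() {
    cj_rc=0
    cj_ip=${2%/*}; cj_mask=${2#*/}
    case "$1" in ""|*" "*)
        echo "hostname must be set and must not contain a space"; cj_rc=1 ;;
    esac
    case "$cj_mask" in ""|*[!0-9]*|???*) cj_mask=99 ;; esac
    if [ "$2" = "$cj_ip" ] || [ "$cj_mask" -gt 32 ] || ! cj_n=$(ip2int "$cj_ip"); then
        echo "address must be given as <ip/mask>, the form --ipv4 expects"; return 1
    fi
    cj_lo=$(ip2int "$5") && cj_hi=$(ip2int "$6") || { echo "bad DHCP range"; return 1; }
    if [ "$cj_n" -ge "$cj_lo" ] && [ "$cj_n" -le "$cj_hi" ]; then
        echo "$cj_ip is inside the DHCP range $5-$6"; cj_rc=1
    fi
    for cj_u in $7; do
        if [ "$cj_u" = "$cj_ip" ]; then echo "$cj_ip is already in use"; cj_rc=1; fi
    done
    if [ "$3" = portjail ] && [ "$4" = yes ]; then
        echo "ports jail shares applications with the host: use a traditional jail for network services"
        cj_rc=1
    fi
    return $cj_rc
}

# plan_jail (same arguments): print the `warden create` command line when every
# check passes; otherwise print the findings and return non-zero. Nothing is executed.
plan_jail() {
    if ! pj_out=$(check_jail "$@"); then echo "$pj_out"; return 1; fi
    pj_flags="--ipv4=$2"
    if [ "$3" = portjail ]; then pj_flags="$pj_flags --portjail"; fi
    echo "warden create $1 $pj_flags"
}

# Constructed plan: DHCP hands out .100-.200 and two addresses are already taken.
DHCP_FIRST=192.168.0.100; DHCP_LAST=192.168.0.200
IN_USE="192.168.0.1 192.168.0.25"
plan_jail webjail 192.168.0.30/24 standard yes "$DHCP_FIRST" "$DHCP_LAST" "$IN_USE"
plan_jail devbox 192.168.0.150/24 portjail yes "$DHCP_FIRST" "$DHCP_LAST" "$IN_USE" || true
```

The list of addresses in use has to come from your own inventory; the script does not probe the network.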
Managing Jails from the Command Line
Table a shows the command line equivalents to the graphical options provided by the Warden® GUI. To get usage examples for each command, insert help into the command. For example, to get help on the auto command, type warden help auto. Note that some options are only available from the command line.
| Command | GUI | Description |
|---|---|---|
| auto | right-click highlighted jail and click Autostart | toggles the jail's autostart between Enabled and Disabled |
| bspkgng | in the GUI, this happens automatically during jail creation unless "Install PKGNG and PC-BSD utilities" is unchecked | adds the PC-BSD® utilities to an existing jail |
| checkup | in the GUI, update checks occur automatically and any un-applied updates are shown in the Updates column | checks for updates to either the specified jail or all jails |
| chroot | Tools ➜ Launch Terminal | opens a terminal with the root user logged into the jail |
| create | "+" button or File ➜ New Jail | creates a new jail with specified attributes |
| details | Info tab | provides an overview of specified jail's configuration |
| delete | "-" button or right-click jail ➜ Delete Jail | deletes the specified jail |
| export | right-click ➜ Export jail to .wdn file | saves the specified jail and all of its software, configuration, and files as a .wdn file. |
| fbsdupdate | Tools ➜ Check for Updates | upgrades FreeBSD world with security fixes as well as any package updates |
| fbsdupgrade | Tools ➜ Check for Updates | upgrades FreeBSD to new version |
| fstab | | opens the jail's /etc/fstab in an editor |
| get | configure (wrench) icon for highlighted jail | lists the various IP addresses used by the jail |
| import | File ➜ Import Jail | import a previously created .wdn file |
| list | "Installed Jails" section of GUI | list all jails |
| pkgupdate | Tools ➜ Check for Updates | update all packages in specified jail |
| pkgs | Tools ➜ AppCafe | lists packages installed into specified jail |
| pbis | | lists PBIs installed into specified jail |
| set | right-click jail | used to set options, addresses, aliases, and permissions in specified jail |
| start | right-click jail ➜ Start this Jail | starts the specified jail |
| stop | right-click jail ➜ Stop this Jail | stops the specified jail |
| type | "Jail Type" during jail creation | types differ as choices are pbibox, portjail, pluginjail, or standard; to create a Linux jail, instead use the linuxjail option with the create command |
| template | File ➜ Template Manager | used to create, delete, or list templates |
| snap | Snapshots | snapshot management for specified jail |
| clone | right-click ➜ Clone this Jail | clones an existing jail |
| cronsnap | Snapshots ➜ Scheduled Snapshots | schedules ZFS snapshot creation |

Table a: Command Line and GUI Equivalents