author Ben Burwell <ben@benburwell.com> 2018-09-20 11:31:16 -0400
committer Ben Burwell <ben@benburwell.com> 2018-09-20 11:31:16 -0400
commit bf87044659cdfc86606ccf90daa2777e9d377e0b
tree 5e2b81de3e26ee78e1c853fdd1164b7f7764de3b
parent d807690224086610fdd1e38b69f35eb7030216f7
Add jail experiment to freebsd page
-rw-r--r-- freebsd.md 76
1 files changed, 76 insertions, 0 deletions
diff --git a/freebsd.md b/freebsd.md
index 1a3a985..88d7f81 100644
--- a/freebsd.md
+++ b/freebsd.md
@@ -81,3 +81,79 @@ which will no doubt be helpful in my transition from pfSense to pure pf.
I intend to update this page with notes as I continue on my FreeBSD journey.
Stay tuned!
+
+## 2018-09-20: Experiment 1: Jails
+
+In my preparations for removing ESXi, I tried creating a simple jail on my test
+box `helios`. As part of my purpose is to learn as much as possible, I decided
+against using a tool like `ezjail` in favor of doing it "by hand." While the
+FreeBSD Handbook has some information on creating jails without using additional
+tools, pretty much every other document I found suggested using ezjail. There's
+a chance I'll revisit ezjail in the future, as it seems to have some helpful
+features like having a "base jail" so you only need one copy of the FreeBSD base
+system, but for now I'd like to do as much as possible without additional tools.
+
+My goal for this experiment was to set up a simple web server (nginx) inside a
+jail. To start, I edited `/etc/jail.conf` to contain the following:
+
+```
+www {
+ host.hostname = www.local;
+ ip4.addr = 10.0.2.202;
+ path = "/usr/jail/www";
+ exec.start = "/bin/sh /etc/rc";
+ exec.stop = "/bin/sh /etc/rc.shutdown";
+}
+```
+
+Next, I used `bsdinstall(8)` to install the base system instead of compiling
+from source:
+
+```
+root@helios:~ # bsdinstall jail /usr/jail/www
+```
+
+I then added `jail_enable="YES"` to `/etc/rc.conf` and started the jail:
+
+```
+root@helios:~ # service jail start www
+```
+
+This took a few seconds to complete, and then the jail showed up when I ran
+`jls`:
+
+```
+root@helios:~ # jls
+ JID IP Address Hostname Path
+ 1 10.0.2.202 www.local /usr/jail/www
+```
+
+I was able to enter the jail:
+
+```
+root@helios:~ # jexec www /bin/sh
+#
+```
+
+But I seem not to have Internet connectivity, as attempting to use `pkg-ng`
+fails:
+
+```
+# pkg install nginx
+The package management tool is not yet installed on your system.
+Do you want to fetch and install it now? [y/N]: y
+Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
+pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure
+A pre-built version of pkg could not be found for your system.
+Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
+```
+
+Running `ifconfig` inside the jail shows that I do not seem to have an IP
+address, nor can I seem to communicate with any hosts. Interestingly when I
+attempt to ping my gateway, I get the message:
+
+```
+ping: ssend socket: Operation not permitted
+```
+
+Clearly there's something I've not yet figured out.
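Review bot: In the `/etc/jail.conf` block, `ip4.addr = 10.0.2.202;` names no interface, and nothing in the added text shows that address being configured on the host, which likely explains the empty `ifconfig` output and the resolver failure reported further down. Consider writing the address with an interface prefix, for example `ip4.addr = "em0|10.0.2.202";` (`em0` is a placeholder for the host's NIC), or setting the `interface` parameter, so the alias is added when the jail starts. The `ping: ssend socket: Operation not permitted` message is a separate matter: jails deny raw sockets unless `allow.raw_sockets` is set, so ping failing is the default behaviour and not by itself evidence of missing connectivity. That parameter widens what a process inside the jail can do, so if the page later enables it, it should say so and say why. The closing sentence leaves both symptoms unexplained; a line tying each error to its cause would help readers who hit the same output.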