Changeset View
Changeset View
Standalone View
Standalone View
usr.sbin/jail/jail.8
| .\" | |||||
| .\" SPDX-License-Identifier: BSD-2-Clause | |||||
| .\" | |||||
| .\" Copyright (c) 2000, 2003 Robert N. M. Watson | .\" Copyright (c) 2000, 2003 Robert N. M. Watson | ||||
| .\" Copyright (c) 2008-2012 James Gritton | .\" Copyright (c) 2008-2012 James Gritton | ||||
| .\" All rights reserved. | .\" All rights reserved. | ||||
| .\" | .\" | ||||
| .\" Redistribution and use in source and binary forms, with or without | .\" Redistribution and use in source and binary forms, with or without | ||||
| .\" modification, are permitted provided that the following conditions | .\" modification, are permitted provided that the following conditions | ||||
| .\" are met: | .\" are met: | ||||
| .\" 1. Redistributions of source code must retain the above copyright | .\" 1. Redistributions of source code must retain the above copyright | ||||
| Show All 9 Lines | |||||
| .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||||
| .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||||
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
| .\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
| .\" | .\" | ||||
| .Dd October 8, 2025 | .Dd November 6, 2025 | ||||
| .Dt JAIL 8 | .Dt JAIL 8 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm jail | .Nm jail | ||||
| .Nd "manage system jails" | .Nd "manage system jails" | ||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||
| .Ss From Configuration File | .Ss From Configuration File | ||||
| .Nm | .Nm | ||||
| ▲ Show 20 Lines • Show All 1,080 Lines • ▼ Show 20 Lines | |||||
| libraries, application configuration files, etc. | libraries, application configuration files, etc. | ||||
| However, for a virtual server configuration, a fair amount of | However, for a virtual server configuration, a fair amount of | ||||
| additional work is required so as to replace the | additional work is required so as to replace the | ||||
| .Dq boot | .Dq boot | ||||
| process. | process. | ||||
| This manual page documents the configuration steps necessary to support | This manual page documents the configuration steps necessary to support | ||||
| either of these steps, although the configuration steps may need to be | either of these steps, although the configuration steps may need to be | ||||
| refined based on local requirements. | refined based on local requirements. | ||||
| .Ss "Setting up a Jail Directory Tree" | .Ss Setting up a Jail Directory Tree From Source | ||||
| To set up a jail directory tree containing an entire | To set up a jail directory tree containing an entire | ||||
| .Fx | .Fx | ||||
| distribution, the following | distribution, the following | ||||
| .Xr sh 1 | .Xr sh 1 | ||||
| command script can be used: | command script can be used: | ||||
| .Bd -literal -offset indent | .Bd -literal -offset indent | ||||
| D=/here/is/the/jail | D=/here/is/the/jail | ||||
| cd /usr/src | cd /usr/src | ||||
| mkdir -p $D | mkdir -p $D | ||||
| make world DESTDIR=$D | make world DESTDIR=$D | ||||
| make distribution DESTDIR=$D | make distribution DESTDIR=$D | ||||
| .Ed | .Ed | ||||
| .Ss Setting up a Jail Directory Tree from Distribution Files | |||||
| To set up a jail directory tree containing an entire | |||||
| .Fx | |||||
| distribution, the following | |||||
| .Xr sh 1 | |||||
| command script can be used: | |||||
| .Bd -literal -offset indent | |||||
| D=/here/is/the/jail | |||||
| mkdir -p $D | |||||
| tar -xf /usr/freebsd-dist/base.txz -C $D --unlink | |||||
| .Ed | |||||
ziaee: I didn't add `Setting up a Jail Directory Tree from Packages` here, because I am still waiting… | |||||
Not Done Inline ActionsThe $D should be double quoted as "$D". crest_freebsd_rlwinm.de: The $D should be double quoted as "$D". | |||||
| .Pp | .Pp | ||||
| In many cases this example would put far more in the jail than needed. | In many cases these examples would put far more in the jail than needed. | ||||
| In the other extreme case a jail might contain only one file: | In the other extreme case a jail might contain only one file: | ||||
| the executable to be run in the jail. | the executable to be run in the jail. | ||||
| .Pp | .Pp | ||||
| We recommend experimentation, and caution that it is a lot easier to | We recommend experimentation, and caution that it is a lot easier to | ||||
| start with a | start with a | ||||
| .Dq fat | .Dq fat | ||||
| jail and remove things until it stops working, | jail and remove things until it stops working, | ||||
| than it is to start with a | than it is to start with a | ||||
| .Dq thin | .Dq thin | ||||
| jail and add things until it works. | jail and add things until it works. | ||||
| .Ss "Setting Up a Jail" | .Ss "Setting Up a Jail" | ||||
| Do what was described in | Do what was described in | ||||
| .Sx "Setting Up a Jail Directory Tree" | .Sx "Setting Up a Jail Directory Tree" | ||||
| to build the jail directory tree. | to build the jail directory tree. | ||||
| For the sake of this example, we will | For the sake of this example, we will | ||||
| assume you built it in | assume you built it in | ||||
| .Pa /data/jail/testjail , | .Pa /data/jail/testjail , | ||||
| for a jail named | for a jail named | ||||
| .Dq testjail . | .Dq testjail . | ||||
| Substitute below as needed with your | Substitute below as needed with your | ||||
| own directory, IP address, and hostname. | own directory, IP address, and hostname. | ||||
| .Ss "Setting up the Host Environment" | .Ss "Setting up the Host Environment" | ||||
Done Inline ActionsI don't know that the information in this subsection still works ziaee: I don't know that the information in this subsection still works | |||||
Not Done Inline ActionsIt assumes non-vnet jails, but other than that things should still be the same as they were. But this section predates my involvement, and I've never followed its advice anyway. So maybe it hasn't "worked" for a long time. jamie: It assumes non-vnet jails, but other than that things should still be the same as they were. | |||||
| First, set up the real system's environment to be | First, set up the real system's environment to be | ||||
| .Dq jail-friendly . | .Dq jail-friendly . | ||||
| For consistency, we will refer to the parent box as the | For consistency, we will refer to the parent box as the | ||||
| .Dq "host environment" , | .Dq "host environment" , | ||||
| and to the jailed virtual machine as the | and to the jailed virtual machine as the | ||||
| .Dq "jail environment" . | .Dq "jail environment" . | ||||
| Since jails are implemented using IP aliases, one of the first things to do | Since jails are implemented using IP aliases, one of the first things to do | ||||
| is to disable IP services on the host system that listen on all local | is to disable IP services on the host system that listen on all local | ||||
| ▲ Show 20 Lines • Show All 60 Lines • ▼ Show 20 Lines | |||||
| appearing to be offered by the jail environments. | appearing to be offered by the jail environments. | ||||
| .Pp | .Pp | ||||
| Once | Once | ||||
| these daemons have been disabled or fixed in the host environment, it is | these daemons have been disabled or fixed in the host environment, it is | ||||
| best to reboot so that all daemons are in a known state, to reduce the | best to reboot so that all daemons are in a known state, to reduce the | ||||
| potential for confusion later (such as finding that when you send mail | potential for confusion later (such as finding that when you send mail | ||||
| to a jail, and its sendmail is down, the mail is delivered to the host, | to a jail, and its sendmail is down, the mail is delivered to the host, | ||||
| etc.). | etc.). | ||||
| .Ss "Configuring the Jail" | .Ss "Configuring the Jail" | ||||
Done Inline ActionsI don't know that the information in this subsection still works. ziaee: I don't know that the information in this subsection still works. | |||||
| Start any jail for the first time without configuring the network | Start any jail for the first time without configuring the network | ||||
| interface so that you can clean it up a little and set up accounts. | interface so that you can clean it up a little and set up accounts. | ||||
| As | As | ||||
| with any machine (virtual or not), you will need to set a root password, time | with any machine (virtual or not), you will need to set a root password, time | ||||
| zone, etc. | zone, etc. | ||||
| Some of these steps apply only if you intend to run a full virtual server | Some of these steps apply only if you intend to run a full virtual server | ||||
| inside the jail; others apply both for constraining a particular application | inside the jail; others apply both for constraining a particular application | ||||
| or for running a virtual server. | or for running a virtual server. | ||||
| ▲ Show 20 Lines • Show All 373 Lines • Show Last 20 Lines | |||||
I didn't add Setting up a Jail Directory Tree from Packages here, because I am still waiting on this to be possible from a system that was installed with distribution sets.