Bug 264317

(-)b/documentation/content/en/books/handbook/jails/_index.adoc (-3 / +7 lines)
Lines 197-203 The man:jail[8] manual page explains the procedure for building a jail: Link Here
197
# make buildworld  <.>
197
# make buildworld  <.>
198
# make installworld DESTDIR=$D  <.>
198
# make installworld DESTDIR=$D  <.>
199
# make distribution DESTDIR=$D  <.>
199
# make distribution DESTDIR=$D  <.>
200
# mount -t devfs devfs $D/dev   <.>
201
....
200
....
202
201
203
<.> Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the hostname identifying the jail. Usually, [.filename]#/usr/# has enough space for the jail file system, which for "complete" jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system.
202
<.> Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the hostname identifying the jail. Usually, [.filename]#/usr/# has enough space for the jail file system, which for "complete" jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system.
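Review bot: Dropping `# mount -t devfs devfs $D/dev   <.>` at old line 200 leaves the build listing with no mention of devices at all, so a reader who stops at the end of this procedure gets a jail with an empty /dev and no hint why. Consider adding one sentence after the callout list that points forward to the `mount.devfs` paragraph under "Configuring the Host". The hunk context also attributes this listing to man:jail[8] ("The man:jail[8] manual page explains the procedure for building a jail:"); if the manual page still shows the manual mount step, that lead-in should be reworded so the handbook does not claim to reproduce it.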
Lines 207-214 The man:jail[8] manual page explains the procedure for building a jail: Link Here
207
<.> This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on.
206
<.> This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on.
208
<.> The `distribution` target for make installs every needed configuration file. In simple words, it installs every installable file of [.filename]#/usr/src/etc/# to the [.filename]#/etc# directory of the jail environment: [.filename]#$D/etc/#.
207
<.> The `distribution` target for make installs every needed configuration file. In simple words, it installs every installable file of [.filename]#/usr/src/etc/# to the [.filename]#/etc# directory of the jail environment: [.filename]#$D/etc/#.
209
208
210
<.> Mounting the man:devfs[8] file system inside a jail is not required. On the other hand, any, or almost any application requires access to at least one device, depending on the purpose of the given application. It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things in the jail. Control over man:devfs[8] is managed through rulesets which are described in the man:devfs[8] and man:devfs.conf[5] manual pages.
211
212
=== Configuring the Host
209
=== Configuring the Host
213
210
214
Once a jail is installed, it can be started by using the man:jail[8] utility.
211
Once a jail is installed, it can be started by using the man:jail[8] utility.
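Review bot: The callout deleted at old line 210 is the only place that says outright that mounting man:devfs[8] in a jail "is not required"; the replacement paragraph added further down starts from "Many applications need access to at least one device" and never states that a jail can run without devfs. Carry that sentence over to the new paragraph so readers building a minimal service jail know that leaving /dev unmounted is a valid, more restrictive choice.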
Lines 217-222 Other arguments may be specified too, e.g., to run the jailed process with the c Link Here
217
The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system.
214
The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system.
218
For a _service_ jail, it depends on the service or application that will run within the jail.
215
For a _service_ jail, it depends on the service or application that will run within the jail.
219
216
217
Many applications need access to at least one device.
218
To make devices available in a jail, mount the man:devfs[8] file system in the jail by specifying `_mount.devfs_`.
219
It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things from the jail.
220
This access is managed with rulesets, as described in man:devfs[8] and man:devfs.conf[5].
221
When `_mount.devfs_` is specified, a default ruleset for jails is applied.
222
Optionally, add the `_devfs_ruleset_` argument to define a different ruleset for the jail.
223
220
Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this.
224
Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this.
221
225
222
[.procedure]
226
[.procedure]
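Review bot: In the added paragraph (new lines 217-222), `_mount.devfs_` and `_devfs_ruleset_` use the same monospace-italic markup this section uses for the replaceable `_command_` argument, but both are literal parameter names the reader must type as written; mark them up as plain literals instead. Two further points on the same lines: "a default ruleset for jails is applied" should name that ruleset so an administrator can inspect what it exposes, and the `devfs_ruleset` sentence should say that a custom ruleset replaces the default and therefore must hide every device the jail does not need, since the preceding sentence warns that improper settings are what give an attacker room. "Do nasty things from the jail" is carried over from the old text; a concrete phrase about access to host devices would serve the warning better.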
