Lines 197-203
The man:jail[8] manual page explains the procedure for building a jail:
Link Here
|
197 |
# make buildworld <.> |
197 |
# make buildworld <.> |
198 |
# make installworld DESTDIR=$D <.> |
198 |
# make installworld DESTDIR=$D <.> |
199 |
# make distribution DESTDIR=$D <.> |
199 |
# make distribution DESTDIR=$D <.> |
200 |
# mount -t devfs devfs $D/dev <.> |
|
|
201 |
.... |
200 |
.... |
202 |
|
201 |
|
203 |
<.> Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the hostname identifying the jail. Usually, [.filename]#/usr/# has enough space for the jail file system, which for "complete" jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system. |
202 |
<.> Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the hostname identifying the jail. Usually, [.filename]#/usr/# has enough space for the jail file system, which for "complete" jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system. |
Lines 207-214
The man:jail[8] manual page explains the procedure for building a jail:
Link Here
|
207 |
<.> This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on. |
206 |
<.> This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on. |
208 |
<.> The `distribution` target for make installs every needed configuration file. In simple words, it installs every installable file of [.filename]#/usr/src/etc/# to the [.filename]#/etc# directory of the jail environment: [.filename]#$D/etc/#. |
207 |
<.> The `distribution` target for make installs every needed configuration file. In simple words, it installs every installable file of [.filename]#/usr/src/etc/# to the [.filename]#/etc# directory of the jail environment: [.filename]#$D/etc/#. |
209 |
|
208 |
|
210 |
<.> Mounting the man:devfs[8] file system inside a jail is not required. On the other hand, any, or almost any application requires access to at least one device, depending on the purpose of the given application. It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things in the jail. Control over man:devfs[8] is managed through rulesets which are described in the man:devfs[8] and man:devfs.conf[5] manual pages. |
|
|
211 |
|
212 |
=== Configuring the Host |
209 |
=== Configuring the Host |
213 |
|
210 |
|
214 |
Once a jail is installed, it can be started by using the man:jail[8] utility. |
211 |
Once a jail is installed, it can be started by using the man:jail[8] utility. |
Lines 217-222
Other arguments may be specified too, e.g., to run the jailed process with the c
Link Here
|
217 |
The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system. |
214 |
The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system. |
218 |
For a _service_ jail, it depends on the service or application that will run within the jail. |
215 |
For a _service_ jail, it depends on the service or application that will run within the jail. |
219 |
|
216 |
|
|
|
217 |
Many applications need access to at least one device. |
218 |
To make devices available in a jail, mount the man:devfs[8] file system in the jail by specifying `_mount.devfs_`. |
219 |
It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things from the jail. |
220 |
This access is managed with rulesets, as described in man:devfs[8] and man:devfs.conf[5]. |
221 |
When `_mount.devfs_` is specified, a default ruleset for jails is applied. |
222 |
Optionally, add the `_devfs_ruleset_` argument to define a different ruleset for the jail. |
223 |
|
220 |
Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this. |
224 |
Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this. |
221 |
|
225 |
|
222 |
[.procedure] |
226 |
[.procedure] |