FreeBSD Bugzilla – Attachment 234299 Details for
Bug 264317
handbook/jails: Mounting devfs in a jail is explained only for readers installing from source
patch with email headers and commit message
patch-jails-1.patch (text/plain), 4.17 KB, created by Benjamin Spiegel on 2022-05-28 18:07:37 UTC
>From 2455817b670d935d00d1792d04353c7d5e4a09aa Mon Sep 17 00:00:00 2001 >From: Benjamin Spiegel <bspiegel100@gmail.com> >Date: Sat, 28 May 2022 11:57:28 -0500 >Subject: [PATCH] Clarify mount.devfs and devfs_ruleset for jails > >Introduce the concept of mounting devfs inside a jail under "Configuring >the Host" instead of "To build and install a jail from source." > >Readers who install from the Internet or an ISO could be confused when >they see the devfs_ruleset and mount.devfs arguments under "Configuring >the Host," because this concept was introduced in the section about >installing from source and wasn't mentioned the procedures that they >performed. > >Additionally, update the explanation of the mount.devfs argument to >mention that a default ruleset for devices usually found in a jail is >applied if mount.devfs is specified without the devfs_ruleset argument. > >Signed-off-by: Benjamin Spiegel <bspiegel100@gmail.com> >--- > .../content/en/books/handbook/jails/_index.adoc | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > >diff --git a/documentation/content/en/books/handbook/jails/_index.adoc b/documentation/content/en/books/handbook/jails/_index.adoc >index 36c177926a..5d1c2cc840 100644 >--- a/documentation/content/en/books/handbook/jails/_index.adoc >+++ b/documentation/content/en/books/handbook/jails/_index.adoc 
>@@ -196,7 +196,6 @@ The man:jail[8] manual page explains the procedure for building a jail: > # make buildworld <.> > # make installworld DESTDIR=$D <.> > # make distribution DESTDIR=$D <.> >-# mount -t devfs devfs $D/dev <.> > .... > > <.> Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the hostname identifying the jail. Usually, [.filename]#/usr/# has enough space for the jail file system, which for "complete" jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system. >@@ -206,8 +205,6 @@ The man:jail[8] manual page explains the procedure for building a jail: > <.> This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on. > <.> The `distribution` target for make installs every needed configuration file. In simple words, it installs every installable file of [.filename]#/usr/src/etc/# to the [.filename]#/etc# directory of the jail environment: [.filename]#$D/etc/#. > >-<.> Mounting the man:devfs[8] file system inside a jail is not required. On the other hand, any, or almost any application requires access to at least one device, depending on the purpose of the given application. It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things in the jail. Control over man:devfs[8] is managed through rulesets which are described in the man:devfs[8] and man:devfs.conf[5] manual pages. >- > === Configuring the Host > > Once a jail is installed, it can be started by using the man:jail[8] utility. 
>@@ -216,6 +213,13 @@ Other arguments may be specified too, e.g., to run the jailed process with the c > The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system. > For a _service_ jail, it depends on the service or application that will run within the jail. > >+Most applications need access to at least one device. >+To make devices available in a jail, mount the man:devfs[8] file system in the jail by specifying `_mount.devfs_`. >+It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things from the jail. >+This access is managed with rulesets, as described in man:devfs[8] and man:devfs.conf[5]. >+When `_mount.devfs_` is specified, a default ruleset for jails is applied. >+Optionally, add the `_devfs_ruleset_` argument to define a different ruleset for the jail. >+ > Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this. > > [.procedure] >-- >2.36.1 >
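Review bot: in the hunk at -196,7, removing `# mount -t devfs devfs $D/dev <.>` leaves the from-source command listing, as shown here, with no step that gives the new jail a /dev and no pointer to where that is now covered. A reader who follows only this procedure and starts the jail by hand will not learn about `mount.devfs` until the next section. Consider one sentence after the callout list that refers to "Configuring the Host" for making devices available. The `<.>` markers themselves stay paired, since the hunk at -206,8 drops the matching callout text.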
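Review bot: the callout text removed at -206,8 opened with "Mounting the man:devfs[8] file system inside a jail is not required", and the paragraph added under "Configuring the Host" does not carry that statement over. The new text starts from "Most applications need access to at least one device", which reads as if `mount.devfs` were always wanted. Suggest keeping the "not required" sentence in the new paragraph so readers running a jail that needs no devices know they can leave devfs unmounted.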
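Review bot: in the paragraph added at +213, "When `_mount.devfs_` is specified, a default ruleset for jails is applied" does not say which ruleset that is or where it is defined, and it drops the condition from the commit message (applied only when `devfs_ruleset` is not given). Since the same paragraph stresses that device access must be controlled, name the default ruleset and its location so readers can inspect what it exposes, and word the sentence as "When `mount.devfs` is specified without `devfs_ruleset`, ...". Separately, `_mount.devfs_` and `_devfs_ruleset_` use the italic-monospace markup that the context line uses for the placeholder `_command_`; these are literal parameter names, so plain backticks would fit better.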