|
Lines 50-56
|
| 50 |
host system. Jails expand this model by virtualizing access to |
50 |
host system. Jails expand this model by virtualizing access to |
| 51 |
the file system, the set of users, and the networking subsystem. |
51 |
the file system, the set of users, and the networking subsystem. |
| 52 |
More fine-grained controls are available for tuning the access |
52 |
More fine-grained controls are available for tuning the access |
| 53 |
of a jailed environment.</para> |
53 |
of a jailed environment. |
|
|
54 |
Jails can be considered as a type of operating system-level |
| 55 |
virtualization</para> |
| 54 |
|
56 |
|
| 55 |
<para>A jail is characterized by four elements:</para> |
57 |
<para>A jail is characterized by four elements:</para> |
| 56 |
|
58 |
|
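Review bot: the sentence added at new lines 54-55 lacks a terminating period before `</para>`, and "considered as a type of" should read "considered a type of"; since it starts a new thought rather than continuing the description of access controls, it also reads better in its own `<para>` than appended to the existing one, i.e. `<para>Jails can be considered a type of operating system-level virtualization.</para>`.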
|
Lines 194-202
|
| 194 |
system, and <quote>service</quote> jails, dedicated to one |
196 |
system, and <quote>service</quote> jails, dedicated to one |
| 195 |
application or service, possibly running with privileges. This |
197 |
application or service, possibly running with privileges. This |
| 196 |
is only a conceptual division and the process of building a jail |
198 |
is only a conceptual division and the process of building a jail |
| 197 |
is not affected by it. The &man.jail.8; manual page is quite |
199 |
is not affected by it. |
| 198 |
clear about the procedure for building a jail:</para> |
200 |
When creating a <quote>complete</quote> jail there are two |
|
|
201 |
options for the source of the userland, use prebuilt binaries |
| 202 |
(such as those supplied on a install media ) or build from |
| 203 |
source.</para> |
| 199 |
|
204 |
|
|
|
205 |
<para>To install the userland from installation media, first |
| 206 |
create the root directory for the jail.</para> |
| 207 |
|
| 208 |
<para>Set the <varname>DESTDIR</varname> variable to this |
| 209 |
location.</para> |
| 210 |
|
| 211 |
<para>If using <command>sh</command></para> |
| 212 |
|
| 213 |
<screen>&prompt.root; <userinput>export DESTDIR=<replaceable>/here/is/the/jail</replaceable></userinput></screen> |
| 214 |
|
| 215 |
<para>If using <command>csh</command>/<command>tcsh</command></para> |
| 216 |
|
| 217 |
<screen>&prompt.root; <userinput>setenv DESTDIR <replaceable>/here/is/the/jail</replaceable></userinput></screen> |
| 218 |
|
| 219 |
<para>mount the install media as covered in &man.mdconfig.8; |
| 220 |
if using the install ISO</para> |
| 221 |
|
| 222 |
<screen>&prompt.root; <userinput>mount -t cd9660 /dev/`mdconfig -f cdimage.iso` /mnt</userinput></screen> |
| 223 |
|
| 224 |
<para>Extract the binaries from the tar balls on the install media |
| 225 |
into the declared destination, realistically, only the base set |
| 226 |
needs to be extracted but a complete install can be performed if |
| 227 |
preferred.</para> |
| 228 |
|
| 229 |
<para>To install just base:</para> |
| 230 |
|
| 231 |
<para>On &os; 9.x and newer</para> |
| 232 |
|
| 233 |
<screen>&prompt.root; <userinput>tar -xf /mnt/freebsd_install/usr/freebsd_dist/base.txz -C $DESTDIR</userinput></screen> |
| 234 |
|
| 235 |
<para>On &os; 8.x</para> |
| 236 |
|
| 237 |
<screen>&prompt.root; <userinput>/mnt/8.4-RELEASE/base/install.sh</userinput></screen> |
| 238 |
|
| 239 |
<para>To install everything but kernel:</para> |
| 240 |
|
| 241 |
<para>If using <command>sh</command></para> |
| 242 |
|
| 243 |
<para>On &os; 9.x and newer</para> |
| 244 |
|
| 245 |
<screen>&prompt.root; <userinput>for sets in BASE DOC GAMES PORTS; do (tar -xf /mnt/FREEBSD_INSTALL/USR/FREEBSD_DIST/$sets.TXZ -C $DESTDIR</userinput></screen> |
| 246 |
|
| 247 |
<para>On &os; 8.x</para> |
| 248 |
|
| 249 |
<screen>&prompt.root; <userinput>cd /mnt/8.4-RELEASE; for dir in base catpages dict doc games info manpages ports; do (cd $dir ; ./install.s h) ; done</userinput></screen> |
| 250 |
|
| 251 |
<para>If using <command>csh</command>/<command>tcsh</command></para> |
| 252 |
|
| 253 |
<para>On &os; 9.x and newer</para> |
| 254 |
|
| 255 |
<screen>&prompt.root; <userinput>foreach sets ( BASE DOC GAMES PORTS ) |
| 256 |
tar -xf /mnt/FREEBSD_INSTALL/USR/FREEBSD_DIST/$sets.TXZ -C $DESTDIR |
| 257 |
done</userinput></screen> |
| 258 |
|
| 259 |
<para>On &os; 8.x</para> |
| 260 |
|
| 261 |
<screen>&prompt.root; <userinput>foreach dir ( base catpages dict doc games info manpages ports ) |
| 262 |
cd /mnt/8.4-RELEASE/$dir; ./install.sh |
| 263 |
done</userinput></screen> |
| 264 |
|
| 265 |
<para>The &man.jail.8; manual page is quite clear about the |
| 266 |
procedure for building a jail from source:</para> |
| 267 |
|
| 200 |
<screen>&prompt.root; <userinput>setenv D <replaceable>/here/is/the/jail</replaceable></userinput> |
268 |
<screen>&prompt.root; <userinput>setenv D <replaceable>/here/is/the/jail</replaceable></userinput> |
| 201 |
&prompt.root; <userinput>mkdir -p $D</userinput> <co xml:id="jailpath"/> |
269 |
&prompt.root; <userinput>mkdir -p $D</userinput> <co xml:id="jailpath"/> |
| 202 |
&prompt.root; <userinput>cd /usr/src</userinput> |
270 |
&prompt.root; <userinput>cd /usr/src</userinput> |
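Review bot: the sh loop at new line 245 is syntactically incomplete: the `(` and the `do` are never closed, so it needs a closing `); done` (or, more simply, no subshell at all: `for sets in base doc games ports; do tar -xf /mnt/usr/freebsd-dist/$sets.txz -C "$DESTDIR"; done`). The csh loops at lines 255-257 and 261-263 are terminated with `done`, but csh `foreach` ends with `end`. Line 249 has a stray space in `./install.s h`. Lines 233 and 245/256 disagree on the case of the same path and set names; pick one, and verify the path against real media, as I do not believe `/mnt/freebsd_install/` exists on the release ISOs (the sets are under `usr/freebsd-dist/` on the mounted image). The prose at 239 promises "everything but kernel" while the loops extract only four sets; either enumerate the sets the media actually carries or change the wording. Line 205-206 says to "first create the root directory" but shows no command; the `mkdir -p` appears only in the from-source path at 269, which also switches from `DESTDIR` to `D` and from the sh/csh pairs back to a bare `setenv`, so the two procedures should use one variable and one shell convention. Nothing guards against `DESTDIR` being unset or empty before the extraction runs; a `: "${DESTDIR:?DESTDIR not set}"` before the loops is cheap insurance, since the 8.x install.sh scripts read it from the environment. Finally, line 202: "a install media )" should be "an install medium)" without the stray space, and the comma in "userland, use" on line 201 should be a colon.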
|
Lines 299-306
|
| 299 |
<programlisting>jail_<replaceable>www</replaceable>_rootdir="/usr/jail/www" # jail's root directory |
367 |
<programlisting>jail_<replaceable>www</replaceable>_rootdir="/usr/jail/www" # jail's root directory |
| 300 |
jail_<replaceable>www</replaceable>_hostname="<replaceable>www</replaceable>.example.org" # jail's hostname |
368 |
jail_<replaceable>www</replaceable>_hostname="<replaceable>www</replaceable>.example.org" # jail's hostname |
| 301 |
jail_<replaceable>www</replaceable>_ip="192.168.0.10" # jail's IP address |
369 |
jail_<replaceable>www</replaceable>_ip="192.168.0.10" # jail's IP address |
| 302 |
jail_<replaceable>www</replaceable>_devfs_enable="YES" # mount devfs in the jail |
370 |
jail_<replaceable>www</replaceable>_devfs_enable="YES" # mount devfs in the jail</programlisting> |
| 303 |
jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</replaceable>" # devfs ruleset to apply to jail</programlisting> |
|
|
| 304 |
|
371 |
|
| 305 |
<para>The default startup of jails configured in |
372 |
<para>The default startup of jails configured in |
| 306 |
&man.rc.conf.5;, will run the <filename>/etc/rc</filename> |
373 |
&man.rc.conf.5;, will run the <filename>/etc/rc</filename> |
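Review bot: new line 370 drops `jail_www_devfs_ruleset="www_ruleset"` along with the move of `</programlisting>`, but neither the listing nor the surrounding prose now says which devfs ruleset the jail receives when the variable is absent. The ruleset is what limits which device nodes are visible inside the jail, so either keep the line (with the ruleset name marked `<replaceable>` as before) or add a sentence stating the ruleset that the jail rc script applies when it is unset, so a reader does not conclude that the jail gets an unrestricted devfs.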
|
Lines 460-465
|
| 460 |
applications that contribute to &man.jail.8; management. |
527 |
applications that contribute to &man.jail.8; management. |
| 461 |
Please refer to its web page for more information.</para> |
528 |
Please refer to its web page for more information.</para> |
| 462 |
</sect2> |
529 |
</sect2> |
|
|
530 |
|
| 531 |
<sect2 xml:id="jails-updating"> |
| 532 |
<title>Keeping jails patched and up to date</title> |
| 533 |
|
| 534 |
<para>Jails should be kept up to date from the host operating |
| 535 |
system as attempting to patch userland from within the jail |
| 536 |
may likely fail as the default behaviour in FreeBSD is to |
| 537 |
disallow the use of &man.chflags.1; in a jail which prevents |
| 538 |
the replacement of some files. |
| 539 |
It's possible to change this behaviour but it is recommended |
| 540 |
to use &man.freebsd-update.8; to maintain jails instead. |
| 541 |
Using the <option>-b</option> option the path of the jail to |
| 542 |
be updated can be specified.</para> |
| 543 |
|
| 544 |
<screen>&prompt.root; <userinput>freebsd-update -b <replaceable>/here/is/the/jail</replaceable> fetch</userinput> |
| 545 |
&prompt.root; <userinput>freebsd-update -b <replaceable>/here/is/the/jail</replaceable> install</userinput></screen> |
| 546 |
</sect2> |
| 547 |
|
| 463 |
</sect1> |
548 |
</sect1> |
| 464 |
|
549 |
|
| 465 |
<sect1 xml:id="jails-application"> |
550 |
<sect1 xml:id="jails-application"> |