Lines 33-39
|
33 |
<para>Jails build upon the &man.chroot.2; concept, which is used |
33 |
<para>Jails build upon the &man.chroot.2; concept, which is used |
34 |
to change the root directory of a set of processes, creating a |
34 |
to change the root directory of a set of processes, creating a |
35 |
safe environment, separate from the rest of the system. |
35 |
safe environment, separate from the rest of the system. |
36 |
Processes created in the chrooted environment can not access |
36 |
Processes created in the chrooted environment cannot access |
37 |
files or resources outside of it. For that reason, compromising |
37 |
files or resources outside of it. For that reason, compromising |
38 |
a service running in a chrooted environment should not allow the |
38 |
a service running in a chrooted environment should not allow the |
39 |
attacker to compromise the entire system. However, a chroot has |
39 |
attacker to compromise the entire system. However, a chroot has |
Lines 225-231
|
225 |
<para>To install just the base system, run the next command when |
225 |
<para>To install just the base system, run the next command when |
226 |
using &os; 9.x or newer:</para> |
226 |
using &os; 9.x or newer:</para> |
227 |
|
227 |
|
228 |
<screen>&prompt.root; <userinput>tar -xf /mnt/usr/freebsd_dist/base.txz -C $DESTDIR</userinput></screen> |
228 |
<screen>&prompt.root; <userinput>tar -xf /mnt/usr/freebsd-dist/base.txz -C $DESTDIR</userinput></screen> |
229 |
|
229 |
|
230 |
<para>On &os; 8.x systems, use this command instead:</para> |
230 |
<para>On &os; 8.x systems, use this command instead:</para> |
231 |
|
231 |
|
Lines 236-242
|
236 |
|
236 |
|
237 |
<para>When using &os; 9.x and newer:</para> |
237 |
<para>When using &os; 9.x and newer:</para> |
238 |
|
238 |
|
239 |
<screen>&prompt.root; <userinput>for <replaceable>sets</replaceable> in BASE PORTS; do tar -xf /mnt/FREEBSD_INSTALL/USR/FREEBSD_DIST/$<replaceable>sets</replaceable>.TXZ -C $DESTDIR ; done</userinput></screen> |
239 |
<screen>&prompt.root; <userinput>for <replaceable>sets</replaceable> in BASE PORTS; do tar -xf /mnt/usr/freebsd-dist/$<replaceable>sets</replaceable>.TXZ -C $DESTDIR ; done</userinput></screen> |
240 |
|
240 |
|
241 |
<para>When using &os; 8.x:</para> |
241 |
<para>When using &os; 8.x:</para> |
242 |
|
242 |
|
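Review bot: the replacement line at 239 still loops over BASE PORTS and appends .TXZ, so with the corrected lowercase directory /mnt/usr/freebsd-dist/ it expands to BASE.TXZ and PORTS.TXZ, while line 228 in this same patch extracts base.txz. If the distribution sets are named as at line 228, these names will not match on a case-sensitive file system. Suggest lowercasing the set names and the extension here too: for sets in base ports; do tar -xf /mnt/usr/freebsd-dist/$sets.txz -C $DESTDIR ; done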
Lines 320-331
|
320 |
<emphasis>service</emphasis> jail, it depends on the service or |
320 |
<emphasis>service</emphasis> jail, it depends on the service or |
321 |
application that will run within the jail.</para> |
321 |
application that will run within the jail.</para> |
322 |
|
322 |
|
323 |
<para>Jails are often started at boot time and the &os; |
323 |
<para>Jails can be started at boot time using |
324 |
<filename>rc</filename> mechanism provides an easy way to do |
324 |
<filename>jails.conf</filename> on &os; 9.1 or newer, or |
325 |
this.</para> |
325 |
by using <filename>rc</filename> mechanism for &os; 9.0 |
|
|
326 |
and earlier.</para> |
326 |
|
327 |
|
|
|
328 |
<para>When using &os; 9.1 or newer:</para> |
329 |
|
327 |
<procedure> |
330 |
<procedure> |
328 |
<step> |
331 |
<step> |
|
|
332 |
<para>Add to &man.rc.conf.5;:</para> |
333 |
<programlisting>jail_enable="YES" # Set to NO to disable starting of any jails</programlisting> |
334 |
</step> |
335 |
|
336 |
<step> |
337 |
<para>Create an entry in &man.jail.conf.5; for each |
338 |
jail:</para> |
339 |
<programlisting>testjail { |
340 |
path = /usr/local/jail/testjail; |
341 |
mount.devfs; |
342 |
host.hostname = testhostname; |
343 |
ip4.addr = 192.0.2.100; |
344 |
interface = ed0; |
345 |
exec.start = "/bin/sh /etc/rc"; |
346 |
exec.stop = "/bin/sh /etc/rc.shutdown"; |
347 |
}</programlisting> |
348 |
</step> |
349 |
</procedure> |
350 |
|
351 |
<para>When using &os; 9.0 and older:</para> |
352 |
|
353 |
<procedure> |
354 |
<step> |
329 |
<para>A list of the jails which are enabled to start at boot |
355 |
<para>A list of the jails which are enabled to start at boot |
330 |
time should be added to the &man.rc.conf.5; file:</para> |
356 |
time should be added to the &man.rc.conf.5; file:</para> |
331 |
|
357 |
|
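Review bot: the new paragraph at 323-326 names the file jails.conf, but the step added at 337 links &man.jail.conf.5; and the reworded text at 393 says jail.conf, so the filename at 324 should read jail.conf. In the same sentence, "by using rc mechanism" needs an article ("the rc mechanism"). The version wording also varies between "9.0 and earlier" at 325-326 and "9.0 and older" at 351; use one form for both.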
Lines 363-370
|
363 |
</step> |
389 |
</step> |
364 |
</procedure> |
390 |
</procedure> |
365 |
|
391 |
|
366 |
<para>&man.service.8; can be used to start or stop a jail by hand, |
392 |
<para>&man.service.8; can be used to start or stop a jail if an |
367 |
if an entry for it exists in |
393 |
entry for it exists in <filename>jail.conf</filename> or |
368 |
<filename>rc.conf</filename>:</para> |
394 |
<filename>rc.conf</filename>:</para> |
369 |
|
395 |
|
370 |
<screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput> |
396 |
<screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput> |
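Review bot: the reworded sentence at 392-394 drops "by hand", which was what set this manual start apart from the boot-time start covered in the preceding procedures; suggest keeping it, for example "can be used to start or stop a jail by hand if an entry for it exists in jail.conf or rc.conf". The example at 396 also still uses www as the jail name, while the jail.conf entry added earlier in this patch defines testjail, so a sentence tying the replaceable name to the entry name would help readers following the new procedure.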