FreeBSD Bugzilla – Attachment 94055 Details for Bug 132113: [handbook] Update handbook jails creation
jails-build.txt (text/plain), 12.19 KB, created by Pat McCary on 2009-03-11 06:27:17 UTC
Description: jails-build.txt
Filename: jails-build.txt
MIME Type: text/plain
Creator: Pat McCary
Created: 2009-03-11 06:27:17 UTC
Size: 12.19 KB
patch
obsolete
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Creating and Controlling Jails</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Jails" href="jails.html" />
<link rel="PREVIOUS" title="Introduction" href="jails-intro.html" />
<link rel="NEXT" title="Fine Tuning and Administration" href="jails-tuning.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="jails-intro.html" accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Jails</td>
<td width="10%" align="right" valign="bottom"><a href="jails-tuning.html" accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="JAILS-BUILD" name="JAILS-BUILD">15.4 Creating and Controlling Jails</a></h1>

<p>Some administrators divide jails into the following two types: “complete” jails, which resemble a real FreeBSD system, and “service” jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it.
The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=jail&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">jail</span>(8)</span></a> manual page is quite clear about the procedure for building a jail:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">setenv D <tt class="REPLACEABLE"><i>/here/is/the/jail</i></tt></kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mkdir -p $D</kbd> <a id="JAILPATH" name="JAILPATH"><img src="./imagelib/callouts/1.png" hspace="0" vspace="0" border="0" alt="(1)" /></a>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">make world DESTDIR=$D</kbd> <a id="JAILWORLD" name="JAILWORLD"><img src="./imagelib/callouts/2.png" hspace="0" vspace="0" border="0" alt="(2)" /></a>
</pre>
<p>If you are running <span class="emphasis"><i class="EMPHASIS"><b>FreeBSD 5.x or older</b></i></span>, change the working directory to <tt class="FILENAME">/usr/src/etc</tt> at this point. On FreeBSD 6.0 or later, stay in <tt class="FILENAME">/usr/src</tt>.</p>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">make distribution DESTDIR=$D</kbd> <a id="JAILDISTRIB" name="JAILDISTRIB"><img src="./imagelib/callouts/3.png" hspace="0" vspace="0" border="0" alt="(3)" /></a>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mount -t devfs devfs $D/dev</kbd> <a id="JAILDEVFS" name="JAILDEVFS"><img src="./imagelib/callouts/4.png" hspace="0" vspace="0" border="0" alt="(4)" /></a>
</pre>

<div class="CALLOUTLIST">
<dl compact="COMPACT">
<dt><a href="jails-build.html#JAILPATH"><img src="./imagelib/callouts/1.png" hspace="0" vspace="0" border="0" alt="(1)" /></a></dt>

<dd>Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host.
A good choice can be <tt class="FILENAME">/usr/jail/<tt class="REPLACEABLE"><i>jailname</i></tt></tt>, where <tt class="REPLACEABLE"><i>jailname</i></tt> is the hostname identifying the jail. The <tt class="FILENAME">/usr/</tt> file system usually has enough space for the jail file system, which for “complete” jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system.</dd>

<dt><a href="jails-build.html#JAILWORLD"><img src="./imagelib/callouts/2.png" hspace="0" vspace="0" border="0" alt="(2)" /></a></dt>

<dd>This command will populate the directory subtree chosen as the jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on. Everything is done in the typical FreeBSD style: first everything is built/compiled, then installed to the destination path.</dd>

<dt><a href="jails-build.html#JAILDISTRIB"><img src="./imagelib/callouts/3.png" hspace="0" vspace="0" border="0" alt="(3)" /></a></dt>

<dd>The <tt class="MAKETARGET">distribution</tt> target for <b class="APPLICATION">make</b> installs every needed configuration file. Put simply, it installs every installable file of <tt class="FILENAME">/usr/src/etc/</tt> to the <tt class="FILENAME">/etc</tt> directory of the jail environment: <tt class="FILENAME">$D/etc/</tt>.</dd>

<dt><a href="jails-build.html#JAILDEVFS"><img src="./imagelib/callouts/4.png" hspace="0" vspace="0" border="0" alt="(4)" /></a></dt>

<dd>Mounting the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=devfs&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">devfs</span>(8)</span></a> file system inside a jail is not required. On the other hand, any, or almost any, application requires access to at least one device, depending on the purpose of the given application.
It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things in the jail. Control over <a href="http://www.FreeBSD.org/cgi/man.cgi?query=devfs&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">devfs</span>(8)</span></a> is managed through rulesets, which are described in the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=devfs&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">devfs</span>(8)</span></a> and <a href="http://www.FreeBSD.org/cgi/man.cgi?query=devfs.conf&sektion=5"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">devfs.conf</span>(5)</span></a> manual pages.</dd>
</dl>
</div>

<p>Once a jail is installed, it can be started by using the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=jail&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">jail</span>(8)</span></a> utility. The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=jail&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">jail</span>(8)</span></a> utility takes four mandatory arguments, which are described in <a href="jails-intro.html#JAILS-WHAT">Section 15.3.1</a>. Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The <code class="OPTION"><tt class="REPLACEABLE"><i>command</i></tt></code> argument depends on the type of the jail; for a <span class="emphasis"><i class="EMPHASIS">virtual system</i></span>, <tt class="FILENAME">/etc/rc</tt> is a good choice, since it will replicate the startup sequence of a real FreeBSD system.
For a <span class="emphasis"><i class="EMPHASIS">service</i></span> jail, it depends on the service or application that will run within the jail.</p>

<p>Jails are often started at boot time, and the FreeBSD <tt class="FILENAME">rc</tt> mechanism provides an easy way to do this.</p>

<div class="PROCEDURE">
<ol type="1">
<li class="STEP">
<p>A list of the jails which are enabled to start at boot time should be added to the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=rc.conf&sektion=5"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">rc.conf</span>(5)</span></a> file:</p>

<pre class="PROGRAMLISTING">
jail_enable="YES" # Set to NO to disable starting of any jails
jail_list="<tt class="REPLACEABLE"><i>www</i></tt>" # Space separated list of names of jails
</pre>
</li>

<li class="STEP">
<p>For each jail listed in <code class="VARNAME">jail_list</code>, a group of <a href="http://www.FreeBSD.org/cgi/man.cgi?query=rc.conf&sektion=5"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">rc.conf</span>(5)</span></a> settings, which describe the particular jail, should be added:</p>

<pre class="PROGRAMLISTING">
jail_<tt class="REPLACEABLE"><i>www</i></tt>_rootdir="/usr/jail/www" # jail's root directory
jail_<tt class="REPLACEABLE"><i>www</i></tt>_hostname="<tt class="REPLACEABLE"><i>www</i></tt>.example.org" # jail's hostname
jail_<tt class="REPLACEABLE"><i>www</i></tt>_ip="192.168.0.10" # jail's IP address
jail_<tt class="REPLACEABLE"><i>www</i></tt>_devfs_enable="YES" # mount devfs in the jail
jail_<tt class="REPLACEABLE"><i>www</i></tt>_devfs_ruleset="<tt class="REPLACEABLE"><i>www_ruleset</i></tt>" # devfs ruleset to apply to jail
</pre>

<p>The default startup of jails configured in <a href="http://www.FreeBSD.org/cgi/man.cgi?query=rc.conf&sektion=5"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">rc.conf</span>(5)</span></a> will run the <tt class="FILENAME">/etc/rc</tt> script of the jail, which
assumes the jail is a complete virtual system. For service jails, the default startup command of the jail should be changed by setting the <code class="VARNAME">jail_<tt class="REPLACEABLE"><i>jailname</i></tt>_exec_start</code> option appropriately.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> For a full list of available options, please see the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=rc.conf&sektion=5"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">rc.conf</span>(5)</span></a> manual page.</p>
</blockquote>
</div>
</li>
</ol>
</div>

<p>The <tt class="FILENAME">/etc/rc.d/jail</tt> script can be used to start or stop a jail by hand, if an entry for it exists in <tt class="FILENAME">rc.conf</tt>:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">/etc/rc.d/jail start <tt class="REPLACEABLE"><i>www</i></tt></kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">/etc/rc.d/jail stop <tt class="REPLACEABLE"><i>www</i></tt></kbd>
</pre>

<p>A clean way to shut down a <a href="http://www.FreeBSD.org/cgi/man.cgi?query=jail&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">jail</span>(8)</span></a> is not available at the moment. This is because the commands normally used to accomplish a clean system shutdown cannot be used inside a jail.
The best way to shut down a jail is to run the following command from within the jail itself, or using the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=jexec&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">jexec</span>(8)</span></a> utility from outside the jail:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">sh /etc/rc.shutdown</kbd>
</pre>

<p>More information about this can be found in the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=jail&sektion=8"><span class="CITEREFENTRY"><span class="REFENTRYTITLE">jail</span>(8)</span></a> manual page.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="jails-intro.html" accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html" accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="jails-tuning.html" accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Introduction</td>
<td width="34%" align="center" valign="top"><a href="jails.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Fine Tuning and Administration</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting <<a href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>>.<br />
For questions about this documentation, e-mail <<a href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>>.</small></p>
</body>
</html>
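The build procedure (setenv D ... make world DESTDIR=$D) and the rc.conf(5) jail settings described in the attached section each have one mistake that is cheap to catch before anything is built or started: a jail root that is empty or "/", which would point make world's DESTDIR at the host itself, and devfs mounted in a jail with no ruleset named, which leaves the jail's device access to whatever the default is rather than to an explicit, restricted set. The script below is an added example for this attachment, not part of the handbook or of FreeBSD's own rc scripts. It reads an rc.conf-style fragment using the jail_* variable names the section shows; the function names check_jail_dest and check_rc_jails and the two sample fragments it writes to a temporary directory are constructed here for illustration.

```shell
#!/bin/sh
# jailcheck.sh: sanity-check jail definitions in an rc.conf(5)-style file
# before the jail is built or started. Added example; not FreeBSD code.
# Variable names follow the handbook section; sample fragments are constructed.

# "make world DESTDIR=$D" with D empty or "/" installs over the host system
# instead of into the jail, so accept only an absolute, non-root path.
check_jail_dest() {
    case "$1" in
        "") echo "  rootdir is empty (DESTDIR would be the host root)" >&2; return 1 ;;
        /)  echo "  rootdir is / (DESTDIR would be the host root)" >&2; return 1 ;;
        /*) return 0 ;;
        *)  echo "  rootdir '$1' is not an absolute path" >&2; return 1 ;;
    esac
}

# Check every jail named in jail_list. Returns 0 when all definitions are
# usable, 1 when at least one needs attention. The file is sourced in a
# subshell so its variables do not leak into the caller's environment.
check_rc_jails() {
    (
        . "$1" || exit 1
        rc=0
        [ "$jail_enable" = "YES" ] || echo "jail_enable is not YES: no jail starts at boot" >&2
        for j in $jail_list; do
            eval "root=\$jail_${j}_rootdir"
            eval "host=\$jail_${j}_hostname"
            eval "ip=\$jail_${j}_ip"
            eval "devfs=\$jail_${j}_devfs_enable"
            eval "ruleset=\$jail_${j}_devfs_ruleset"
            echo "jail $j:" >&2
            check_jail_dest "$root" || rc=1
            [ -n "$host" ] || { echo "  hostname missing" >&2; rc=1; }
            [ -n "$ip" ]   || { echo "  ip missing" >&2; rc=1; }
            # devfs inside a jail is optional; if it is mounted, the device
            # set should be limited by an explicitly named ruleset.
            if [ "$devfs" = "YES" ] && [ -z "$ruleset" ]; then
                echo "  devfs_enable=YES without devfs_ruleset: name one" >&2
                rc=1
            fi
        done
        exit $rc
    )
}

# Constructed sample fragments, written to a scratch directory.
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT

GOOD_RC="$tmpd/rc.conf.good"
cat > "$GOOD_RC" <<'EOF'
jail_enable="YES"
jail_list="www"
jail_www_rootdir="/usr/jail/www"
jail_www_hostname="www.example.org"
jail_www_ip="192.168.0.10"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
EOF

# Two mistakes worth catching: a root directory of "/" and devfs mounted
# without a ruleset (the "db" jail here is constructed to show both).
BAD_RC="$tmpd/rc.conf.bad"
cat > "$BAD_RC" <<'EOF'
jail_enable="YES"
jail_list="www db"
jail_www_rootdir="/usr/jail/www"
jail_www_hostname="www.example.org"
jail_www_ip="192.168.0.10"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
jail_db_rootdir="/"
jail_db_hostname="db.example.org"
jail_db_ip="192.168.0.11"
jail_db_devfs_enable="YES"
EOF

for f in "$GOOD_RC" "$BAD_RC"; do
    if check_rc_jails "$f"; then
        echo "$f: ok"
    else
        echo "$f: fix the problems above before building or starting"
    fi
done
```

On a real host, point check_rc_jails at /etc/rc.conf (or the fragment you are about to append to it) and run check_jail_dest on $D before the make world step; both only read their input, so they are safe to run as often as needed.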