Some administrators divide jails into the following two types: “complete”
jails, which resemble a real FreeBSD system, and “service” jails, dedicated
to one application or service, possibly running with privileges. This is only a
conceptual division and the process of building a jail is not affected by it. The jail(8) manual page is
quite clear about the procedure for building a jail:
# setenv D /here/is/the/jail
# mkdir -p $D
# cd /usr/src
# make world DESTDIR=$D
# cd etc/
# make distribution DESTDIR=$D
# mount -t devfs devfs $D/dev
- Selecting a location for a jail is the best starting point. This is where the jail
will physically reside within the file system of the jail's host. A good choice can be
/usr/jail/jailname, where
jailname is the hostname identifying the jail. The
/usr/ file system usually has enough space for the jail file
system, which for “complete” jails is, essentially, a replication of every
file present in a default installation of the FreeBSD base system.
- The make world command populates the directory subtree chosen as the jail's physical
location on the file system with the necessary binaries, libraries, manual pages and so on.
Everything is done in the typical FreeBSD style -- first everything is built/compiled,
then installed to the destination path.
- The distribution target for make installs every needed configuration file. In other words,
it installs every installable file from /usr/src/etc/ into the /etc directory of the jail environment: $D/etc/.
- Mounting the devfs(8) file system inside a jail is not required. On the other hand,
almost every application requires access to at least one device, depending on the
purpose of the given application. It is very important to control access to devices
from inside a jail, as improper settings could permit an attacker to do nasty things
in the jail. Control over devfs(8) is managed through rulesets which are described in
the devfs(8) and devfs.conf(5) manual pages.
Once a jail is installed, it can be started by using the jail(8) utility. The
jail(8) utility takes four mandatory arguments which are described in Section 15.3.1.
Other arguments may be specified too, e.g., to run the jailed process with the
credentials of a specific user. The command argument depends on the type of the jail;
for a virtual system, /etc/rc is a good choice, since it will replicate the startup
sequence of a real FreeBSD system. For a service jail, it depends on the service or
application that will run within the jail.
Jails are often started at boot time and the FreeBSD rc
mechanism provides an easy way to do this.
- A list of the jails which are enabled to start at boot time should be added to the rc.conf(5) file:
jail_enable="YES" # Set to NO to disable starting of any jails
jail_list="www" # Space separated list of names of jails
- For each jail listed in jail_list, a group of rc.conf(5) settings,
which describe the particular jail, should be added:
jail_www_rootdir="/usr/jail/www" # jail's root directory
jail_www_hostname="www.example.org" # jail's hostname
jail_www_ip="192.168.0.10" # jail's IP address
jail_www_devfs_enable="YES" # mount devfs in the jail
jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail
The default startup of jails configured in rc.conf(5) will run
the /etc/rc script of the jail, which assumes the jail is a
complete virtual system. For service jails, the default startup command of the jail
should be changed by setting the jail_jailname_exec_start
option appropriately.
Note: For a full list of available options, please see the rc.conf(5) manual
page.
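As an added example (not part of the Handbook or of the FreeBSD rc scripts), the following sh script reads an rc.conf-style file, checks that every jail named in jail_list has the per-jail settings shown above, and flags any jail that mounts devfs without naming a ruleset. The helper names rc_get, audit_jails and sample_conf, the db jail, and the policy that each devfs-enabled jail names its ruleset explicitly are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Handbook code): audit per-jail settings in an rc.conf file.
# rc_get FILE VAR: print the value of the last VAR=... line without sourcing FILE.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_jails FILE: print one finding per line; return 1 if anything was found.
audit_jails() {
    conf=$1 found=0
    for j in $(rc_get "$conf" jail_list); do
        # rootdir, hostname and ip are the per-jail settings the page lists.
        for opt in rootdir hostname ip; do
            if [ -z "$(rc_get "$conf" "jail_${j}_${opt}")" ]; then
                echo "$j: jail_${j}_${opt} is not set"
                found=1
            fi
        done
        # Policy of this example: a jail that mounts devfs names its ruleset.
        case $(rc_get "$conf" "jail_${j}_devfs_enable") in
        [Yy][Ee][Ss])
            if [ -z "$(rc_get "$conf" "jail_${j}_devfs_ruleset")" ]; then
                echo "$j: devfs enabled but jail_${j}_devfs_ruleset is not set"
                found=1
            fi ;;
        esac
    done
    return "$found"
}

# Constructed sample: the page's "www" jail plus a hypothetical, incomplete "db" jail.
sample_conf() {
    cat <<'EOF'
jail_enable="YES"
jail_list="www db"
jail_www_rootdir="/usr/jail/www" # jail's root directory
jail_www_hostname="www.example.org"
jail_www_ip="192.168.0.10"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
jail_db_rootdir="/usr/jail/db"
jail_db_hostname="db.example.org"
jail_db_devfs_enable="YES"
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp"
audit_jails "$tmp" || echo "fix the findings above before enabling the jails"
rm -f "$tmp"
```

To check a real configuration, call audit_jails /etc/rc.conf; the parser reads only plain VAR="value" lines and does not evaluate shell expansions.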
The /etc/rc.d/jail script can be used to start or stop a
jail by hand, if an entry for it exists in rc.conf:
# /etc/rc.d/jail start www
# /etc/rc.d/jail stop www
A clean way to shut down a jail(8) is not
available at the moment. This is because commands normally used to accomplish a clean
system shutdown cannot be used inside a jail. The best way to shut down a jail is to run
the following command from within the jail itself or using the jexec(8) utility from
outside the jail:
# sh /etc/rc.shutdown
More information about this can be found in the jail(8) manual
page.