There are several options which can be set for any jail, and various ways of combining
a host FreeBSD system with jails, to produce higher level applications. This section
presents:
Fine tuning of a jail's configuration is mostly done by setting sysctl(8) variables. A
special subtree of sysctl exists as a basis for organizing all the relevant options: the
security.jail.*
hierarchy of FreeBSD kernel options. Here is
a list of the main jail-related sysctls, complete with their default value. Names should
be self-explanatory, but for more information about them, please refer to the jail(8) and sysctl(8) manual
pages.
-
security.jail.set_hostname_allowed: 1
-
security.jail.socket_unixiproute_only: 1
-
security.jail.sysvipc_allowed: 0
-
security.jail.enforce_statfs: 2
-
security.jail.allow_raw_sockets: 0
-
security.jail.chflags_allowed: 0
-
security.jail.jailed: 0
These variables can be used by the system administrator of the host system to add or remove some of the
limitations imposed by default on the root user. Note that
there are some limitations which cannot be removed. The root
user is not allowed to mount or unmount file systems from within a jail(8). The root inside a jail may not load or unload devfs(8) rulesets, set
firewall rules, or do many other administrative tasks which require modifications of
in-kernel data, such as setting the securelevel
of the
kernel.
The base system of FreeBSD contains a basic set of tools for viewing information about
the active jails, and attaching to a jail to run administrative commands. The jls(8) and jexec(8) commands are
part of the base FreeBSD system, and can be used to perform the following simple
tasks:
-
Print a list of active jails and their corresponding jail identifier (JID), IP address, hostname
and path.
-
Attach to a running jail, from its host system, and run a command inside the jail or
perform administrative tasks inside the jail itself. This is especially useful when the
root user wants to cleanly shut down a jail. The jexec(8) utility can
also be used to start a shell in a jail to do administration in it; for example:
# jexec 1 tcsh