There are several options which can be set for any jail, and various ways of combining a host FreeBSD system with jails, to produce higher level applications. This section presents:
Some of the options available for tuning the behavior and security restrictions implemented by a jail installation.
Some of the high-level applications for jail management, which are available through the FreeBSD Ports Collection, and can be used to implement overall jail-based solutions.
Fine tuning of a jail's configuration is mostly done by setting sysctl(8) variables. A special subtree of sysctl exists as a basis for organizing all the relevant options: the security.jail.* hierarchy of FreeBSD kernel options. Here is a list of the main jail-related sysctls, complete with their default values. Names should be self-explanatory, but for more information about them, please refer to the jail(8) and sysctl(8) manual pages.
security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 0
These variables can be used by the system administrator of the host system to add or remove some of the limitations imposed by default on the root user. Note that there are some limitations which cannot be removed. The root user is not allowed to mount or unmount file systems from within a jail(8). The root inside a jail may not load or unload devfs(8) rulesets, set firewall rules, or do many other administrative tasks which require modifications of in-kernel data, such as setting the securelevel of the kernel.
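The following is an added example, not part of the original documentation: a small sh function that compares "name: value" lines, as printed by sysctl(8), against the default values listed above and reports any that differ or are absent. The function name, the DRIFT/MISSING output format and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag jail sysctls that differ from the defaults listed above.
# Baseline copied from the list on this page. security.jail.jailed is left out:
# it reports whether the caller is itself jailed and is not a tunable.
BASELINE='security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0'

# Reads "name: value" lines on stdin. Prints a DRIFT line for every baseline
# sysctl whose value differs and a MISSING line for every one not reported.
# Exit status is 0 when everything matches, 1 otherwise.
audit_jail_sysctls() {
    JAIL_BASELINE="$BASELINE" awk -F': *' '
        BEGIN {
            bad = 0; n = split(ENVIRON["JAIL_BASELINE"], rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, ": *")
                want[kv[1]] = kv[2]
            }
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "DRIFT %s: %s (default %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad
        }'
}

# Constructed sample output (not from a real host): raw sockets enabled and
# enforce_statfs lowered, everything else at the default.
SAMPLE='security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.enforce_statfs: 0
security.jail.allow_raw_sockets: 1
security.jail.chflags_allowed: 0
security.jail.jailed: 0'

printf '%s\n' "$SAMPLE" | audit_jail_sysctls || echo "jail sysctls differ from the listed defaults"
```

On a host, the live values can be piped in with `sysctl security.jail | audit_jail_sysctls`.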
The base system of FreeBSD contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. The jls(8) and jexec(8) commands are part of the base FreeBSD system, and can be used to perform the following simple tasks:
Print a list of active jails and their corresponding jail identifier (JID), IP address, hostname and path.
Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful when the root user wants to cleanly shut down a jail. The jexec(8) utility can also be used to start a shell in a jail to do administration in it; for example:
# jexec 1 tcsh
Among the many third-party utilities for jail administration, one of the most complete and useful is sysutils/ezjail. It is a set of scripts that contribute to jail(8) management. Please refer to the handbook section on ezjail for more information.
Jails should be kept up to date from the host operating system, because attempting to patch userland from within the jail is likely to fail: the default behavior in FreeBSD is to disallow the use of chflags(1) in a jail, which prevents the replacement of some files. It is possible to change this behavior, but it is recommended to use freebsd-update(8) to maintain jails instead. Use -b to specify the path of the jail to be updated.
# freebsd-update -b /here/is/the/jail fetch
# freebsd-update -b /here/is/the/jail install