diff options
Diffstat (limited to 'man7/ezjail.7')
-rw-r--r-- | man7/ezjail.7 | 605 |
1 files changed, 605 insertions, 0 deletions
diff --git a/man7/ezjail.7 b/man7/ezjail.7 new file mode 100644 index 0000000..95fde42 --- /dev/null +++ b/man7/ezjail.7 | |||
@@ -0,0 +1,605 @@ | |||
1 | .Dd January 15, 2011 | ||
2 | .Dt EZJAIL 7 USD | ||
3 | .Os | ||
4 | .Sh NAME | ||
5 | .Cm ezjail | ||
6 | .Nd Jail administration framework. | ||
7 | .Sh SYNOPSIS | ||
8 | .Nm ezjail-admin Ar command arguments... | ||
9 | .Sh OVERVIEW | ||
10 | The ezjail commands provides a simple way to create multiple jails | ||
11 | using FreeBSD's jail system. It simplifies jail administration effort | ||
12 | and minimizes jail system resource usage. | ||
13 | .Pp | ||
14 | If you are not familiar with the FreeBSD jail concept, please refer to | ||
15 | .Xr jail 8 | ||
16 | before continuing. For additional design information, see the ezjail | ||
17 | site at | ||
18 | .Li http://erdgeist.org/arts/software/ezjail . | ||
19 | .Sh DESCRIPTION | ||
20 | The ezjail system enables the system administrator to create multiple | ||
21 | OS-level virtualization containers called jails. Services like web | ||
22 | servers, mail servers, FTP servers, are typically under frequent attack | ||
23 | from the public Internet and are exposed to possible compromise. The | ||
24 | typical usage of jails is to run a single service in each jail and if | ||
25 | that service becomes compromised the rest of the jails and the host | ||
26 | system are protected from also being compromised. | ||
27 | .Pp | ||
28 | The major shortcoming of jails is that each jail has its own copy of | ||
29 | the world. This eats disk space, inodes, and more importantly, | ||
30 | prevents the sharing of binaries images between jails, thus increasing | ||
31 | the memory pressure on the host system. In addition, this causes a | ||
32 | major administration headache when comes the time to update the host | ||
33 | system, as each jail need to be updated independently. | ||
34 | .Pp | ||
35 | Ezjail addresses these problems by creating a single basejail (a read-only | ||
36 | .Xr nullfs 4 ) | ||
37 | populated with the same running binaries as the host system and them | ||
38 | shares that basejail with all the other service jails created by | ||
39 | ezjail. Is is possible to update the base jail (and thus all the | ||
40 | jails) in a single ezjail command. | ||
41 | .Pp | ||
42 | Typical usage of jails include separation of services, creating test | ||
43 | environments, consolidation of different services on a single physical | ||
44 | host, and more. | ||
45 | .Sh EZJAIL SYSTEM | ||
46 | The administrative interface to the ezjail system is the | ||
47 | .Xr ezjail-admin 8 | ||
48 | command. It is used to install the ezjail environment, create new | ||
49 | jails, archive, restore, delete and update jails, open a jail console, | ||
50 | and list the status of all the jails. See below for example usage, and | ||
51 | refer to its man page for complete usage details. | ||
52 | .Pp | ||
53 | The configuration is done in the | ||
54 | .Xr ezjail.conf 5 | ||
55 | file, which see. It will not be necessary to edit this file for most | ||
56 | users. A sample file is installed as | ||
57 | .Pa EZJAIL_PREFIX/etc/ezjail.conf . | ||
58 | .Pp | ||
59 | A rc script is also installed to allow the ezjail to be started | ||
60 | at boot time, as | ||
61 | .Pa ezjail.sh . | ||
62 | It is enabled by setting the | ||
63 | .Xr rc.conf 5 | ||
64 | variable | ||
65 | .Dq Li $ezjail_enable | ||
66 | to | ||
67 | .Dq Li YES . | ||
68 | .Sh WHAT'S IN A JAIL | ||
69 | .Ss The Life of an Ezjail Installation | ||
70 | The base jail is first created by running | ||
71 | .Nm Cm update | ||
72 | or | ||
73 | .Nm Cm install . | ||
74 | Example usage of this command is section | ||
75 | .Sx EXAMPLES . | ||
76 | This will create the base jail, setup a template jail used when | ||
77 | setting up new jails, install an example flavour (see below), | ||
78 | configure miscellaneous things. | ||
79 | .Pp | ||
80 | This step is necessary before using the ezjail system. In particular, | ||
81 | it is not possible to create new jails without initializing the base | ||
82 | jail in advance. | ||
83 | .Pp | ||
84 | Once the base jail has been created, new jails may be created with | ||
85 | .Nm Cm create . | ||
86 | A new jail is defined by its name and its IP address (or addresses). | ||
87 | Creating a new jail involves copying the template jail to the new | ||
88 | location, configuring | ||
89 | .Xr nullfs 4 | ||
90 | mounts for giving access to the base jail, and little more. A jail | ||
91 | that has just be created occupies about 2MB of disk space ; when | ||
92 | running, only a handful of daemons (cron, syslog, sendmail mainly) use | ||
93 | memory. | ||
94 | .Pp | ||
95 | After their creation, jails may be archived to a | ||
96 | .Xr pax 1 | ||
97 | archive, restored, and eventually deleted. | ||
98 | .Pp | ||
99 | When a new version of FreeBSD is released, or when an errata is | ||
100 | published, only the base jail need to be updated. Both source upgrades | ||
101 | and binary upgrades (using | ||
102 | .Xr freebsd-update 8 ) | ||
103 | are supported. The | ||
104 | .Xr ports 7 | ||
105 | collection may also be updated by ezjail, but individual ports need to | ||
106 | be upgraded individually by the administrator. | ||
107 | .Ss Anatomy of a Jail | ||
108 | In the ezjail system, a jail is defined by a root directory and a | ||
109 | couple of configuration values, mainly a name and IP addresses. The | ||
110 | root directory of the jail contains only the jail-specific files: | ||
111 | configuration files, data files, and ports installed by the | ||
112 | administrator. The base system is shared amongst all jails, using a | ||
113 | .Xr nullfs 4 | ||
114 | mount. This saves space and inodes (especially when the ports | ||
115 | collection in made available to the jails), and also memory, as the | ||
116 | kernel is now able to share copies of running programs between the | ||
117 | jails. | ||
118 | .Pp | ||
119 | Unless the variable | ||
120 | .Dq Li $ezjail_jaildir | ||
121 | has been set by the administrator, the root directory of the jail is | ||
122 | kept in | ||
123 | .Pa /usr/jails , | ||
124 | which therefore needs to reside on a partition big enough. | ||
125 | .Pp | ||
126 | There are also file-based jails, in which the storage space for the | ||
127 | jail is kept in a file mounted with | ||
128 | .Xr mdconfig 8 . | ||
129 | There are two advantages to image jails. The amount of disk space | ||
130 | allocated to the jail is limited, while normal jails have no bound on | ||
131 | the amount of disk space they use. On the other hand, the space | ||
132 | dedicated to the jail is no longer available to the host, even if the | ||
133 | jail doesn't use all its allocated space. In addition, image jails | ||
134 | contain a full copy of the basejail. This makes them portable between | ||
135 | hosts running the same FreeBSD version as the image was created with. | ||
136 | Of course, the jail now needs to be updated independently from all | ||
137 | other jails, and there is no longer any sharing of common files | ||
138 | between the jails. | ||
139 | .Pp | ||
140 | Image jails may also be encrypted using | ||
141 | .Xr bde 4 | ||
142 | or | ||
143 | .Xr geli 8 , | ||
144 | depending on the options given at creation time. | ||
145 | .Ss Per-Jail options | ||
146 | As we saw earlier, a jail is described by a file in | ||
147 | .Pa EZJAIL_PREFIX/etc/ezjail/ . | ||
148 | This file has the same name as the jail it configures. It is a set of | ||
149 | variables interpreted by | ||
150 | .Xr sh 1 , | ||
151 | much like | ||
152 | .Xr rc.conf 5 | ||
153 | is. This file is created at the same time as the jail, and usually | ||
154 | doesn't require tweaking from the administrator. | ||
155 | .Pp | ||
156 | In addition to the variables described below, any variable used by the | ||
157 | init script | ||
158 | .Pa /etc/rc.d/jail | ||
159 | may be added manually by the administrator. The following variables | ||
160 | are handled by ezjail, replacing JAILNAME with the actual name of the jail: | ||
161 | .Bl -tag -width indent | ||
162 | .It jail_JAILNAME_hostname | ||
163 | The hostname of the jail. Defaults to the name of the jail, unless | ||
164 | special characters needed to be stripped. | ||
165 | .It jail_JAILNAME_ip | ||
166 | The IP addresses the jail is allowed to use. Since FreeBSD 7.2, | ||
167 | several IP addresses may be given, separated by commas. | ||
168 | .It jail_JAILNAME_rootdir | ||
169 | The directory holding the jail files (the directory used as a mount | ||
170 | point for file-based jails). Defaults to the jail name inside | ||
171 | .Dq Li $ezjail_jaildir . | ||
172 | .It jail_JAILNAME_exec_start | ||
173 | The command to run inside the jail when starting it. Defaults to | ||
174 | .Dq Li $ezjail_exec_start | ||
175 | or | ||
176 | .Dq Li /bin/sh /etc/rc . | ||
177 | .It jail_JAILNAME_exec_stop | ||
178 | The command to run inside the jail when stopping it. Defaults to the | ||
179 | empty string, which means | ||
180 | .Dq Li /bin/sh /etc/rc.shutdown . | ||
181 | .It jail_JAILNAME_mount_enable | ||
182 | A boolean | ||
183 | .Dq ( YES | ||
184 | or | ||
185 | .Dq NO ) , | ||
186 | that specifies whether the filesystems in | ||
187 | .Pa /etc/fstab. Ar JAILNAME | ||
188 | are carried out. Set by ezjail to | ||
189 | .Dq Li YES , | ||
190 | set to | ||
191 | .Qd Li NO | ||
192 | at your own risk. | ||
193 | .It jail_JAILNAME_devfs_enable | ||
194 | A boolean specifying whether to mount a | ||
195 | .Pa /dev | ||
196 | filesystem inside the jail. Defaults to | ||
197 | .Dq Li $ezjail_devfs_enable , | ||
198 | or | ||
199 | .Dq Li YES . | ||
200 | .It jail_JAILNAME_devfs_ruleset | ||
201 | The ruleset to apply when mounting a | ||
202 | .Pa /dev | ||
203 | filesystem inside a jail. Defaults to | ||
204 | .Dq Li $ezjail_devfs_ruleset , | ||
205 | or | ||
206 | .Dq Li devfsrules_jail . | ||
207 | .It ezjail_JAILNAME_procfs | ||
208 | A boolean specifying whether to mount a | ||
209 | .Pa /proc | ||
210 | filesystem inside the jail. Defaults to | ||
211 | .Dq Li $ezjail_procfs_enable , | ||
212 | or | ||
213 | .Dq Li YES . | ||
214 | .It ezjail_JAILNAME_fdescfs | ||
215 | A boolean specifying whether to mount a | ||
216 | .Pa /dev/fs | ||
217 | filesystem inside the jail. Defaults to | ||
218 | .Dq Li $ezjail_fdescfs_enable , | ||
219 | or | ||
220 | .Dq Li YES . | ||
221 | .It ezjail_JAILNAME_image | ||
222 | The path to the image file backing the jail, if the jail is | ||
223 | file-based; or the empty string. | ||
224 | .It ezjail_JAILNAME_imagetype | ||
225 | The type of the image, if the jail is file-based; the empty string | ||
226 | otherwise. | ||
227 | .It ezjail_JAILNAME_attachparams | ||
228 | The parameters to pass to the tool used to decrypt file-based, | ||
229 | encrypted jails. Initialized from the | ||
230 | .Fl C | ||
231 | option when creating such a jail, or the empty string. | ||
232 | .Ir ezjail_JAILNAME_attachblocking | ||
233 | .Dq Li YES | ||
234 | if the jail requires interaction with the administrator when starting | ||
235 | (typically, encrypted jails that needs a password to be decrypted). | ||
236 | .It ezjail_JAILNAME_forceblocking | ||
237 | If | ||
238 | .Dq Li YES , | ||
239 | start the jail even when it is marked as blocking. | ||
240 | .It ezjail_JAILNAME_zfs_datasets | ||
241 | For ZFS jails, additionnal ZFS datasets to attach to the jail when | ||
242 | starting it. Taken from the | ||
243 | .Fl z | ||
244 | option when configuring a jail; the empty string otherwise. | ||
245 | .It ezjail_JAILNAME_cpuset | ||
246 | The processor set to place the jail in when starting it (see | ||
247 | .Xr cpuset 1 ) . | ||
248 | Taken from the | ||
249 | .Fl c | ||
250 | option when configuring a jail; the empty string otherwise. | ||
251 | .It ezjail_JAILNAME_fib | ||
252 | The network view to give to the jail (see | ||
253 | .Xr setfib 1 ) | ||
254 | when starting it. Taken from the | ||
255 | .Fl f | ||
256 | option when configuring the jail; the empty string otherwise. | ||
257 | .El | ||
258 | .Pp | ||
259 | In addition to these | ||
260 | .Xr sh 1 Ns No -style | ||
261 | variables, the administrator may add comment lines starting with | ||
262 | .Dq PROVIDE: , | ||
263 | .Dq REQUIRE: | ||
264 | and | ||
265 | .Dq BEFORE: . | ||
266 | These comments are used by | ||
267 | .Xr rcorder 8 | ||
268 | to determine the order in which the jails are started. The default is | ||
269 | to keep | ||
270 | .Dq REQUIRE | ||
271 | and | ||
272 | .Dq BEFORE | ||
273 | empty, meaning the jails are started in no particular order. | ||
274 | .Ss Flavours | ||
275 | When a jail is created, it is not configured; in particular you likely | ||
276 | want to edit files such as | ||
277 | .Pa /etc/resolv.conf , /etc/localtime | ||
278 | and others. You may also want to create some system users, maybe | ||
279 | enable | ||
280 | .Xr sshd 8 . | ||
281 | Ezjail solves this problem by using the concept of | ||
282 | .Dq flavours . | ||
283 | When a flavour is selected at jail creation time, the flavour | ||
284 | directory tree is merged into the new jail's directory tree. In | ||
285 | addition, the jail is configured so that on its first boot, the file | ||
286 | .Pa ezjail.flavour | ||
287 | is executed. | ||
288 | .Pp | ||
289 | As part of the install sub-command, the flavour base directory | ||
290 | was created as | ||
291 | .Pa /usr/jails/flavours | ||
292 | and populated with an single flavour named | ||
293 | .Cm example . | ||
294 | This flavour contains 3 files customized for running in a | ||
295 | jail | ||
296 | .Pa ( etc/make.conf , etc/periodic.conf , etc/rc.conf ) . | ||
297 | The example | ||
298 | .Pa ezjail.flavour | ||
299 | also show how to create users, and introduce the convention of placing | ||
300 | packages in | ||
301 | .Pa /pkg | ||
302 | that are installed when the jail is first brought up. You are | ||
303 | encouraged to copy the example flavour to create your own flavour. | ||
304 | Typical flavour usages include setting up jails with site-specific | ||
305 | configuration, creating classes of jails for development or testing | ||
306 | (such as a webdev flavour that would install Apache with your | ||
307 | favourite web development framework), pre-creating local users, and so | ||
308 | on. | ||
309 | .Ss Updating the Base Jail | ||
310 | We already mentionned how easy it is to update jails, since only one | ||
311 | copy needs to be updated. Ezjail only handles updating the base | ||
312 | system; updating the ports is left to the administrator (but see | ||
313 | .Dq Li ports-mgmt/jailaudit | ||
314 | for a way to get notified of ports in need of an update). Updates are | ||
315 | handled with the | ||
316 | .Nm Cm update | ||
317 | command. It is possible to update the base jail from source or from | ||
318 | binary packages. If a base jail already exists, the | ||
319 | .Cm update | ||
320 | command installs the world in a temporary directory before moving it | ||
321 | to the basejail, thus leaving intact all installed libraries. After | ||
322 | making sure all software running in the jails is linked with the new | ||
323 | librairies, you may want to remove the old library versions. It is | ||
324 | often a good idea to update the jails when a new kernel is installed | ||
325 | in the host, using the same sources. | ||
326 | .Ss Starting Jails | ||
327 | The ezjail script | ||
328 | .Pa EZJAIL_PREFIX/etc/rc.d/ezjail.sh | ||
329 | takes parameters | ||
330 | .Cm start , startcrypto , restart | ||
331 | and | ||
332 | .Cm stop . | ||
333 | It may be passed an additional list of jails. If no jail name is | ||
334 | specified (usually when the script is called by the rc system at boot | ||
335 | and shutdown time), all jails in ezjail's scope, except crypto image | ||
336 | jails (or jails marked as blocking), are started/stopped. To start all | ||
337 | crypto image jails (or those depending on them), use the | ||
338 | .Cm startcrypto | ||
339 | parameter. | ||
340 | .Pp | ||
341 | The | ||
342 | .Nm Cm start | ||
343 | command provides the same functionnality. | ||
344 | .Pp | ||
345 | The script examines its config, attaches and mounts images, and sets | ||
346 | variables for each jail in the jail_list before passing its command on | ||
347 | to the | ||
348 | .Pa /etc/rc.d/jail | ||
349 | script. | ||
350 | .Pp | ||
351 | .Cm ezjail.sh | ||
352 | enforces the execution of \fB/etc/rc.d/jail\fR, by prepending | ||
353 | .Em one | ||
354 | to the start, restart, and stop commands so it is | ||
355 | .Em NOT NECESSARY | ||
356 | to set | ||
357 | .Dq Li $jail_enable | ||
358 | in the | ||
359 | .Xr /etc/rc.conf 5 | ||
360 | config file. | ||
361 | .Pp | ||
362 | It is possible to set jails as either | ||
363 | .Em norun | ||
364 | (using | ||
365 | .Nm Cm config Fl r Ar norun Ar jailname ) | ||
366 | or as blocking | ||
367 | .Ss Remarks & Tips | ||
368 | Jails can be either accessed from the network, for instance by using | ||
369 | .Xr ssh 1 , | ||
370 | or from the host system by using the | ||
371 | .Cm console | ||
372 | command, which gives you an interactive shell inside the jail. It is | ||
373 | also possible to edit the files of a running jail, and the | ||
374 | modifications will appear immediately inside the jail environment. | ||
375 | When dealing image-based, the | ||
376 | .Cm config -i attach | ||
377 | command allows one to access the disk of a file-based jail without starting it. | ||
378 | .Pp | ||
379 | Raw sockets are disallowed by default for all jails. This is not a ezjail | ||
380 | restriction, but a design default of the jail command. This means the | ||
381 | .Xr ping 8 | ||
382 | command will get | ||
383 | .Dq Operation not permitted. | ||
384 | error when used from inside of a jail. There are | ||
385 | .Xr sysctl 3 | ||
386 | knobs for allowing a jail to access raw sockets, see the | ||
387 | .Xr jail 8 | ||
388 | man page for details. | ||
389 | .Pp | ||
390 | Once your jail has network access, then all your normal application | ||
391 | install functions are availabe, right from the jails console. In | ||
392 | particular, if the ports collection was installed, it can be used as | ||
393 | if from the host system. A modified | ||
394 | .Pa make.conf | ||
395 | file is installed by the example flavour, that enable the ports | ||
396 | collection to work even with a read-only | ||
397 | .Pa /usr/ports . | ||
398 | .Pp | ||
399 | It is possible to change the IP address of a jail by editing its | ||
400 | configuration file in | ||
401 | .Pa EZJAIL_PREFIX/etc/ezjail | ||
402 | and restarting the jail. | ||
403 | .Pp | ||
404 | The jails use the same network stack as the host system. In | ||
405 | particular, that means that if a firewall is needed, it must be | ||
406 | configured in the host system. | ||
407 | .Pp | ||
408 | The ezjail system (and the jails it controls) depends on the | ||
409 | .Dq Li $ezjail_enable | ||
410 | variable being set to | ||
411 | .Dq Li YES | ||
412 | in | ||
413 | .Pa rc.conf . | ||
414 | It is possible to set this variable to | ||
415 | .Dq Li NO | ||
416 | if the administrator wants to temporarily ezjail, or if she doesn't | ||
417 | want the jails to be automatically started on boot. | ||
418 | .Pp | ||
419 | The ezjail system may be reset to a printine state by removing all its | ||
420 | files, that is: | ||
421 | .Bl -item -compact | ||
422 | .It | ||
423 | .Pa /usr/jails/ | ||
424 | .It | ||
425 | .Pa EZJAIL_PREFIX/etc/ezjail/ | ||
426 | .It | ||
427 | .Pa EZJAIL_PREFIX/etc/ezjail.conf | ||
428 | .It | ||
429 | .Pa /etc/fstab.* No (but check the list of files this matches) | ||
430 | .El | ||
431 | .Sh EXAMPLES | ||
432 | The examples below are only that, examples. The reader is encouraged | ||
433 | to read the | ||
434 | .Xr ezjail-admin 8 | ||
435 | man page for definitive documentation of all the options. | ||
436 | .Ss Initial Binary Installation | ||
437 | The ezjail system may be bootstrapped either from binary packages, or | ||
438 | by building from source. The | ||
439 | .Cm install | ||
440 | command allow to bootstrap from binary packages, while the | ||
441 | .Cm update | ||
442 | deals with installations (and updates) from source. | ||
443 | .Bl -tag -width indent | ||
444 | .It Nm Cm install No (without any options) | ||
445 | Fetch and install binaries for populating the base jail from the | ||
446 | FreeBSD FTP server. If the host is not running a -RELEASE version, you | ||
447 | will be asked for the release to install. Neither the man pages nor | ||
448 | the source nor the ports tree are installed. Note that the FreeBSD FTP | ||
449 | server is sometimes so busy the download times out. Use the | ||
450 | .Fl h Ar host | ||
451 | option to specify a less loaded server, or the | ||
452 | .Dq Li $ezjail_ftphost | ||
453 | option in | ||
454 | .Xr ezjail.conf 8 . | ||
455 | .It Nm Cm install Fl ms | ||
456 | Same behavior as above, except that man pages and sources are installed in the | ||
457 | base jail. | ||
458 | .It Nm Cm install Fl p | ||
459 | Same as the first example, but use | ||
460 | .Xr portsnap 8 | ||
461 | to fetch and extract a full FreeBSD ports tree from | ||
462 | .Li portsnap.FreeBSD.org | ||
463 | into the base jail. This is necessary if you plan to install ports at later | ||
464 | time into service jails. | ||
465 | .It Nm Cm install Fl P No (note uppercase P) | ||
466 | Only fetch the current version of the ports tree, adding it to the base jail. | ||
467 | This allow to either add the ports tree after the initial installation or update the ports tree in the base jail. | ||
468 | .It Install from a disk image | ||
469 | Mount and use a downloaded | ||
470 | .Pa disc1.iso | ||
471 | CDRom image file. | ||
472 | .Bd -literal -offset indent | ||
473 | mdconfig -a -f /usr/8.0-RELEASE-i386-disc1.iso md0 | ||
474 | mount -v -t cd9660 /dev/md0 /mnt | ||
475 | cd /mnt/8.0-RELEASE | ||
476 | ezjail-admin install -h file:// -sm | ||
477 | .Ed | ||
478 | .Pp | ||
479 | When the installation finishes, use the following to release the | ||
480 | .Pa disc1.iso | ||
481 | .Pa md0 | ||
482 | file. | ||
483 | .Bd -literal -offset indent | ||
484 | cd /usr | ||
485 | umount /mnt | ||
486 | mdconfig -d -u md0 | ||
487 | .Ed | ||
488 | .It Install from a local directory | ||
489 | To fetch the RELEASE base files manually, create a | ||
490 | .Pa .netrc | ||
491 | file in your home directory and populate it with this. | ||
492 | .Bd -literal -offset indent | ||
493 | machine ftp2.jp.FreeBSD.org | ||
494 | login anonymous | ||
495 | password FBSD@home.com | ||
496 | macdef init | ||
497 | prompt off | ||
498 | cd /pub/FreeBSD/releases/i386/8.0-RELEASE | ||
499 | epsv4 off | ||
500 | $ getdir base kernels manpages src | ||
501 | quit | ||
502 | macdef getdir | ||
503 | ! mkdir $i | ||
504 | mreget $i/* | ||
505 | .Ed | ||
506 | .Pp | ||
507 | Then issue this command on the command line. If the FTP download | ||
508 | times out re-issue the FTP command again to resume where it left off. | ||
509 | .Bd -literal -offset indent | ||
510 | mkdir /usr/8.0-RELEASE | ||
511 | cd /usr/8.0-RELEASE | ||
512 | ftp -v ftp2.jp.FreeBSD.org | ||
513 | ezjail-admin install -h file:// -sm | ||
514 | .Ed | ||
515 | .Pp | ||
516 | Use this option to target the 8.0-RELEASE files you FTP'ed as the source of | ||
517 | the running binaries used to populate the base jail. In addition the man | ||
518 | pages and sources will be installed into the base jail. | ||
519 | .El | ||
520 | .Ss From Source Installation and Update | ||
521 | The | ||
522 | .Cm update | ||
523 | is used to both install or update from source the base jail, and for | ||
524 | updating the base jail from binary packages. | ||
525 | .Bl -tag -width indent | ||
526 | .It Nm Cm update Fl b | ||
527 | Build and install a world from source. The sources are taken from | ||
528 | .Pa /usr/src | ||
529 | (but see the | ||
530 | .Fl s | ||
531 | flag). This can be used both for creating the initial base jail, and | ||
532 | for updating it after the host has been upgraded. | ||
533 | .It Nm Cm update Fl u | ||
534 | Update the base jail to the next release using | ||
535 | .Xr freebsd-update 8 | ||
536 | (i.e. using binary packages). This may be used only to update an | ||
537 | existing installation. | ||
538 | .El | ||
539 | .Ss Jail Creation Examples | ||
540 | .Bl -tag -width indent | ||
541 | .It Nm Cm create Ar www.example.com 10.0.10.1 | ||
542 | Create a new jail. The jail files will reside in directory | ||
543 | .Pa www_example_com | ||
544 | in | ||
545 | .Pa /usr/jails , | ||
546 | unless the variable | ||
547 | .Dq Li $ezjail_jaildir | ||
548 | has been set to some other value. The jail will only be allowed to use | ||
549 | the given IP address. A warning will be displayed if this IP address | ||
550 | is not already configured in the host, or if some network daemon is | ||
551 | already listening on this address. The name of the jail which will | ||
552 | appear in the | ||
553 | .Cm list | ||
554 | command or which will need to be given to the | ||
555 | .Cm console | ||
556 | command is | ||
557 | .Ar www.example.com . | ||
558 | .It Nm Cm create Fl f Ar example Fl r Ar webserver www.example.com 10.0.10.2,2001:db8:1:9243::80 | ||
559 | Create a new jail, placing it in directory | ||
560 | .Pa webserver | ||
561 | instead of deriving the directory name of the jail from its host name. | ||
562 | The jail will be created with the flavour | ||
563 | .Ar example . | ||
564 | This jail will be given two IP addressses; this is possible only since | ||
565 | FreeBSD 7.2. | ||
566 | .It Nm Cm create Fl i Fl s Ar 600M sandbox2 10.0.10.4 | ||
567 | This creates a new file-based jail having a file size of 600 megabytes | ||
568 | in | ||
569 | .Pa /usr/jails/sandbox2.img . | ||
570 | An empty directory, | ||
571 | .Pa /usr/jails/sandbox2 , | ||
572 | will be created, and used as a mount point when starting the jail. | ||
573 | .It Nm Cm create Fl i Fl c Cm bde Fl s Ar 600M sandbox3 10.0.10.5 | ||
574 | This creates a new file based image jail, with | ||
575 | .Xr gbde 4 | ||
576 | encryption. During the gbde creation process you are asked to enter a | ||
577 | passphrase that is used as the prime seed value of the encryption | ||
578 | process. Remember this passphrase, you will be asked for the | ||
579 | passphrase every time sub-command start is used on this jail. As they | ||
580 | require administrator interaction, jails backed by an encrypted file | ||
581 | are not automatically started when the system boots. | ||
582 | .El | ||
583 | .Sh FILES | ||
584 | .Pa EZJAIL_PREFIX/bin/ezjail-admin | ||
585 | .br | ||
586 | .Pa EZJAIL_PREFIX/etc/rc.d/ezjail.sh | ||
587 | .br | ||
588 | .Pa EZJAIL_PREFIX/etc/ezjail.conf | ||
589 | .br | ||
590 | .Pa EZJAIL_PREFIX/share/examples/ezjail/ | ||
591 | .br | ||
592 | .Pa EZJAIL_PREFIX/etc/ezjail/* | ||
593 | .br | ||
594 | .Pa /usr/etc/fstab.* | ||
595 | .Sh SEE ALSO | ||
596 | .Xr ezjail-admin 8 , | ||
597 | .Xr ezjail.conf 5 , | ||
598 | .Xr jail 8 , | ||
599 | .Xr nullfs 4 . | ||
600 | .Pp | ||
601 | Interesting additional tools include: | ||
602 | .Dq Li ports-mgmt/jailaudit . | ||
603 | .Sh AUTHOR | ||
604 | .An Dirk Engling | ||
605 | .Aq erdgeist@erdgeist.org . | ||