Some administrators divide jails into the following two types: “complete” jails, which resemble a real FreeBSD system, and “service” jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. The jail(8) manual page is quite clear about the procedure for building a jail:
# setenv D /here/is/the/jail # mkdir -p $D # cd /usr/src # make buildworld # make installworld DESTDIR=$D # make distribution DESTDIR=$D # mount -t devfs devfs $D/dev
Once a jail is installed, it can be started by using the jail(8) utility. The
jail(8) utility takes
four mandatory arguments which are described in the Section 16.3.1. Other arguments may be specified
too, e.g., to run the jailed process with the credentials of a specific user. The command
argument depends on the
type of the jail; for a virtual
system, /etc/rc is a good choice, since it will
replicate the startup sequence of a real FreeBSD system. For a service jail, it depends on the service or application that
will run within the jail.
Jails are often started at boot time and the FreeBSD rc mechanism provides an easy way to do this.
A list of the jails which are enabled to start at boot time should be added to the rc.conf(5) file:
jail_enable="YES" # Set to NO to disable starting of any jails jail_list="www" # Space separated list of names of jails
Note: Jail names in
jail_list
should contain alphanumeric characters only.
For each jail listed in jail_list
, a group of rc.conf(5) settings,
which describe the particular jail, should be added:
jail_www_rootdir="/usr/jail/www" # jail's root directory jail_www_hostname="www.example.org" # jail's hostname jail_www_ip="192.168.0.10" # jail's IP address jail_www_devfs_enable="YES" # mount devfs in the jail jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail
The default startup of jails configured in rc.conf(5), will run
the /etc/rc script of the jail, which assumes the jail is
a complete virtual system. For service jails, the default startup command of
the jail should be changed, by setting the jail_jailname_exec_start
option
appropriately.
Note: For a full list of available options, please see the rc.conf(5) manual page.
service(8) can be used to start or stop a jail by hand, if an entry for it exists in rc.conf:
# service jail start www # service jail stop www
A clean way to shut down a jail(8) is not available at the moment. This is because commands normally used to accomplish a clean system shutdown cannot be used inside a jail. The best way to shut down a jail is to run the following command from within the jail itself or using the jexec(8) utility from outside the jail:
# sh /etc/rc.shutdown
More information about this can be found in the jail(8) manual page.