# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# FIRST AUTHOR , YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2024-12-29 08:30-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: YAML Front Matter: description
#: documentation/content/en/books/handbook/jails/_index.adoc:1
#, no-wrap
msgid "Jails improve on the concept of the traditional chroot environment in several ways"
msgstr ""

#. type: YAML Front Matter: part
#: documentation/content/en/books/handbook/jails/_index.adoc:1
#, no-wrap
msgid "Part III. System Administration"
msgstr ""

#. type: YAML Front Matter: title
#: documentation/content/en/books/handbook/jails/_index.adoc:1
#, no-wrap
msgid "Chapter 17. Jails and Containers"
msgstr ""

#. type: Title =
#: documentation/content/en/books/handbook/jails/_index.adoc:14
#, no-wrap
msgid "Jails and Containers"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:52
#, no-wrap
msgid "Synopsis"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:58
msgid ""
"Since system administration is a difficult task, many tools have been "
"developed to make life easier for the administrator. These tools often "
"enhance the way systems are installed, configured, and maintained. One of "
"the tools which can be used to enhance the security of a FreeBSD system is "
"_jails_. Jails have been available since FreeBSD 4.X and continue to be "
"enhanced in their usefulness, performance, reliability, and security."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:63
msgid ""
"Jails build upon the man:chroot[2] concept, which is used to change the root "
"directory of a set of processes. This creates a safe environment, separate "
"from the rest of the system. Processes created in the chrooted environment "
"can not access files or resources outside of it. For that reason, "
"compromising a service running in a chrooted environment should not allow "
"the attacker to compromise the entire system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:67
msgid ""
"However, a chroot has several limitations. It is suited to easy tasks which "
"do not require much flexibility or complex, advanced features. Over time, "
"many ways have been found to escape from a chrooted environment, making it a "
"less than ideal solution for securing services."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:69
msgid ""
"Jails improve on the concept of the traditional chroot environment in "
"several ways."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:75
msgid ""
"In a traditional chroot environment, processes are only limited in the part "
"of the file system they can access. The rest of the system resources, "
"system users, running processes, and the networking subsystem are shared by "
"the chrooted processes and the processes of the host system. Jails expand "
"this model by virtualizing access to the file system, the set of users, and "
"the networking subsystem. More fine-grained controls are available for "
"tuning the access of a jailed environment. Jails can be considered as a "
"type of operating system-level virtualization."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:77
msgid "This chapter covers:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:79
msgid "What a jail is and what purpose it may serve in FreeBSD installations."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:80
msgid "The different types of jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:81
msgid "The different ways to configure the network for a jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:82
msgid "The jail configuration file."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:83
msgid "How to create the different types of jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:84
msgid "How to start, stop, and restart a jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:85
msgid ""
"The basics of jail administration, both from inside and outside the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:86
msgid "How to upgrade the different types of jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:87
msgid "An incomplete list of the different FreeBSD jail managers."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:89
#, no-wrap
msgid "Jail Types"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:93
msgid ""
"Some administrators divide jails into different types, although the "
"underlying technology is the same. Each administrator will have to assess "
"what type of jail to create in each case depending on the problem they have "
"to solve."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:95
msgid ""
"Below can be found a list of the different types, their characteristics, and "
"considerations for use."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:97
#, no-wrap
msgid "Thick Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:104
msgid ""
"A thick jail is a traditional form of FreeBSD Jail. In a thick jail, a "
"complete copy of the base system is replicated within the jail's "
"environment. This means that the jail has its own separate instance of the "
"FreeBSD base system, including libraries, executables, and configuration "
"files. The jail can be thought of as an almost complete standalone FreeBSD "
"installation, but running within the confines of the host system. This "
"isolation ensures that the processes within the jail are kept separate from "
"those on the host and other jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:106
msgid "Advantages of Thick Jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:108
msgid ""
"High degree of isolation: Processes within the jail are isolated from the "
"host system and other jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:109
msgid ""
"Independence: Thick jails can have different versions of libraries, "
"configurations, and software than the host system or other jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:110
msgid ""
"Security: Since the jail contains its own base system, vulnerabilities or "
"issues affecting the jail environment won't directly impact the host or "
"other jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:112
msgid "Disadvantages of Thick Jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:114
msgid ""
"Resource overhead: Because each jail maintains its own separate base system, "
"thick jails consume more resources compared to thin jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:115
msgid ""
"Maintenance: Each jail requires its own maintenance and updates for its base "
"system components."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:117
#: documentation/content/en/books/handbook/jails/_index.adoc:411
#, no-wrap
msgid "Thin Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:123
msgid ""
"A thin jail shares the base system using OpenZFS snapshots or NullFS mounts "
"from a template. Only a minimal subset of the base system is duplicated for "
"each thin jail, resulting in less resource consumption compared to a thick "
"jail. However, this also means that thin jails have less isolation and "
"independence compared to thick jails. Changes in shared components could "
"potentially affect multiple thin jails simultaneously."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:125
msgid ""
"In summary, a FreeBSD Thin Jail is a type of FreeBSD Jail that replicates a "
"substantial portion, but not all, of the base system within the isolated "
"environment."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:127
msgid "Advantages of Thin Jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:129
msgid ""
"Resource Efficiency: Thin jails are more resource-efficient compared to "
"thick jails. Since they share most of the base system, they consume less "
"disk space and memory. This makes it possible to run more jails on the same "
"hardware without consuming excessive resources."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:130
msgid ""
"Faster Deployment: Creating and launching thin jails is generally faster "
"compared to thick jails. This can be particularly advantageous when you need "
"to rapidly deploy multiple instances."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:131
msgid ""
"Unified Maintenance: Since thin jails share the majority of their base "
"system with the host system, updates and maintenance of common base system "
"components (such as libraries and binaries) only need to be done once on the "
"host. This simplifies the maintenance process compared to maintaining an "
"individual base system for each thick jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:132
msgid ""
"Shared Resources: Thin jails can more easily share common resources such as "
"libraries and binaries with the host system. This can potentially lead to "
"more efficient disk caching and improved performance for applications within "
"the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:134
msgid "Disadvantages of Thin Jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:136
msgid ""
"Reduced Isolation: The primary disadvantage of thin jails is that they offer "
"less isolation compared to thick jails. Since they share a significant "
"portion of the template's base system, vulnerabilities or issues affecting "
"shared components could potentially impact multiple jails simultaneously."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:137
msgid ""
"Security Concerns: The reduced isolation in thin jails could pose security "
"risks, as a compromise in one jail might have a greater potential to affect "
"other jails or the host system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:138
msgid ""
"Dependency Conflicts: If multiple thin jails require different versions of "
"the same libraries or software, managing dependencies can become complex. In "
"some cases, this might require additional effort to ensure compatibility."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:139
msgid ""
"Compatibility Challenges: Applications within a thin jail might encounter "
"compatibility issues if they assume a certain base system environment that "
"differs from the shared components provided by the template."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:141
#, no-wrap
msgid "Service Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:147
msgid ""
"A service jail shares the complete filesystem tree directly with the host "
"(the jail root path is [.filename]#/#) and as such can access and modify any "
"file on the host, and shares the same user accounts with the host. By "
"default it has no access to the network or other resources which are "
"restricted in jails, but it can be configured to re-use the network of the "
"host and to remove some of the jail restrictions. The use case for service "
"jails is automatic confinement of services/daemons inside a jail with "
"minimal configuration, and without any knowledge of the files needed by such "
"a service/daemon. Service jails have been available since FreeBSD 15."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:149
msgid "Advantages of Service Jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:151
msgid ""
"Zero Administration: A service-jail-ready service needs only one config line "
"in [.filename]#/etc/rc.conf#; a service which is not service-jail-ready "
"needs two config lines."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:152
msgid ""
"Resource Efficiency: Service jails are more resource efficient than thin "
"jails, as they do not need any additional disk space or network resources."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:153
msgid ""
"Faster Deployment: Creating and launching service jails is generally faster "
"compared to thin jails if only distinct services/daemons shall be jailed and "
"no parallel instances of the same service/daemon are needed."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:154
msgid ""
"Shared Resources: Service jails share all resources such as libraries and "
"binaries with the host system. This can potentially lead to more efficient "
"disk caching and improved performance for applications within the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:155
msgid ""
"Process Isolation: Service jails isolate a particular service; it can not "
"see processes which are not children of the service jail, even if they run "
"within the same user account."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:157
msgid "Disadvantages of Service Jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:159
msgid ""
"Reduced Isolation: The primary disadvantage of service jails is that they "
"offer no filesystem isolation compared to thick or thin jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:160
msgid ""
"Security Concerns: The reduced isolation in service jails could pose "
"security risks, as a compromise in one jail might have a greater potential "
"to affect everything on the host system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:163
msgid ""
"Most of the configuration of jails which is discussed below is not needed "
"for service jails. To understand how jails work, it is recommended to "
"understand those configuration possibilities. The details about what is "
"needed to configure a service jail are in crossref:jails[service-jails-"
"config, Configuring service jails]."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:165
#, no-wrap
msgid "VNET Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:170
msgid ""
"A FreeBSD VNET jail is a virtualized environment that allows for the "
"isolation and control of network resources for processes running within it. "
"It provides a high level of network segmentation and security by creating a "
"separate network stack for processes within the jail, ensuring that network "
"traffic within the jail is isolated from the host system and other jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:173
msgid ""
"In essence, FreeBSD VNET jails add a network configuration mechanism. This "
"means a VNET jail can be created as a Thick or Thin Jail."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:175
#, no-wrap
msgid "Linux Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:180
msgid ""
"A FreeBSD Linux Jail is a feature in the FreeBSD operating system that "
"enables the use of Linux binaries and applications within a FreeBSD jail. "
"This functionality is achieved by incorporating a compatibility layer that "
"allows certain Linux system calls and libraries to be translated and "
"executed on the FreeBSD kernel. The purpose of a Linux Jail is to "
"facilitate the execution of Linux software on a FreeBSD system without "
"needing a separate Linux virtual machine or environment."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:182
#, no-wrap
msgid "Host Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:185
msgid ""
"Before creating any jail on the host system it is necessary to perform "
"certain configuration and obtain some information from the host system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:187
msgid ""
"It will be necessary to configure the man:jail[8] utility, create the "
"necessary directories to configure and install jails, obtain information "
"from the host's network, and check whether the host uses OpenZFS or UFS as "
"its file system."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:191
msgid ""
"The FreeBSD version running in the jail can not be newer than the version "
"running in the host."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:194
#, no-wrap
msgid "Jail Utility"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:197
msgid "The man:jail[8] utility manages jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:199
msgid "To start jails when the system boots, run the following commands:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:204
#, no-wrap
msgid ""
"# sysrc jail_enable=\"YES\"\n"
"# sysrc jail_parallel_start=\"YES\"\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:209
msgid ""
"With `jail_parallel_start`, all configured jails will be started in the "
"background."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:212
#, no-wrap
msgid "Networking"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:215
msgid "Networking for FreeBSD jails can be configured several different ways:"
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:216
#, no-wrap
msgid "Host Networking Mode (IP Sharing)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:220
msgid ""
"In host networking mode, a jail shares the same networking stack as the host "
"system. When a jail is created in host networking mode it uses the same "
"network interface and IP address. This means that the jail doesn't have a "
"separate IP address, and its network traffic is associated with the host's "
"IP."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:221
#, no-wrap
msgid "Virtual Networks (VNET)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:225
msgid ""
"Virtual Networks are a feature of FreeBSD jails that offer more advanced and "
"flexible networking solutions than a basic networking mode like host "
"networking. VNET allows the creation of isolated network stacks for each "
"jail, providing them with their own separate IP addresses, routing tables, "
"and network interfaces. This offers a higher level of network isolation and "
"allows jails to function as if they are running on separate virtual machines."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:226
#, no-wrap
msgid "The netgraph system"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:229
msgid ""
"man:netgraph[4] is a versatile kernel framework for creating custom network "
"configurations. It can be used to define how network traffic flows between "
"jails and the host system and between different jails."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:231
#, no-wrap
msgid "Setting Up the Jail Directory Tree"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:234
msgid "There is no specific place to put the files for the jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:237
msgid ""
"Some administrators use [.filename]#/jail#, others [.filename]#/usr/jail#, "
"and still others [.filename]#/usr/local/jails#. In this chapter [."
"filename]#/usr/local/jails# will be used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:239
msgid ""
"Apart from [.filename]#/usr/local/jails# other directories will be created:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:241
msgid ""
"[.filename]#media# will contain the compressed files of the downloaded "
"userlands."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:242
msgid ""
"[.filename]#templates# will contain the templates when using Thin Jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:243
msgid "[.filename]#containers# will contain the jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:245
msgid ""
"When using OpenZFS, execute the following commands to create datasets for "
"these directories:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:252
#, no-wrap
msgid ""
"# zfs create -o mountpoint=/usr/local/jails zroot/jails\n"
"# zfs create zroot/jails/media\n"
"# zfs create zroot/jails/templates\n"
"# zfs create zroot/jails/containers\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:257
msgid ""
"In this case, `zroot` was used for the parent dataset, but other datasets "
"could have been used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:260
msgid ""
"When using UFS, execute the following commands to create the directories:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:267
#, no-wrap
msgid ""
"# mkdir /usr/local/jails/\n"
"# mkdir /usr/local/jails/media\n"
"# mkdir /usr/local/jails/templates\n"
"# mkdir /usr/local/jails/containers\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:270
#, no-wrap
msgid "Jail Configuration Files"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:273
msgid "There are two ways to configure jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:276
msgid ""
"The first one is to add an entry for each jail to the file [.filename]#/etc/"
"jail.conf#. The other option is to create a file for each jail in the "
"directory [.filename]#/etc/jail.conf.d/#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:279
msgid ""
"In case a host system has few jails, an entry for each jail can be added in "
"the file [.filename]#/etc/jail.conf#. If the host system has many jails, it "
"is a good idea to have one configuration file for each jail in the [."
"filename]#/etc/jail.conf.d/# directory."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:281
msgid ""
"The files in [.filename]#/etc/jail.conf.d/# must have `.conf` as their "
"extension and have to be included in [.filename]#/etc/jail.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:285
#, no-wrap
msgid ".include \"/etc/jail.conf.d/*.conf\";\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:288
msgid "A typical jail entry would look like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:296
#, no-wrap
msgid ""
"jailname { <.>\n"
" # STARTUP/LOGGING\n"
" exec.start = \"/bin/sh /etc/rc\"; <.>\n"
" exec.stop = \"/bin/sh /etc/rc.shutdown\"; <.>\n"
" exec.consolelog = \"/var/log/jail_console_${name}.log\"; <.>\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:301
#, no-wrap
msgid ""
" # PERMISSIONS\n"
" allow.raw_sockets; <.>\n"
" exec.clean; <.>\n"
" mount.devfs; <.>\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:305
#, no-wrap
msgid ""
" # HOSTNAME/PATH\n"
" host.hostname = \"${name}\"; <.>\n"
" path = \"/usr/local/jails/containers/${name}\"; <.>\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:311
#, no-wrap
msgid ""
" # NETWORK\n"
" ip4.addr = 192.168.1.151; <.>\n"
" ip6.addr = ::ffff:c0a8:197; <.>\n"
" interface = em0; <.>\n"
"}\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:314
msgid "`jailname` - Name of the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:315
msgid ""
"`exec.start` - Command(s) to run in the jail environment when a jail is "
"created. A typical command to run is \"/bin/sh /etc/rc\"."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:316
msgid ""
"`exec.stop` - Command(s) to run in the jail environment before a jail is "
"removed. A typical command to run is \"/bin/sh /etc/rc.shutdown\"."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:317
msgid ""
"`exec.consolelog` - A file to direct command output (stdout and stderr) to."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:318
msgid ""
"`allow.raw_sockets` - Allow creating raw sockets inside the jail. Setting "
"this parameter allows utilities like man:ping[8] and man:traceroute[8] to "
"operate inside the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:319
msgid "`exec.clean` - Run commands in a clean environment."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:320
msgid ""
"`mount.devfs` - Mount a man:devfs[5] filesystem on the chrooted [.filename]#/"
"dev# directory, and apply the ruleset in the devfs_ruleset parameter to "
"restrict the devices visible inside the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:321
msgid "`host.hostname` - The hostname of the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:322
msgid ""
"`path` - The directory which is to be the root of the jail. Any commands "
"that are run inside the jail, either by jail or from man:jexec[8], are run "
"from this directory."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:323
msgid ""
"`ip4.addr` - IPv4 address. There are two configuration possibilities for "
"IPv4. The first is to establish an IP or a list of IPs as has been done in "
"the example. The other is to use `ip4` instead and set the `inherit` value "
"to inherit the host's IP address."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:324
msgid ""
"`ip6.addr` - IPv6 address. There are two configuration possibilities for "
"IPv6. The first is to establish an IP or a list of IPs as has been done in "
"the example. The other is to use `ip6` instead and set the `inherit` value "
"to inherit the host's IP address."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:325
msgid ""
"`interface` - A network interface to add the jail's IP addresses to. Usually "
"the host interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:327
msgid ""
"More information about configuration variables can be found in man:jail[8] "
"and man:jail.conf[5]."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:329
#, no-wrap
msgid "Classic Jail (Thick Jail)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:333
msgid ""
"These jails resemble a real FreeBSD system. They can be managed more or "
"less like a normal host system and updated independently."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:335
#, no-wrap
msgid "Creating a Classic Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:338
msgid ""
"In principle, a jail only needs a hostname, a root directory, an IP address, "
"and a userland."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:340
msgid ""
"The userland for the jail can be obtained from the official FreeBSD download "
"servers."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:342
msgid "Execute the following command to download the userland:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:346
#: documentation/content/en/books/handbook/jails/_index.adoc:440
#: documentation/content/en/books/handbook/jails/_index.adoc:544
#, no-wrap
msgid "# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:349
msgid ""
"Once the download is complete, it will be necessary to extract the contents "
"into the jail directory."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:351
msgid ""
"Execute the following commands to extract the userland into the jail's "
"directory:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:356
#, no-wrap
msgid ""
"# mkdir -p /usr/local/jails/containers/classic\n"
"# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/containers/classic --unlink\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:359
msgid ""
"With the userland extracted in the jail directory, it will be necessary to "
"copy the timezone and DNS server files:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:364
#, no-wrap
msgid ""
"# cp /etc/resolv.conf /usr/local/jails/containers/classic/etc/resolv.conf\n"
"# cp /etc/localtime /usr/local/jails/containers/classic/etc/localtime\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:367
msgid ""
"With the files copied, the next thing to do is update to the latest patch "
"level by executing the following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:371
#, no-wrap
msgid "# freebsd-update -b /usr/local/jails/containers/classic/ fetch install\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:375
#: documentation/content/en/books/handbook/jails/_index.adoc:484
msgid ""
"The last step is to configure the jail. It will be necessary to add an "
"entry to the configuration file [.filename]#/etc/jail.conf# or in [."
"filename]#jail.conf.d# with the parameters of the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:377
#: documentation/content/en/books/handbook/jails/_index.adoc:486
msgid "An example would be the following:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:385
#, no-wrap
msgid ""
"classic {\n"
" # STARTUP/LOGGING\n"
" exec.start = \"/bin/sh /etc/rc\";\n"
" exec.stop = \"/bin/sh /etc/rc.shutdown\";\n"
" exec.consolelog = \"/var/log/jail_console_${name}.log\";\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:390
#: documentation/content/en/books/handbook/jails/_index.adoc:499
#: documentation/content/en/books/handbook/jails/_index.adoc:653
#, no-wrap
msgid ""
" # PERMISSIONS\n"
" allow.raw_sockets;\n"
" exec.clean;\n"
" mount.devfs;\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:394
#: documentation/content/en/books/handbook/jails/_index.adoc:503
#: documentation/content/en/books/handbook/jails/_index.adoc:864
#, no-wrap
msgid ""
" # HOSTNAME/PATH\n"
" host.hostname = \"${name}\";\n"
" path = \"/usr/local/jails/containers/${name}\";\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:399
#, no-wrap
msgid ""
" # NETWORK\n"
" ip4.addr = 192.168.1.151;\n"
" interface = em0;\n"
"}\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:402
#: documentation/content/en/books/handbook/jails/_index.adoc:511
#: documentation/content/en/books/handbook/jails/_index.adoc:676
msgid "Execute the following command to start the jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:406
#, no-wrap
msgid "# service jail start classic\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:409
#: documentation/content/en/books/handbook/jails/_index.adoc:519
msgid ""
"More information on how to manage jails can be found in the section crossref:"
"jails[jail-management, Jail Management]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:417
msgid ""
"Although Thin Jails use the same technology as Thick Jails, the creation "
"procedure is different. Thin jails can be created using OpenZFS snapshots "
"or using templates and NullFS. The use of OpenZFS snapshots and templates "
"using NullFS have certain advantages over classic jails, such as being able "
"to create them faster from snapshots or being able to update multiple jails "
"using NullFS."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:419
#, no-wrap
msgid "Creating a Thin Jail Using OpenZFS Snapshots"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:422
msgid ""
"Due to the good integration between FreeBSD and OpenZFS it is very easy to "
"create new Thin Jails using OpenZFS Snapshots."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:424
msgid ""
"To create a Thin Jail using OpenZFS Snapshots the first step is to create a "
"template."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:427
msgid ""
"Templates will only be used to create new jails. For this reason they are "
"created in \"read-only\" mode so that jails are created with an immutable "
"base."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:429
msgid "To create the dataset for the template, execute the following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:433
#, no-wrap
msgid "# zfs create -p zroot/jails/templates/13.2-RELEASE\n"
msgstr ""

#.
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:436 #: documentation/content/en/books/handbook/jails/_index.adoc:540 msgid "Then execute the following command to download the userland:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:443 #: documentation/content/en/books/handbook/jails/_index.adoc:547 msgid "" "Once the download is complete, it will be necessary to extract the contents " "in the template directory by executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:447 #, no-wrap msgid "# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE --unlink\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:450 msgid "" "With the userland extracted in the templates directory, it will be necessary " "to copy the timezone and DNS server files to the template directory by " "executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:455 #, no-wrap msgid "" "# cp /etc/resolv.conf /usr/local/jails/templates/13.2-RELEASE/etc/resolv.conf\n" "# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE/etc/localtime\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:458 msgid "" "The next thing to do is update to the latest patch level by executing the " "following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:462 #, no-wrap msgid "# freebsd-update -b /usr/local/jails/templates/13.2-RELEASE/ fetch install\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:465 msgid "Once the update is finished, the template is ready." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:467 msgid "" "To create an OpenZFS Snapshot from the template, execute the following " "command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:471 #, no-wrap msgid "# zfs snapshot zroot/jails/templates/13.2-RELEASE@base\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:474 msgid "" "Once the OpenZFS Snapshot has been created, infinite jails can be created " "using the OpenZFS clone function." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:476 msgid "To create a Thin Jail named `thinjail`, execute the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:480 #, no-wrap msgid "# zfs clone zroot/jails/templates/13.2-RELEASE@base zroot/jails/containers/thinjail\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:494 #: documentation/content/en/books/handbook/jails/_index.adoc:648 #, no-wrap msgid "" "thinjail {\n" " # STARTUP/LOGGING\n" " exec.start = \"/bin/sh /etc/rc\";\n" " exec.stop = \"/bin/sh /etc/rc.shutdown\";\n" " exec.consolelog = \"/var/log/jail_console_${name}.log\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:508 #, no-wrap msgid "" " # NETWORK\n" " ip4 = inherit;\n" " interface = em0;\n" "}\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:515 #: documentation/content/en/books/handbook/jails/_index.adoc:680 #, no-wrap msgid "# service jail start thinjail\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/jails/_index.adoc:521 #, no-wrap msgid "Creating a Thin Jail Using NullFS" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:524 msgid "" "A jail can be created with reduced duplication of system files by using the " "Thin Jail technique and using NullFS to selectively share specific " "directories from the host system into the jail." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:526 msgid "" "The first step is to create the dataset to save the template, execute the " "following command if using OpenZFS:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:530 #, no-wrap msgid "# zfs create -p zroot/jails/templates/13.2-RELEASE-base\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:533 msgid "Or this one if using UFS:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:537 #, no-wrap msgid "# mkdir /usr/local/jails/templates/13.2-RELEASE-base\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:551 #, no-wrap msgid "# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE-base --unlink\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:554 msgid "" "Once the userland is extracted in the templates directory, it will be " "necessary to copy the timezone and DNS server files to the template " "directory by executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:559 #, no-wrap msgid "" "# cp /etc/resolv.conf /usr/local/jails/templates/13.2-RELEASE-base/etc/resolv.conf\n" "# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE-base/etc/localtime\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:562 msgid "" "With the files moved to the template, the next thing to do is update to the " "latest patch level by executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:566 #, no-wrap msgid "# freebsd-update -b /usr/local/jails/templates/13.2-RELEASE-base/ fetch install\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:570 msgid "" "In addition to the base template, it is also necessary to create a directory " "where the `skeleton` will be located. Some directories will be copied from " "the template to the `skeleton`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:572 msgid "" "Execute the following command to create the dataset for the `skeleton` in " "case of using OpenZFS:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:576 #, no-wrap msgid "# zfs create -p zroot/jails/templates/13.2-RELEASE-skeleton\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:579 msgid "Or this one in case of using UFS:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:583 #, no-wrap msgid "# mkdir /usr/local/jails/templates/13.2-RELEASE-skeleton\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:587 msgid "" "Then create the `skeleton` directories. The `skeleton` directories will " "hold the local directories of the jails." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:589 msgid "Execute the following commands to create the directories:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/jails/_index.adoc:599 #, no-wrap msgid "" "# mkdir -p /usr/local/jails/templates/13.2-RELEASE-skeleton/home\n" "# mkdir -p /usr/local/jails/templates/13.2-RELEASE-skeleton/usr\n" "# mv /usr/local/jails/templates/13.2-RELEASE-base/etc /usr/local/jails/templates/13.2-RELEASE-skeleton/etc\n" "# mv /usr/local/jails/templates/13.2-RELEASE-base/usr/local /usr/local/jails/templates/13.2-RELEASE-skeleton/usr/local\n" "# mv /usr/local/jails/templates/13.2-RELEASE-base/tmp /usr/local/jails/templates/13.2-RELEASE-skeleton/tmp\n" "# mv /usr/local/jails/templates/13.2-RELEASE-base/var /usr/local/jails/templates/13.2-RELEASE-skeleton/var\n" "# mv /usr/local/jails/templates/13.2-RELEASE-base/root /usr/local/jails/templates/13.2-RELEASE-skeleton/root\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:602 msgid "" "The next step is to create the symlinks to the `skeleton` by executing the " "following commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:613 #, no-wrap msgid "" "# cd /usr/local/jails/templates/13.2-RELEASE-base/\n" "# mkdir skeleton\n" "# ln -s skeleton/etc etc\n" "# ln -s skeleton/home home\n" "# ln -s skeleton/root root\n" "# ln -s ../skeleton/usr/local usr/local\n" "# ln -s skeleton/tmp tmp\n" "# ln -s skeleton/var var\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:616 msgid "" "With the `skeleton` ready, it will be necessary to copy the data to the jail " "directory." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:618 msgid "" "In case of using OpenZFS, OpenZFS snapshots can be used to easily create as " "many jails as necessary by executing the following commands:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/jails/_index.adoc:623 #, no-wrap msgid "" "# zfs snapshot zroot/jails/templates/13.2-RELEASE-skeleton@base\n" "# zfs clone zroot/jails/templates/13.2-RELEASE-skeleton@base zroot/jails/containers/thinjail\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:626 msgid "" "In case of using UFS the man:cp[1] program can be used by executing the " "following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:630 #, no-wrap msgid "# cp -R /usr/local/jails/templates/13.2-RELEASE-skeleton /usr/local/jails/containers/thinjail\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:633 msgid "" "Then create the directory in which the base template and the skeleton will " "be mounted:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:637 #, no-wrap msgid "# mkdir -p /usr/local/jails/thinjail-nullfs-base\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:640 msgid "" "Add a jail entry in [.filename]#/etc/jail.conf# or a file in [." "filename]#jail.conf.d# as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:657 #, no-wrap msgid "" " # HOSTNAME/PATH\n" " host.hostname = \"${name}\";\n" " path = \"/usr/local/jails/${name}-nullfs-base\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:661 #, no-wrap msgid "" " # NETWORK\n" " ip4.addr = 192.168.1.153;\n" " interface = em0;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:665 #, no-wrap msgid "" " # MOUNT\n" " mount.fstab = \"/usr/local/jails/${name}-nullfs-base.fstab\";\n" "}\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:668 msgid "" "Then the create the [.filename]#/usr/local/jails/thinjail-nullfs-base.fstab# " "file as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:673 #, no-wrap msgid "" "/usr/local/jails/templates/13.2-RELEASE-base /usr/local/jails/thinjail-nullfs-base/ nullfs ro 0 0\n" "/usr/local/jails/containers/thinjail /usr/local/jails/thinjail-nullfs-base/skeleton nullfs rw 0 0\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/jails/_index.adoc:683 #, no-wrap msgid "Creating a VNET Jail" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:686 msgid "" "FreeBSD VNET Jails have their own distinct networking stack, including " "interfaces, IP addresses, routing tables, and firewall rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:688 msgid "" "The first step to create a VNET jail is to create the man:bridge[4] by " "executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:692 #, no-wrap msgid "# ifconfig bridge create\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:695 #: documentation/content/en/books/handbook/jails/_index.adoc:956 #: documentation/content/en/books/handbook/jails/_index.adoc:972 msgid "The output should be similar to the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:699 #, no-wrap msgid "bridge0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:702 msgid "" "With the `bridge` created, it will be necessary to attach it to the `em0` " "interface by executing the following command:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/jails/_index.adoc:706 #, no-wrap msgid "# ifconfig bridge0 addm em0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:709 msgid "" "To make this setting persist across reboots, add the following lines to [." "filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:715 #, no-wrap msgid "" "defaultrouter=\"192.168.1.1\"\n" "cloned_interfaces=\"bridge0\"\n" "ifconfig_bridge0=\"inet 192.168.1.150/24 addm em0 up\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:718 msgid "The next step is to create the jail as indicated above." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:722 msgid "" "Either the crossref:jails[classic-jail, Classic Jail (Thick Jail)] procedure " "and the crossref:jails[thin-jail, Thin Jails] procedure can be used. The " "only thing that will change is the configuration in the [.filename]#/etc/" "jail.conf# file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:724 msgid "" "The path [.filename]#/usr/local/jails/containers/vnet# will be used as an " "example for the created jail." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:726 msgid "The following is an example configuration for a VNET jail:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:734 #, no-wrap msgid "" "vnet {\n" " # STARTUP/LOGGING\n" " exec.start = \"/bin/sh /etc/rc\";\n" " exec.stop = \"/bin/sh /etc/rc.shutdown\";\n" " exec.consolelog = \"/var/log/jail_console_${name}.log\";\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/jails/_index.adoc:740 #, no-wrap msgid "" " # PERMISSIONS\n" " allow.raw_sockets;\n" " exec.clean;\n" " mount.devfs;\n" " devfs_ruleset = 5;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:744 #, no-wrap msgid "" " # PATH/HOSTNAME\n" " path = \"/usr/local/jails/containers/${name}\";\n" " host.hostname = \"${name}\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:748 #, no-wrap msgid "" " # VNET/VIMAGE\n" " vnet;\n" " vnet.interface = \"${epair}b\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:755 #, no-wrap msgid "" " # NETWORKS/INTERFACES\n" " $id = \"154\"; <.>\n" " $ip = \"192.168.1.${id}/24\";\n" " $gateway = \"192.168.1.1\";\n" " $bridge = \"bridge0\"; <.>\n" " $epair = \"epair${id}\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:765 #, no-wrap msgid "" " # ADD TO bridge INTERFACE\n" " exec.prestart = \"/sbin/ifconfig ${epair} create up\";\n" " exec.prestart += \"/sbin/ifconfig ${epair}a up descr jail:${name}\";\n" " exec.prestart += \"/sbin/ifconfig ${bridge} addm ${epair}a up\";\n" " exec.start += \"/sbin/ifconfig ${epair}b ${ip} up\";\n" " exec.start += \"/sbin/route add default ${gateway}\";\n" " exec.poststop = \"/sbin/ifconfig ${bridge} deletem ${epair}a\";\n" " exec.poststop += \"/sbin/ifconfig ${epair}a destroy\";\n" "}\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:768 msgid "Represents the IP of the Jail, it must be *unique*." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:769 msgid "Refers to the bridge created previously." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/jails/_index.adoc:771 #, no-wrap msgid "Creating a Linux Jail" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:777 msgid "" "FreeBSD can run Linux inside a jail using crossref:linuxemu[linuxemu,Linux " "Binary Compatibility] and man:debootstrap[8]. Jails do not have a kernel. " "They run on the host's kernel. Therefore it is necessary to enable Linux " "Binary Compatibility in the host system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:779 msgid "To enable the Linux ABI at boot time, execute the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:783 #, no-wrap msgid "# sysrc linux_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:786 msgid "" "Once enabled, it can be started without rebooting by executing the following " "command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:790 #, no-wrap msgid "# service linux start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:795 msgid "" "The next step will be to create a jail as indicated above, for example in " "crossref:jails[creating-thin-jail-openzfs-snapshots, Creating a Thin Jail " "Using OpenZFS Snapshots], but *without* performing the configuration. " "FreeBSD Linux jails require a specific configuration that will be detailed " "below." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:797 msgid "" "Once the jail has been created as explained above, execute the following " "command to perform required configuration for the jail and start it:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/jails/_index.adoc:818 #, no-wrap msgid "" "# jail -cm \\\n" " name=ubuntu \\\n" " host.hostname=\"ubuntu.example.com\" \\\n" " path=\"/usr/local/jails/ubuntu\" \\\n" " interface=\"em0\" \\\n" " ip4.addr=\"192.168.1.150\" \\\n" " exec.start=\"/bin/sh /etc/rc\" \\\n" " exec.stop=\"/bin/sh /etc/rc.shutdown\" \\\n" " mount.devfs \\\n" " devfs_ruleset=4 \\\n" " allow.mount \\\n" " allow.mount.devfs \\\n" " allow.mount.fdescfs \\\n" " allow.mount.procfs \\\n" " allow.mount.linprocfs \\\n" " allow.mount.linsysfs \\\n" " allow.mount.tmpfs \\\n" " enforce_statfs=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:821 msgid "" "To access the jail, it will be necessary to install package:sysutils/" "debootstrap[]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:823 msgid "Execute the following command to access the FreeBSD Linux jail:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:827 #, no-wrap msgid "# jexec -u root ubuntu\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:830 msgid "" "Inside the jail, execute the following commands to install package:sysutils/" "debootstrap[] and prepare the Ubuntu environment:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:835 #, no-wrap msgid "" "# pkg install debootstrap\n" "# debootstrap jammy /compat/ubuntu\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:839 msgid "" "When the process has finished and the message `Base system installed " "successfully` is displayed on the console, it will be necessary to stop the " "jail from the host system by executing the following command:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/jails/_index.adoc:843 #, no-wrap msgid "# service jail onestop ubuntu\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:846 msgid "Then add an entry in [.filename]#/etc/jail.conf# for the Linux jail:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:854 #, no-wrap msgid "" "ubuntu {\n" " # STARTUP/LOGGING\n" " exec.start = \"/bin/sh /etc/rc\";\n" " exec.stop = \"/bin/sh /etc/rc.shutdown\";\n" " exec.consolelog = \"/var/log/jail_console_${name}.log\";\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:860 #, no-wrap msgid "" " # PERMISSIONS\n" " allow.raw_sockets;\n" " exec.clean;\n" " mount.devfs;\n" " devfs_ruleset = 4;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:868 #, no-wrap msgid "" " # NETWORK\n" " ip4.addr = 192.168.1.155;\n" " interface = em0;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:878 #, no-wrap msgid "" " # MOUNT\n" " mount += \"devfs $path/compat/ubuntu/dev devfs rw 0 0\";\n" " mount += \"tmpfs $path/compat/ubuntu/dev/shm tmpfs rw,size=1g,mode=1777 0 0\";\n" " mount += \"fdescfs $path/compat/ubuntu/dev/fd fdescfs rw,linrdlnk 0 0\";\n" " mount += \"linprocfs $path/compat/ubuntu/proc linprocfs rw 0 0\";\n" " mount += \"linsysfs $path/compat/ubuntu/sys linsysfs rw 0 0\";\n" " mount += \"/tmp $path/compat/ubuntu/tmp nullfs rw 0 0\";\n" " mount += \"/home $path/compat/ubuntu/home nullfs rw 0 0\";\n" "}\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:881 msgid "Then the jail can be started as usual with the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:885 #, no-wrap msgid "# service jail start ubuntu\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:888 msgid "The Ubuntu environment can be accessed using the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:892 #, no-wrap msgid "# jexec ubuntu chroot /compat/ubuntu /bin/bash\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:895 msgid "" "More information can be found in the chapter crossref:linuxemu[linuxemu," "Linux Binary Compatibility]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/jails/_index.adoc:897 #, no-wrap msgid "Configuring Service Jails" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:904 msgid "" "A service jail is configured completely via [.filename]#/etc/rc.conf# or man:" "sysrc[8]. The base system services are service jails ready. They contain a " "config line which enables networking or lift other restrictions of jails. " "Base system services which do not make sense to run inside jails are " "configured to not be started as a service jail, even if enabled in [." "filename]#/etc/rc.conf#. Some examples of such a service are services which " "want to mount or unmount something in the start of stop method, or only " "configure something like a route, or firewall, or the like." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/jails/_index.adoc:906 msgid "" "Third party services may or may not be service jails ready. To check if a " "service is service jail ready, the following command can be used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/jails/_index.adoc:910 #, no-wrap msgid "# grep _svcj_options /path/to/rc.d/servicename\n" msgstr "" #. 
type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:913
msgid ""
"If there is no output, the service is not service jail ready, or does not "
"need any additional privileges such as network access."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:915
msgid ""
"If the service is not service jail ready, and needs network access, it can "
"be made ready by adding the necessary configuration to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:919
#, no-wrap
msgid "# sysrc servicename_svcj_options=net_basic\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:922
msgid "For all possible `_svcj_options` see the man:rc.conf[5] man-page."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:925
msgid ""
"To enable a service jail for a given service, the service needs to be "
"stopped and the `servicename_svcj` variable needs to be set to YES. To put "
"man:syslogd[8] into a service jail, use the following sequence of commands:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:931
#, no-wrap
msgid ""
"# service syslogd stop\n"
"# sysrc syslogd_svcj=YES\n"
"# service syslogd start\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:935
msgid ""
"The service needs to be stopped before the `servicename_svcj` variable is "
"changed. If it is not stopped, the rc framework will not detect the correct "
"state of the service and will not be able to do what is requested."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:938
msgid ""
"Service jails are managed only via man:rc.conf[5]/man:sysrc[8] and the man:"
"service[8] command. The jail utilities, like man:jls[8] as described in "
"crossref:jails[jail-management,Jail Management], can be used to investigate "
"the operation, but the man:jail[8] command is not supposed to be used to "
"manage them."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:940
#, no-wrap
msgid "Jail Management"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:944
msgid ""
"Once the jail is created, there are a number of operations that can be "
"performed, like starting, rebooting or deleting the jail, installing "
"software in it, etc. In this section the different actions that can be done "
"with jails from the host will be described."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:946
#, no-wrap
msgid "List Running Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:949
msgid ""
"To list the jails that are running on the host system, the command man:"
"jls[8] can be used:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:953
#, no-wrap
msgid "# jls\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:960
#, no-wrap
msgid ""
" JID IP Address Hostname Path\n"
" 1 192.168.250.70 classic /usr/local/jails/containers/classic\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:963
msgid ""
"man:jls[8] supports the `--libxo` argument, which through the man:libxo[3] "
"library allows other types of formats to be displayed, such as `JSON`, "
"`HTML`, etc."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:965
msgid "For example, execute the following command to get the `JSON` output:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:969
#, no-wrap
msgid "# jls --libxo=json\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:975
#, no-wrap
msgid "{\"__version\": \"2\", \"jail-information\": {\"jail\": [{\"jid\":1,\"ipv4\":\"192.168.250.70\",\"hostname\":\"classic\",\"path\":\"/usr/local/jails/containers/classic\"}]}}\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:978
#, no-wrap
msgid "Start, Restart, and Stop a Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:981
msgid "man:service[8] is used to start, reboot, or stop a jail on the host."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:983
msgid "For example, to start a jail, run the following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:987
#, no-wrap
msgid "# service jail start jailname\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:990
msgid ""
"Change the `start` argument to `restart` or `stop` to perform other actions "
"on the jail."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:992
#, no-wrap
msgid "Destroy a Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:995
msgid ""
"Destroying a jail is not as simple as stopping the jail using man:service[8] "
"and removing the jail directory and [.filename]#/etc/jail.conf# entry."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:999
msgid ""
"FreeBSD takes system security very seriously. For this reason there are "
"certain files that not even the root user can delete. This functionality is "
"known as File Flags."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1001
msgid "The first step is to stop the desired jail by executing the following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1005
#, no-wrap
msgid "# service jail stop jailname\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1008
msgid ""
"The second step is to remove these flags with man:chflags[1] by executing "
"the following command, in which `classic` is the name of the jail to remove:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1012
#, no-wrap
msgid "# chflags -R 0 /usr/local/jails/containers/classic\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1015
msgid "The third step is to delete the directory where the jail was:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1019
#, no-wrap
msgid "# rm -rf /usr/local/jails/containers/classic\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1022
msgid ""
"Finally, it will be necessary to remove the jail entry in [.filename]#/etc/"
"jail.conf# or in [.filename]#jail.conf.d#."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1024
#, no-wrap
msgid "Handle Packages in a Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1027
msgid ""
"The man:pkg[8] tool supports the `-j` argument in order to handle packages "
"installed inside the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1029
msgid ""
"For example, to install package:nginx-lite[] in the jail, the following "
"command can be executed *from the host*:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1033
#, no-wrap
msgid "# pkg -j classic install nginx-lite\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1036
msgid ""
"For more information on working with packages in FreeBSD, see crossref:"
"ports[ports,\"Installing Applications: Packages and Ports\"]."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1038
#, no-wrap
msgid "Access a Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1041
msgid ""
"While it has been stated above that it is best to manage jails from the host "
"system, a jail can be entered with man:jexec[8]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1043
msgid "The jail can be entered by running man:jexec[8] from the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1047
#, no-wrap
msgid "# jexec -u root jailname\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1050
msgid ""
"When gaining access to the jail, the message configured in man:motd[5] will "
"be displayed."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1052
#, no-wrap
msgid "Execute Commands in a Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1055
msgid ""
"To execute a command from the host system in a jail, man:jexec[8] can be "
"used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1057
msgid ""
"For example, to stop a service that is running inside a jail, execute the "
"following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1061
#, no-wrap
msgid "# jexec -l jailname service nginx stop\n"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:1064
#, no-wrap
msgid "Jail Upgrading"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1067
msgid ""
"Upgrading FreeBSD Jails ensures that the isolated environments remain "
"secure, up-to-date, and in line with the latest features and improvements "
"available in the FreeBSD ecosystem."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1069
#, no-wrap
msgid "Upgrading a Classic Jail or a Thin Jail using OpenZFS Snapshots"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1074
msgid ""
"Jails *must be updated from the host* operating system. The default "
"behavior in FreeBSD is to disallow the use of man:chflags[1] in a jail. "
"This prevents some files from being updated, so updating from within the "
"jail will fail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1076
msgid ""
"To update the jail to the latest patch release of the version of FreeBSD it "
"is running, execute the following commands on the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1081
#, no-wrap
msgid ""
"# freebsd-update -j classic fetch install\n"
"# service jail restart classic\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1085
msgid ""
"To upgrade the jail to a new major or minor version, first upgrade the host "
"system as described in crossref:cutting-edge[freebsdupdate-upgrade,"
"\"Performing Major and Minor Version Upgrades\"]. Once the host has been "
"upgraded and rebooted, the jail can then be upgraded."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1089
msgid ""
"When upgrading from one version to another, it is easier to create a new "
"jail than to upgrade an existing one completely."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1092
msgid ""
"For example, to upgrade from 13.1-RELEASE to 13.2-RELEASE, execute the "
"following commands on the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1100
#, no-wrap
msgid ""
"# freebsd-update -j classic -r 13.2-RELEASE upgrade\n"
"# freebsd-update -j classic install\n"
"# service jail restart classic\n"
"# freebsd-update -j classic install\n"
"# service jail restart classic\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1106
msgid ""
"It is necessary to execute the `install` step two times. The first one "
"upgrades the kernel, and the second one upgrades the rest of the components."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1110
msgid ""
"Then, if it was a major version upgrade, reinstall all installed packages "
"and restart the jail again. This is required because the ABI version "
"changes when upgrading between major versions of FreeBSD."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1112
msgid "From the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1117
#, no-wrap
msgid ""
"# pkg -j jailname upgrade -f\n"
"# service jail restart jailname\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1120
#, no-wrap
msgid "Upgrading a Thin Jail Using NullFS"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1125
msgid ""
"Since Thin Jails that use NullFS share the majority of system directories, "
"they are very easy to update. It is enough to update the template. This "
"allows updating multiple jails at the same time."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1127
msgid ""
"To update the template to the latest patch release of the version of FreeBSD "
"it is running, execute the following commands on the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1132
#, no-wrap
msgid ""
"# freebsd-update -b /usr/local/jails/templates/13.1-RELEASE-base/ fetch install\n"
"# service jail restart\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1136
msgid ""
"To upgrade the template to a new major or minor version, first upgrade the "
"host system as described in crossref:cutting-edge[freebsdupdate-upgrade,"
"\"Performing Major and Minor Version Upgrades\"]. Once the host has been "
"upgraded and rebooted, the template can then be upgraded."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1138
msgid ""
"For example, to upgrade from 13.1-RELEASE to 13.2-RELEASE, execute the "
"following commands on the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1146
#, no-wrap
msgid ""
"# freebsd-update -b /usr/local/jails/templates/13.1-RELEASE-base/ -r 13.2-RELEASE upgrade\n"
"# freebsd-update -b /usr/local/jails/templates/13.1-RELEASE-base/ install\n"
"# service jail restart\n"
"# freebsd-update -b /usr/local/jails/templates/13.1-RELEASE-base/ install\n"
"# service jail restart\n"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:1149
#, no-wrap
msgid "Jail Resource Limits"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1152
msgid ""
"Controlling the resources that a jail uses from the host system is a task to "
"be taken into account by the system administrator."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1154
msgid ""
"man:rctl[8] allows you to manage the resources that a jail can use from the "
"host system."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1158
msgid ""
"The `kern.racct.enable` tunable must be enabled at [.filename]#/boot/loader."
"conf#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1161
msgid "The syntax to limit the resources of a jail is as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1165
#, no-wrap
msgid "rctl -a jail:<jailname>:resource:action=amount/percentage\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1168
msgid ""
"For example, to limit the maximum RAM that a jail can access, run the "
"following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1172
#, no-wrap
msgid "# rctl -a jail:classic:memoryuse:deny=2G\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1175
msgid ""
"To make the limitation persistent across reboots of the host system, it will "
"be necessary to add the rule to the [.filename]#/etc/rctl.conf# file as "
"follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1179
#, no-wrap
msgid "jail:classic:memoryuse:deny=2G/jail\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1182
msgid ""
"More information on resource limits can be found in the security chapter in "
"the crossref:security[security-resourcelimits,\"Resource Limits section\"]."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:1184
#, no-wrap
msgid "Jail Managers and Containers"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1187
msgid ""
"As previously explained, each type of FreeBSD Jail can be created and "
"configured manually, but FreeBSD also has third-party utilities to make "
"configuration and administration easier."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1189
msgid "Below is an incomplete list of the different FreeBSD Jail managers:"
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/jails/_index.adoc:1190
#, no-wrap
msgid "Jail Managers"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1193
#, no-wrap
msgid "Name"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1193
#, no-wrap
msgid "License"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1193
#, no-wrap
msgid "Package"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1195
#, no-wrap
msgid "Documentation"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1196
#, no-wrap
msgid "BastilleBSD"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1197
#: documentation/content/en/books/handbook/jails/_index.adoc:1202
#: documentation/content/en/books/handbook/jails/_index.adoc:1212
#, no-wrap
msgid "BSD-3"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1198
#, no-wrap
msgid "package:sysutils/bastille[]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1200
#, no-wrap
msgid "link:https://bastille.readthedocs.io/en/latest/[Documentation]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1201
#, no-wrap
msgid "pot"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1203
#, no-wrap
msgid "package:sysutils/pot[]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1205
#, no-wrap
msgid "link:https://pot.pizzamig.dev/[Documentation]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1206
#, no-wrap
msgid "cbsd"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1207
#: documentation/content/en/books/handbook/jails/_index.adoc:1217
#, no-wrap
msgid "BSD-2"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1208
#, no-wrap
msgid "package:sysutils/cbsd[]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1210
#, no-wrap
msgid "link:https://www.bsdstore.ru/en/docs.html[Documentation]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1211
#, no-wrap
msgid "AppJail"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1213
#, no-wrap
msgid "package:sysutils/appjail[], for devel package:sysutils/appjail-devel[]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1215
#, no-wrap
msgid "link:https://github.com/DtxdF/AppJail#getting-started[Documentation]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1216
#, no-wrap
msgid "iocage"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1218
#, no-wrap
msgid "package:sysutils/iocage[]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1220
#, no-wrap
msgid "link:https://iocage.readthedocs.io/en/latest/[Documentation]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1221
#, no-wrap
msgid "ezjail"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1222
#, no-wrap
msgid "link:https://erdgeist.org/beerware.html[Beer Ware]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1223
#, no-wrap
msgid "package:sysutils/ezjail[]"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/jails/_index.adoc:1225
#, no-wrap
msgid "link:https://erdgeist.org/arts/software/ezjail/[Documentation]"
msgstr ""