Lines Matching +full:allow +full:- +full:set +full:- +full:time
2 .\" Copyright (c) 2008-2012 James Gritton
94 .Bl -tag -width indent
104 Exhibit a list of all configured non-wildcard jails and their parameters.
129 The jail is first removed and then re-created, as if
146 .Bl -tag -width indent
148 Clean up after an already-removed jail, running commands and operations
193 No removal-related parameters for this jail will be used \(em the jail will
219 .Va allow.dying
221 It used to allow making changes to a
251 If hierarchical jails exist, a partial-matching wildcard definition may
276 Some parameters are boolean, and do not have a value but are set by the
288 comma-separated list, or with
293 List-based parameters may also be specified multiple times on the command
309 Then there are pseudo-parameters that are only used by
313 Jails have a set of core parameters, and kernel modules can add their own
315 The current set of available parameters can be retrieved via
317 Any parameters not set will be given default values, often based on the
320 .Bl -tag -width indent
350 file format, and need not be explicitly set when using the configuration
361 If this is set, the jail is restricted to using only these addresses.
381 to allow unrestricted access to all system addresses,
393 A set of IPv6 options for the jail, the counterparts to
441 .Va allow.mount
443 .Va allow.mount.devfs
446 is set to a value lower than 2.
456 in the per-jail devfs.
480 When set to 0, all mount points are available without any restrictions.
481 When set to 1, only mount points below the jail's chroot directory are
485 When set to 2 (default), above syscalls can operate only on a mount-point
498 pseudo-parameter set.
500 The ID of the cpuset associated with this jail (read-only).
502 This is true if the jail is in the process of shutting down (read-only).
506 of the parent of this jail, or zero if this is a top-level jail
507 (read-only).
511 sysctl and uname -r.
515 and uname -K.
520 sysctl, which can only be adjusted by the non-jailed root user.
529 Each buffer can be treated as a set of key=value\\n strings.
552 .It Va allow.*
553 Some restrictions of the jail environment may be set on a per-jail
556 .Va allow.set_hostname
558 .Va allow.reserved_ports ,
560 .Bl -tag -width indent
561 .It Va allow.set_hostname
566 .It Va allow.sysvipc
568 This is deprecated in favor of the per-module parameters (see below).
569 When this parameter is set, it is equivalent to setting
576 .It Va allow.raw_sockets
583 If this is set, the source IP addresses are enforced to comply
587 flag has been set on the socket.
591 .It Va allow.chflags
594 When this parameter is set, such users are treated as privileged, and
597 .It Va allow.mount
599 system types marked as jail-friendly.
606 is set to a value lower than 2.
607 .It Va allow.mount.devfs
611 .Va allow.mount
614 is set to a value lower than 2.
618 .It Va allow.quotas
621 with non-jailed parts of the system.
622 .It Va allow.read_msgbuf
627 .It Va allow.socket_af
632 .It Va allow.mlock
635 When this parameter is set, users may
642 .It Va allow.nfsd
650 daemons are permitted to run inside a properly configured vnet-enabled jail.
653 must not be set to 0, so that
657 must be set to 1 if file systems mounted under the
687 .It Va allow.reserved_ports
689 .It Va allow.unprivileged_proc_debug
691 .It Va allow.suser
695 The super-user will be disabled automatically if its parent system has it
697 The super-user is enabled by default.
698 .It Va allow.extattr
699 Allow privileged processes in the jail to manipulate filesystem extended
701 .It Va allow.adjtime
702 Allow privileged processes in the jail to slowly adjust the global operating system
703 time.
706 .It Va allow.settime
707 Allow privileged processes in the jail to set the global operating system date
708 and time.
712 .Va allow.adjtime .
723 to encapsulate the jail in some module-specific way,
728 Module-specific parameters include:
729 .Bl -tag -width indent
730 .It Va allow.mount.fdescfs
734 .Va allow.mount
737 is set to a value lower than 2.
738 .It Va allow.mount.fusefs
740 fuse-based file systems.
742 .Va allow.mount
745 is set to a value lower than 2.
746 .It Va allow.mount.nullfs
750 .Va allow.mount
753 is set to a value lower than 2.
754 .It Va allow.mount.procfs
758 .Va allow.mount
761 is set to a value lower than 2.
762 .It Va allow.mount.linprocfs
766 .Va allow.mount
769 is set to a value lower than 2.
770 .It Va allow.mount.linsysfs
774 .Va allow.mount
777 is set to a value lower than 2.
778 .It Va allow.mount.tmpfs
782 .Va allow.mount
785 is set to a value lower than 2.
786 .It Va allow.mount.zfs
790 .Va allow.mount
793 is set to a value lower than 2.
795 .Xr zfs-jail 8
798 .It Va allow.vmm
815 Allow access to SYSV IPC message primitives.
816 If set to
820 If set to
826 If set to
828 the jail cannot perform any sysvmsg-related system calls.
830 Allow access to SYSV IPC semaphore and shared memory primitives, in the
834 When set to 1, jailed users may access the contents of ZFS snapshots
839 .Va allow.mount.zfs
840 is set, the snapshots may also be mounted.
843 There are pseudo-parameters that are not passed to the kernel, but are
846 to set up the jail environment, often by running specified commands
858 The pseudo-parameters are:
859 .Bl -tag -width indent
913 are set to the target login's default values.
915 is set to the target login.
919 is set to "/bin:/usr/bin".
921 target login are also set.
938 The maximum amount of time to wait for a command to complete, in
945 The FIB (routing table) to set when running commands inside the jail.
947 The maximum amount of time to wait for a jail's processes to exit
955 If this is set to zero, no
973 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
978 If a netmask in either dotted-quad or CIDR form is given
987 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
989 A list of network interfaces to give to a vnet-enabled jail after it is created.
994 .Va allow.mount.zfs
995 to be set.
997 .Xr zfs-jail 8
1043 .It Va allow.dying
1045 It used to allow making changes to a
1064 Jails are typically set up using one of two philosophies: either to
1082 To set up a jail directory tree containing an entire
1087 .Bd -literal -offset indent
1090 mkdir -p $D
1118 First, set up the real system's environment to be
1119 .Dq jail-friendly .
1137 .Bd -literal -offset indent
1139 inetd_flags="-wW -a 192.0.2.23"
1151 flags entries; for others it is necessary to modify per-application
1183 Any third-party network software running
1195 Start any jail for the first time without configuring the network
1196 interface so that you can clean it up a little and set up accounts.
1198 with any machine (virtual or not), you will need to set a root password, time
1205 .Bd -literal -offset indent
1206 jail -c path=/data/jail/testjail mount.devfs \\
1214 and do the post-install configuration to set various configuration options,
1219 .Bl -bullet -offset indent -compact
1240 You may also want to perform any package-specific configuration (web servers,
1256 .Bd -literal -offset indent
1284 .Bd -literal -offset indent
1285 jail -c testjail
1306 It is possible to have jails started at boot time.
1321 .Bd -literal -offset indent
1322 kill -TERM -1
1323 kill -KILL -1
1342 .Bd -literal -offset indent
1343 jail -r
1358 .Dq Li -
1369 .Dl "ps ax -o pid,jid,args"
1372 .Bd -literal -offset indent
1373 pgrep -lfj 3
1374 pkill -j 3
1378 .Dl "killall -j 3"
1385 jail-friendly, the jail's
1386 .Va allow.mount
1387 parameter is set, and the jail's
1402 The read-only entry
1412 Some MIB variables have per-jail settings.
1429 Each jail has a read-only
1435 of 0 indicates the jail is a child of the current jail (or is a top-level
1440 .Va allow.nomount ,
1442 .Va allow.mount
1452 parameter is set (remember it is zero by default).
1456 Jail names reflect this hierarchy, with a full name being an MIB-type string
1518 .Xr zfs-jail 8 ,
1530 .An -nosplit
1532 .An Poul-Henning Kamp
1542 added multi-IP jail support for IPv4 and IPv6 based on a patch
1563 For example, if a jailed process has its current working directory set to a