Lines Matching +full:host +full:- +full:only
2 .\" Copyright (c) 2008-2012 James Gritton
94 .Bl -tag -width indent
104 Exhibit a list of all configured non-wildcard jails and their parameters.
129 The jail is first removed and then re-created, as if
146 .Bl -tag -width indent
148 Clean up after an already-removed jail, running commands and operations
157 .Va host.hostname
166 Output (only) the jail identifier of the newly created jail(s).
188 Only error messages will be printed.
193 No removal-related parameters for this jail will be used \(em the jail will
203 The user name from host environment as whom jailed commands should run.
234 A single argument of a jail name will operate only on the specified jail.
251 If hierarchical jails exist, a partial-matching wildcard definition may
288 comma-separated list, or with
293 List-based parameters may also be specified multiple times on the command
309 Then there are pseudo-parameters that are only used by
320 .Bl -tag -width indent
361 If this is set, the jail is restricted to using only these addresses.
367 It is only possible to start multiple jails with the same IP address
411 .It Va host.hostname
414 .Va host.domainname ,
415 .Va host.hostuuid
417 .Va host.hostid .
418 .It Va host
440 Mounting devfs inside a jail is possible only if the
449 NOTE: It is important that only appropriate device nodes in devfs be
456 in the per-jail devfs.
481 When set to 1, only mount points below the jail's chroot directory are
485 When set to 2 (default), above syscalls can operate only on a mount-point
498 pseudo-parameter set.
500 The ID of the cpuset associated with this jail (read-only).
502 This is true if the jail is in the process of shutting down (read-only).
506 of the parent of this jail, or zero if this is a top-level jail
507 (read-only).
511 sysctl and uname -r.
515 and uname -K.
517 Some restrictions of the jail environment may be set on a per-jail
524 .Bl -tag -width indent
532 This is deprecated in favor of the per-module parameters (see below).
563 system types marked as jail-friendly.
568 This permission is effective only if
574 This permission is effective only together with
576 and only when
585 with non-jailed parts of the system.
614 daemons are permitted to run inside a properly configured vnet-enabled jail.
624 For exporting only the jail's file system, a setting of 2
659 The super-user will be disabled automatically if its parent system has it
661 The super-user is enabled by default.
680 Kernel modules may add their own parameters, which only exist when the
687 to encapsulate the jail in some module-specific way,
692 Module-specific parameters include:
693 .Bl -tag -width indent
697 This permission is effective only together with
699 and only when
704 fuse-based file systems.
705 This permission is effective only together with
707 and only when
713 This permission is effective only together with
715 and only when
721 This permission is effective only together with
723 and only when
729 This permission is effective only together with
731 and only when
737 This permission is effective only together with
739 and only when
745 This permission is effective only together with
747 and only when
753 This permission is effective only together with
755 and only when
759 .Xr zfs-jail 8
765 This flag is only available when the
786 the jail will have its own key namespace, and can only see the objects
792 the jail cannot perform any sysvmsg-related system calls.
807 There are pseudo-parameters that are not passed to the kernel, but are
822 The pseudo-parameters are:
823 .Bl -tag -width indent
937 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
942 If a netmask in either dotted-quad or CIDR form is given
951 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
953 A list of network interfaces to give to a vnet-enabled jail after it is created.
961 .Xr zfs-jail 8
966 .Va host.hostname
1051 .Bd -literal -offset indent
1054 mkdir -p $D
1060 In the other extreme case a jail might contain only one file:
1081 .Ss "Setting up the Host Environment"
1083 .Dq jail-friendly .
1085 .Dq "host environment" ,
1089 is to disable IP services on the host system that listen on all local
1091 If a network service is present in the host environment that binds all
1096 to only listen on the
1100 in the host environment:
1101 .Bd -literal -offset indent
1103 inetd_flags="-wW -a 192.0.2.23"
1108 is the native IP address for the host system, in this example.
1111 can be easily configured to use only the specified host IP address.
1115 flags entries; for others it is necessary to modify per-application
1132 them in the host environment.
1141 IP address to bind should not be run in the host environment unless they
1144 NFS from the host environment may also cause confusion, and cannot be
1145 easily reconfigured to use only specific IPs, as some NFS services are
1147 Any third-party network software running
1148 in the host environment should also be checked and configured so that it
1153 these daemons have been disabled or fixed in the host environment, it is
1156 to a jail, and its sendmail is down, the mail is delivered to the host,
1164 Some of these steps apply only if you intend to run a full virtual server
1169 .Bd -literal -offset indent
1170 jail -c path=/data/jail/testjail mount.devfs \\
1178 and do the post-install configuration to set various configuration options,
1183 .Bl -bullet -offset indent -compact
1195 Set a root password, probably different from the real host system.
1204 You may also want to perform any package-specific configuration (web servers,
1210 in the host environment to listen on the syslog socket in the jail
1220 .Bd -literal -offset indent
1248 .Bd -literal -offset indent
1249 jail -c testjail
1285 .Bd -literal -offset indent
1286 kill -TERM -1
1287 kill -KILL -1
1295 the host environment!
1306 .Bd -literal -offset indent
1307 jail -r
1322 .Dq Li -
1333 .Dl "ps ax -o pid,jid,args"
1336 .Bd -literal -offset indent
1337 pgrep -lfj 3
1338 pkill -j 3
1342 .Dl "killall -j 3"
1349 jail-friendly, the jail's
1361 are not aware of jails but only look at the user and group IDs.
1366 The read-only entry
1376 Some MIB variables have per-jail settings.
1377 Changes to these variables by a jailed process do not affect the host
1378 environment, only the jail environment.
1391 These child jails are kept in a hierarchy, with jails only able to see and/or
1393 Each jail has a read-only
1399 of 0 indicates the jail is a child of the current jail (or is a top-level
1420 Jail names reflect this hierarchy, with a full name being an MIB-type string
1428 in the base system (though it is only seen as
1482 .Xr zfs-jail 8 ,
1494 .An -nosplit
1496 .An Poul-Henning Kamp
1506 added multi-IP jail support for IPv4 and IPv6 based on a patch
1519 host environment such that host daemons do not impose on services offered
1522 offered on the host, possibly limiting it to services offered from
1535 and thereby obtain elevated privileges in the host environment.
1537 is not accessible to unprivileged users in the host environment.
1539 to a jail should not be given access to the host environment.