Lines Matching +full:host +full:- +full:only

2 .\" Copyright (c) 2008-2012 James Gritton
94 .Bl -tag -width indent
104 Exhibit a list of all configured non-wildcard jails and their parameters.
129 The jail is first removed and then re-created, as if
146 .Bl -tag -width indent
148 Clean up after an already-removed jail, running commands and operations
157 .Va host.hostname
166 Output (only) the jail identifier of the newly created jail(s).
188 Only error messages will be printed.
193 No removal-related parameters for this jail will be used \(em the jail will
203 The user name from host environment as whom jailed commands should run.
234 A single argument of a jail name will operate only on the specified jail.
251 If hierarchical jails exist, a partial-matching wildcard definition may
288 comma-separated list, or with
293 List-based parameters may also be specified multiple times on the command
309 Then there are pseudo-parameters that are only used by
320 .Bl -tag -width indent
361 If this is set, the jail is restricted to using only these addresses.
367 It is only possible to start multiple jails with the same IP address
411 .It Va host.hostname
414 .Va host.domainname ,
415 .Va host.hostuuid
417 .Va host.hostid .
418 .It Va host
440 Mounting devfs inside a jail is possible only if the
449 NOTE: It is important that only appropriate device nodes in devfs be
456 in the per-jail devfs.
481 When set to 1, only mount points below the jail's chroot directory are
485 When set to 2 (default), above syscalls can operate only on a mount-point
498 pseudo-parameter set.
500 The ID of the cpuset associated with this jail (read-only).
502 This is true if the jail is in the process of shutting down (read-only).
506 of the parent of this jail, or zero if this is a top-level jail
507 (read-only).
511 sysctl and uname -r.
515 and uname -K.
520 sysctl, which can only be adjusted by the non-jailed root user.
553 Some restrictions of the jail environment may be set on a per-jail
560 .Bl -tag -width indent
568 This is deprecated in favor of the per-module parameters (see below).
599 system types marked as jail-friendly.
604 This permission is effective only if
610 This permission is effective only together with
612 and only when
621 with non-jailed parts of the system.
650 daemons are permitted to run inside a properly configured vnet-enabled jail.
660 For exporting only the jail's file system, a setting of 2
695 The super-user will be disabled automatically if its parent system has it
697 The super-user is enabled by default.
716 Kernel modules may add their own parameters, which only exist when the
723 to encapsulate the jail in some module-specific way,
728 Module-specific parameters include:
729 .Bl -tag -width indent
733 This permission is effective only together with
735 and only when
740 fuse-based file systems.
741 This permission is effective only together with
743 and only when
749 This permission is effective only together with
751 and only when
757 This permission is effective only together with
759 and only when
765 This permission is effective only together with
767 and only when
773 This permission is effective only together with
775 and only when
781 This permission is effective only together with
783 and only when
789 This permission is effective only together with
791 and only when
795 .Xr zfs-jail 8
801 This flag is only available when the
822 the jail will have its own key namespace, and can only see the objects
828 the jail cannot perform any sysvmsg-related system calls.
843 There are pseudo-parameters that are not passed to the kernel, but are
858 The pseudo-parameters are:
859 .Bl -tag -width indent
973 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
978 If a netmask in either dotted-quad or CIDR form is given
987 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
989 A list of network interfaces to give to a vnet-enabled jail after it is created.
997 .Xr zfs-jail 8
1002 .Va host.hostname
1087 .Bd -literal -offset indent
1090 mkdir -p $D
1096 In the other extreme case a jail might contain only one file:
1117 .Ss "Setting up the Host Environment"
1119 .Dq jail-friendly .
1121 .Dq "host environment" ,
1125 is to disable IP services on the host system that listen on all local
1127 If a network service is present in the host environment that binds all
1132 to only listen on the
1136 in the host environment:
1137 .Bd -literal -offset indent
1139 inetd_flags="-wW -a 192.0.2.23"
1144 is the native IP address for the host system, in this example.
1147 can be easily configured to use only the specified host IP address.
1151 flags entries; for others it is necessary to modify per-application
1168 them in the host environment.
1177 IP address to bind should not be run in the host environment unless they
1180 NFS from the host environment may also cause confusion, and cannot be
1181 easily reconfigured to use only specific IPs, as some NFS services are
1183 Any third-party network software running
1184 in the host environment should also be checked and configured so that it
1189 these daemons have been disabled or fixed in the host environment, it is
1192 to a jail, and its sendmail is down, the mail is delivered to the host,
1200 Some of these steps apply only if you intend to run a full virtual server
1205 .Bd -literal -offset indent
1206 jail -c path=/data/jail/testjail mount.devfs \\
1214 and do the post-install configuration to set various configuration options,
1219 .Bl -bullet -offset indent -compact
1231 Set a root password, probably different from the real host system.
1240 You may also want to perform any package-specific configuration (web servers,
1246 in the host environment to listen on the syslog socket in the jail
1256 .Bd -literal -offset indent
1284 .Bd -literal -offset indent
1285 jail -c testjail
1321 .Bd -literal -offset indent
1322 kill -TERM -1
1323 kill -KILL -1
1331 the host environment!
1342 .Bd -literal -offset indent
1343 jail -r
1358 .Dq Li -
1369 .Dl "ps ax -o pid,jid,args"
1372 .Bd -literal -offset indent
1373 pgrep -lfj 3
1374 pkill -j 3
1378 .Dl "killall -j 3"
1385 jail-friendly, the jail's
1397 are not aware of jails but only look at the user and group IDs.
1402 The read-only entry
1412 Some MIB variables have per-jail settings.
1413 Changes to these variables by a jailed process do not affect the host
1414 environment, only the jail environment.
1427 These child jails are kept in a hierarchy, with jails only able to see and/or
1429 Each jail has a read-only
1435 of 0 indicates the jail is a child of the current jail (or is a top-level
1456 Jail names reflect this hierarchy, with a full name being an MIB-type string
1464 in the base system (though it is only seen as
1518 .Xr zfs-jail 8 ,
1530 .An -nosplit
1532 .An Poul-Henning Kamp
1542 added multi-IP jail support for IPv4 and IPv6 based on a patch
1555 host environment such that host daemons do not impose on services offered
1558 offered on the host, possibly limiting it to services offered from
1571 and thereby obtain elevated privileges in the host environment.
1573 is not accessible to unprivileged users in the host environment.
1575 to a jail should not be given access to the host environment.