1.\" 2.\"Copyright (c) 2000 Robert N. M. Watson 3.\"All rights reserved. 4.\" 5.\"Redistribution and use in source and binary forms, with or without 6.\"modification, are permitted provided that the following conditions 7.\"are met: 8.\"1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\"2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\"THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\"ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\"IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\"ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\"FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\"DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\"OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\"HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\"LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\"OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\"SUCH DAMAGE. 25.\" 26.\" 27.\"---------------------------------------------------------------------------- 28.\""THE BEER-WARE LICENSE" (Revision 42): 29.\"<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\"can do whatever you want with this stuff. If we meet some day, and you think 31.\"this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\"---------------------------------------------------------------------------- 33.\" 34.\"$FreeBSD$ 35.\" 36.Dd April 28, 1999 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd imprison process and its descendants 42.Sh SYNOPSIS 43.Nm 44.Ar path 45.Ar hostname 46.Ar ip-number 47.Ar command 48.Ar ... 49.Sh DESCRIPTION 50The 51.Nm 52command imprisons a process and all future descendants. 53.Pp 54Please see the 55.Xr jail 2 56man page for further details. 57.Sh EXAMPLES 58.Ss Setting up a Jail Directory Tree 59This shows how to setup a jail directory tree: 60.Bd -literal 61D=/here/is/the/jail 62cd /usr/src 63make world DESTDIR=$D 64cd etc 65make distribution DESTDIR=$D NO_MAKEDEV_RUN=yes 66cd $D/dev 67sh MAKEDEV jail 68cd $D 69ln -sf dev/null kernel 70.Ed 71.Ss Setting Up a Jail 72Do what was described in 73.Sx Setting Up a Jail Directory Tree 74to build the jail directory tree. For the sake of this example, we will 75assume you built it in 76.Pa /data/jail/192.168.11.100 , 77named for the jailed IP address. Substitute below as needed with your 78own directory, IP address, and hostname. 79.Pp 80First, you will want to set up your real system's environment to be 81.Dq jail-friendly . 82For consistency, we will refer to the parent box as the 83.Dq host environment , 84and to the jailed virtual machine as the 85.Dq jail environment . 86Because jail is implemented using IP aliases, one of the first things to do 87is to disable IP services on the host system that listen on all local 88IP addresses for a service. This means changing 89.Xr inetd 8 90to only listen on the 91appropriate IP address, and so forth. Add the following to 92.Pa /etc/rc.conf 93in the host environment: 94.Bd -literal -offset indent 95sendmail_enable="NO" 96inetd_flags="-wW -a 192.168.11.23" 97portmap_enable="NO" 98.Ed 99.Pp 100.Li 192.169.11.23 101is the native IP address for the host system, in this example. Daemons that 102run out of 103.Xr inetd 8 104can be easily set to use only the specified host IP address. Other daemons 105will need to be manually configured--for some this is possible through 106the 107.Xr rc.conf 5 108flags entries, for others it is not possible without munging 109the per-application configuration files, or even recompiling. For those 110applications that cannot specify the IP they run on, it is better to disable 111them, if possible. 112.Pp 113A number of daemons ship with the base system that may have problems when 114run from outside of a jail in a jail-centric environment. This includes 115.Xr sendmail 8 , 116.Xr named 8 , 117and 118.Xr rpcbind 8 . 119While sendmail and named can be configured to listen only on a specific 120IP using their configuration files, in most cases it is easier to simply 121run the daemons in jails only, and not in the host environment. 122Attempting to serve 123NFS from the host environment may also cause confusion, and cannot be 124easily reconfigured to use only specific IPs, as some NFS services are 125hosted directly from the kernel. Any third party network software running 126in the host environment should also be checked and configured so that it 127does not bind all IP addresses, which would result in those services also 128appearing to be offered by the jail environments. 129.Pp 130Once 131these daemons have been disabled or fixed in the host environment, it is 132best to reboot so that all daemons are in a known state, to reduce the 133potential for confusion later (such as finding that when you send mail 134to a jail, and its sendmail is down, the mail is delivered to the host, 135etc.) 136.Pp 137Start any jails for the first time without configuring the network 138interface so that you can clean it up a little and set up accounts. As 139with any machine (virtual or not) you will need to set a root password, time 140zone, etc. Before beginning, you may want to copy 141.Xr sysinstall 8 142into the tree so that you can use it to set things up easily. Do this using: 143.Bd -literal -offset indent 144# mkdir /data/jail/192.168.11.100/stand 145# cp /stand/sysinstall /data/jail/192.168.11.100/stand 146.Ed 147.Pp 148Now start the jail: 149.Bd -literal -offset indent 150# jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh 151.Ed 152.Pp 153You will end up with a shell prompt, assuming no errors, within the jail. You 154can now run 155.Pa /stand/sysinstall 156and do the post-install configuration to set various configuration options, 157or perform these actions manually by editing rc.conf, etc. 158.Pp 159.Bl -bullet -offset indent -compact 160.It 161Create an empty /etc/fstab to quell startup warnings about missing fstab 162.It 163Disable the port mapper (rc.conf: portmap_enable="NO") 164.It 165Run 166.Xr newaliases 1 167to quell sendmail warnings. 168.It 169Disable interface configuration to quell startup warnings about ifconfig 170(network_interfaces="") 171.It 172Configure /etc/resolv.conf 173so that name resolution within the jail will work correctly 174.It 175Set a root password, probably different from the real host system 176.It 177Set the timezone 178.It 179Add accounts for users in the jail environment 180.It 181Install any packages that you think the environment requires 182.El 183.Pp 184You may also want to perform any package-specific configuration (web servers, 185SSH servers, etc), patch up /etc/syslog.conf so it logs as you'd like, etc. 186.Pp 187Exit from the shell, and the jail will be shut down. 188.Ss Starting the Jail 189You are now ready to restart the jail and bring up the environment with 190all of its daemons and other programs. To do this, first bring up the 191virtual host interface, and then start the jail's 192.Pa /etc/rc 193script from within the jail. 194.Pp 195NOTE: If you plan to allow untrusted users to have root access inside the 196jail, you may wish to consider setting the jail.set_hostname_allowed to 1970. Please see the management reasons why this is a good idea. If you 198do decide to set this variable, it must be set before starting any jails, 199and once each boot. 200.Bd -literal -offset indent 201# ifconfig ed0 inet alias 192.168.11.100 netmask 255.255.255.255 202# mount -t procfs proc /data/jail/192.168.11.100/proc 203# jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\ 204 /bin/sh /etc/rc 205.Ed 206.Pp 207A few warnings will be produced, because most 208.Xr sysctl 8 209configuration variables cannot be set from within the jail, as they are 210global across all jails and the host environment. 211However, it should all 212work properly. 213You should be able to see 214.Xr inetd 8 , 215.Xr syslogd 8 , 216and other processes running within the jail using 217.Xr ps 1 , 218with the 219.Dq J 220flag appearing beside jailed processes. You should also be able to 221telnet to the hostname or IP address of the jailed environment, and log 222in using the accounts you created previously. 223.Ss Managing the jail 224Normal machine shutdown commands, such as 225.Xr halt 8 , 226.Xr reboot 8 , 227and 228.Xr shutdown 8 , 229cannot be used successfully within the jail. To kill all processes in a 230jail, you may log into the jail and, as root, use one of the following 231commands, depending on what you want to accomplish: 232.Pp 233.Bl -bullet -offset indent -compact 234.It 235.Li kill -TERM -1 236.It 237.Li kill -KILL -1 238.El 239.Pp 240This will send the 241.Dq TERM 242or 243.Dq KILL 244signals to all processes in the jail from within the jail. Depending on 245the intended use of the jail, you may also want to run 246.Pa /etc/rc.shutdown 247from within the jail. Currently there is no way to insert new processes 248into a jail, so you must first log into the jail before performing these 249actions. 250.Pp 251To kill processes from outside the jail, you must individually identify the 252PID of each process to be killed. The 253.Pa /proc/ Ns Va pid Ns Pa /status 254file contains, as its last field, the hostname of the jail in which the 255process runs, or 256.Dq - 257to indicate that the process is not running within a jail. The 258.Xr ps 1 259command also shows a 260.Dq J 261flag for processes in a jail. However, the hostname for a jail may be, by 262default, modified from within the jail, so the 263.Pa /proc 264status entry is unreliable by default. To disable the setting of the hostname 265from within a jail, set the 266.Dq Va jail.set_hostname_allowed 267sysctl variable in the host environment to 0, which will affect all jails. 268You can have this sysctl set each boot using 269.Xr sysctl.conf 5 . 270Just add the following line to sysctl.conf: 271.Bd -literal -offset indent 272jail.set_hostname_allowed=0 273.Ed 274.Pp 275In a future version of 276.Fx , 277the mechanisms for managing jails will be 278more refined. 279.Ss Sysctl MIB Entries 280Certain aspects of the jail containments environment may be modified from 281the host environment using 282.Xr sysctl 8 283MIB variables. 284Currently, these variables affect all jails on the system, although in 285the future this functionality may be finer grained. 286.Bl -tag -width XXX 287.It jail.set_hostname_allowed 288This MIB entry determines whether or not processes within a jail are 289allowed to change their hostname via 290.Xr hostname 1 291or 292.Xr sethostname 3 . 293In the current jail implementation, the ability to set the hostname from 294within the jail can impact management tools relying on the accuracy of jail 295information in 296.Pa /proc . 297As such, this should be disabled in environments where privileged access to 298jails is given out to untrusted parties. 299.It jail.socket_unixiproute_only 300The jail functionality binds an IPv4 address to each jail, and limits 301access to other network addresses in the IPv4 space that may be available 302in the host environment. 303However, jail is not currently able to limit access to other network 304protocol stacks that have not had jail functionality added to them. 305As such, by default, processes within jails may only access protocols 306in the following domains: 307.Dv PF_LOCAL , 308.Dv PF_INET , 309and 310.Dv PF_ROUTE , 311permitting them access to UNIX domain sockets, 312IPv4 addresses, and routing sockets. 313To enable access to other domains, this MIB variable may be set to 3140. 315.It jail.sysvipc_allowed 316This MIB entry determines whether or not processes within a jail have access 317to System V IPC primitives. 318In the current jail implementation, System V primitives share a single 319namespace across the host and jail environments, meaning that processes 320within a jail would be able to communicate with (and potentially interfere 321with) processes outside of the jail, and in other jails. 322As such, this functionality is disabled by default, but can be enabled 323by setting this MIB entry to 1. 324.El 325.Sh SEE ALSO 326.Xr newaliases 1 , 327.Xr ps 1 , 328.Xr chroot 2 , 329.Xr jail 2 , 330.Xr procfs 5 , 331.Xr rc.conf 5 , 332.Xr sysctl.conf 5 , 333.Xr halt 8 , 334.Xr inetd 8 , 335.Xr named 8 , 336.Xr reboot 8 , 337.Xr rpcbind 8 , 338.Xr sendmail 8 , 339.Xr shutdown 8 , 340.Xr sysctl 8 , 341.Xr syslogd 8 342.Sh HISTORY 343The 344.Nm 345command appeared in 346.Fx 4.0 . 347.Sh AUTHORS 348The jail feature was written by 349.An Poul-Henning Kamp 350for R&D Associates 351.Dq Li http://www.rndassociates.com/ 352who contributed it to 353.Fx . 354.Pp 355Robert Watson wrote the extended documentation, found a few bugs, added 356a few new features, and cleaned up the userland jail environment. 357.Sh BUGS 358Jail currently lacks strong management functionality, such as the ability 359to deliver signals to all processes in a jail, and to allow access to 360specific jail information via 361.Xr ps 1 362as opposed to 363.Xr procfs 5 . 364Similarly, it might be a good idea to add an 365address alias flag such that daemons listening on all IPs (INADDR_ANY) 366will not bind on that address, which would facilitate building a safe 367host environment such that host daemons do not impose on services offered 368from within jails. Currently, the simplist answer is to minimize services 369offered on the host, possibly limiting it to services offered from 370.Xr inetd 8 371which is easily configurable. 372