1.\" Copyright (c) 2012 James Gritton 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd Jun 3, 2023 28.Dt JAIL.CONF 5 29.Os 30.Sh NAME 31.Nm jail.conf 32.Nd configuration file for 33.Xr jail 8 34.Sh DESCRIPTION 35A 36.Xr jail 8 37configuration file consists of one or more jail definitions statements, 38and parameter or variable statements within those jail definitions. 39A jail definition statement looks something like a C compound statement. 40A parameter statement looks like a C assignment, 41including a terminating semicolon. 
42.Pp 43The general syntax of a jail definition is: 44.Bd -literal -offset indent 45jailname { 46 parameter = "value"; 47 parameter = "value"; 48 ... 49} 50.Ed 51.Pp 52Each jail is required to have a 53.Va name 54at the front of its definition. 55This is used by 56.Xr jail 8 57to specify a jail on the command line and report the jail status, 58and is also passed to the kernel when creating the jail. 59.Ss Parameters 60A jail is defined by a set of named parameters, specified inside the 61jail definition. 62.Em See 63.Xr jail 8 64.Em for a list of jail parameters 65passed to the kernel, as well as internal parameters used when creating and 66removing jails. 67.Pp 68A typical parameter has a name and a value. 69Some parameters are boolean and may be specified with values of 70.Dq true 71or 72.Dq false , 73or as valueless shortcuts, with a 74.Dq no 75prefix indicating a false value. 76For example, these are equivalent: 77.Bd -literal -offset indent 78allow.mount = "false"; 79allow.nomount; 80.Ed 81.Pp 82Other parameters may have more than one value. 83A comma-separated list of values may be set in a single statement, 84or an existing parameter list may be appended to using 85.Dq += : 86.Bd -literal -offset indent 87ip4.addr = 10.1.1.1, 10.1.1.2, 10.1.1.3; 88 89ip4.addr = 10.1.1.1; 90ip4.addr += 10.1.1.2; 91ip4.addr += 10.1.1.3; 92.Ed 93.Pp 94Note the 95.Va name 96parameter is implicitly set to the name in the jail definition. 97.Ss String format 98Parameter values, including jail names, can be single tokens or quoted 99strings. 100A token is any sequence of characters that aren't considered special in 101the syntax of the configuration file (such as a semicolon or 102whitespace). 103If a value contains anything more than letters, numbers, dots, dashes 104and underscores, it is advisable to put quote marks around that value. 105Either single or double quotes may be used. 106.Pp 107Special characters may be quoted by preceding them with a backslash. 
108Common C-style backslash character codes are also supported, including 109control characters and octal or hex ASCII codes. 110A backslash at the end of a line will ignore the subsequent newline and 111continue the string at the start of the next line. 112.Ss Variables 113A string may use shell-style variable substitution. 114A parameter or variable name preceded by a dollar sign, and possibly 115enclosed in braces, will be replaced with the value of that parameter or 116variable. 117For example, a jail's path may be defined in terms of its name or 118hostname: 119.Bd -literal -offset indent 120path = "/var/jail/$name"; 121 122path = "/var/jail/${host.hostname}"; 123.Ed 124.Pp 125Variable substitution occurs in unquoted tokens or in double-quoted 126strings, but not in single-quote strings. 127.Pp 128A variable is defined in the same way a parameter is, except that the 129variable name is preceded with a dollar sign: 130.Bd -literal -offset indent 131$parentdir = "/var/jail"; 132path = "$parentdir/$name"; 133.Ed 134.Pp 135The difference between parameters and variables is that variables are 136only used for substitution, while parameters are used both for 137substitution and for passing to the kernel. 138.Ss Wildcards 139A jail definition with a name of 140.Dq * 141is used to define wildcard parameters. 142Every defined jail will contain both the parameters from its own 143definition statement, as well as any parameters in a wildcard 144definition. 145.Pp 146Variable substitution is done on a per-jail basis, even when that 147substitution is for a parameter defined in a wildcard section. 148This is useful for wildcard parameters based on e.g. a jail's name. 149.Pp 150Later definitions in the configuration file supersede earlier ones, so a 151wildcard section placed before (above) a jail definition defines 152parameters that could be changed on a per-jail basis. 
153Or a wildcard section placed after (below) all jails would contain 154parameters that always apply to every jail. 155Multiple wildcard statements are allowed, and wildcard parameters may 156also be specified outside of a jail definition statement. 157.Pp 158If hierarchical jails are defined, a partial-matching wildcard 159definition may be specified. 160For example, a definition with a name of 161.Dq foo.* 162would apply to jails with names like 163.Dq foo.bar 164and 165.Dq foo.bar.baz . 166.Ss Includes 167A line of the form 168.Bd -literal -offset ident 169.include "filename"; 170.Ed 171.Pp 172will include another file in the configuration. The filename must be 173a literal string, and cannot contain variable expansions. 174.Ss Comments 175The configuration file may contain comments in the common C, C++, and 176shell formats: 177.Bd -literal -offset indent 178/* This is a C style comment. 179 * It may span multiple lines. 180 */ 181 182// This is a C++ style comment. 183 184# This is a shell style comment. 185.Ed 186.Pp 187Comments are legal wherever whitespace is allowed, i.e. anywhere except 188in the middle of a string or a token. 189.Sh FILES 190.Bl -tag -width "indent" -compact 191.It Pa /etc/jail.conf 192.It Pa /etc/jail.*.conf 193.It Pa /etc/jail.conf.d/*.conf 194.It Pa /usr/share/examples/jails/ 195.El 196.Sh EXAMPLES 197.Bd -literal 198# Typical static defaults: 199# Use the rc scripts to start and stop jails. Mount jail's /dev. 200exec.start = "/bin/sh /etc/rc"; 201exec.stop = "/bin/sh /etc/rc.shutdown jail"; 202exec.clean; 203mount.devfs; 204 205# Dynamic wildcard parameter: 206# Base the path off the jail name. 207path = "/var/jail/$name"; 208 209# A typical jail. 210foo { 211 host.hostname = "foo.com"; 212 ip4.addr = 10.1.1.1, 10.1.1.2, 10.1.1.3; 213} 214 215# This jail overrides the defaults defined above. 
216bar { 217 exec.start = ''; 218 exec.stop = ''; 219 path = /; 220 mount.nodevfs; 221 persist; // Required because there are no processes 222} 223 224# Include configurations from standard locations. 225\[char46]include "/etc/jail.conf.d/*.conf"; 226\[char46]include "/etc/jail.*.conf"; 227\[char46]include "/usr/local/etc/jail[.]conf"; 228\[char46]include "/usr/local/etc/jail.conf.d/*.conf"; 229\[char46]include "/usr/local/etc/jail.*.conf"; 230.Ed 231.Sh SEE ALSO 232.Xr jail_set 2 , 233.Xr rc.conf 5 , 234.Xr jail 8 , 235.Xr jls 8 236.Sh HISTORY 237The 238.Xr jail 8 239utility appeared in 240.Fx 4.0 . 241The 242.Nm 243file was added in 244.Fx 9.1 . 245.Sh AUTHORS 246.An -nosplit 247The jail feature was written by 248.An Poul-Henning Kamp 249for R&D Associates 250who contributed it to 251.Fx . 252.Pp 253.An James Gritton 254added the extensible jail parameters and configuration file. 255
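The Python reader below is an added illustration, not part of this manual page and not jail(8)'s own parser. It applies the rules from the Parameters, String format, Variables and Wildcards sections to a constructed configuration: the valueless "no" shortcut (read here as stripping a leading "no" from the last dotted component of the name, which is an assumption about how jail(8) resolves it), "+=" list appends, per-jail variable substitution that leaves single-quoted strings alone, and wildcard sections whose position in the file decides whether a per-jail block can override them. The semantics are simplified (variables are expanded once, after every matching statement has been merged; ".include" and backslash escapes are unsupported and rejected), and the sample jail names, paths and addresses are invented for the example.

```python
"""Constructed jail.conf(5) reader, not FreeBSD's own jail(8) parser: tokenizes, merges
wildcard and per-jail statements in file order, expands $variables per jail.
Unsupported on purpose: .include (rejected as a syntax error) and backslash escapes."""
import re
from fnmatch import fnmatchcase

_VAR = re.compile(r"\$(?:\{([^}]*)\}|([A-Za-z_][A-Za-z0-9_]*))")   # ${a.b} or $a
_TOKEN = re.compile(r"""
    \s+ | /\*.*?\*/ | (?://|\#)[^\n]*        # whitespace; C, C++ and shell comments
  | (?P<p>\+=|[{};,=])                        # punctuation
  | '(?P<sq>[^']*)' | "(?P<dq>[^"]*)"         # quoted strings
  | (?P<bare>(?:(?!\+=)[^\s{};,="'#])+)       # bare token
""", re.S | re.X)

def tokenize(text):
    """(kind, text, subst) tokens: kind "p" or "w"; subst is False only for
    single-quoted strings, which the format never expands."""
    toks, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos, g = m.end(), m.lastgroup
        if g is not None:                            # None means whitespace or a comment
            toks.append(("p" if g == "p" else "w", m.group(g), g in ("dq", "bare")))
    return toks
def parse(text):
    """Return (jail names, statements); a statement is (scope, op, name, values),
    scope being the enclosing jail name or "*" for top-level wildcard lines."""
    toks, pos, scope, jails, stmts = tokenize(text), 0, None, [], []
    def take(kind, allowed=None):                    # consume one token or fail loudly
        nonlocal pos
        if pos >= len(toks) or toks[pos][0] != kind or (allowed and toks[pos][1] not in allowed):
            raise ValueError(f"syntax error at token {pos}: {toks[pos:pos + 1]}")
        pos += 1
        return toks[pos - 1]
    def peek(txt):
        return pos < len(toks) and toks[pos][:2] == ("p", txt)
    while pos < len(toks):
        if scope is not None and peek("}"):
            pos, scope = pos + 1, None
            continue
        name = take("w")[1]
        if scope is None and peek("{"):              # "jailname {" opens a definition
            pos, scope = pos + 1, name
            if "*" not in name and name not in jails:
                jails.append(name)
            continue
        op = take("p", (";", "=", "+="))[1]
        if op == ";":                                # valueless boolean; "no" prefix = false
            head, _, last = name.rpartition(".")
            neg = last.startswith("no") and len(last) > 2
            name = (head + "." if head else "") + last[2:] if neg else name
            values, op = [("false" if neg else "true", False)], "="
        else:
            values = [take("w")[1:]]
            while peek(","):
                pos += 1
                values.append(take("w")[1:])
            take("p", ";")
        stmts.append((scope or "*", op, name, values))
    return jails, stmts

def effective(stmts, jail):
    """Merge statements matching `jail` (exact, "*" or "foo.*") in file order, then expand."""
    params, variables = {"name": [(jail, False)]}, {}
    for scope, op, name, values in stmts:
        if scope == jail or ("*" in scope and fnmatchcase(jail, scope)):
            table, key = (variables, name[1:]) if name.startswith("$") else (params, name)
            table[key] = (table.get(key, []) if op == "+=" else []) + list(values)
    def expand(s, depth=0):                          # per-jail, recursive substitution
        if depth > 16:
            raise ValueError(f"jail {jail!r}: variable expansion loops")
        def repl(m):
            key = m.group(1) or m.group(2) or ""
            src = variables[key] if key in variables else params.get(key)
            if src is None:
                raise ValueError(f"jail {jail!r}: undefined variable ${key}")
            return ",".join(expand(v, depth + 1) if sub else v for v, sub in src)
        return _VAR.sub(repl, s)
    return {k: [expand(v) if sub else v for v, sub in vs] for k, vs in params.items()}

SAMPLE = """\
# Constructed sample configuration, not the manual page's example.
$parentdir = "/var/jail";
path = "$parentdir/$name";
allow.nomount;                  # site default: no mount(2) inside jails
foo {
    ip4.addr = 10.1.1.1, 10.1.1.2;
    ip4.addr += 10.1.1.3;
    allow.mount;                // per-jail override of the default above
    path = '/var/jail/$name';   // single quotes: $name is NOT expanded
}
foo.bar { persist; }
"foo.*" { mount.nodevfs; }
/* A trailing wildcard supersedes every per-jail setting above it. */
"*" { allow.mount = "false"; }
"""
```

Calling `jails, stmts = parse(SAMPLE)` and then `effective(stmts, "foo")` reports `allow.mount` as false even though the jail's own block enables it, because the trailing `"*"` section comes later in the file and therefore wins; this is the ordering a site uses to pin restrictions that individual jail definitions must not relax. The same call for `foo.bar` picks up `mount.devfs = false` from the `"foo.*"` pattern, which does not match the jail named plain `foo`, and its path expands to `/var/jail/foo.bar`, while `foo`'s single-quoted path keeps the literal text `$name`.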