Some administrators divide jails into the following two types: “complete” jails, which resemble a real FreeBSD system, and “service” jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. When creating a “complete” jail there are two options for the source of the userland: use prebuilt binaries (such as those supplied on an install media) or build from source.
To install the userland from installation media, first
create the root directory for the jail. This can be done by
DESTDIR variable to the proper
Start a shell and define
Mount the install media as covered in mdconfig(8) when using the install ISO:
mount -t cd9660 /dev/`mdconfig -f cdimage.iso` /mnt
Extract the binaries from the tarballs on the install media into the declared destination. Minimally, only the base set needs to be extracted, but a complete install can be performed when preferred.
To install just the base system:
tar -xf /mnt/usr/freebsd-dist/base.txz -C $DESTDIR
To install everything except the kernel:
setsin BASE PORTS; do tar -xf /mnt/FREEBSD_INSTALL/USR/FREEBSD_DIST/$
sets.TXZ -C $DESTDIR ; done
The jail(8) manual page explains the procedure for building a jail:
mkdir -p $D
make installworld DESTDIR=$D
make distribution DESTDIR=$D
mount -t devfs devfs $D/dev
Selecting a location for a jail is the best starting
point. This is where the jail will physically reside within
the file system of the jail's host. A good choice can be
If you have already rebuilt your userland using
This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on.
Mounting the devfs(8) file system inside a jail is not required. On the other hand, any, or almost any application requires access to at least one device, depending on the purpose of the given application. It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things in the jail. Control over devfs(8) is managed through rulesets which are described in the devfs(8) and devfs.conf(5) manual pages.
Once a jail is installed, it can be started by using the
jail(8) utility. The jail(8) utility takes four
mandatory arguments which are described in the Section 14.1, “Synopsis”. Other arguments may be specified
too, e.g., to run the jailed process with the credentials of a
specific user. The
depends on the type of the jail; for a
/etc/rc is a good choice, since it will
replicate the startup sequence of a real FreeBSD system. For a
service jail, it depends on the service or
application that will run within the jail.
Jails are often started at boot time and the FreeBSD
rc mechanism provides an easy way to do
A list of the jails which are enabled to start at boot time should be added to the rc.conf(5) file:
jail_enable="YES" # Set to NO to disable starting of any jails jail_list="
www" # Space separated list of names of jails
Jail names in
jail_listshould contain alphanumeric characters only.
For each jail listed in
jail_list, a group of rc.conf(5) settings, which describe the particular jail, should be added:
www_rootdir="/usr/jail/www" # jail's root directory jail_
www.example.org" # jail's hostname jail_
www_ip="192.168.0.10" # jail's IP address jail_
www_devfs_enable="YES" # mount devfs in the jail
The default startup of jails configured in rc.conf(5), will run the
/etc/rcscript of the jail, which assumes the jail is a complete virtual system. For service jails, the default startup command of the jail should be changed, by setting the
For a full list of available options, please see the rc.conf(5) manual page.
service(8) can be used to start or stop a jail by hand,
if an entry for it exists in
service jail start
service jail stop
jlsJID IP Address Hostname Path 3 192.168.0.10 www /usr/jail/www
More information about this can be found in the jail(8) manual page.