Enable <application>ezjail</application> by adding this line to <filename>/etc/rc.conf</filename>:
The service will automatically start on system boot. It can be started immediately for the current session:
<prompt>#</prompt> <userinput>service ezjail start</userinput>
With <application>ezjail</application> installed, the basejail directory structure can be created and populated. This step is only needed once on the jail host computer.
In both of the examples that follow, <option>-p</option> causes the ports tree to be retrieved with <citerefentry><refentrytitle>portsnap</refentrytitle><manvolnum>8</manvolnum></citerefentry> into the basejail. That single copy of the ports directory will be shared by all the jails. Using a separate copy of the ports directory for jails isolates them from the host's ports tree. The <application>ezjail</application> <acronym>FAQ</acronym> explains in more detail: <link xlink:href=""/>.
To Populate the Jail with FreeBSD-RELEASE
For a basejail based on the FreeBSD RELEASE matching that of the host computer, use <command>install</command>. For example, on a host computer running FreeBSD 10-STABLE, the latest RELEASE version of FreeBSD 10 will be installed in the jail:
<prompt>#</prompt> <userinput>ezjail-admin install -p</userinput>
To Populate the Jail with <command>installworld</command>
The basejail can be installed from binaries created by <_:buildtarget-1/> on the host with <command>ezjail-admin update</command>.
In this example, FreeBSD 10-STABLE has been built from source. The jail directories are created. Then <_:buildtarget-1/> is executed, installing the host's <filename>/usr/obj</filename> into the basejail.
<prompt>#</prompt> <userinput>ezjail-admin update -i -p</userinput>
The host's <filename>/usr/src</filename> is used by default. A different source directory on the host can be specified with <option>-s</option> and a path, or set with <varname>ezjail_sourcetree</varname> in <filename>/usr/local/etc/ezjail.conf</filename>.
The basejail's ports tree is shared by other jails. However, downloaded distfiles are stored in the jail that downloaded them. By default, these files are stored in <filename>/var/ports/distfiles</filename> within each jail. <filename>/var/ports</filename> inside each jail is also used as a work directory when building ports.
The <acronym>FTP</acronym> protocol is used by default to download the release distribution sets for the installation of the basejail. Firewall or proxy configurations can prevent or interfere with <acronym>FTP</acronym> transfers, because <acronym>FTP</acronym> opens a separate data connection for each file. <acronym>HTTP</acronym> performs the whole transfer over a single connection and passes through most firewalls and proxies. It can be chosen by specifying a full <acronym>URL</acronym>, including the <literal>http://</literal> scheme, for a particular download mirror in <filename>/usr/local/etc/ezjail.conf</filename>:
See <xref linkend="mirrors-ftp"/> for a list of sites.
Creating and Starting a New Jail
New jails are created with <command>ezjail-admin create</command>. In these examples, the <literal>lo1</literal> loopback interface is used as described above.
Create and Start a New Jail
Create the jail, specifying a name and the loopback and network interfaces to use, along with their <acronym>IP</acronym> addresses. In this example, the jail is named <literal>dnsjail</literal>.
<prompt>#</prompt> <userinput>ezjail-admin create <replaceable>dnsjail</replaceable> '<replaceable>lo1|</replaceable>,<replaceable>em0</replaceable>|<replaceable></replaceable>'</userinput>
Most network services run in jails without problems. A few network services, most notably <citerefentry><refentrytitle>ping</refentrytitle><manvolnum>8</manvolnum></citerefentry>, use <emphasis>raw network sockets</emphasis>. In jails, raw network sockets are disabled by default for security: a raw socket lets a process send and receive packets below the transport layer, so a compromised jail holding one can craft traffic that the ordinary socket <acronym>API</acronym> would not allow. Services that require them will not work.
Occasionally, a jail genuinely needs raw sockets. For example, network monitoring applications often use <citerefentry><refentrytitle>ping</refentrytitle><manvolnum>8</manvolnum></citerefentry> to check the availability of other computers. When raw network sockets are actually needed in a jail, they can be enabled by editing the <application>ezjail</application> configuration file for the individual jail, <filename>/usr/local/etc/ezjail/<replaceable>jailname</replaceable></filename>. Modify the <literal>parameters</literal> entry:
export jail_<replaceable>jailname</replaceable>_parameters="allow.raw_sockets=1"
Do not enable raw network sockets unless services in the jail actually require them.
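An added audit script for the raw-socket caveat above (example code written for this page, not from the FreeBSD Handbook or from the ezjail project): it reads the per-jail configuration files, reports every jail whose <literal>parameters</literal> entry sets <literal>allow.raw_sockets=1</literal>, and runs offline against constructed sample files. It assumes ezjail's layout of one file per jail under <filename>/usr/local/etc/ezjail</filename> named after the jail (true for simple jail names); the jail names, addresses and the directory argument are illustrative.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook or the ezjail project.
# Audits which ezjail jails have raw sockets enabled through the
# jail_<jailname>_parameters entry in /usr/local/etc/ezjail/<jailname>,
# so that every allow.raw_sockets=1 exception stays a deliberate one.
# Assumptions: one config file per jail, named after the jail (ezjail's
# layout for simple jail names); the directory is passed in so the audit
# can run against a copy or a test fixture.

# Return 0 if the named jail's parameters enable raw sockets, 1 otherwise.
# Usage: jail_allows_raw_sockets /usr/local/etc/ezjail dnsjail
jail_allows_raw_sockets() {
    _dir=$1
    _name=$2
    # Match anywhere inside the quoted parameter string, so a combined
    # entry such as "allow.sysvipc=1 allow.raw_sockets=1" is caught too.
    grep -Eq "^export jail_${_name}_parameters=.*allow\.raw_sockets=1" "$_dir/$_name"
}

# Print, one per line, the names of all jails in the directory that enable
# raw sockets. Prints nothing when no jail does.
# Usage: raw_socket_jails /usr/local/etc/ezjail
raw_socket_jails() {
    _dir=$1
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _jail=${_f##*/}
        if jail_allows_raw_sockets "$_dir" "$_jail"; then
            echo "$_jail"
        fi
    done
}

# Constructed sample configuration files (abbreviated; real ezjail files
# carry more entries, and the addresses here are made up) for an offline run.
make_sample_configs() {
    _dir=$1
    mkdir -p "$_dir"
    cat > "$_dir/dnsjail" <<'EOF'
export jail_dnsjail_hostname="dnsjail"
export jail_dnsjail_ip="lo1|127.0.1.1,em0|192.0.2.10"
export jail_dnsjail_rootdir="/usr/jails/dnsjail"
export jail_dnsjail_parameters="allow.raw_sockets=1"
EOF
    cat > "$_dir/webjail" <<'EOF'
export jail_webjail_hostname="webjail"
export jail_webjail_ip="lo1|127.0.1.2,em0|192.0.2.11"
export jail_webjail_rootdir="/usr/jails/webjail"
export jail_webjail_parameters=""
EOF
}

# Stand-alone demonstration against the constructed samples.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
echo "jails with allow.raw_sockets=1:"
raw_socket_jails "$demo_dir"
rm -rf "$demo_dir"
```

Point the script at the real directory to list the jails that currently hold the exception; any jail it reports that is not a known monitoring jail should have the parameter removed, after which the jail must be stopped and started again with <command>ezjail-admin</command> for the change to take effect.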
Start the jail:
<prompt>#</prompt> <userinput>ezjail-admin start <replaceable>dnsjail</replaceable></userinput>
Use a console on the jail:
Translation file: books/handbook.pot, string 5022