Lines Matching +full:allow +full:- +full:set +full:- +full:time
2 .\" Copyright (c) 2008-2012 James Gritton
94 .Bl -tag -width indent
104 Exhibit a list of all configured non-wildcard jails and their parameters.
129 The jail is first removed and then re-created, as if
146 .Bl -tag -width indent
148 Clean up after an already-removed jail, running commands and operations
178 Set the jail's name.
193 No removal-related parameters for this jail will be used \(em the jail will
196 Set the
219 .Va allow.dying
221 It used to allow making changes to a
251 If hierarchical jails exist, a partial-matching wildcard definition may
276 Some parameters are boolean, and do not have a value but are set by the
288 comma-separated list, or with
293 List-based parameters may also be specified multiple times on the command
309 Then there are pseudo-parameters that are only used by
313 Jails have a set of core parameters, and kernel modules can add their own
315 The current set of available parameters can be retrieved via
317 Any parameters not set will be given default values, often based on the
320 .Bl -tag -width indent
324 set), and can be used to identify the jail for later modification, or
350 file format, and need not be explicitly set when using the configuration
361 If this is set, the jail is restricted to using only these addresses.
381 to allow unrestricted access to all system addresses,
393 A set of IPv6 options for the jail, the counterparts to
419 Set the origin of hostname and related information.
441 .Va allow.mount
443 .Va allow.mount.devfs
446 is set to a value lower than 2.
456 in the per-jail devfs.
480 When set to 0, all mount points are available without any restrictions.
481 When set to 1, only mount points below the jail's chroot directory are
485 When set to 2 (default), above syscalls can operate only on a mount-point
498 pseudo-parameter set.
500 The ID of the cpuset associated with this jail (read-only).
502 This is true if the jail is in the process of shutting down (read-only).
506 of the parent of this jail, or zero if this is a top-level jail
507 (read-only).
511 sysctl and uname -r.
515 and uname -K.
516 .It Va allow.*
517 Some restrictions of the jail environment may be set on a per-jail
520 .Va allow.set_hostname
522 .Va allow.reserved_ports ,
524 .Bl -tag -width indent
525 .It Va allow.set_hostname
530 .It Va allow.sysvipc
532 This is deprecated in favor of the per-module parameters (see below).
533 When this parameter is set, it is equivalent to setting
540 .It Va allow.raw_sockets
547 If this is set, the source IP addresses are enforced to comply
551 flag has been set on the socket.
555 .It Va allow.chflags
558 When this parameter is set, such users are treated as privileged, and
561 .It Va allow.mount
563 system types marked as jail-friendly.
570 is set to a value lower than 2.
571 .It Va allow.mount.devfs
575 .Va allow.mount
578 is set to a value lower than 2.
582 .It Va allow.quotas
585 with non-jailed parts of the system.
586 .It Va allow.read_msgbuf
591 .It Va allow.socket_af
596 .It Va allow.mlock
599 When this parameter is set, users may
606 .It Va allow.nfsd
614 daemons are permitted to run inside a properly configured vnet-enabled jail.
617 must not be set to 0, so that
621 must be set to 1 if file systems mounted under the
651 .It Va allow.reserved_ports
653 .It Va allow.unprivileged_proc_debug
655 .It Va allow.suser
659 The super-user will be disabled automatically if its parent system has it
661 The super-user is enabled by default.
662 .It Va allow.extattr
663 Allow privileged processes in the jail to manipulate filesystem extended
665 .It Va allow.adjtime
666 Allow privileged processes in the jail to slowly adjust global operating system
667 time.
670 .It Va allow.settime
671 Allow privileged processes in the jail to set global operating system date
672 and time.
676 .Va allow.adjtime .
687 to encapsulate the jail in some module-specific way,
692 Module-specific parameters include:
693 .Bl -tag -width indent
694 .It Va allow.mount.fdescfs
698 .Va allow.mount
701 is set to a value lower than 2.
702 .It Va allow.mount.fusefs
704 fuse-based file systems.
706 .Va allow.mount
709 is set to a value lower than 2.
710 .It Va allow.mount.nullfs
714 .Va allow.mount
717 is set to a value lower than 2.
718 .It Va allow.mount.procfs
722 .Va allow.mount
725 is set to a value lower than 2.
726 .It Va allow.mount.linprocfs
730 .Va allow.mount
733 is set to a value lower than 2.
734 .It Va allow.mount.linsysfs
738 .Va allow.mount
741 is set to a value lower than 2.
742 .It Va allow.mount.tmpfs
746 .Va allow.mount
749 is set to a value lower than 2.
750 .It Va allow.mount.zfs
754 .Va allow.mount
757 is set to a value lower than 2.
759 .Xr zfs-jail 8
762 .It Va allow.vmm
779 Allow access to SYSV IPC message primitives.
780 If set to
784 If set to
790 If set to
792 the jail cannot perform any sysvmsg-related system calls.
794 Allow access to SYSV IPC semaphore and shared memory primitives, in the
798 When set to 1, jailed users may access the contents of ZFS snapshots
803 .Va allow.mount.zfs
804 is set, the snapshots may also be mounted.
807 There are pseudo-parameters that are not passed to the kernel, but are
810 to set up the jail environment, often by running specified commands
822 The pseudo-parameters are:
823 .Bl -tag -width indent
877 are set to the target login's default values.
879 is set to the target login.
883 is set to "/bin:/usr/bin".
885 target login are also set.
902 The maximum amount of time to wait for a command to complete, in
909 The FIB (routing table) to set when running commands inside the jail.
911 The maximum amount of time to wait for a jail's processes to exit
919 If this is set to zero, no
937 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
942 If a netmask in either dotted-quad or CIDR form is given
951 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
953 A list of network interfaces to give to a vnet-enabled jail after it is created.
958 .Va allow.mount.zfs
959 to be set.
961 .Xr zfs-jail 8
1007 .It Va allow.dying
1009 It used to allow making changes to a
1028 Jails are typically set up using one of two philosophies: either to
1046 To set up a jail directory tree containing an entire
1051 .Bd -literal -offset indent
1054 mkdir -p $D
1082 First, set up the real system's environment to be
1083 .Dq jail-friendly .
1101 .Bd -literal -offset indent
1103 inetd_flags="-wW -a 192.0.2.23"
1115 flags entries; for others it is necessary to modify per-application
1147 Any third-party network software running
1159 Start any jail for the first time without configuring the network
1160 interface so that you can clean it up a little and set up accounts.
1162 with any machine (virtual or not), you will need to set a root password, time
1169 .Bd -literal -offset indent
1170 jail -c path=/data/jail/testjail mount.devfs \\
1178 and do the post-install configuration to set various configuration options,
1183 .Bl -bullet -offset indent -compact
1195 Set a root password, probably different from the real host system.
1197 Set the timezone.
1204 You may also want to perform any package-specific configuration (web servers,
1220 .Bd -literal -offset indent
1248 .Bd -literal -offset indent
1249 jail -c testjail
1270 It is possible to have jails started at boot time.
1285 .Bd -literal -offset indent
1286 kill -TERM -1
1287 kill -KILL -1
1306 .Bd -literal -offset indent
1307 jail -r
1322 .Dq Li -
1333 .Dl "ps ax -o pid,jid,args"
1336 .Bd -literal -offset indent
1337 pgrep -lfj 3
1338 pkill -j 3
1342 .Dl "killall -j 3"
1349 jail-friendly, the jail's
1350 .Va allow.mount
1351 parameter is set, and the jail's
1366 The read-only entry
1376 Some MIB variables have per-jail settings.
1393 Each jail has a read-only
1399 of 0 indicates the jail is a child of the current jail (or is a top-level
1404 .Va allow.nomount ,
1406 .Va allow.mount
1407 set.
1416 parameter is set (remember it is zero by default).
1420 Jail names reflect this hierarchy, with a full name being an MIB-type string
1482 .Xr zfs-jail 8 ,
1494 .An -nosplit
1496 .An Poul-Henning Kamp
1506 added multi-IP jail support for IPv4 and IPv6 based on a patch
1527 For example, if a jailed process has its current working directory set to a