DragonFly BSD


12.5 Fine Tuning and Administration

There are several options which can be set for any jail, and various ways of combining a host DragonFly system with jails to produce higher-level applications. This section presents some of the options available for tuning the behavior and security restrictions implemented by a jail installation.

12.5.1 System tools for jail tuning in DragonFly

Fine tuning of a jail's configuration is mostly done by setting sysctl(8) variables. A special subtree of sysctl exists as a basis for organizing all the relevant options: the security.jail.* hierarchy of DragonFly kernel options. Here is a list of the main jail-related sysctls, complete with their default values. The names should be self-explanatory, but for more information about them, please refer to the jail(8) and sysctl(8) manual pages.

These variables can be used by the system administrator of the host system to add or remove some of the limitations imposed by default on the root user. Note that there are some limitations which cannot be removed. The root user is not allowed to mount or unmount file systems from within a jail(8). The root user inside a jail may not set firewall rules or do many other administrative tasks which require modifications of in-kernel data, such as setting the securelevel of the kernel.
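One way to check a host's security.jail.* settings against a site policy, added here as an example that is not part of the handbook: the function reads the "name: value" lines that sysctl(8) prints and reports every value that differs from a baseline. The variable names, baseline values and sample output below are constructed for illustration; take the real names and defaults from jail(8) on your release.

```shell
#!/bin/sh
# Site policy as name=value pairs (constructed; NOT the system defaults).
BASELINE="security.jail.set_hostname_allowed=0 \
security.jail.sysvipc_allowed=0 \
security.jail.allow_raw_sockets=0 \
security.jail.chflags_allowed=0"

# Constructed sample of `sysctl security.jail` output, so this runs offline.
SAMPLE='security.jail.set_hostname_allowed: 1
security.jail.sysvipc_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.jailed: 0'

# jail_sysctl_drift: read sysctl output on stdin, print one finding per
# line, return 1 if a tracked variable differs from or is absent in the input.
# On a live host: sysctl security.jail | jail_sysctl_drift
jail_sysctl_drift() {
    awk -v baseline="$BASELINE" '
    BEGIN {
        n = split(baseline, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            want[kv[1]] = kv[2]
        }
    }
    /^security\.jail\./ {
        line = $0
        sub(/[ \t]*[:=][ \t]*/, "=", line)   # "name: value" -> "name=value"
        split(line, kv, "=")
        seen[kv[1]] = 1
        if (!(kv[1] in want)) {
            # Knob the policy does not cover: report it, but do not fail.
            printf "UNTRACKED %s=%s\n", kv[1], kv[2]
        } else if (kv[2] != want[kv[1]]) {
            printf "DRIFT %s: have %s, want %s\n", kv[1], kv[2], want[kv[1]]
            bad++
        }
    }
    END {
        for (k in want)
            if (!(k in seen)) { printf "MISSING %s\n", k; bad++ }
        exit (bad > 0)
    }'
}

printf '%s\n' "$SAMPLE" | jail_sysctl_drift || echo "jail sysctl baseline check failed"
```

Run from cron on the host, a non-zero exit makes a relaxed jail restriction visible before it is forgotten.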


The base system of DragonFly contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. The jls(8) and jexec(8) commands are part of the base DragonFly system, and can be used to perform the following simple tasks:







# jexec 1 tcsh