# 12.4 Creating and Controlling Jails

Some administrators divide jails into the following two types: “complete” jails, which resemble a real DragonFly system, and “service” jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8) manual page is quite clear about the procedure for building a jail:

    # setenv D /here/is/the/jail
    # mkdir -p $D                                       (1)
    # cd /usr/src
    # make installworld DESTDIR=$D                      (2)
    # cd etc
    # make distribution DESTDIR=$D -DNO_MAKEDEV_RUN     (3)
    # cd $D/dev
    # sh MAKEDEV jail
    # cd $D
    # ln -sf dev/null kernel

**(1)** Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be /usr/jail/jailname, where jailname is the hostname identifying the jail. The /usr/ file system usually has enough space for the jail file system, which for “complete” jails is, essentially, a replication of every file present in a default installation of the DragonFly base system.

**(2)** This command will populate the directory subtree chosen as the jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on. Everything is done in the typical DragonFly style: first everything is built/compiled, then installed to the destination path.

**(3)** The distribution target for make installs every needed configuration file. In simple words, it installs every installable file of /usr/src/etc/ to the /etc directory of the jail environment: ***$D/etc/***.

Once a jail is installed, it can be started by using the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8) utility. The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8) utility takes four mandatory arguments, which are described in Section 12.3.1.
Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The command argument depends on the type of the jail; for a virtual system, ***/etc/rc*** is a good choice, since it will replicate the startup sequence of a real DragonFly system. For a service jail, it depends on the service or application that will run within the jail.

Jails are often started at boot time and the DragonFly rc mechanism provides an easy way to do this.

A list of the jails which are enabled to start at boot time should be added to the [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf&section=5) file:

    jail_enable="YES"   # Set to NO to disable starting of any jails
    jail_list="www"     # Space separated list of names of jails

For each jail listed in ***jail_list***, a group of [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf&section=5) settings, which describe the particular jail, should be added:

    jail_www_rootdir="/usr/jail/www"      # jail's root directory
    jail_www_hostname="www.example.org"   # jail's hostname
    jail_www_ip="192.168.0.10"            # jail's IP address

The default startup of jails configured in [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf&section=5) will run the ***/etc/rc*** script of the jail, which assumes the jail is a complete virtual system. For service jails, the default startup command of the jail should be changed by setting the ***jail_jailname_exec_start*** option appropriately.

**Note:** For a full list of available options, please see the [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf&section=5) manual page.

The ***/etc/rc.d/jail*** script can be used to start or stop a jail by hand, if an entry for it exists in ***rc.conf***:

    # /etc/rc.d/jail start www
    # /etc/rc.d/jail stop www

A clean way to shut down a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8) is not available at the moment.
This is because commands normally used to accomplish a clean system shutdown cannot be used inside a jail. The best way to shut down a jail is to run the following command from within the jail itself or using the [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jexec&section=8) utility from outside the jail:

    # sh /etc/rc.shutdown

More information about this can be found in the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8) manual page.
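
The rc.conf jail settings described above can be checked for consistency before a reboot. The following is an added example, not part of the original handbook or of DragonFly: a POSIX sh function that reports jails in ***jail_list*** that lack a rootdir, hostname or ip setting, or that have neither an ***/etc/rc*** in their root nor a ***jail_jailname_exec_start***. The names `check_jail_conf` and `demo`, the `dns` jail and the temporary paths are assumptions made for the illustration; the file is sourced as the rc scripts would source it, so point it only at a root-owned rc.conf.

```shell
# Hypothetical helper (added example): prints one line per problem, returns 0 if none.
check_jail_conf() {
    conf=$1
    case "$conf" in */*) ;; *) conf="./$conf" ;; esac   # keep "." from searching PATH
    (   # subshell: variables from the sourced file do not leak into the caller
        . "$conf" || exit 1
        rc=0; set -f                                    # no globbing of jail_list
        case "${jail_enable:-NO}" in
            [Yy][Ee][Ss]) ;;
            *) echo "jail_enable is not YES: no jail starts at boot"; rc=1 ;;
        esac
        for j in ${jail_list:-}; do
            # The name is spliced into eval below, so accept only safe characters.
            case "$j" in
                *[!A-Za-z0-9_]*) echo "$j: invalid jail name"; rc=1; continue ;;
            esac
            for key in rootdir hostname ip; do
                eval "val=\${jail_${j}_${key}:-}"
                [ -n "$val" ] || { echo "$j: jail_${j}_${key} is not set"; rc=1; }
            done
            eval "root=\${jail_${j}_rootdir:-} start=\${jail_${j}_exec_start:-}"
            [ -n "$root" ] || continue
            if [ ! -d "$root" ]; then
                echo "$j: root directory $root does not exist"; rc=1
            elif [ -z "$start" ] && [ ! -f "$root/etc/rc" ]; then
                # Default startup runs the jail's /etc/rc; a service jail needs exec_start.
                echo "$j: no $root/etc/rc and no jail_${j}_exec_start"; rc=1
            fi
        done
        exit "$rc"
    )
}
# Constructed sample: "www" is a complete jail, "dns" lacks an IP and a start command.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/etc" "$d/dns" && : > "$d/www/etc/rc"
    cat > "$d/rc.conf" <<EOF
jail_enable="YES"
jail_list="www dns"
jail_www_rootdir="$d/www"
jail_www_hostname="www.example.org"
jail_www_ip="192.168.0.10"
jail_dns_rootdir="$d/dns"
jail_dns_hostname="dns.example.org"
EOF
    st=0; check_jail_conf "$d/rc.conf" || st=$?
    rm -rf "$d"; return "$st"
}
demo || echo "problems found"
```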