
# 33.5 Alpine Jail

## Create the Alpine Jail Base System

Build the base system:

```sh
# Download the Alpine Linux 3.17.1 minirootfs image
# fetch https://mirrors.ustc.edu.cn/alpine/v3.17/releases/x86_64/alpine-minirootfs-3.17.1-x86_64.tar.gz

# Create the Alpine Jail root directory
# mkdir -p /usr/jails/alpine

# Extract the minirootfs to the Jail root directory
# tar zxf alpine-minirootfs-3.17.1-x86_64.tar.gz -C /usr/jails/alpine/

# Create the mount points used by fstab.alpine below (mount points must be directories, not files)
# mkdir -p /usr/jails/alpine/dev/shm
# mkdir -p /usr/jails/alpine/dev/fd
```
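The fetch above extracts whatever the mirror served without checking it. The following helper, an added example that is not part of this book, verifies the tarball against the `.sha256` file Alpine publishes next to each release image (assumed to have the usual `<digest>  <filename>` layout and to be mirrored at the same path with a `.sha256` suffix) before it is unpacked into the Jail root:

```sh
#!/bin/sh
# Added example, not from the book: verify the minirootfs download against the
# .sha256 file Alpine publishes beside it, before extracting it into the Jail root.
# Assumes the checksum file has the usual "<hex digest>  <filename>" layout.

# Compute a SHA-256 digest with whichever tool the host provides
# (sha256(1) on FreeBSD, sha256sum(1) on Linux, shasum otherwise).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_minirootfs TARBALL SUMFILE
# Returns 0 when the digest of TARBALL matches the one recorded in SUMFILE,
# 1 otherwise. The recorded digest is lower-cased so case differences do not
# produce a false mismatch.
verify_minirootfs() {
    tarball="$1"
    sumfile="$2"
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")
    actual=$(sha256_of "$tarball")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $tarball: expected '$expected', got '$actual'" >&2
        return 1
    fi
    echo "checksum OK: $tarball"
}

# Usage on the host, with the paths from this chapter (.sha256 URL assumed):
#   fetch https://mirrors.ustc.edu.cn/alpine/v3.17/releases/x86_64/alpine-minirootfs-3.17.1-x86_64.tar.gz.sha256
#   verify_minirootfs alpine-minirootfs-3.17.1-x86_64.tar.gz alpine-minirootfs-3.17.1-x86_64.tar.gz.sha256 \
#       && tar zxf alpine-minirootfs-3.17.1-x86_64.tar.gz -C /usr/jails/alpine/
```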

## Manage Mount Files

Create the **/etc/fstab.alpine** file. The **/tmp** mount is commented out to avoid exposing the entire host **/tmp** directory to the Jail, improving security:

```ini
devfs      /usr/jails/alpine/dev      devfs       rw                      0  0
tmpfs      /usr/jails/alpine/dev/shm  tmpfs       rw,size=1g,mode=1777    0  0
fdescfs    /usr/jails/alpine/dev/fd   fdescfs     rw,linrdlnk             0  0
linprocfs  /usr/jails/alpine/proc     linprocfs   rw                      0  0
linsysfs   /usr/jails/alpine/sys      linsysfs    rw                      0  0
#/tmp       /usr/jails/alpine/tmp      nullfs      rw                      0  0  # Commented out to avoid exposing the entire host /tmp directory to the Jail
```
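A mistyped path in this file would mount the pseudo file systems on the host instead of in the Jail, and a nullfs entry is exactly the host exposure the commented-out **/tmp** line avoids. The following lint, an added example that is not from this book, checks a jail fstab for both problems; it assumes the six-column layout shown above and treats every nullfs mount as a finding to review:

```sh
#!/bin/sh
# Added example, not from the book: lint a jail fstab before jail(8) uses it.
# Two checks: every mount point must sit under the Jail root (a typo here would
# mount the pseudo file systems on the host), and nullfs mounts of host
# directories are reported because they expose host files inside the Jail,
# which is why /tmp stays commented out in /etc/fstab.alpine.

# lint_jail_fstab FSTAB JAIL_ROOT
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
lint_jail_fstab() {
    fstab="$1"
    root="${2%/}"          # strip a trailing slash so the prefix test is exact
    findings=0
    while read -r device mountpoint fstype options dump pass; do
        # Skip blank lines and comment lines (the disabled /tmp entry is one)
        case "$device" in ''|'#'*) continue ;; esac
        case "$mountpoint" in
            "$root"/*) ;;
            *) echo "OUTSIDE_JAIL_ROOT: $fstype on $mountpoint"
               findings=$((findings + 1)) ;;
        esac
        if [ "$fstype" = nullfs ]; then
            echo "HOST_DIR_EXPOSED: $device is nullfs-mounted at $mountpoint"
            findings=$((findings + 1))
        fi
    done < "$fstab"
    [ "$findings" -eq 0 ]
}

# Run against the live file on the host before starting the Jail:
#   lint_jail_fstab /etc/fstab.alpine /usr/jails/alpine && jail -c alpine
```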

## Manage the Jail Template

Add the following to the **/etc/jail.conf** file:

```ini
alpine {                               # Jail name
  host.hostname = "alpine";             # Set the Jail's hostname
  mount.fstab = "/etc/fstab.alpine";    # fstab file used by the Jail
  path = "/usr/jails/alpine";           # Jail root directory path
  devfs_ruleset = 4;                     # devfs mount ruleset
  enforce_statfs = 1;                    # Set mount point visibility
  allow.mount;                          # Allow mounting file systems
  allow.mount.devfs;                     # Allow mounting devfs
  exec.start = "/bin/true";              # No init system in minirootfs, using /bin/true for now; openrc will be configured later
  exec.stop = "/bin/true";               # Use /bin/true at shutdown
  persist;                               # Keep the Jail alive even without processes
  allow.raw_sockets;                      # Allow raw sockets
  interface = "lo1";                      # Specify the network interface
  ip4.addr = 192.168.5.4;                 # Assign IPv4 address
  ip6 = "disable";                        # Disable IPv6
}
```

Set up boot-time startup, then start immediately:

```sh
# sysrc jail_list+="alpine"
# jail -c alpine
```

## Firewall Network Access

Allow network access in the pf firewall, using the same method as described earlier:

```sh
# pfctl -t jails -T add 192.168.5.4
```

## Configure OpenRC for the Base System

Enter the Jail. The minirootfs only provides a basic environment; installing OpenRC gives full service management capabilities:

```sh
freebsd # jexec alpine /bin/sh        # Only sh is available initially; note the shell prompt change
alpine # sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/' /etc/apk/repositories    # Change the mirror address
alpine # echo 'nameserver 223.5.5.5' >> /etc/resolv.conf      # This file does not exist initially; create it manually
alpine # apk update             # minirootfs can run programs directly but cannot manage services; install OpenRC for full service management
alpine # apk add openrc         # Install OpenRC as the init system
alpine # mkdir -p /run/openrc   # Create the OpenRC runtime directory
alpine # touch /run/openrc/softlevel      # Recommended when running OpenRC in Docker, chroot, or Jail environments
alpine # exit                   # Note the shell prompt change
freebsd # jail -r alpine        # Stop the Alpine Jail first to configure OpenRC from the FreeBSD host
```

Modify the Alpine configuration in the **/etc/jail.conf** file:

```ini
alpine {                               # Jail name
  host.hostname = "alpine";             # Set the Jail's hostname
  mount.fstab = "/etc/fstab.alpine";    # fstab file used by the Jail
  path = "/usr/jails/alpine";           # Jail root directory path
  devfs_ruleset = 4;                     # devfs mount ruleset
  enforce_statfs = 1;                    # Set mount point visibility
  allow.mount;                          # Allow mounting file systems
  allow.mount.devfs;                     # Allow mounting devfs
  exec.start = "/sbin/openrc default";   # Use OpenRC init system, start the default runlevel
  exec.stop = "/sbin/openrc shutdown";   # Use OpenRC init system, execute shutdown runlevel tasks
  persist;                               # Keep the Jail alive even without processes
  allow.raw_sockets;                      # Allow raw sockets
  interface = "lo1";                      # Specify the network interface
  ip4.addr = 192.168.5.4;                 # Assign IPv4 address
  ip6 = "disable";                        # Disable IPv6
}
```

Restart the alpine Jail:

```sh
# jail -c alpine
```
