svn commit: r44518 - head/en_US.ISO8859-1/books/handbook/jails

Dru Lavigne dru at FreeBSD.org
Thu Apr 10 16:39:25 UTC 2014


Author: dru
Date: Thu Apr 10 16:39:24 2014
New Revision: 44518
URL: http://svnweb.freebsd.org/changeset/doc/44518

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/jails/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/jails/chapter.xml	Thu Apr 10 15:07:29 2014	(r44517)
+++ head/en_US.ISO8859-1/books/handbook/jails/chapter.xml	Thu Apr 10 16:39:24 2014	(r44518)
@@ -5,97 +5,91 @@
     $FreeBSD$
 -->
 <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="jails">
-  <info><title>Jails</title>
+  <info>
+    <title>Jails</title>
+
     <authorgroup>
-      <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed by </contrib></author>
+      <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed
+	by </contrib></author>
     </authorgroup>
   </info>
 
-  
-
   <indexterm><primary>jails</primary></indexterm>
 
   <sect1 xml:id="jails-synopsis">
     <title>Synopsis</title>
 
-    <para>Since system administration is a difficult
-      task, many tools have been developed to make life easier for
-      the administrator.  These tools often enhance
-      the way systems are installed, configured, and
-      maintained.  One of the tools which can be used to enhance the security
-      of a &os; system is <firstterm>jails</firstterm>.  Jails have
-      been available since &os; 4.X and continue to be
-      enhanced in their
-      usefulness, performance, reliability, and security.</para>
-
-      <para>Jails build upon the &man.chroot.2; concept, which is used to
-	change the root directory of a set of processes, creating a
-	safe environment, separate from the rest of the system.
-	Processes created in the chrooted environment can not access
-	files or resources outside of it.  For that reason,
-	compromising a service running in a chrooted environment
-	should not allow the attacker to compromise the entire system.
-	However, a chroot has several limitations.  It is suited to easy tasks which do not
-	require much flexibility or complex, advanced features.  Over time
-	many ways have
-	been found to escape from a chrooted environment, making it
-	a less than ideal solution for
-	securing services.</para>
-
-      <para>Jails improve on the concept of the traditional
-	chroot environment in several ways.  In a traditional
-	chroot environment, processes are only limited in the
-	part of the file system they can access.  The rest of the
-	system resources, system users, running
-	processes, and the networking subsystem are shared by the
-	chrooted processes and the processes of the host system.
-	Jails expand this model by virtualizing access to the
-	file system, the set of users, and the networking
-	subsystem.  More
-	fine-grained controls are available for tuning the
-	access of a jailed environment.</para>
+    <para>Since system administration is a difficult task, many tools
+      have been developed to make life easier for the administrator.
+      These tools often enhance the way systems are installed,
+      configured, and maintained.  One of the tools which can be used
+      to enhance the security of a &os; system is
+      <firstterm>jails</firstterm>.  Jails have been available since
+      &os; 4.X and continue to be enhanced in their usefulness,
+      performance, reliability, and security.</para>
+
+    <para>Jails build upon the &man.chroot.2; concept, which is used
+      to change the root directory of a set of processes, creating a
+      safe environment, separate from the rest of the system.
+      Processes created in the chrooted environment can not access
+      files or resources outside of it.  For that reason, compromising
+      a service running in a chrooted environment should not allow the
+      attacker to compromise the entire system.  However, a chroot has
+      several limitations.  It is suited to easy tasks which do not
+      require much flexibility or complex, advanced features.  Over
+      time many ways have been found to escape from a chrooted
+      environment, making it a less than ideal solution for securing
+      services.</para>
+
+    <para>Jails improve on the concept of the traditional chroot
+      environment in several ways.  In a traditional chroot
+      environment, processes are only limited in the part of the file
+      system they can access.  The rest of the system resources,
+      system users, running processes, and the networking subsystem
+      are shared by the chrooted processes and the processes of the
+      host system.  Jails expand this model by virtualizing access to
+      the file system, the set of users, and the networking subsystem.
+      More fine-grained controls are available for tuning the access
+      of a jailed environment.</para>
 
-      <para>A jail is characterized by four elements:</para>
+    <para>A jail is characterized by four elements:</para>
 
-      <itemizedlist>
-	<listitem>
-	  <para>A directory subtree: the starting point from
-	    which a jail is entered.  Once inside the jail, a process
-	    is not permitted to escape outside of this subtree.</para>
-	</listitem>
+    <itemizedlist>
+      <listitem>
+	<para>A directory subtree: the starting point from which a
+	  jail is entered.  Once inside the jail, a process is not
+	  permitted to escape outside of this subtree.</para>
+      </listitem>
 
-	<listitem>
-	  <para>A hostname: which will be used
-	    by the jail.</para>
-	</listitem>
+      <listitem>
+	<para>A hostname: which will be used by the jail.</para>
+      </listitem>
 
-	<listitem>
-	  <para>An <acronym>IP</acronym> address: which is
-	    assigned to the jail.  The <acronym>IP</acronym> address of a jail is
-	    often an alias address for an existing network
-	    interface.</para>
-	</listitem>
+      <listitem>
+	<para>An <acronym>IP</acronym> address: which is assigned to
+	  the jail.  The <acronym>IP</acronym> address of a jail is
+	  often an alias address for an existing network
+	  interface.</para>
+      </listitem>
 
-	<listitem>
-	  <para>A command: the path name of an executable to
-	    run inside the jail.  The path is relative to the
-	    root directory of the jail environment.</para>
-	</listitem>
-      </itemizedlist>
+      <listitem>
+	<para>A command: the path name of an executable to run inside
+	  the jail.  The path is relative to the root directory of the
+	  jail environment.</para>
+      </listitem>
+    </itemizedlist>
 
-      <para>Jails have their own set of users
-	and their own <systemitem class="username">root</systemitem> account which
-	are limited
-	to the jail environment.
-	The <systemitem class="username">root</systemitem>
-	account of a jail is not allowed to perform operations
-	to the system outside of the associated jail
-	environment.</para>
-
-    <para>This chapter provides an overview of jail terminology
-      are how to use &os; jails.  Jails are a powerful
-      tool for system administrators, but their basic usage can also
-      be useful for advanced users.</para>
+    <para>Jails have their own set of users and their own <systemitem
+	class="username">root</systemitem> account which are limited
+      to the jail environment.  The <systemitem
+	class="username">root</systemitem> account of a jail is not
+      allowed to perform operations to the system outside of the
+      associated jail environment.</para>
+
+    <para>This chapter provides an overview of jail terminology are
+      how to use &os; jails.  Jails are a powerful tool for system
+      administrators, but their basic usage can also be useful for
+      advanced users.</para>
 
     <para>After reading this chapter, you will know:</para>
 
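Review bot: the typo in the reflowed closing para of this hunk, "an overview of jail terminology are how to use &os; jails", survives the whitespace pass; "are" should read "and". That is consistent with a whitespace-only commit, but it is a text change translators will need to see in a follow-up, so the "Translators can ignore" log line should not be taken to cover it. Also, `<contrib>Contributed` / `by </contrib>` is now broken across a line with a tab inside the inline element; the stylesheets normalize that whitespace, but breaking the line before `<contrib>` rather than inside it would avoid putting a newline and tab into element content.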
@@ -110,25 +104,24 @@
       </listitem>
 
       <listitem>
-	<para>The basics of jail administration, both from inside
-	  and outside the jail.</para>
+	<para>The basics of jail administration, both from inside and
+	  outside the jail.</para>
       </listitem>
     </itemizedlist>
 
     <important>
       <para>Jails are a powerful tool, but they are not a security
-	panacea.  While it
-	is not possible for a jailed process to break out on its own,
-	there are several ways in which an unprivileged user outside
-	the jail can cooperate with a privileged user inside the jail
-	to obtain elevated privileges in the host
-	environment.</para>
+	panacea.  While it is not possible for a jailed process to
+	break out on its own, there are several ways in which an
+	unprivileged user outside the jail can cooperate with a
+	privileged user inside the jail to obtain elevated privileges
+	in the host environment.</para>
 
       <para>Most of these attacks can be mitigated by ensuring that
 	the jail root is not accessible to unprivileged users in the
-	host environment.  As a general rule, untrusted
-	users with privileged access to a jail should not be given
-	access to the host environment.</para>
+	host environment.  As a general rule, untrusted users with
+	privileged access to a jail should not be given access to the
+	host environment.</para>
     </important>
   </sect1>
 
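Review bot: the reflowed sentence "it is not possible for a jailed process to break out on its own" is an absolute claim that the rest of the `<important>` immediately qualifies (cooperation between an unprivileged host user and a privileged jail user); the actionable guidance is the second para, keeping the jail root inaccessible to unprivileged host users and not giving privileged jail users host access. A follow-up text commit could soften "is not possible" to a design statement rather than a guarantee; out of scope for a whitespace-only change.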
@@ -268,8 +261,8 @@
 
     <para>Once a jail is installed, it can be started by using the
       &man.jail.8; utility.  The &man.jail.8; utility takes four
-      mandatory arguments which are described in the
-      <xref linkend="jails-synopsis"/>.  Other arguments may be specified
+      mandatory arguments which are described in the <xref
+	linkend="jails-synopsis"/>.  Other arguments may be specified
       too, e.g., to run the jailed process with the credentials of a
       specific user.  The
       <option><replaceable>command</replaceable></option> argument
@@ -324,8 +317,8 @@ jail_<replaceable>www</replaceable>_devf
       </step>
     </procedure>
 
-    <para>&man.service.8; can be used to
-      start or stop a jail by hand, if an entry for it exists in
+    <para>&man.service.8; can be used to start or stop a jail by hand,
+      if an entry for it exists in
       <filename>rc.conf</filename>:</para>
 
     <screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput>
@@ -418,16 +411,17 @@ jail_<replaceable>www</replaceable>_devf
 
       <para>These variables can be used by the system administrator of
 	the <emphasis>host system</emphasis> to add or remove some of
-	the limitations imposed by default on the
-	<systemitem class="username">root</systemitem> user.  Note that there are some
-	limitations which cannot be removed.  The
-	<systemitem class="username">root</systemitem> user is not allowed to mount or
-	unmount file systems from within a &man.jail.8;.  The
-	<systemitem class="username">root</systemitem> inside a jail may not load or unload
-	&man.devfs.8; rulesets, set firewall rules, or do many other
-	administrative tasks which require modifications of in-kernel
-	data, such as setting the <varname>securelevel</varname> of
-	the kernel.</para>
+	the limitations imposed by default on the <systemitem
+	  class="username">root</systemitem> user.  Note that there
+	are some limitations which cannot be removed.  The
+	<systemitem class="username">root</systemitem> user is not
+	allowed to mount or unmount file systems from within a
+	&man.jail.8;.  The <systemitem
+	  class="username">root</systemitem> inside a jail may not
+	load or unload &man.devfs.8; rulesets, set firewall rules, or
+	do many other administrative tasks which require modifications
+	of in-kernel data, such as setting the
+	<varname>securelevel</varname> of the kernel.</para>
 
       <para>The base system of &os; contains a basic set of tools for
 	viewing information about the active jails, and attaching to a
@@ -446,10 +440,10 @@ jail_<replaceable>www</replaceable>_devf
 	  <para>Attach to a running jail, from its host system, and
 	    run a command inside the jail or perform administrative
 	    tasks inside the jail itself.  This is especially useful
-	    when the <systemitem class="username">root</systemitem> user wants to cleanly
-	    shut down a jail.  The &man.jexec.8; utility can also be
-	    used to start a shell in a jail to do administration in
-	    it; for example:</para>
+	    when the <systemitem class="username">root</systemitem>
+	    user wants to cleanly shut down a jail.  The &man.jexec.8;
+	    utility can also be used to start a shell in a jail to do
+	    administration in it; for example:</para>
 
 	  <screen>&prompt.root; <userinput>jexec <replaceable>1</replaceable> tcsh</userinput></screen>
 	</listitem>
@@ -462,10 +456,9 @@ jail_<replaceable>www</replaceable>_devf
 
       <para>Among the many third-party utilities for jail
 	administration, one of the most complete and useful is
-	<package>sysutils/jailutils</package>.  It is
-	a set of small applications that contribute to &man.jail.8;
-	management.  Please refer to its web page for more
-	information.</para>
+	<package>sysutils/jailutils</package>.  It is a set of small
+	applications that contribute to &man.jail.8; management.
+	Please refer to its web page for more information.</para>
     </sect2>
   </sect1>
 
@@ -474,7 +467,8 @@ jail_<replaceable>www</replaceable>_devf
     <title>Updating Multiple Jails</title>
 
 	<authorgroup>
-	  <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed by </contrib></author>
+	  <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed
+	    by </contrib></author>
 	</authorgroup>
 	<authorgroup>
 	<author>
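Review bot: the `<contrib>` text is again split mid-element (`Contributed` / `by`), while the surrounding info-block lines keep their tab indentation, with the second `<author>` at the same depth as its parent `<authorgroup>`. Since the body of this sect1 is reindented to four spaces in the next hunk, this block is left as the odd one out; a whitespace-only pass is the right place to bring it in line.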
@@ -496,191 +490,176 @@ jail_<replaceable>www</replaceable>_devf
       </authorgroup>
       </info>
 
-	<para>The management of multiple jails can become
-	  problematic
-	  because every jail has to be rebuilt from scratch whenever
-	  it is upgraded.  This can be
-	  time consuming and tedious if a lot of jails are
-	  created and manually updated.</para>
-
-	<para>This section demonstrates one method to resolve this issue by
-	  safely sharing as much as is possible between jails
-	  using read-only &man.mount.nullfs.8; mounts, so that
-	  updating is simpler.  This makes it more attractive to put single services,
-	  such as <acronym>HTTP</acronym>, <acronym>DNS</acronym>,
-	  and <acronym>SMTP</acronym>, into
-	  individual jails.  Additionally,
-	  it provides a simple way to add, remove, and
-	  upgrade jails.</para>
+    <para>The management of multiple jails can become problematic
+      because every jail has to be rebuilt from scratch whenever it is
+      upgraded.  This can be time consuming and tedious if a lot of
+      jails are created and manually updated.</para>
+
+    <para>This section demonstrates one method to resolve this issue
+      by safely sharing as much as is possible between jails using
+      read-only &man.mount.nullfs.8; mounts, so that updating is
+      simpler.  This makes it more attractive to put single services,
+      such as <acronym>HTTP</acronym>, <acronym>DNS</acronym>, and
+      <acronym>SMTP</acronym>, into individual jails.  Additionally,
+      it provides a simple way to add, remove, and upgrade
+      jails.</para>
+
+    <note>
+      <para>Simpler solutions exist, such as
+	<package>sysutils/ezjail</package>, which provides an easier
+	method of administering &os; jails and is not as sophisticated
+	as this setup.</para>
+    </note>
 
-	<note>
-	  <para>Simpler solutions exist,
-	    such as
-	    <package>sysutils/ezjail</package>, which
-	    provides an easier method of administering &os; jails and
-	    is not as sophisticated as this setup.</para>
-	</note>
+    <para>The goals of the setup described in this section are:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>Create a simple and easy to understand jail structure
+	  that does not require running a full installworld on each
+	  and every jail.</para>
+      </listitem>
+
+      <listitem>
+	<para>Make it easy to add new jails or remove existing
+	  ones.</para>
+      </listitem>
+
+      <listitem>
+	<para>Make it easy to update or upgrade existing jails.</para>
+      </listitem>
+
+      <listitem>
+	<para>Make it possible to run a customized &os; branch.</para>
+      </listitem>
 
-	<para>The goals of the setup described in this section
-	  are:</para>
+      <listitem>
+	<para>Be paranoid about security, reducing as much as
+	  possible the possibility of compromise.</para>
+      </listitem>
+
+      <listitem>
+	<para>Save space and inodes, as much as possible.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>This design relies on a single, read-only master template
+      which is mounted into each jail and one read-write device per
+      jail.  A device can be a separate physical disc, a partition, or
+      a vnode backed memory device.  This example uses read-write
+      <application>nullfs</application> mounts.</para>
 
-	<itemizedlist>
-	  <listitem>
-	    <para>Create a simple and easy to understand jail
-	      structure that does not require
-	      running a full installworld on each and every
-	      jail.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Make it easy to add new jails or remove existing
-	      ones.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Make it easy to update or upgrade existing
-	      jails.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Make it possible to run a customized &os;
-	      branch.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Be paranoid about security, reducing as much as
-	      possible the possibility of compromise.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Save space and inodes, as much as possible.</para>
-	  </listitem>
-	</itemizedlist>
-
-	<para>This design relies
-	  on a single, read-only master template which is
-	  mounted into each jail and one read-write device per jail.
-	  A device can be a separate physical disc, a partition, or a
-	  vnode backed memory device.  This example
-	  uses read-write <application>nullfs</application>
-	  mounts.</para>
-
-	<para>The file system layout is as follows:</para>
-
-	<itemizedlist>
-	  <listitem>
-	    <para>The jails are based under the
-	    <filename>/home</filename> partition.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Each jail will be mounted under the
-	      <filename>/home/j</filename>
-	      directory.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>The template for each jail and the read-only
-	      partition for all of the jails is <filename>/home/j/mroot</filename>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>A blank directory will be created for each jail
-	      under the <filename>/home/j</filename>
-	      directory.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Each jail will have a
-	      <filename>/s</filename> directory
-	      that will be linked to the read-write portion of the
-	      system.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Each jail will have its own read-write system that
-	      is based upon <filename>/home/j/skel</filename>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>The read-write portion of each jail
-	      will be created in <filename>/home/js</filename>.</para>
-	  </listitem>
-	</itemizedlist>
+    <para>The file system layout is as follows:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>The jails are based under the
+	  <filename>/home</filename> partition.</para>
+      </listitem>
+
+      <listitem>
+	<para>Each jail will be mounted under the
+	  <filename>/home/j</filename> directory.</para>
+      </listitem>
+
+      <listitem>
+	<para>The template for each jail and the read-only partition
+	  for  all of the jails is
+	  <filename>/home/j/mroot</filename>.</para>
+      </listitem>
+
+      <listitem>
+	<para>A blank directory will be created for each jail under
+	  the <filename>/home/j</filename> directory.</para>
+      </listitem>
+
+      <listitem>
+	<para>Each jail will have a <filename>/s</filename> directory
+	  that will be linked to the read-write portion of the
+	  system.</para>
+      </listitem>
+
+      <listitem>
+	<para>Each jail will have its own read-write system that is
+	  based upon <filename>/home/j/skel</filename>.</para>
+      </listitem>
+
+      <listitem>
+	<para>The read-write portion of each jail will be created in
+	  <filename>/home/js</filename>.</para>
+      </listitem>
+    </itemizedlist>
 
 	<!-- Insert an image or drawing here to illustrate the example. -->
 
-      <sect2 xml:id="jails-service-jails-template">
-	<title>Creating the Template</title>
+    <sect2 xml:id="jails-service-jails-template">
+      <title>Creating the Template</title>
 
-	<para>This section describes the steps needed to create
-	  the master template.</para>
+      <para>This section describes the steps needed to create the
+	master template.</para>
 
-	<para>It is recommended to first update the host &os; system to
-	  the latest -RELEASE branch using the instructions in
-	  <xref linkend="makeworld"/>.
-	  Additionally, this template uses the
-	  <package>sysutils/cpdup</package> package or port
-	  and <application>portsnap</application>
-	  will be used to download the &os; Ports Collection.</para>
-
-	<procedure>
-	  <step>
-	    <para>First, create a directory structure for the
-	      read-only file system which will contain the &os;
-	      binaries for the jails.  Then, change directory to the
-	      &os; source tree and install the read-only file system
-	      to the jail template:</para>
+      <para>It is recommended to first update the host &os; system to
+	the latest -RELEASE branch using the instructions in <xref
+	  linkend="makeworld"/>.  Additionally, this template uses the
+	<package>sysutils/cpdup</package> package or port and
+	<application>portsnap</application> will be used to download
+	the &os; Ports Collection.</para>
+
+      <procedure>
+	<step>
+	  <para>First, create a directory structure for the read-only
+	    file system which will contain the &os; binaries for the
+	    jails.  Then, change directory to the &os; source tree and
+	    install the read-only file system to the jail
+	    template:</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput>
 &prompt.root; <userinput>cd /usr/src</userinput>
 &prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Next, prepare a &os; Ports Collection for the jails
-	      as well as a &os; source tree, which is required for
-	      <application>mergemaster</application>:</para>
+	<step>
+	  <para>Next, prepare a &os; Ports Collection for the jails as
+	    well as a &os; source tree, which is required for
+	    <application>mergemaster</application>:</para>
 
-	    <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
+	  <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
 &prompt.root; <userinput>mkdir usr/ports</userinput>
 &prompt.root; <userinput>portsnap -p /home/j/mroot/usr/ports fetch extract</userinput>
 &prompt.root; <userinput>cpdup /usr/src /home/j/mroot/usr/src</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Create a skeleton for the read-write portion of the
-	      system:</para>
+	<step>
+	  <para>Create a skeleton for the read-write portion of the
+	    system:</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles</userinput>
 &prompt.root; <userinput>mv etc /home/j/skel</userinput>
 &prompt.root; <userinput>mv usr/local /home/j/skel/usr-local</userinput>
 &prompt.root; <userinput>mv tmp /home/j/skel</userinput>
 &prompt.root; <userinput>mv var /home/j/skel</userinput>
 &prompt.root; <userinput>mv root /home/j/skel</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Use <application>mergemaster</application> to
-	      install missing configuration files.  Then, remove the
-	      the extra directories that
-	      <application>mergemaster</application> creates:</para>
+	<step>
+	  <para>Use <application>mergemaster</application> to install
+	    missing configuration files.  Then, remove the the extra
+	    directories that <application>mergemaster</application>
+	    creates:</para>
 
-	    <screen>&prompt.root; <userinput>mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i</userinput>
+	  <screen>&prompt.root; <userinput>mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i</userinput>
 &prompt.root; <userinput>cd /home/j/skel</userinput>
 &prompt.root; <userinput>rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Now, symlink the read-write file system to the
-	      read-only file system.  Ensure that the
-	      symlinks are created in the correct
-	      <filename>s/</filename> locations as
-	      the creation of directories in the
-	      wrong locations will cause the installation to
-	      fail.</para>
+	<step>
+	  <para>Now, symlink the read-write file system to the
+	    read-only file system.  Ensure that the symlinks are
+	    created in the correct <filename>s/</filename> locations
+	    as the creation of directories in the wrong locations will
+	    cause the installation to fail.</para>
 
-	    <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
+	  <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
 &prompt.root; <userinput>mkdir s</userinput>
 &prompt.root; <userinput>ln -s s/etc etc</userinput>
 &prompt.root; <userinput>ln -s s/home home</userinput>
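Review bot: the reflow introduces a double space in "the read-only partition for  all of the jails" in the file system layout list; it should be a single space. The doubled word in "remove the the extra directories that `mergemaster` creates" is carried over unchanged and is a separate typo for a follow-up text commit. The `<!-- Insert an image or drawing here to illustrate the example. -->` comment between the layout list and the sect2 still has its old tab indentation while everything around it moved to four spaces, so it could be reindented in the same pass.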
@@ -690,61 +669,59 @@ jail_<replaceable>www</replaceable>_devf
 &prompt.root; <userinput>ln -s s/distfiles usr/ports/distfiles</userinput>
 &prompt.root; <userinput>ln -s s/tmp tmp</userinput>
 &prompt.root; <userinput>ln -s s/var var</userinput></screen>
-	  </step>
+	</step>
+
+	<step>
+	  <para>As a last step, create a generic
+	    <filename>/home/j/skel/etc/make.conf</filename> containing
+	    this line:</para>
+
+	  <programlisting>WRKDIRPREFIX?=  /s/portbuild</programlisting>
+
+	  <para>This makes it possible to compile &os; ports inside
+	    each jail.  Remember that the ports directory is part of
+	    the read-only system.  The custom path for
+	    <literal>WRKDIRPREFIX</literal> allows builds to be done
+	    in the read-write portion of every jail.</para>
+	</step>
+      </procedure>
+    </sect2>
+
+    <sect2 xml:id="jails-service-jails-creating">
+      <title>Creating Jails</title>
 
-	  <step>
-	    <para>As a last step, create a generic
-	      <filename>/home/j/skel/etc/make.conf</filename> containing
-	      this line:</para>
-
-	    <programlisting>WRKDIRPREFIX?=  /s/portbuild</programlisting>
-
-	    <para>This
-	      makes it possible to compile &os; ports inside
-	      each jail.  Remember that the ports directory is part of
-	      the read-only system.  The custom path for
-	      <literal>WRKDIRPREFIX</literal> allows builds to be done
-	      in the read-write portion of every jail.</para>
-	  </step>
-	</procedure>
-      </sect2>
-
-      <sect2 xml:id="jails-service-jails-creating">
-	<title>Creating Jails</title>
-
-	<para>The jail template can now be used to
-	  setup and configure the jails in
-	  <filename>/etc/rc.conf</filename>.  This example
-	  demonstrates the creation of 3 jails: <literal>NS</literal>,
-	  <literal>MAIL</literal> and <literal>WWW</literal>.</para>
-
-	<procedure>
-	  <step>
-	    <para>Add the following lines to
-	      <filename>/etc/fstab</filename>, so that the
-	      read-only template for the jails and the read-write
-	      space will be available in the respective jails:</para>
+      <para>The jail template can now be used to setup and configure
+	the jails in <filename>/etc/rc.conf</filename>.  This example
+	demonstrates the creation of 3 jails: <literal>NS</literal>,
+	<literal>MAIL</literal> and <literal>WWW</literal>.</para>
+
+      <procedure>
+	<step>
+	  <para>Add the following lines to
+	    <filename>/etc/fstab</filename>, so that the read-only
+	    template for the jails and the read-write space will be
+	    available in the respective jails:</para>
 
-	    <programlisting>/home/j/mroot   /home/j/ns     nullfs  ro  0   0
+	  <programlisting>/home/j/mroot   /home/j/ns     nullfs  ro  0   0
 /home/j/mroot   /home/j/mail   nullfs  ro  0   0
 /home/j/mroot   /home/j/www    nullfs  ro  0   0
 /home/js/ns     /home/j/ns/s   nullfs  rw  0   0
 /home/js/mail   /home/j/mail/s nullfs  rw  0   0
 /home/js/www    /home/j/www/s  nullfs  rw  0   0</programlisting>
 
-	      <para>To prevent
-		<application>fsck</application> from checking
-		<application>nullfs</application> mounts during boot and
-		<application>dump</application> from backing up the
-		read-only nullfs mounts of the jails, the last two
-		columns are both set to <literal>0</literal>.</para>
-	  </step>
-
-	  <step>
-	    <para>Configure the jails in
-	      <filename>/etc/rc.conf</filename>:</para>
+	  <para>To prevent
+	    <application>fsck</application> from checking
+	    <application>nullfs</application> mounts during boot and
+	    <application>dump</application> from backing up the
+	    read-only nullfs mounts of the jails, the last two
+	    columns are both set to <literal>0</literal>.</para>
+	</step>
+
+	<step>
+	  <para>Configure the jails in
+	    <filename>/etc/rc.conf</filename>:</para>
 
-	    <programlisting>jail_enable="YES"
+	  <programlisting>jail_enable="YES"
 jail_set_hostname_allow="NO"
 jail_list="ns mail www"
 jail_ns_hostname="ns.example.org"
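Review bot: "used to setup and configure the jails in `/etc/rc.conf`" keeps the noun spelling where the verb "set up" is meant; another candidate for the follow-up text fix. The reindented `/etc/fstab` listing and its explanation still agree: the three `/home/j/mroot` lines are `ro`, the three `/home/js/*` lines are `rw`, matching the read-only template plus one read-write device per jail described earlier, and the note on the trailing `0 0` fields (no `dump`, no `fsck` pass for nullfs mounts) is accurate.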
@@ -760,167 +737,164 @@ jail_www_ip="62.123.43.14"
 jail_www_rootdir="/usr/home/j/www"
 jail_www_devfs_enable="YES"</programlisting>
 
-	      <para>The
-		<varname>jail_<replaceable>name</replaceable>_rootdir</varname>
-		variable is set to
-		<filename class="directory">/usr/home</filename>
-		instead of
-		<filename class="directory">/home</filename> because
-		the physical path of
-		<filename class="directory">/home</filename>
-		on a default &os; installation is
-		<filename class="directory">/usr/home</filename>.  The
-		<varname>jail_<replaceable>name</replaceable>_rootdir</varname>
-		variable must <emphasis>not</emphasis> be set to a
-		path which includes a symbolic link, otherwise the
-		jails will refuse to start.</para>
-	  </step>
-
-	  <step>
-	    <para>Create the required mount points for the read-only
-	      file system of each jail:</para>
-
-	    <screen>&prompt.root; <userinput>mkdir /home/j/ns /home/j/mail /home/j/www</userinput></screen>
-	  </step>
-
-	  <step>
-	    <para>Install the read-write template into each jail using
-	      <package>sysutils/cpdup</package>:</para>
+	  <para>The
+	    <varname>jail_<replaceable>name</replaceable>_rootdir</varname>
+	    variable is set to
+	    <filename class="directory">/usr/home</filename> instead
+	    of <filename class="directory">/home</filename> because
+	    the physical path of <filename
+	      class="directory">/home</filename> on a default &os;
+	    installation is <filename
+	      class="directory">/usr/home</filename>.  The
+	    <varname>jail_<replaceable>name</replaceable>_rootdir</varname>
+	    variable must <emphasis>not</emphasis> be set to a path
+	    which includes a symbolic link, otherwise the jails will
+	    refuse to start.</para>
+	</step>
+
+	<step>
+	  <para>Create the required mount points for the read-only
+	    file system of each jail:</para>
+
+	  <screen>&prompt.root; <userinput>mkdir /home/j/ns /home/j/mail /home/j/www</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Install the read-write template into each jail using
+	    <package>sysutils/cpdup</package>:</para>
 	    <!-- keramida: Why is cpdup required here?  Doesn't cpio(1)
 	     already include adequate functionality for performing this
 	     job *and* have the advantage of being part of the base
 	     system of FreeBSD? -->
 
-	    <screen>&prompt.root; <userinput>mkdir /home/js</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/js</userinput>
 &prompt.root; <userinput>cpdup /home/j/skel /home/js/ns</userinput>
 &prompt.root; <userinput>cpdup /home/j/skel /home/js/mail</userinput>
 &prompt.root; <userinput>cpdup /home/j/skel /home/js/www</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>In this phase, the jails are built and prepared to
-	      run.  First, mount the required file systems for each
-	      jail, and then start them:</para>
+	<step>
+	  <para>In this phase, the jails are built and prepared to
+	    run.  First, mount the required file systems for each
+	    jail, and then start them:</para>
 
-	    <screen>&prompt.root; <userinput>mount -a</userinput>
+	  <screen>&prompt.root; <userinput>mount -a</userinput>
 &prompt.root; <userinput>service jail start</userinput></screen>
-	  </step>
-	</procedure>
+	</step>
+      </procedure>
 
-	<para>The jails should be running now.  To check if they have
-	  started correctly, use <command>jls</command>.  Its output
-	  should be similar to the following:</para>
+      <para>The jails should be running now.  To check if they have
+	started correctly, use <command>jls</command>.  Its output
+	should be similar to the following:</para>
 
-	<screen>&prompt.root; <userinput>jls</userinput>
+      <screen>&prompt.root; <userinput>jls</userinput>
    JID  IP Address      Hostname                      Path
      3  192.168.3.17    ns.example.org                /home/j/ns
      2  192.168.3.18    mail.example.org              /home/j/mail
      1  62.123.43.14    www.example.org               /home/j/www</screen>
 
-	<para>At this point, it should be possible to log onto each
-	  jail, add new users, or configure daemons.  The
-	  <literal>JID</literal> column indicates the jail
-	  identification number of each running jail.  Use the
-	  following command to perform administrative tasks
-	  in the jail whose <acronym>JID</acronym> is <literal>3</literal>:</para>
-
-	<screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen>
-      </sect2>
-
-      <sect2 xml:id="jails-service-jails-upgrading">
-	<title>Upgrading</title>
-
-	<para>The design of this setup
-	  provides an easy way to upgrade existing jails while
-	  minimizing their downtime.  Also, it
-	  provides a way to roll back to the older version should a
-	  problem occur.</para>
-
-	<procedure>
-	  <step>
-	    <para>The first step is to upgrade the host system.
-	      Then, create a new temporary read-only
-	      template in <filename>/home/j/mroot2</filename>.</para>
+      <para>At this point, it should be possible to log onto each
+	jail, add new users, or configure daemons.  The
+	<literal>JID</literal> column indicates the jail
+	identification number of each running jail.  Use the following
+	command to perform administrative tasks in the jail whose
+	<acronym>JID</acronym> is <literal>3</literal>:</para>
+
+      <screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="jails-service-jails-upgrading">
+      <title>Upgrading</title>
+
+      <para>The design of this setup provides an easy way to upgrade
+	existing jails while minimizing their downtime.  Also, it
+	provides a way to roll back to the older version should a
+	problem occur.</para>
+
+      <procedure>
+	<step>
+	  <para>The first step is to upgrade the host system.  Then,
+	    create a new temporary read-only template in
+	    <filename>/home/j/mroot2</filename>.</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput>
 &prompt.root; <userinput>cd /usr/src</userinput>
 &prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot2</userinput>
 &prompt.root; <userinput>cd /home/j/mroot2</userinput>
 &prompt.root; <userinput>cpdup /usr/src usr/src</userinput>
 &prompt.root; <userinput>mkdir s</userinput></screen>
 
-	    <para>The <buildtarget>installworld</buildtarget>
-	      creates a few unnecessary directories, which should be
-	      removed:</para>
+	  <para>The <buildtarget>installworld</buildtarget> creates a
+	    few unnecessary directories, which should be
+	    removed:</para>
 
-	    <screen>&prompt.root; <userinput>chflags -R 0 var</userinput>
+	  <screen>&prompt.root; <userinput>chflags -R 0 var</userinput>
 &prompt.root; <userinput>rm -R etc var root usr/local tmp</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Recreate the read-write symlinks for the master file
-	      system:</para>
+	<step>
+	  <para>Recreate the read-write symlinks for the master file
+	    system:</para>
 
-	    <screen>&prompt.root; <userinput>ln -s s/etc etc</userinput>
+	  <screen>&prompt.root; <userinput>ln -s s/etc etc</userinput>
 &prompt.root; <userinput>ln -s s/root root</userinput>
 &prompt.root; <userinput>ln -s s/home home</userinput>
 &prompt.root; <userinput>ln -s ../s/usr-local usr/local</userinput>
 &prompt.root; <userinput>ln -s ../s/usr-X11R6 usr/X11R6</userinput>
 &prompt.root; <userinput>ln -s s/tmp tmp</userinput>
 &prompt.root; <userinput>ln -s s/var var</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Next, stop the jails:</para>
+	<step>
+	  <para>Next, stop the jails:</para>
 
-	    <screen>&prompt.root; <userinput>service jail stop</userinput></screen>
-	  </step>
+	  <screen>&prompt.root; <userinput>service jail stop</userinput></screen>
+	</step>
 
-	  <step>
-	    <para>Unmount the original file systems as the read-write
-	      systems are attached to the read-only system
-	      (<filename>/s</filename>):</para>
+	<step>
+	  <para>Unmount the original file systems as the read-write
+	    systems are attached to the read-only system
+	    (<filename>/s</filename>):</para>
 	    <!-- keramida: Shouldn't we suggest a short script-based
 	     loop here, instead of tediously copying the same commands
 	     multiple times? -->
 
-	    <screen>&prompt.root; <userinput>umount /home/j/ns/s</userinput>
+	  <screen>&prompt.root; <userinput>umount /home/j/ns/s</userinput>
 &prompt.root; <userinput>umount /home/j/ns</userinput>
 &prompt.root; <userinput>umount /home/j/mail/s</userinput>
 &prompt.root; <userinput>umount /home/j/mail</userinput>
 &prompt.root; <userinput>umount /home/j/www/s</userinput>
 &prompt.root; <userinput>umount /home/j/www</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Move the old read-only file system and replace it
-	      with the new one.  This will serve as a backup and
-	      archive of the old read-only file system should
-	      something go wrong.  The naming convention used here
-	      corresponds to when a new read-only file system has been
-	      created.  Move the original &os; Ports Collection over
-	      to the new file system to save some space and
-	      inodes:</para>
+	<step>
+	  <para>Move the old read-only file system and replace it with
+	    the new one.  This will serve as a backup and archive of
+	    the old read-only file system should something go wrong.
+	    The naming convention used here corresponds to when a new
+	    read-only file system has been created.  Move the original
+	    &os; Ports Collection over to the new file system to save
+	    some space and inodes:</para>
 
-	    <screen>&prompt.root; <userinput>cd /home/j</userinput>
+	  <screen>&prompt.root; <userinput>cd /home/j</userinput>
 &prompt.root; <userinput>mv mroot mroot.20060601</userinput>
 &prompt.root; <userinput>mv mroot2 mroot</userinput>
 &prompt.root; <userinput>mv mroot.20060601/usr/ports mroot/usr</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>At this point the new read-only template is ready,
-	      so the only remaining task is to remount the file
-	      systems and start the jails:</para>
+	<step>
+	  <para>At this point the new read-only template is ready, so
+	    the only remaining task is to remount the file systems and
+	    start the jails:</para>
 
-	    <screen>&prompt.root; <userinput>mount -a</userinput>
+	  <screen>&prompt.root; <userinput>mount -a</userinput>
 &prompt.root; <userinput>service jail start</userinput></screen>
-	  </step>
-	</procedure>
+	</step>
+      </procedure>
 
-	<para>Use <command>jls</command> to check if the jails started correctly.
-	  Run <command>mergemaster</command> in each jail to update the
-	  configuration files.</para>
+      <para>Use <command>jls</command> to check if the jails started
+	correctly.  Run <command>mergemaster</command> in each jail to
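Review bot: The two keramida XML comments (`<!-- keramida: Why is cpdup required here? ...` and `<!-- keramida: Shouldn't we suggest a short script-based loop ...`) are left as unchanged context at their old, deeper indentation while every surrounding `<para>` and `<screen>` line was dedented by two columns; for a whitespace-only commit they should be reindented in the same pass so the step bodies stay uniformly aligned. The `<screen>` continuation lines (the `&prompt.root;` commands) are correctly untouched, as they are verbatim content. Separately, the hunk as mailed is cut off after `Run <command>mergemaster</command> in each jail to`, so the remainder of this change cannot be reviewed from this message and needs to be checked against the repository directly.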

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***