From: Xin LI
To: freebsd-hackers@FreeBSD.org
cc: ru@FreeBSD.org
Subject: Re: Idea about "skeleton jail"
Date: Wed, 02 Feb 2005 01:06:47 +0800
Message-Id: <1107277607.809.25.camel@spirit>
In-Reply-To: <1107178792.613.22.camel@spirit>
Organization: The FreeBSD Simplified Chinese Project
Reply-To: delphij@delphij.net
List-Id: Technical Discussions relating to FreeBSD

I have attached an "alpha" patch that implements skeljail, which includes an "installskel" target to install a (hmm... as many as you wish and your hard disk allows) skeleton after buildworld. In order to make use of it, follow this procedure:

0. make buildworld is a prerequisite to run "make installskel", so do it
1. make a directory, i.e. mkdir /vhosts/1
2. cd /usr/src && make installskel DESTDIR=/vhosts/1
3. (You may want to copy something like the password database/first ssh keys into the jail. I have a "core.tbz" to do this)
4. Add configuration to /etc/rc.conf
5. Start the jail script as usual. This includes rebooting the host, or "/etc/rc.d/jail restart".

To patch your existing system to get a test run of the patch, the following procedure is recommended (other ways may work, too):

0. cvsup to latest -CURRENT
1. on top level src tree (/usr/src), do patch < (the patch file)
2. make buildworld installworld (make sure you have the latest kernel installed, of course)
3. cd /usr/src/etc/rc.d && make install (this can be accomplished in a different way by running mergemaster)

Added rc.conf knobs:

- jail_<jname>_skel_enable=(YES|NO)
  Whether to enable skeleton jail. The default is NO.
- jail_<jname>_skel_root
  Where the skeleton should mount everything from. This can be / (the default), and you can specify something like /vhosts/templateRELENG_4 if you want a different release.
- jail_<jname>_skel_romounts
  Which directories we should mount from jail_<jname>_skel_root. The default value is "bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share".
I've received some quite impressive scripts from our user community and I will consult these scripts to find out if I have missed something important, and do further improvements over this version.

Please let me know if there are any suggestions or flaws with this patch. Thanks in advance!

Cheers,
--
Xin LI
http://www.delphij.net/

Attachment: patch-skel (text/x-patch)
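As an added example (not the patch attached to this mail), a POSIX sh dry run of what the jail_<jname>_skel_* knobs ask the rc script to do: it lists the read-only nullfs mounts from the skeleton root into the jail root, skips entries missing from the skeleton and the duplicated usr/sbin in the default list, and prints the unmounts in reverse order. The function names skel_plan and skel_unplan are my own.

```shell
#!/bin/sh
# Added example, not code from the mail's patch. Plans the read-only nullfs
# mounts of a skeleton jail so an admin can review them before anything is
# mounted. Assumes the patch's behaviour: mount_nullfs, read-only, from the
# skeleton root into the jail root, for each directory in the romounts list.

skel_root_default=/
# Default list as quoted in the mail; it names usr/sbin twice, which the
# planner deduplicates so no nullfs mount is stacked on top of itself.
skel_romounts_default="bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share"

# skel_plan <jail_rootdir> [<skel_root>] [<romounts>]
# Prints one "mount_nullfs -o ro SRC DST" line per directory; entries missing
# from the skeleton root are skipped with a warning on stderr, duplicates are
# dropped. Returns 1 if the skeleton root itself is not a directory.
skel_plan() {
    _root=${1%/}
    _skel=${2:-$skel_root_default}; _skel=${_skel%/}
    _mnts=${3:-$skel_romounts_default}
    _seen=""
    [ -d "${_skel:-/}" ] || { echo "skel: no such root: ${_skel:-/}" >&2; return 1; }
    for _m in $_mnts; do
        case " $_seen " in *" $_m "*) continue ;; esac
        _seen="$_seen $_m"
        if [ ! -d "$_skel/$_m" ]; then
            echo "skel: $_skel/$_m missing in skeleton root, skipped" >&2
            continue
        fi
        echo "mount_nullfs -o ro $_skel/$_m $_root/$_m"
    done
}

# skel_unplan <jail_rootdir> [<skel_root>] [<romounts>]
# Same selection as skel_plan, but prints "umount DST" lines in reverse order
# so a mount made later (possibly under an earlier one) comes down first.
skel_unplan() {
    _rev=""
    for _dst in $(skel_plan "$@" 2>/dev/null | awk '{print $NF}'); do
        _rev="$_dst $_rev"
    done
    for _d in $_rev; do echo "umount $_d"; done
}

# Run directly as: sh skel-plan.sh /vhosts/1 [/vhosts/templateRELENG_4 [list]]
if [ $# -gt 0 ]; then
    skel_plan "$@"
fi
```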