Date:      Wed, 02 Feb 2005 01:06:47 +0800
From:      Xin LI <delphij@frontfree.net>
To:        freebsd-hackers@FreeBSD.org
Cc:        ru@FreeBSD.org
Subject:   Re: Idea about "skeleton jail"
Message-ID:  <1107277607.809.25.camel@spirit>
In-Reply-To: <1107178792.613.22.camel@spirit>
References:  <1107178792.613.22.camel@spirit>

I have attached an "alpha" patch that implements skeljail,
which includes an "installskel" target to install a (hmm... as many as
you wish and your hard disk allows) skeleton after buildworld.

In order to make use of it, follow the following procedure:

0. make buildworld is a prerequisite to run "make installskel" so do it
1. make a directory.  i.e. mkdir /vhosts/1
2. cd /usr/src && make installskel DESTDIR=/vhosts/1
3. (You may want to copy something like password database/first ssh keys
into the jail.  I have a "core.tbz" to do this)
4. Add configuration to /etc/rc.conf
5. Start the jail script as usual.  This includes rebooting the host, or
"/etc/rc.d/jail restart".

To patch your existing system to get a test run of the patch, the
following procedure is recommended (other ways may work, too):
0. cvsup to latest -CURRENT
1. on top level src tree (/usr/src), do patch < (the patch file)
2. make buildworld installworld (make sure you have latest kernel
installed, of course)
3. cd /usr/src/etc/rc.d && make install (this can be accomplished in a
different way by running mergemaster)

Added rc.conf knobs:
- jail_<X>_skel_enable=(YES|NO)
Whether to enable skeleton jail.  The default is NO.

- jail_<X>_skel_root
Where the skeleton should mount everything from.  This can be / (the
default), and you can specify something like /vhosts/templateRELENG_4 if
you want a different release.

- jail_<X>_skel_romounts
Which directories we should mount from the jail_<X>_skel_root.  The
default value is "bin sbin lib libexec usr/bin usr/sbin usr/include
usr/lib usr/libdata usr/libexec usr/sbin usr/share".

I've received some quite impressive scripts from our user community
and I will consult these scripts to find out if I have missed something
important, and do further improvements over this version.  Please let me
know if there are any suggestions or flaws with this patch.

Thanks in advance!

Cheers,
-- 
Xin LI <delphij delphij net>  http://www.delphij.net/
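
One way to check a running skeleton jail against the jail_<X>_skel_romounts list, as an added example that is not part of the original message or its patch. It assumes each skeleton directory appears as its own mount in FreeBSD `mount` output and should carry the read-only flag, which the message does not show; the function name check_romounts and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the patch): report whether each skeleton directory
# under a jail root is mounted, and whether that mount is read-only.

# Default jail_<X>_skel_romounts value quoted in the message (the repeated
# usr/sbin entry is kept as written; it is only checked twice).
ROMOUNTS="bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share"

# Constructed sample in the format printed by FreeBSD mount(8).
# On a live host pass "$(mount)" instead.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/bin on /vhosts/1/bin (nullfs, local, read-only)
/sbin on /vhosts/1/sbin (nullfs, local, read-only)
/lib on /vhosts/1/lib (nullfs, local)
devfs on /vhosts/1/dev (devfs, local)'

# check_romounts JAILROOT MOUNT_OUTPUT [DIR...]
# Prints "OK|WRITABLE|MISSING <path>" per directory (default: $ROMOUNTS).
# Returns 0 only if every directory is mounted read-only.
check_romounts() {
    jailroot=$1
    mounts=$2
    shift 2
    [ $# -gt 0 ] || set -- $ROMOUNTS
    rc=0
    for d in "$@"; do
        target="${jailroot%/}/$d"
        # The last matching line wins: it is the mount currently on top.
        status=$(printf '%s\n' "$mounts" | awk -v t="$target" '
            $2 == "on" && $3 == t {
                s = ($0 ~ /\(([^)]*, )?read-only[,)]/) ? "OK" : "WRITABLE"
            }
            END { print (s ? s : "MISSING") }')
        printf '%s %s\n' "$status" "$target"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Demo on the constructed sample: lib is writable and usr/bin is not mounted.
check_romounts /vhosts/1 "$SAMPLE_MOUNTS" bin sbin lib usr/bin ||
    echo "skeleton is not fully read-only"
```

A WRITABLE result matters most here: a skeleton directory shared from the host without the read-only flag would let processes in the jail modify files the host and other jails execute.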

[Attachment: patch-skel (text/x-patch)]