From: Warren Block
Date: Tue, 25 Jun 2013 14:37:57 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r42036 - head/en_US.ISO8859-1/books/handbook/jails

Author: wblock
Date: Tue Jun 25 14:37:56 2013
New Revision: 42036
URL: http://svnweb.freebsd.org/changeset/doc/42036

Log:
  Whitespace-only fixes. Translators, please ignore.

Modified:
  head/en_US.ISO8859-1/books/handbook/jails/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Tue Jun 25 02:50:16 2013 (r42035) +++ head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Tue Jun 25 14:37:56 2013 (r42036) @@ -24,9 +24,10 @@ This chapter will provide an explanation of what &os; jails are and how to use them. Jails, sometimes referred to as an - enhanced replacement of chroot environments, - are a very powerful tool for system administrators, but their basic - usage can also be useful for advanced users. + enhanced replacement of + chroot environments, are a very powerful + tool for system administrators, but their basic usage can also + be useful for advanced users. Jails are a powerful tool, but they are not a security 
@@ -66,77 +67,79 @@ - The &man.jail.8; manual page. This is the full reference - of the jail utility — the - administrative tool which can be used in &os; to start, stop, - and control &os; jails. + The &man.jail.8; manual page. This is the full + reference of the jail utility — the + administrative tool which can be used in &os; to start, + stop, and control &os; jails. - The mailing lists and their archives. The archives of the - &a.questions; and other mailing lists hosted by the + The mailing lists and their archives. The archives of + the &a.questions; and other mailing lists hosted by the &a.mailman.lists; already contain a wealth of material for jails. It should always be engaging to search the archives, or post a new question to the &a.questions.name; mailing list. - Terms Related to Jails - To facilitate better understanding of parts of the &os; system - related to jails, their internals and the way they interact with - the rest of &os;, the following terms are used further in this - chapter: + To facilitate better understanding of parts of the &os; + system related to jails, their internals and the way they + interact with the rest of &os;, the following terms are used + further in this chapter: - &man.chroot.8; (command) - - Utility, which uses &man.chroot.2; &os; system call to change - the root directory of a process and all its descendants. + &man.chroot.8; (command) + + Utility, which uses &man.chroot.2; &os; system call to + change the root directory of a process and all its + descendants. - &man.chroot.2; (environment) - - The environment of processes running in - a chroot. This includes resources such as the part - of the file system which is visible, user and group IDs which are - available, network interfaces and other IPC mechanisms, - etc. + &man.chroot.2; (environment) + + The environment of processes running in a + chroot. 
This includes resources such as + the part of the file system which is visible, user and + group IDs which are available, network interfaces and + other IPC mechanisms, etc. - &man.jail.8; (command) - - The system administration utility which allows launching of - processes within a jail environment. + &man.jail.8; (command) + + The system administration utility which allows + launching of processes within a jail environment. - host (system, process, user, etc.) - - The controlling system of a jail environment. The host system - has access to all the hardware resources available, and can - control processes both outside of and inside a jail environment. - One of the important differences of the host system from a jail is - that the limitations which apply to superuser processes inside a - jail are not enforced for processes of the host system. + host (system, process, user, etc.) + + The controlling system of a jail environment. The + host system has access to all the hardware resources + available, and can control processes both outside of and + inside a jail environment. One of the important + differences of the host system from a jail is that the + limitations which apply to superuser processes inside a + jail are not enforced for processes of the host + system. - hosted (system, process, user, etc.) - - A process, user or other entity, whose access to resources is - restricted by a &os; jail. + hosted (system, process, user, etc.) + + A process, user or other entity, whose access to + resources is restricted by a &os; jail. 
@@ -147,39 +150,39 @@ Since system administration is a difficult and perplexing task, many powerful tools were developed to make life easier for - the administrator. These tools mostly provide enhancements of some sort - to the way systems are installed, configured and maintained. - Part of the tasks which an administrator is - expected to do is to properly configure the security of a system, - so that it can continue serving its real purpose, without allowing - security violations. - - One of the tools which can be used to enhance the security of - a &os; system are jails. Jails were - introduced in &os; 4.X by &a.phk;, but were greatly improved in - &os; 5.X to make them a powerful and flexible subsystem. Their - development still goes on, enhancing their usefulness, performance, reliability, - and security. + the administrator. These tools mostly provide enhancements of + some sort to the way systems are installed, configured and + maintained. Part of the tasks which an administrator is + expected to do is to properly configure the security of a + system, so that it can continue serving its real purpose, + without allowing security violations. + + One of the tools which can be used to enhance the security + of a &os; system are jails. Jails were + introduced in &os; 4.X by &a.phk;, but were greatly + improved in &os; 5.X to make them a powerful and flexible + subsystem. Their development still goes on, enhancing their + usefulness, performance, reliability, and security. What is a Jail - BSD-like operating systems have had &man.chroot.2; since the - time of 4.2BSD. The &man.chroot.8; utility can be used to - change the root directory - of a set of processes, creating a safe environment, separate - from the rest of the system. Processes created in the chrooted - environment can not access files or resources outside of it. - For that reason, compromising a service running in a chrooted - environment should not allow the attacker to compromise the - entire system. 
The &man.chroot.8; utility is good for easy - tasks which do not require much flexibility or complex, - advanced features. Since the inception of the - chroot concept, however, many ways have been found to escape from a - chrooted environment and, although they have been fixed in - modern versions of the &os; kernel, it was clear that - &man.chroot.2; was not the ideal solution for securing services. - A new subsystem had to be implemented. + BSD-like operating systems have had &man.chroot.2; since + the time of 4.2BSD. The &man.chroot.8; utility can be used to + change the root directory of a set of processes, creating a + safe environment, separate from the rest of the system. + Processes created in the chrooted environment can not access + files or resources outside of it. For that reason, + compromising a service running in a chrooted environment + should not allow the attacker to compromise the entire system. + The &man.chroot.8; utility is good for easy tasks which do not + require much flexibility or complex, advanced features. Since + the inception of the chroot concept, however, many ways have + been found to escape from a chrooted environment and, although + they have been fixed in modern versions of the &os; kernel, it + was clear that &man.chroot.2; was not the ideal solution for + securing services. A new subsystem had to be + implemented. This is one of the main reasons why jails were developed. 
@@ -187,16 +190,16 @@ Jails improve on the concept of the traditional &man.chroot.2; environment in several ways. In a traditional &man.chroot.2; environment, processes are only limited in the - part of the file system they can access. The rest of the system - resources (like the set of system users, the running processes, - or the networking subsystem) are shared by the chrooted - processes and the processes of the host system. Jails expand - this model by virtualizing not only access to the file system, - but also the set of users, the networking subsystem of the &os; - kernel and a few other things. A more complete set of - fine-grained controls available for tuning the access of a - jailed environment is described in . + part of the file system they can access. The rest of the + system resources (like the set of system users, the running + processes, or the networking subsystem) are shared by the + chrooted processes and the processes of the host system. + Jails expand this model by virtualizing not only access to the + file system, but also the set of users, the networking + subsystem of the &os; kernel and a few other things. A more + complete set of fine-grained controls available for tuning the + access of a jailed environment is described in + . A jail is characterized by four elements: 
@@ -211,51 +214,54 @@ A hostname — the hostname which will be used - within the jail. Jails are mainly used for hosting network - services, therefore having a descriptive hostname for each - jail can really help the system administrator. + within the jail. Jails are mainly used for hosting + network services, therefore having a descriptive hostname + for each jail can really help the system + administrator. An IP address — this will be - assigned to the jail and cannot be changed in any way during - the jail's life span. The IP address of a jail is usually an alias address - for an existing network interface, but this is not strictly necessary. + assigned to the jail and cannot be changed in any way + during the jail's life span. The IP address of a jail is + usually an alias address for an existing network + interface, but this is not strictly necessary. - A command — the path name of an executable to run - inside the jail. The path name is relative to the root directory of - the jail environment. + A command — the path name of an executable to + run inside the jail. The path name is relative to the + root directory of the jail environment. - Apart from these, jails can have their own set of users and - their own root user. Naturally, the powers - of the root user are limited within the - jail environment and, from the point of view of the host system, - the jail root user is not an omnipotent user. - In addition, the root user of a jail is not - allowed to perform critical operations to the system outside of - the associated &man.jail.8; environment. More information - about capabilities and restrictions of the - root user will be discussed in below. + Apart from these, jails can have their own set of users + and their own root user. Naturally, the + powers of the root user are limited + within the jail environment and, from the point of view of the + host system, the jail root user is not an + omnipotent user. 
In addition, the root + user of a jail is not allowed to perform critical operations + to the system outside of the associated &man.jail.8; + environment. More information about capabilities and + restrictions of the root user will be + discussed in + below. Creating and Controlling Jails - Some administrators divide jails into the following two types: - complete jails, which resemble a real &os; system, - and service jails, dedicated to one application or - service, possibly running with privileges. This is only a - conceptual division and the process of building a jail is not - affected by it. The &man.jail.8; manual page is quite clear about - the procedure for building a jail: + Some administrators divide jails into the following two + types: complete jails, which resemble a real &os; + system, and service jails, dedicated to one + application or service, possibly running with privileges. This + is only a conceptual division and the process of building a jail + is not affected by it. The &man.jail.8; manual page is quite + clear about the procedure for building a jail: - &prompt.root; setenv D /here/is/the/jail + &prompt.root; setenv D /here/is/the/jail &prompt.root; mkdir -p $D &prompt.root; cd /usr/src &prompt.root; make buildworld 
@@ -265,61 +271,67 @@ - Selecting a location for a jail is the best starting point. - This is where the jail will physically reside within the file system of the jail's host. - A good choice can be Selecting a location for a jail is the best starting + point. This is where the jail will physically reside within + the file system of the jail's host. A good choice can be + /usr/jail/jailname, where jailname is the hostname - identifying the jail. The /usr/ file system usually has - enough space for the jail file system, which for complete jails is, essentially, - a replication of every file present in a default installation - of the &os; base system. + identifying the jail. The + /usr/ file system + usually has enough space for the jail file system, which for + complete jails is, essentially, a replication + of every file present in a default installation of the &os; + base system. If you have already rebuilt your userland using - make world or make buildworld, - you can skip this step and install your existing userland into the - new jail. + make world or + make buildworld, you can skip this step + and install your existing userland into the new jail. This command will populate the directory subtree chosen as jail's physical location on the file system with the - necessary binaries, libraries, manual pages and so on. + necessary binaries, libraries, manual pages and so + on. The distribution target for make installs every needed - configuration file. In simple words, it installs every installable file of + configuration file. In simple words, it installs every + installable file of /usr/src/etc/ to the - /etc directory of the jail - environment: + /etc directory of the + jail environment: $D/etc/. Mounting the &man.devfs.8; file system inside a jail is not required. On the other hand, any, or almost any - application requires access to at least one device, depending - on the purpose of the given application. 
It is very important - to control access to devices from inside a jail, as improper - settings could permit an attacker to do nasty things in the - jail. Control over &man.devfs.8; is managed through rulesets - which are described in the &man.devfs.8; and - &man.devfs.conf.5; manual pages. + application requires access to at least one device, + depending on the purpose of the given application. It is + very important to control access to devices from inside a + jail, as improper settings could permit an attacker to do + nasty things in the jail. Control over &man.devfs.8; is + managed through rulesets which are described in the + &man.devfs.8; and &man.devfs.conf.5; manual pages. Once a jail is installed, it can be started by using the - &man.jail.8; utility. The &man.jail.8; utility takes four - mandatory arguments which are described in the . Other arguments may be - specified too, e.g., to run the jailed process with the credentials of a specific - user. The argument depends on - the type of the jail; for a virtual system, + &man.jail.8; utility. The &man.jail.8; utility takes four + mandatory arguments which are described in the + . Other arguments may be specified + too, e.g., to run the jailed process with the credentials of a + specific user. The + argument + depends on the type of the jail; for a + virtual system, /etc/rc is a good choice, since it will replicate the startup sequence of a real &os; system. For a service jail, it depends on the service or 
@@ -377,11 +389,11 @@ jail_www_devf &prompt.root; service jail stop www A clean way to shut down a &man.jail.8; is not available at - the moment. This is because commands normally used to accomplish - a clean system shutdown cannot be used inside a jail. The best - way to shut down a jail is to run the following command from - within the jail itself or using the &man.jexec.8; utility from - outside the jail: + the moment. This is because commands normally used to + accomplish a clean system shutdown cannot be used inside a jail. + The best way to shut down a jail is to run the following command + from within the jail itself or using the &man.jexec.8; utility + from outside the jail: &prompt.root; sh /etc/rc.shutdown @@ -393,20 +405,22 @@ jail_www_devf Fine Tuning and Administration There are several options which can be set for any jail, and - various ways of combining a host &os; system with jails, to produce - higher level applications. This section presents: + various ways of combining a host &os; system with jails, to + produce higher level applications. This section + presents: - Some of the options available for tuning the behavior and - security restrictions implemented by a jail + Some of the options available for tuning the behavior + and security restrictions implemented by a jail installation. Some of the high-level applications for jail management, - which are available through the &os; Ports Collection, and can - be used to implement overall jail-based solutions. + which are available through the &os; Ports Collection, and + can be used to implement overall jail-based + solutions. @@ -426,32 +440,32 @@ jail_www_devf security.jail.set_hostname_allowed: - 1 + 1 security.jail.socket_unixiproute_only: - 1 + 1 security.jail.sysvipc_allowed: - 0 + 0 security.jail.enforce_statfs: - 2 + 2 security.jail.allow_raw_sockets: - 0 + 0 security.jail.chflags_allowed: - 0 + 0 
@@ -469,14 +483,14 @@ jail_www_devf root inside a jail may not load or unload &man.devfs.8; rulesets, set firewall rules, or do many other administrative tasks which require modifications of in-kernel - data, such as setting the securelevel of the - kernel. + data, such as setting the securelevel of + the kernel. The base system of &os; contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. The &man.jls.8; and - &man.jexec.8; commands are part of the base &os; system, and can be used - to perform the following simple tasks: + &man.jexec.8; commands are part of the base &os; system, and + can be used to perform the following simple tasks: @@ -486,13 +500,13 @@ jail_www_devf - Attach to a running jail, from its host system, and run - a command inside the jail or perform administrative tasks inside the - jail itself. This is especially useful when the - root user wants to cleanly shut down a - jail. The &man.jexec.8; utility can also be used to start a - shell in a jail to do administration in it; for - example: + Attach to a running jail, from its host system, and + run a command inside the jail or perform administrative + tasks inside the jail itself. This is especially useful + when the root user wants to cleanly + shut down a jail. The &man.jexec.8; utility can also be + used to start a shell in a jail to do administration in + it; for example: &prompt.root; jexec 1 tcsh 
@@ -503,11 +517,12 @@ jail_www_devf High-Level Administrative Tools in the &os; Ports Collection - Among the many third-party utilities for jail administration, - one of the most complete and useful is sysutils/jailutils. It is a set of - small applications that contribute to &man.jail.8; management. - Please refer to its web page for more information. + Among the many third-party utilities for jail + administration, one of the most complete and useful is + sysutils/jailutils. It is + a set of small applications that contribute to &man.jail.8; + management. Please refer to its web page for more + information. @@ -530,8 +545,8 @@ jail_www_devf This section is based upon an idea originally presented by &a.simon; at , and an - updated article written by Ken Tom + url="http://simon.nitro.dk/service-jails.html">, and + an updated article written by Ken Tom locals@gmail.com. This section illustrates how to set up a &os; system that adds an additional layer of security, using the &man.jail.8; feature. It is also assumed 
@@ -540,24 +555,24 @@ jail_www_devf understood. - Design + Design - One of the major problems with jails is the management of - their upgrade process. This tends to be a problem because - every jail has to be rebuilt from scratch whenever it is - updated. This is usually not a problem for a single jail, - since the update process is fairly simple, but can be quite - time consuming and tedious if a lot of jails are + One of the major problems with jails is the management + of their upgrade process. This tends to be a problem + because every jail has to be rebuilt from scratch whenever + it is updated. This is usually not a problem for a single + jail, since the update process is fairly simple, but can be + quite time consuming and tedious if a lot of jails are created. This setup requires advanced experience with &os; and usage of its features. If the presented steps below look too complicated, it is advised to take a look at a simpler - system such as sysutils/ezjail, which provides - an easier method of administering &os; jails and is not as - sophisticated as this setup. + system such as + sysutils/ezjail, which + provides an easier method of administering &os; jails and + is not as sophisticated as this setup. This idea has been presented to resolve such issues by @@ -570,8 +585,9 @@ jail_www_devf Examples of services in this context are: an - HTTP server, a DNS - server, a SMTP server, and so forth. + HTTP server, a DNS + server, a SMTP server, and so + forth. The goals of the setup described in this section 
@@ -579,79 +595,93 @@ jail_www_devf - Create a simple and easy to understand jail structure. - This implies not having to run a full - installworld on each and every jail. + Create a simple and easy to understand jail + structure. This implies not having + to run a full installworld on each and every + jail. + Make it easy to add new jails or remove existing ones. + Make it easy to update or upgrade existing jails. + Make it possible to run a customized &os; branch. + Be paranoid about security, reducing as much as possible the possibility of compromise. + Save space and inodes, as much as possible. As it has been already mentioned, this design relies - heavily on having a single master template which is read-only - (known as nullfs) mounted into each - jail and one read-write device per jail. A device can be a - separate physical disc, a partition, or a vnode backed - &man.md.4; device. In this example, we will use read-write - nullfs mounts. + heavily on having a single master template which is + read-only (known as nullfs) + mounted into each jail and one read-write device per jail. + A device can be a separate physical disc, a partition, or a + vnode backed &man.md.4; device. In this example, we will + use read-write nullfs + mounts. The file system layout is described in the following list: - Each jail will be mounted under the /home/j directory. + Each jail will be mounted under the + /home/j + directory. + - /home/j/mroot is - the template for each jail and the read-only partition for - all of the jails. + /home/j/mroot + is the template for each jail and the read-only + partition for all of the jails. + - A blank directory will be created for each jail under - the /home/j + A blank directory will be created for each jail + under the /home/j directory. + - Each jail will have a /s directory, that will be - linked to the read-write portion of the system. + Each jail will have a + /s directory, + that will be linked to the read-write portion of the + system. 
+ - Each jail shall have its own read-write system that is - based upon Each jail shall have its own read-write system that + is based upon /home/j/skel. + - Each jailspace (read-write portion of each jail) shall - be created in Each jailspace (read-write portion of each jail) + shall be created in /home/js. This assumes that the jails are based under the - /home partition. This - can, of course, be changed to anything else, but this change - will have to be reflected in each of the examples + /home partition. + This can, of course, be changed to anything else, but this + change will have to be reflected in each of the examples below. 
@@ -660,37 +690,40 @@ jail_www_devf Creating the Template - This section will describe the steps needed to create the - master template that will be the read-only portion for the - jails to use. - - It is always a good idea to update the &os; system to the - latest -RELEASE branch. Check the corresponding Handbook - Chapter + This section will describe the steps needed to create + the master template that will be the read-only portion for + the jails to use. + + It is always a good idea to update the &os; system to + the latest -RELEASE branch. Check the corresponding + Handbook Chapter to accomplish this task. In the case the update is not - feasible, the buildworld will be required in order to be able - to proceed. Additionally, the sysutils/cpdup package will be - required. We will use the &man.portsnap.8; utility to - download the &os; Ports Collection. The Handbook Portsnap Chapter - is always good reading for newcomers. + feasible, the buildworld will be required in order to be + able to proceed. Additionally, the + sysutils/cpdup package + will be required. We will use the &man.portsnap.8; utility + to download the &os; Ports Collection. The Handbook + Portsnap + Chapter is always good reading for + newcomers. 
- First, create a directory structure for the read-only - file system which will contain the &os; binaries for our - jails, then change directory to the &os; source tree and - install the read-only file system to the jail - template: + First, create a directory structure for the + read-only file system which will contain the &os; + binaries for our jails, then change directory to the + &os; source tree and install the read-only file system + to the jail template: &prompt.root; mkdir /home/j /home/j/mroot &prompt.root; cd /usr/src &prompt.root; make installworld DESTDIR=/home/j/mroot + - Next, prepare a &os; Ports Collection for the jails as - well as a &os; source tree, which is required for + Next, prepare a &os; Ports Collection for the jails + as well as a &os; source tree, which is required for mergemaster: &prompt.root; cd /home/j/mroot @@ -698,6 +731,7 @@ jail_www_devf &prompt.root; portsnap -p /home/j/mroot/usr/ports fetch extract &prompt.root; cpdup /usr/src /home/j/mroot/usr/src + Create a skeleton for the read-write portion of the system: 
@@ -709,23 +743,26 @@ jail_www_devf &prompt.root; mv var /home/j/skel &prompt.root; mv root /home/j/skel + - Use mergemaster to install - missing configuration files. Then get rid of the extra - directories that mergemaster - creates: + Use mergemaster to + install missing configuration files. Then get rid of + the extra directories that + mergemaster creates: &prompt.root; mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i &prompt.root; cd /home/j/skel &prompt.root; rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev + Now, symlink the read-write file system to the - read-only file system. Please make sure that the symlinks - are created in the correct s/ locations. Real - directories or the creation of directories in the wrong - locations will cause the installation to fail. + read-only file system. Please make sure that the + symlinks are created in the correct + s/ locations. + Real directories or the creation of directories in the + wrong locations will cause the installation to + fail. &prompt.root; cd /home/j/mroot &prompt.root; mkdir s @@ -738,15 +775,15 @@ jail_www_devf &prompt.root; ln -s s/tmp tmp &prompt.root; ln -s s/var var + As a last step, create a generic /home/j/skel/etc/make.conf with its contents as shown below: - WRKDIRPREFIX?= /s/portbuild + WRKDIRPREFIX?= /s/portbuild - - Having WRKDIRPREFIX set up this + Having WRKDIRPREFIX set up this way will make it possible to compile &os; ports inside each jail. Remember that the ports directory is part of the read-only system. The custom path for 
@@ -761,16 +798,16 @@ jail_www_devf Now that we have a complete &os; jail template, we can setup and configure the jails in - /etc/rc.conf. This example demonstrates - the creation of 3 jails: NS, + /etc/rc.conf. This example + demonstrates the creation of 3 jails: NS, MAIL and WWW. Put the following lines into the /etc/fstab file, so that the - read-only template for the jails and the read-write space - will be available in the respective jails: + read-only template for the jails and the read-write + space will be available in the respective jails: /home/j/mroot /home/j/ns nullfs ro 0 0 /home/j/mroot /home/j/mail nullfs ro 0 0 @@ -786,12 +823,14 @@ jail_www_devf &man.dump.8;. We do not want fsck to check nullfs mounts or - dump to back up the read-only - nullfs mounts of the jails. This is why they are marked - with 0 0 in the last two columns of - each fstab entry above. + dump to back up the + read-only nullfs mounts of the jails. This is why + they are marked with 0 0 in the + last two columns of each fstab + entry above. + Configure the jails in /etc/rc.conf: 
@@ -815,34 +854,37 @@ jail_www_devfs_enable="YES" The reason why the jail_name_rootdir - variable is set to /usr/home instead of - /home is that the - physical path of the /home directory on a - default &os; installation is /usr/home. The + variable is set to + /usr/home + instead of + /home is that + the physical path of the + /home directory + on a default &os; installation is + /usr/home. The jail_name_rootdir - variable must not be set to a path - which includes a symbolic link, otherwise the jails will - refuse to start. Use the &man.realpath.1; utility to - determine a value which should be set to this variable. - Please see the &os;-SA-07:01.jail Security Advisory for - more information. + variable must not be set to a + path which includes a symbolic link, otherwise the + jails will refuse to start. Use the &man.realpath.1; + utility to determine a value which should be set to + this variable. Please see the &os;-SA-07:01.jail + Security Advisory for more information. + Create the required mount points for the read-only file system of each jail: &prompt.root; mkdir /home/j/ns /home/j/mail /home/j/www + - Install the read-write template into each jail. Note - the use of sysutils/cpdup, which helps to - ensure that a correct copy is done of each - directory: + Install the read-write template into each jail. + Note the use of + sysutils/cpdup, + which helps to ensure that a correct copy is done of + each directory: