Date: Thu, 10 Apr 2014 16:39:24 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44518 - head/en_US.ISO8859-1/books/handbook/jails
Message-ID: <201404101639.s3AGdOBh024778@svn.freebsd.org>
Author: dru Date: Thu Apr 10 16:39:24 2014 New Revision: 44518 URL: http://svnweb.freebsd.org/changeset/doc/44518 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Thu Apr 10 15:07:29 2014 (r44517) +++ head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Thu Apr 10 16:39:24 2014 (r44518) 
@@ -5,97 +5,91 @@ $FreeBSD$ --> <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="jails"> - <info><title>Jails</title> + <info> + <title>Jails</title> + <authorgroup> - <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed by </contrib></author> + <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed + by </contrib></author> </authorgroup> </info> - - <indexterm><primary>jails</primary></indexterm> <sect1 xml:id="jails-synopsis"> <title>Synopsis</title> - <para>Since system administration is a difficult - task, many tools have been developed to make life easier for - the administrator. These tools often enhance - the way systems are installed, configured, and - maintained. One of the tools which can be used to enhance the security - of a &os; system is <firstterm>jails</firstterm>. Jails have - been available since &os; 4.X and continue to be - enhanced in their - usefulness, performance, reliability, and security.</para> - - <para>Jails build upon the &man.chroot.2; concept, which is used to - change the root directory of a set of processes, creating a - safe environment, separate from the rest of the system. - Processes created in the chrooted environment can not access - files or resources outside of it. For that reason, - compromising a service running in a chrooted environment - should not allow the attacker to compromise the entire system. - However, a chroot has several limitations. It is suited to easy tasks which do not - require much flexibility or complex, advanced features. Over time - many ways have - been found to escape from a chrooted environment, making it - a less than ideal solution for - securing services.</para> - - <para>Jails improve on the concept of the traditional - chroot environment in several ways. 
In a traditional - chroot environment, processes are only limited in the - part of the file system they can access. The rest of the - system resources, system users, running - processes, and the networking subsystem are shared by the - chrooted processes and the processes of the host system. - Jails expand this model by virtualizing access to the - file system, the set of users, and the networking - subsystem. More - fine-grained controls are available for tuning the - access of a jailed environment.</para> + <para>Since system administration is a difficult task, many tools + have been developed to make life easier for the administrator. + These tools often enhance the way systems are installed, + configured, and maintained. One of the tools which can be used + to enhance the security of a &os; system is + <firstterm>jails</firstterm>. Jails have been available since + &os; 4.X and continue to be enhanced in their usefulness, + performance, reliability, and security.</para> + + <para>Jails build upon the &man.chroot.2; concept, which is used + to change the root directory of a set of processes, creating a + safe environment, separate from the rest of the system. + Processes created in the chrooted environment can not access + files or resources outside of it. For that reason, compromising + a service running in a chrooted environment should not allow the + attacker to compromise the entire system. However, a chroot has + several limitations. It is suited to easy tasks which do not + require much flexibility or complex, advanced features. Over + time many ways have been found to escape from a chrooted + environment, making it a less than ideal solution for securing + services.</para> + + <para>Jails improve on the concept of the traditional chroot + environment in several ways. In a traditional chroot + environment, processes are only limited in the part of the file + system they can access. 
The rest of the system resources, + system users, running processes, and the networking subsystem + are shared by the chrooted processes and the processes of the + host system. Jails expand this model by virtualizing access to + the file system, the set of users, and the networking subsystem. + More fine-grained controls are available for tuning the access + of a jailed environment.</para> - <para>A jail is characterized by four elements:</para> + <para>A jail is characterized by four elements:</para> - <itemizedlist> - <listitem> - <para>A directory subtree: the starting point from - which a jail is entered. Once inside the jail, a process - is not permitted to escape outside of this subtree.</para> - </listitem> + <itemizedlist> + <listitem> + <para>A directory subtree: the starting point from which a + jail is entered. Once inside the jail, a process is not + permitted to escape outside of this subtree.</para> + </listitem> - <listitem> - <para>A hostname: which will be used - by the jail.</para> - </listitem> + <listitem> + <para>A hostname: which will be used by the jail.</para> + </listitem> - <listitem> - <para>An <acronym>IP</acronym> address: which is - assigned to the jail. The <acronym>IP</acronym> address of a jail is - often an alias address for an existing network - interface.</para> - </listitem> + <listitem> + <para>An <acronym>IP</acronym> address: which is assigned to + the jail. The <acronym>IP</acronym> address of a jail is + often an alias address for an existing network + interface.</para> + </listitem> - <listitem> - <para>A command: the path name of an executable to - run inside the jail. The path is relative to the - root directory of the jail environment.</para> - </listitem> - </itemizedlist> + <listitem> + <para>A command: the path name of an executable to run inside + the jail. 
The path is relative to the root directory of the + jail environment.</para> + </listitem> + </itemizedlist> - <para>Jails have their own set of users - and their own <systemitem class="username">root</systemitem> account which - are limited - to the jail environment. - The <systemitem class="username">root</systemitem> - account of a jail is not allowed to perform operations - to the system outside of the associated jail - environment.</para> - - <para>This chapter provides an overview of jail terminology - are how to use &os; jails. Jails are a powerful - tool for system administrators, but their basic usage can also - be useful for advanced users.</para> + <para>Jails have their own set of users and their own <systemitem + class="username">root</systemitem> account which are limited + to the jail environment. The <systemitem + class="username">root</systemitem> account of a jail is not + allowed to perform operations to the system outside of the + associated jail environment.</para> + + <para>This chapter provides an overview of jail terminology are + how to use &os; jails. Jails are a powerful tool for system + administrators, but their basic usage can also be useful for + advanced users.</para> <para>After reading this chapter, you will know:</para> 
@@ -110,25 +104,24 @@ </listitem> <listitem> - <para>The basics of jail administration, both from inside - and outside the jail.</para> + <para>The basics of jail administration, both from inside and + outside the jail.</para> </listitem> </itemizedlist> <important> <para>Jails are a powerful tool, but they are not a security - panacea. While it - is not possible for a jailed process to break out on its own, - there are several ways in which an unprivileged user outside - the jail can cooperate with a privileged user inside the jail - to obtain elevated privileges in the host - environment.</para> + panacea. While it is not possible for a jailed process to + break out on its own, there are several ways in which an + unprivileged user outside the jail can cooperate with a + privileged user inside the jail to obtain elevated privileges + in the host environment.</para> <para>Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the - host environment. As a general rule, untrusted - users with privileged access to a jail should not be given - access to the host environment.</para> + host environment. As a general rule, untrusted users with + privileged access to a jail should not be given access to the + host environment.</para> </important> </sect1> @@ -268,8 +261,8 @@ <para>Once a jail is installed, it can be started by using the &man.jail.8; utility. The &man.jail.8; utility takes four - mandatory arguments which are described in the - <xref linkend="jails-synopsis"/>. Other arguments may be specified + mandatory arguments which are described in the <xref + linkend="jails-synopsis"/>. Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The <option><replaceable>command</replaceable></option> argument 
@@ -324,8 +317,8 @@ jail_<replaceable>www</replaceable>_devf </step> </procedure> - <para>&man.service.8; can be used to - start or stop a jail by hand, if an entry for it exists in + <para>&man.service.8; can be used to start or stop a jail by hand, + if an entry for it exists in <filename>rc.conf</filename>:</para> <screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput> @@ -418,16 +411,17 @@ jail_<replaceable>www</replaceable>_devf <para>These variables can be used by the system administrator of the <emphasis>host system</emphasis> to add or remove some of - the limitations imposed by default on the - <systemitem class="username">root</systemitem> user. Note that there are some - limitations which cannot be removed. The - <systemitem class="username">root</systemitem> user is not allowed to mount or - unmount file systems from within a &man.jail.8;. The - <systemitem class="username">root</systemitem> inside a jail may not load or unload - &man.devfs.8; rulesets, set firewall rules, or do many other - administrative tasks which require modifications of in-kernel - data, such as setting the <varname>securelevel</varname> of - the kernel.</para> + the limitations imposed by default on the <systemitem + class="username">root</systemitem> user. Note that there + are some limitations which cannot be removed. The + <systemitem class="username">root</systemitem> user is not + allowed to mount or unmount file systems from within a + &man.jail.8;. The <systemitem + class="username">root</systemitem> inside a jail may not + load or unload &man.devfs.8; rulesets, set firewall rules, or + do many other administrative tasks which require modifications + of in-kernel data, such as setting the + <varname>securelevel</varname> of the kernel.</para> <para>The base system of &os; contains a basic set of tools for viewing information about the active jails, and attaching to a 
@@ -446,10 +440,10 @@ jail_<replaceable>www</replaceable>_devf <para>Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful - when the <systemitem class="username">root</systemitem> user wants to cleanly - shut down a jail. The &man.jexec.8; utility can also be - used to start a shell in a jail to do administration in - it; for example:</para> + when the <systemitem class="username">root</systemitem> + user wants to cleanly shut down a jail. The &man.jexec.8; + utility can also be used to start a shell in a jail to do + administration in it; for example:</para> <screen>&prompt.root; <userinput>jexec <replaceable>1</replaceable> tcsh</userinput></screen> </listitem> @@ -462,10 +456,9 @@ jail_<replaceable>www</replaceable>_devf <para>Among the many third-party utilities for jail administration, one of the most complete and useful is - <package>sysutils/jailutils</package>. It is - a set of small applications that contribute to &man.jail.8; - management. Please refer to its web page for more - information.</para> + <package>sysutils/jailutils</package>. It is a set of small + applications that contribute to &man.jail.8; management. + Please refer to its web page for more information.</para> </sect2> </sect1> @@ -474,7 +467,8 @@ jail_<replaceable>www</replaceable>_devf <title>Updating Multiple Jails</title> <authorgroup> - <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed by </contrib></author> + <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed + by </contrib></author> </authorgroup> <authorgroup> <author> 
@@ -496,191 +490,176 @@ jail_<replaceable>www</replaceable>_devf </authorgroup> </info> - <para>The management of multiple jails can become - problematic - because every jail has to be rebuilt from scratch whenever - it is upgraded. This can be - time consuming and tedious if a lot of jails are - created and manually updated.</para> - - <para>This section demonstrates one method to resolve this issue by - safely sharing as much as is possible between jails - using read-only &man.mount.nullfs.8; mounts, so that - updating is simpler. This makes it more attractive to put single services, - such as <acronym>HTTP</acronym>, <acronym>DNS</acronym>, - and <acronym>SMTP</acronym>, into - individual jails. Additionally, - it provides a simple way to add, remove, and - upgrade jails.</para> + <para>The management of multiple jails can become problematic + because every jail has to be rebuilt from scratch whenever it is + upgraded. This can be time consuming and tedious if a lot of + jails are created and manually updated.</para> + + <para>This section demonstrates one method to resolve this issue + by safely sharing as much as is possible between jails using + read-only &man.mount.nullfs.8; mounts, so that updating is + simpler. This makes it more attractive to put single services, + such as <acronym>HTTP</acronym>, <acronym>DNS</acronym>, and + <acronym>SMTP</acronym>, into individual jails. 
Additionally, + it provides a simple way to add, remove, and upgrade + jails.</para> + + <note> + <para>Simpler solutions exist, such as + <package>sysutils/ezjail</package>, which provides an easier + method of administering &os; jails and is not as sophisticated + as this setup.</para> + </note> - <note> - <para>Simpler solutions exist, - such as - <package>sysutils/ezjail</package>, which - provides an easier method of administering &os; jails and - is not as sophisticated as this setup.</para> - </note> + <para>The goals of the setup described in this section are:</para> + + <itemizedlist> + <listitem> + <para>Create a simple and easy to understand jail structure + that does not require running a full installworld on each + and every jail.</para> + </listitem> + + <listitem> + <para>Make it easy to add new jails or remove existing + ones.</para> + </listitem> + + <listitem> + <para>Make it easy to update or upgrade existing jails.</para> + </listitem> + + <listitem> + <para>Make it possible to run a customized &os; branch.</para> + </listitem> - <para>The goals of the setup described in this section - are:</para> + <listitem> + <para>Be paranoid about security, reducing as much as + possible the possibility of compromise.</para> + </listitem> + + <listitem> + <para>Save space and inodes, as much as possible.</para> + </listitem> + </itemizedlist> + + <para>This design relies on a single, read-only master template + which is mounted into each jail and one read-write device per + jail. A device can be a separate physical disc, a partition, or + a vnode backed memory device. 
This example uses read-write + <application>nullfs</application> mounts.</para> - <itemizedlist> - <listitem> - <para>Create a simple and easy to understand jail - structure that does not require - running a full installworld on each and every - jail.</para> - </listitem> - - <listitem> - <para>Make it easy to add new jails or remove existing - ones.</para> - </listitem> - - <listitem> - <para>Make it easy to update or upgrade existing - jails.</para> - </listitem> - - <listitem> - <para>Make it possible to run a customized &os; - branch.</para> - </listitem> - - <listitem> - <para>Be paranoid about security, reducing as much as - possible the possibility of compromise.</para> - </listitem> - - <listitem> - <para>Save space and inodes, as much as possible.</para> - </listitem> - </itemizedlist> - - <para>This design relies - on a single, read-only master template which is - mounted into each jail and one read-write device per jail. - A device can be a separate physical disc, a partition, or a - vnode backed memory device. 
This example - uses read-write <application>nullfs</application> - mounts.</para> - - <para>The file system layout is as follows:</para> - - <itemizedlist> - <listitem> - <para>The jails are based under the - <filename>/home</filename> partition.</para> - </listitem> - - <listitem> - <para>Each jail will be mounted under the - <filename>/home/j</filename> - directory.</para> - </listitem> - - <listitem> - <para>The template for each jail and the read-only - partition for all of the jails is <filename>/home/j/mroot</filename>.</para> - </listitem> - - <listitem> - <para>A blank directory will be created for each jail - under the <filename>/home/j</filename> - directory.</para> - </listitem> - - <listitem> - <para>Each jail will have a - <filename>/s</filename> directory - that will be linked to the read-write portion of the - system.</para> - </listitem> - - <listitem> - <para>Each jail will have its own read-write system that - is based upon <filename>/home/j/skel</filename>.</para> - </listitem> - - <listitem> - <para>The read-write portion of each jail - will be created in <filename>/home/js</filename>.</para> - </listitem> - </itemizedlist> + <para>The file system layout is as follows:</para> + + <itemizedlist> + <listitem> + <para>The jails are based under the + <filename>/home</filename> partition.</para> + </listitem> + + <listitem> + <para>Each jail will be mounted under the + <filename>/home/j</filename> directory.</para> + </listitem> + + <listitem> + <para>The template for each jail and the read-only partition + for all of the jails is + <filename>/home/j/mroot</filename>.</para> + </listitem> + + <listitem> + <para>A blank directory will be created for each jail under + the <filename>/home/j</filename> directory.</para> + </listitem> + + <listitem> + <para>Each jail will have a <filename>/s</filename> directory + that will be linked to the read-write portion of the + system.</para> + </listitem> + + <listitem> + <para>Each jail will have its own 
read-write system that is + based upon <filename>/home/j/skel</filename>.</para> + </listitem> + + <listitem> + <para>The read-write portion of each jail will be created in + <filename>/home/js</filename>.</para> + </listitem> + </itemizedlist> <!-- Insert an image or drawing here to illustrate the example. --> - <sect2 xml:id="jails-service-jails-template"> - <title>Creating the Template</title> + <sect2 xml:id="jails-service-jails-template"> + <title>Creating the Template</title> - <para>This section describes the steps needed to create - the master template.</para> + <para>This section describes the steps needed to create the + master template.</para> - <para>It is recommended to first update the host &os; system to - the latest -RELEASE branch using the instructions in - <xref linkend="makeworld"/>. - Additionally, this template uses the - <package>sysutils/cpdup</package> package or port - and <application>portsnap</application> - will be used to download the &os; Ports Collection.</para> - - <procedure> - <step> - <para>First, create a directory structure for the - read-only file system which will contain the &os; - binaries for the jails. Then, change directory to the - &os; source tree and install the read-only file system - to the jail template:</para> + <para>It is recommended to first update the host &os; system to + the latest -RELEASE branch using the instructions in <xref + linkend="makeworld"/>. Additionally, this template uses the + <package>sysutils/cpdup</package> package or port and + <application>portsnap</application> will be used to download + the &os; Ports Collection.</para> + + <procedure> + <step> + <para>First, create a directory structure for the read-only + file system which will contain the &os; binaries for the + jails. 
Then, change directory to the &os; source tree and + install the read-only file system to the jail + template:</para> - <screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput> + <screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput> &prompt.root; <userinput>cd /usr/src</userinput> &prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot</userinput></screen> - </step> + </step> - <step> - <para>Next, prepare a &os; Ports Collection for the jails - as well as a &os; source tree, which is required for - <application>mergemaster</application>:</para> + <step> + <para>Next, prepare a &os; Ports Collection for the jails as + well as a &os; source tree, which is required for + <application>mergemaster</application>:</para> - <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput> + <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput> &prompt.root; <userinput>mkdir usr/ports</userinput> &prompt.root; <userinput>portsnap -p /home/j/mroot/usr/ports fetch extract</userinput> &prompt.root; <userinput>cpdup /usr/src /home/j/mroot/usr/src</userinput></screen> - </step> + </step> - <step> - <para>Create a skeleton for the read-write portion of the - system:</para> + <step> + <para>Create a skeleton for the read-write portion of the + system:</para> - <screen>&prompt.root; <userinput>mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles</userinput> + <screen>&prompt.root; <userinput>mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles</userinput> &prompt.root; <userinput>mv etc /home/j/skel</userinput> &prompt.root; <userinput>mv usr/local /home/j/skel/usr-local</userinput> &prompt.root; <userinput>mv tmp /home/j/skel</userinput> &prompt.root; <userinput>mv var /home/j/skel</userinput> &prompt.root; <userinput>mv root /home/j/skel</userinput></screen> - </step> + </step> - <step> - <para>Use <application>mergemaster</application> to - install missing configuration 
files. Then, remove the - the extra directories that - <application>mergemaster</application> creates:</para> + <step> + <para>Use <application>mergemaster</application> to install + missing configuration files. Then, remove the the extra + directories that <application>mergemaster</application> + creates:</para> - <screen>&prompt.root; <userinput>mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i</userinput> + <screen>&prompt.root; <userinput>mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i</userinput> &prompt.root; <userinput>cd /home/j/skel</userinput> &prompt.root; <userinput>rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev</userinput></screen> - </step> + </step> - <step> - <para>Now, symlink the read-write file system to the - read-only file system. Ensure that the - symlinks are created in the correct - <filename>s/</filename> locations as - the creation of directories in the - wrong locations will cause the installation to - fail.</para> + <step> + <para>Now, symlink the read-write file system to the + read-only file system. Ensure that the symlinks are + created in the correct <filename>s/</filename> locations + as the creation of directories in the wrong locations will + cause the installation to fail.</para> - <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput> + <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput> &prompt.root; <userinput>mkdir s</userinput> &prompt.root; <userinput>ln -s s/etc etc</userinput> &prompt.root; <userinput>ln -s s/home home</userinput> 
@@ -690,61 +669,59 @@ jail_<replaceable>www</replaceable>_devf &prompt.root; <userinput>ln -s s/distfiles usr/ports/distfiles</userinput> &prompt.root; <userinput>ln -s s/tmp tmp</userinput> &prompt.root; <userinput>ln -s s/var var</userinput></screen> - </step> + </step> + + <step> + <para>As a last step, create a generic + <filename>/home/j/skel/etc/make.conf</filename> containing + this line:</para> + + <programlisting>WRKDIRPREFIX?= /s/portbuild</programlisting> + + <para>This makes it possible to compile &os; ports inside + each jail. Remember that the ports directory is part of + the read-only system. The custom path for + <literal>WRKDIRPREFIX</literal> allows builds to be done + in the read-write portion of every jail.</para> + </step> + </procedure> + </sect2> + + <sect2 xml:id="jails-service-jails-creating"> + <title>Creating Jails</title> - <step> - <para>As a last step, create a generic - <filename>/home/j/skel/etc/make.conf</filename> containing - this line:</para> - - <programlisting>WRKDIRPREFIX?= /s/portbuild</programlisting> - - <para>This - makes it possible to compile &os; ports inside - each jail. Remember that the ports directory is part of - the read-only system. The custom path for - <literal>WRKDIRPREFIX</literal> allows builds to be done - in the read-write portion of every jail.</para> - </step> - </procedure> - </sect2> - - <sect2 xml:id="jails-service-jails-creating"> - <title>Creating Jails</title> - - <para>The jail template can now be used to - setup and configure the jails in - <filename>/etc/rc.conf</filename>. 
This example - demonstrates the creation of 3 jails: <literal>NS</literal>, - <literal>MAIL</literal> and <literal>WWW</literal>.</para> - - <procedure> - <step> - <para>Add the following lines to - <filename>/etc/fstab</filename>, so that the - read-only template for the jails and the read-write - space will be available in the respective jails:</para> + <para>The jail template can now be used to setup and configure + the jails in <filename>/etc/rc.conf</filename>. This example + demonstrates the creation of 3 jails: <literal>NS</literal>, + <literal>MAIL</literal> and <literal>WWW</literal>.</para> + + <procedure> + <step> + <para>Add the following lines to + <filename>/etc/fstab</filename>, so that the read-only + template for the jails and the read-write space will be + available in the respective jails:</para> - <programlisting>/home/j/mroot /home/j/ns nullfs ro 0 0 + <programlisting>/home/j/mroot /home/j/ns nullfs ro 0 0 /home/j/mroot /home/j/mail nullfs ro 0 0 /home/j/mroot /home/j/www nullfs ro 0 0 /home/js/ns /home/j/ns/s nullfs rw 0 0 /home/js/mail /home/j/mail/s nullfs rw 0 0 /home/js/www /home/j/www/s nullfs rw 0 0</programlisting> - <para>To prevent - <application>fsck</application> from checking - <application>nullfs</application> mounts during boot and - <application>dump</application> from backing up the - read-only nullfs mounts of the jails, the last two - columns are both set to <literal>0</literal>.</para> - </step> - - <step> - <para>Configure the jails in - <filename>/etc/rc.conf</filename>:</para> + <para>To prevent + <application>fsck</application> from checking + <application>nullfs</application> mounts during boot and + <application>dump</application> from backing up the + read-only nullfs mounts of the jails, the last two + columns are both set to <literal>0</literal>.</para> + </step> + + <step> + <para>Configure the jails in + <filename>/etc/rc.conf</filename>:</para> - <programlisting>jail_enable="YES" + 
<programlisting>jail_enable="YES" jail_set_hostname_allow="NO" jail_list="ns mail www" jail_ns_hostname="ns.example.org" 
@@ -760,167 +737,164 @@ jail_www_ip="62.123.43.14" jail_www_rootdir="/usr/home/j/www" jail_www_devfs_enable="YES"</programlisting> - <para>The - <varname>jail_<replaceable>name</replaceable>_rootdir</varname> - variable is set to - <filename class="directory">/usr/home</filename> - instead of - <filename class="directory">/home</filename> because - the physical path of - <filename class="directory">/home</filename> - on a default &os; installation is - <filename class="directory">/usr/home</filename>. The - <varname>jail_<replaceable>name</replaceable>_rootdir</varname> - variable must <emphasis>not</emphasis> be set to a - path which includes a symbolic link, otherwise the - jails will refuse to start.</para> - </step> - - <step> - <para>Create the required mount points for the read-only - file system of each jail:</para> - - <screen>&prompt.root; <userinput>mkdir /home/j/ns /home/j/mail /home/j/www</userinput></screen> - </step> - - <step> - <para>Install the read-write template into each jail using - <package>sysutils/cpdup</package>:</para> + <para>The + <varname>jail_<replaceable>name</replaceable>_rootdir</varname> + variable is set to + <filename class="directory">/usr/home</filename> instead + of <filename class="directory">/home</filename> because + the physical path of <filename + class="directory">/home</filename> on a default &os; + installation is <filename + class="directory">/usr/home</filename>. 
The + <varname>jail_<replaceable>name</replaceable>_rootdir</varname> + variable must <emphasis>not</emphasis> be set to a path + which includes a symbolic link, otherwise the jails will + refuse to start.</para> + </step> + + <step> + <para>Create the required mount points for the read-only + file system of each jail:</para> + + <screen>&prompt.root; <userinput>mkdir /home/j/ns /home/j/mail /home/j/www</userinput></screen> + </step> + + <step> + <para>Install the read-write template into each jail using + <package>sysutils/cpdup</package>:</para> <!-- keramida: Why is cpdup required here? Doesn't cpio(1) already include adequate functionality for performing this job *and* have the advantage of being part of the base system of FreeBSD? --> - <screen>&prompt.root; <userinput>mkdir /home/js</userinput> + <screen>&prompt.root; <userinput>mkdir /home/js</userinput> &prompt.root; <userinput>cpdup /home/j/skel /home/js/ns</userinput> &prompt.root; <userinput>cpdup /home/j/skel /home/js/mail</userinput> &prompt.root; <userinput>cpdup /home/j/skel /home/js/www</userinput></screen> - </step> + </step> - <step> - <para>In this phase, the jails are built and prepared to - run. First, mount the required file systems for each - jail, and then start them:</para> + <step> + <para>In this phase, the jails are built and prepared to + run. First, mount the required file systems for each + jail, and then start them:</para> - <screen>&prompt.root; <userinput>mount -a</userinput> + <screen>&prompt.root; <userinput>mount -a</userinput> &prompt.root; <userinput>service jail start</userinput></screen> - </step> - </procedure> + </step> + </procedure> - <para>The jails should be running now. To check if they have - started correctly, use <command>jls</command>. Its output - should be similar to the following:</para> + <para>The jails should be running now. To check if they have + started correctly, use <command>jls</command>. 
Its output + should be similar to the following:</para> - <screen>&prompt.root; <userinput>jls</userinput> + <screen>&prompt.root; <userinput>jls</userinput> JID IP Address Hostname Path 3 192.168.3.17 ns.example.org /home/j/ns 2 192.168.3.18 mail.example.org /home/j/mail 1 62.123.43.14 www.example.org /home/j/www</screen> - <para>At this point, it should be possible to log onto each - jail, add new users, or configure daemons. The - <literal>JID</literal> column indicates the jail - identification number of each running jail. Use the - following command to perform administrative tasks - in the jail whose <acronym>JID</acronym> is <literal>3</literal>:</para> - - <screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen> - </sect2> - - <sect2 xml:id="jails-service-jails-upgrading"> - <title>Upgrading</title> - - <para>The design of this setup - provides an easy way to upgrade existing jails while - minimizing their downtime. Also, it - provides a way to roll back to the older version should a - problem occur.</para> - - <procedure> - <step> - <para>The first step is to upgrade the host system. - Then, create a new temporary read-only - template in <filename>/home/j/mroot2</filename>.</para> + <para>At this point, it should be possible to log onto each + jail, add new users, or configure daemons. The + <literal>JID</literal> column indicates the jail + identification number of each running jail. Use the following + command to perform administrative tasks in the jail whose + <acronym>JID</acronym> is <literal>3</literal>:</para> + + <screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen> + </sect2> + + <sect2 xml:id="jails-service-jails-upgrading"> + <title>Upgrading</title> + + <para>The design of this setup provides an easy way to upgrade + existing jails while minimizing their downtime. 
Also, it + provides a way to roll back to the older version should a + problem occur.</para> + + <procedure> + <step> + <para>The first step is to upgrade the host system. Then, + create a new temporary read-only template in + <filename>/home/j/mroot2</filename>.</para> - <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput> + <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput> &prompt.root; <userinput>cd /usr/src</userinput> &prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot2</userinput> &prompt.root; <userinput>cd /home/j/mroot2</userinput> &prompt.root; <userinput>cpdup /usr/src usr/src</userinput> &prompt.root; <userinput>mkdir s</userinput></screen> - <para>The <buildtarget>installworld</buildtarget> - creates a few unnecessary directories, which should be - removed:</para> + <para>The <buildtarget>installworld</buildtarget> creates a + few unnecessary directories, which should be + removed:</para> - <screen>&prompt.root; <userinput>chflags -R 0 var</userinput> + <screen>&prompt.root; <userinput>chflags -R 0 var</userinput> &prompt.root; <userinput>rm -R etc var root usr/local tmp</userinput></screen> - </step> + </step> - <step> - <para>Recreate the read-write symlinks for the master file - system:</para> + <step> + <para>Recreate the read-write symlinks for the master file + system:</para> - <screen>&prompt.root; <userinput>ln -s s/etc etc</userinput> + <screen>&prompt.root; <userinput>ln -s s/etc etc</userinput> &prompt.root; <userinput>ln -s s/root root</userinput> &prompt.root; <userinput>ln -s s/home home</userinput> &prompt.root; <userinput>ln -s ../s/usr-local usr/local</userinput> &prompt.root; <userinput>ln -s ../s/usr-X11R6 usr/X11R6</userinput> &prompt.root; <userinput>ln -s s/tmp tmp</userinput> &prompt.root; <userinput>ln -s s/var var</userinput></screen> - </step> + </step> - <step> - <para>Next, stop the jails:</para> + <step> + <para>Next, stop the jails:</para> - <screen>&prompt.root; <userinput>service 
jail stop</userinput></screen> - </step> + <screen>&prompt.root; <userinput>service jail stop</userinput></screen> + </step> - <step> - <para>Unmount the original file systems as the read-write - systems are attached to the read-only system - (<filename>/s</filename>):</para> + <step> + <para>Unmount the original file systems as the read-write + systems are attached to the read-only system + (<filename>/s</filename>):</para> <!-- keramida: Shouldn't we suggest a short script-based loop here, instead of tediously copying the same commands multiple times? --> - <screen>&prompt.root; <userinput>umount /home/j/ns/s</userinput> + <screen>&prompt.root; <userinput>umount /home/j/ns/s</userinput> &prompt.root; <userinput>umount /home/j/ns</userinput> &prompt.root; <userinput>umount /home/j/mail/s</userinput> &prompt.root; <userinput>umount /home/j/mail</userinput> &prompt.root; <userinput>umount /home/j/www/s</userinput> &prompt.root; <userinput>umount /home/j/www</userinput></screen> - </step> + </step> - <step> - <para>Move the old read-only file system and replace it - with the new one. This will serve as a backup and - archive of the old read-only file system should - something go wrong. The naming convention used here - corresponds to when a new read-only file system has been - created. Move the original &os; Ports Collection over - to the new file system to save some space and - inodes:</para> + <step> + <para>Move the old read-only file system and replace it with + the new one. This will serve as a backup and archive of + the old read-only file system should something go wrong. + The naming convention used here corresponds to when a new + read-only file system has been created. 
Move the original + &os; Ports Collection over to the new file system to save + some space and inodes:</para> - <screen>&prompt.root; <userinput>cd /home/j</userinput> + <screen>&prompt.root; <userinput>cd /home/j</userinput> &prompt.root; <userinput>mv mroot mroot.20060601</userinput> &prompt.root; <userinput>mv mroot2 mroot</userinput> &prompt.root; <userinput>mv mroot.20060601/usr/ports mroot/usr</userinput></screen> - </step> + </step> - <step> - <para>At this point the new read-only template is ready, - so the only remaining task is to remount the file - systems and start the jails:</para> + <step> + <para>At this point the new read-only template is ready, so + the only remaining task is to remount the file systems and + start the jails:</para> - <screen>&prompt.root; <userinput>mount -a</userinput> + <screen>&prompt.root; <userinput>mount -a</userinput> &prompt.root; <userinput>service jail start</userinput></screen> - </step> - </procedure> + </step> + </procedure> - <para>Use <command>jls</command> to check if the jails started correctly. - Run <command>mergemaster</command> in each jail to update the - configuration files.</para> + <para>Use <command>jls</command> to check if the jails started + correctly. Run <command>mergemaster</command> in each jail to *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***