Date: Sat, 20 May 2006 15:21:00 +0800
From: Xin LI <delphij@delphij.net>
To: freebsd-rc <freebsd-rc@freebsd.org>
Cc: Ruslan Ermilov <ru@FreeBSD.org>, "Simon L. Nielsen" <simon@FreeBSD.org>
Subject: [PATCH FOR REVIEW] Implementation of skeleton jail
Message-ID: <1148109661.952.26.camel@spirit>
Hi, folks,

Here is an implementation of what I call "skeleton jail".

The idea is that it is more or less common that we do not want to actually copy the base system (sometimes even other stuff) across zillions of jails. The skeleton jail is an approach that makes management of such jails easier, by making use of mount_nullfs(8) to make a read-only shadow or read-write shadow from the so-called "skeleton root".

For instance, by default the skeleton jail would mount the following directories from the skeleton root (/) to the jail:

    bin          -> ${_root}/bin
    sbin         -> ${_root}/sbin
    lib          -> ${_root}/lib
    libexec      -> ${_root}/libexec
    usr/bin      -> ${_root}/usr/bin
    usr/sbin     -> ${_root}/usr/sbin
    usr/include  -> ${_root}/usr/include
    usr/lib      -> ${_root}/usr/lib
    usr/libdata  -> ${_root}/usr/libdata
    usr/libexec  -> ${_root}/usr/libexec
    usr/sbin     -> ${_root}/sbin
    usr/share    -> ${_root}/share

In order to create the environment that is suitable for the skeleton jail (say, create the directory hierarchy, populate the /etc/ stuff, etc., but not the actual installworld), I have added a new target "installskel" to src/Makefile which will help the work.

There are four variables that can be set either as a system-level default or per jail:

 - _skel_enable
   Whether to raise the jail from a skeleton root. The default is NO.
 - _skel_root
   The place of the skeleton root. The default is "/".
 - _skel_romounts
   Which directories (relative to the skeleton root) should be mounted read-only to the skeleton jail. The default is shown above.
 - _skel_rwmounts
   Which directories (relative to the skeleton root) should be mounted read-write to the skeleton jail. The default is nothing, but a potentially useful option might be "/usr/ports", except for security concerns.

To try out the patch:

 - Apply the patch.
 - Do a full "make buildworld" and potentially "make installworld" so that your system is fresh.
 - Install the patched jail script into /etc/rc.d/ (e.g. this can be done with rm /etc/rc.d/jail && mergemaster -i).
 - Create a directory, i.e. "/vhosts/skeltest".
 - Do a "make installskel DESTDIR=/vhosts/skeltest".
 - Add the following stuff into /etc/rc.conf:

    jail_enable="YES"
    jail_list="skeltest"
    jail_skeltest_rootdir="/vhosts/skeltest"
    jail_skeltest_hostname="skeltest.example.com"
    jail_skeltest_ip="127.0.0.1"
    jail_skeltest_devfs_enable="YES"
    jail_skeltest_exec="/bin/sh /etc/rc"

 - Do a "/etc/rc.d/jail start skeltest" or reboot to see the jail up.

Comments?

Cheers,
-- 
Xin LI <delphij delphij net> http://www.delphij.net/

Attachment: patch-skel (text/x-patch, base64-encoded):

SW5kZXg6IE1ha2VmaWxlDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpSQ1MgZmlsZTogL2hvbWUvbmN2cy9zcmMvTWFr ZWZpbGUsdg0KcmV0cmlldmluZyByZXZpc2lvbiAxLjMyOQ0KZGlmZiAtdSAtcjEuMzI5IE1ha2Vm aWxlDQotLS0gTWFrZWZpbGUJMTEgTWF5IDIwMDYgMTg6NTQ6MTYgLTAwMDAJMS4zMjkNCisrKyBN YWtlZmlsZQkxNSBNYXkgMjAwNiAwMjowNDoxMyAtMDAwMA0KQEAgLTcxLDcgKzcxLDcgQEANCiAJ Y2xlYW4gY2xlYW5kZXBlbmQgY2xlYW5kaXIgZGVsZXRlLW9sZCBkZWxldGUtb2xkLWxpYnMgZGVw ZW5kIFwNCiAJZGlzdHJpYnV0ZSBkaXN0cmlidXRld29ybGQgZGlzdHJpYi1kaXJzIGRpc3RyaWJ1 dGlvbiBldmVyeXRoaW5nIFwNCiAJaGllcmFyY2h5IGluc3RhbGwgaW5zdGFsbGNoZWNrIGluc3Rh bGxrZXJuZWwgaW5zdGFsbGtlcm5lbC5kZWJ1Z1wNCi0JcmVpbnN0YWxsa2VybmVsIHJlaW5zdGFs bGtlcm5lbC5kZWJ1ZyBpbnN0YWxsd29ybGQgXA0KKwlyZWluc3RhbGxrZXJuZWwgcmVpbnN0YWxs a2VybmVsLmRlYnVnIGluc3RhbGxza2VsIGluc3RhbGx3b3JsZCBcDQogCWtlcm5lbC10b29sY2hh aW4gbGlicmFyaWVzIGxpbnQgbWFuaW5zdGFsbCBcDQogCW9iaiBvYmpsaW5rIHJlZ3Jlc3MgcmVy ZWxlYXNlIHNob3djb25maWcgdGFncyB0b29sY2hhaW4gdXBkYXRlIFwNCiAJX3dvcmxkdG1wIF9s ZWdhY3kgX2Jvb3RzdHJhcC10b29scyBfY2xlYW5vYmogX29iaiBcDQpAQCAtODYsNiArODYsNyBA
QA0KIC5PUkRFUjogYnVpbGR3b3JsZCBpbnN0YWxsd29ybGQNCiAuT1JERVI6IGJ1aWxkd29ybGQg ZGlzdHJpYnV0ZXdvcmxkDQogLk9SREVSOiBidWlsZHdvcmxkIGJ1aWxka2VybmVsDQorLk9SREVS OiBidWlsZHdvcmxkIGluc3RhbGxza2VsDQogLk9SREVSOiBidWlsZGtlcm5lbCBpbnN0YWxsa2Vy bmVsDQogLk9SREVSOiBidWlsZGtlcm5lbCBpbnN0YWxsa2VybmVsLmRlYnVnDQogLk9SREVSOiBi dWlsZGtlcm5lbCByZWluc3RhbGxrZXJuZWwNCkluZGV4OiBNYWtlZmlsZS5pbmMxDQo9PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09DQpSQ1MgZmlsZTogL2hvbWUvbmN2cy9zcmMvTWFrZWZpbGUuaW5jMSx2DQpyZXRyaWV2aW5n IHJldmlzaW9uIDEuNTQ2DQpkaWZmIC11IC1yMS41NDYgTWFrZWZpbGUuaW5jMQ0KLS0tIE1ha2Vm aWxlLmluYzEJMTcgTWF5IDIwMDYgMDk6MzM6MDUgLTAwMDAJMS41NDYNCisrKyBNYWtlZmlsZS5p bmMxCTE4IE1heSAyMDA2IDAzOjQ0OjIwIC0wMDAwDQpAQCAtNTQ1LDYgKzU0NSwxOCBAQA0KIAly bSAtcmYgJHtJTlNUQUxMVE1QfQ0KIA0KICMNCisjIGluc3RhbGxza2VsDQorIw0KKyMgSW5zdGFs bHMgYSBtaW5pbXVtIHNldCBvZiBmaWxlcyB0aGF0IGNhbiBzdXBwb3J0IGEgc2tlbC1qYWlsDQor Iw0KK2luc3RhbGxza2VsOg0KKwlAZWNobyAiLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0iDQorCUBlY2hvICI+Pj4gTWFraW5nIGlu c3RhbGxza2VsIg0KKwlAZWNobyAiLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0iDQorCSR7XytffWNkICR7LkNVUkRJUn07ICR7TUFL RX0gLWYgTWFrZWZpbGUuaW5jMSBoaWVyYXJjaHkNCisJJHtfK199Y2QgJHsuQ1VSRElSfS9ldGM7 ICR7TUFLRX0gZGlzdHJpYnV0aW9uDQorDQorIw0KICMgcmVpbnN0YWxsDQogIw0KICMgSWYgeW91 IGhhdmUgYSBidWlsZCBzZXJ2ZXIsIHlvdSBjYW4gTkZTIG1vdW50IHRoZSBzb3VyY2UgYW5kIG9i aiBkaXJlY3Rvcmllcw0KSW5kZXg6IGV0Yy9kZWZhdWx0cy9yYy5jb25mDQo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpS Q1MgZmlsZTogL2hvbWUvbmN2cy9zcmMvZXRjL2RlZmF1bHRzL3JjLmNvbmYsdg0KcmV0cmlldmlu ZyByZXZpc2lvbiAxLjI4NA0KZGlmZiAtdSAtcjEuMjg0IHJjLmNvbmYNCi0tLSBldGMvZGVmYXVs dHMvcmMuY29uZgkxNyBNYXkgMjAwNiAwOTozMzowNSAtMDAwMAkxLjI4NA0KKysrIGV0Yy9kZWZh dWx0cy9yYy5jb25mCTIwIE1heSAyMDA2IDA2OjQyOjM1IC0wMDAwDQpAQCAtNTU0LDYgKzU1NCwx 
MCBAQA0KICNqYWlsX2V4YW1wbGVfZGV2ZnNfcnVsZXNldD0icnVsZXNldF9uYW1lIgkjIGRldmZz IHJ1bGVzZXQgdG8gYXBwbHkgdG8gamFpbA0KICNqYWlsX2V4YW1wbGVfZnN0YWI9IiIJCQkJIyBm c3RhYig1KSBmb3IgbW91bnQvdW1vdW50DQogI2phaWxfZXhhbXBsZV9mbGFncz0iLWwgLVUgcm9v dCIJCSMgZmxhZ3MgZm9yIGphaWwoOCkNCisjamFpbF9leGFtcGxlX3NrZWxfZW5hYmxlPSJOTyIJ CQkjIFN0YXJ0IGphaWwgZnJvbSBhIHNrZWxldG9uIChpLmUuIC8pDQorI2phaWxfZXhhbXBsZV9z a2VsX3Jvb3Q9Ii8iCQkJIyBUaGUgcm9vdCBvZiB0aGUgamFpbCBza2VsZXRvbg0KKyNqYWlsX2V4 YW1wbGVfc2tlbF9yb21vdW50cz0iIgkJCSMgTW91bnQgcmVhZC1vbmx5IGNvcHkgZnJvbSB0aGUg c2tlbGV0b24gcm9vdA0KKyNqYWlsX2V4YW1wbGVfc2tlbF9yd21vdW50cz0iL3Vzci9wb3J0cyIJ IyBNb3VudCByZWFkLXdyaXRlIGNvcHkgZnJvbSB0aGUgc2tlbGV0b24gcm9vdA0KIA0KICMjIyMj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj DQogIyMjIERlZmluZSBzb3VyY2VfcmNfY29uZnMsIHRoZSBtZWNoYW5pc20gdXNlZCBieSAvZXRj L3JjLiogIyMNCkluZGV4OiBldGMvcmMuZC9qYWlsDQo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpSQ1MgZmlsZTogL2hv bWUvbmN2cy9zcmMvZXRjL3JjLmQvamFpbCx2DQpyZXRyaWV2aW5nIHJldmlzaW9uIDEuMzINCmRp ZmYgLXUgLXIxLjMyIGphaWwNCi0tLSBldGMvcmMuZC9qYWlsCTExIE1heSAyMDA2IDE0OjIzOjQz IC0wMDAwCTEuMzINCisrKyBldGMvcmMuZC9qYWlsCTIwIE1heSAyMDA2IDA2OjUzOjEwIC0wMDAw DQpAQCAtNjgsNiArNjgsMTYgQEANCiAJZXZhbCBfZmxhZ3M9XCJcJHtqYWlsXyR7X2p9X2ZsYWdz Oi0ke2phaWxfZmxhZ3N9fVwiDQogCVsgLXogIiR7X2ZsYWdzfSIgXSAmJiBfZmxhZ3M9Ii1sIC1V IHJvb3QiDQogDQorCSMgRGVmYXVsdCBzZXR0aW5ncyBmb3Igc2tlbCBqYWlsDQorCWV2YWwgX3Nr ZWxfZW5hYmxlPVwiXCR7amFpbF8ke19qfV9za2VsX2VuYWJsZTotJHtqYWlsX3NrZWxfZW5hYmxl fX1cIg0KKwlbIC16ICIke19za2VsX2VuYWJsZX0iIF0gJiYgX3NrZWxfZW5hYmxlPSJOTyINCisJ ZXZhbCBfc2tlbF9yb290PVwiXCR7amFpbF8ke19qfV9za2VsX3Jvb3Q6LSR7amFpbF9za2VsX3Jv b3R9fVwiDQorCVsgLXogIiR7X3NrZWxfcm9vdH0iIF0gJiYgX3NrZWxfcm9vdD0iLyINCisJZXZh bCBfc2tlbF9yb21vdW50cz1cIlwke2phaWxfJHtfan1fc2tlbF9yb21vdW50czotJHtqYWlsX3Nr ZWxfcm9tb3VudHN9fVwiDQorCVsgLXogIiR7X3NrZWxfcm9tb3VudHN9IiBdICYmIF9za2VsX3Jv 
bW91bnRzPSJiaW4gc2JpbiBsaWIgbGliZXhlYyB1c3IvYmluIHVzci9zYmluIHVzci9pbmNsdWRl IHVzci9saWIgdXNyL2xpYmRhdGEgdXNyL2xpYmV4ZWMgdXNyL3NiaW4gdXNyL3NoYXJlIg0KKwll dmFsIF9za2VsX3J3bW91bnRzPVwiXCR7amFpbF8ke19qfV9za2VsX3J3bW91bnRzOi17amFpbF9z a2VsX3J3bW91bnRzfX1cIg0KKwlbIC16ICIke19za2VsX3J3bW91bnRzfSIgXSAmJiBfc2tlbF9y d21vdW50cz0iIg0KKw0KIAkjIERlYnVnZ2luZyBhaWQNCiAJIw0KIAlkZWJ1ZyAiJF9qIGRldmZz IGVuYWJsZTogJF9kZXZmcyINCkBAIC04Niw2ICs5NiwxMCBAQA0KIAlkZWJ1ZyAiJF9qIGV4ZWMg c3RhcnQ6ICRfZXhlY19zdGFydCINCiAJZGVidWcgIiRfaiBleGVjIHN0b3A6ICRfZXhlY19zdG9w Ig0KIAlkZWJ1ZyAiJF9qIGZsYWdzOiAkX2ZsYWdzIg0KKwlkZWJ1ZyAiJF9qIHNrZWwgZW5hYmxl OiAkX3NrZWxfZW5hYmxlIg0KKwlkZWJ1ZyAiJF9qIHNrZWwgbW91bnQtcmVhZG9ubHk6ICRfc2tl bF9yb21vdW50cyINCisJZGVidWcgIiRfaiBza2VsIG1vdW50LXJlYWR3cml0ZTogJF9za2VsX3J3 bW91bnRzIg0KKwlkZWJ1ZyAiJF9qIHNrZWwgbW91bnQgc2tlbGV0b24gZnJvbTogJF9za2VsX3Jv b3QiDQogDQogCWlmIFsgLXogIiR7X2hvc3RuYW1lfSIgXTsgdGhlbg0KIAkJZXJyIDMgIiRuYW1l OiBObyBob3N0bmFtZSBoYXMgYmVlbiBkZWZpbmVkIGZvciAke19qfSINCkBAIC0xNTIsNiArMTY2 LDIwIEBADQogCQlbIC1mICIke19mc3RhYn0iIF0gfHwgd2FybiAiJHtfZnN0YWJ9IGRvZXMgbm90 IGV4aXN0Ig0KIAkJdW1vdW50IC1hIC1GICIke19mc3RhYn0iID4vZGV2L251bGwgMj4mMQ0KIAlm aQ0KKwlpZiBjaGVja3llc25vIF9za2VsX2VuYWJsZTsgdGhlbg0KKwkJZm9yIF9tbnRwdCBpbiAk X3NrZWxfcm9tb3VudHMNCisJCWRvDQorCQkJaWYgWyAtZCAiJHtfcm9vdGRpcn0vJHtfbW50cHR9 IiBdIDsgdGhlbg0KKwkJCQl1bW91bnQgLWYgJHtfcm9vdGRpcn0vJHtfbW50cHR9ID4gL2Rldi9u dWxsIDI+JjENCisJCQlmaQ0KKwkJZG9uZQ0KKwkJZm9yIF9tbnRwdCBpbiAkX3NrZWxfcndtb3Vu dHMNCisJCWRvDQorCQkJaWYgWyAtZCAiJHtfcm9vdGRpcn0vJHtfbW50cHR9IiBdIDsgdGhlbg0K KwkJCQl1bW91bnQgLWYgJHtfcm9vdGRpcn0vJHtfbW50cHR9ID4gL2Rldi9udWxsIDI+JjENCisJ CQlmaQ0KKwkJZG9uZQ0KKwlmaQ0KIH0NCiANCiBqYWlsX3N0YXJ0KCkNCkBAIC0xODUsNiArMjEz LDI0IEBADQogCQkJZmkNCiAJCQltb3VudCAtYSAtRiAiJHtfZnN0YWJ9Ig0KIAkJZmkNCisJCWlm IGNoZWNreWVzbm8gX3NrZWxfZW5hYmxlOyB0aGVuDQorCQkJaW5mbyAiTW91bnRpbmcgc2tlbGV0 b24gZm9yIGphaWwgJHtfamFpbH0gZnJvbSAke19za2VsX3Jvb3R9Ig0KKwkJCWZvciBfbW50cHQg 
aW4gJHtfc2tlbF9yb21vdW50c30gJHtza2VsX3J3bW91bnRzfQ0KKwkJCWRvDQorCQkJCWlmIFsg ISAtZCAiJHtfcm9vdGRpcn0vJHtfbW50cHR9IiBdIDsgdGhlbg0KKwkJCQkJZGVidWcgQ3JlYXRp bmcgbWlzc2luZyBkaXJlY3RvcnkgJHtfcm9vdGRpcn0vJHtfbW50cHR9DQorCQkJCQlta2RpciAt cCAke19yb290ZGlyfS8ke19tbnRwdH0NCisJCQkJZmkNCisJCQlkb25lDQorCQkJZm9yIF9tbnRw dCBpbiAke19za2VsX3JvbW91bnRzfQ0KKwkJCWRvDQorCQkJCW1vdW50X251bGxmcyAtb3Jkb25s eSAke19za2VsX3Jvb3R9LyR7X21udHB0fSAke19yb290ZGlyfS8ke19tbnRwdH0gPiAvZGV2L251 bGwgMj4mMQ0KKwkJCWRvbmUNCisJCQlmb3IgX21udHB0IGluICR7X3NrZWxfcndtb3VudHN9DQor CQkJZG8NCisJCQkJbW91bnRfbnVsbGZzICR7X3NrZWxfcm9vdH0vJHtfbW50cHR9ICR7X3Jvb3Rk aXJ9LyR7X21udHB0fSA+IC9kZXYvbnVsbCAyPiYxDQorCQkJZG9uZQ0KKwkJZmkNCiAJCWlmIGNo ZWNreWVzbm8gX2RldmZzOyB0aGVuDQogCQkJIyBJZiBkZXZmcyBpcyBhbHJlYWR5IG1vdW50ZWQg aGVyZSwgc2tpcCBpdC4NCiAJCQlkZiAtdCBkZXZmcyAiJHtfZGV2ZGlyfSIgPi9kZXYvbnVsbA0K

Attachment: signature.asc (application/pgp-signature), described as "This is the digital signature part of the message":

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQBEbsNchcUczkLqiksRAunoAJ9Jj/rn9m4dE5uXCaKml+DM8ieJegCfU3J2
d+NX/FgkCXlz9Oh5WD+6OFg=
=fbK7
-----END PGP SIGNATURE-----
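Review bot: the new installskel target in Makefile.inc1 (hunk @@ -545,6 +545,18 @@, decoded from the attachment) has no guard on DESTDIR, so a `make installskel` typed without `DESTDIR=...` runs `${MAKE} -f Makefile.inc1 hierarchy` and `cd ${.CURDIR}/etc; ${MAKE} distribution` against the live root and overwrites the host's /etc. The target only makes sense for a separate jail root, so fail early before the two recursive makes, for instance with `@test -n "${DESTDIR}" -a "${DESTDIR}" != "/" || { echo "installskel: DESTDIR must name the jail root"; false; }`. The comment above the target ("Installs a minimum set of files that can support a skel-jail") should also state that no binaries are installed, so nobody mistakes the result for an installworld.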
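Review bot: the commented examples added to etc/defaults/rc.conf (hunk @@ -554,6 +554,10 @@) leave the new knobs under-documented. `#jail_example_skel_romounts=""` does not say that the value is a space-separated list of paths relative to skel_root (the script's built-in default is `bin sbin lib libexec usr/bin ...`), and `#jail_example_skel_rwmounts="/usr/ports"` uses an absolute path where the read-only list uses relative ones; the script only concatenates `${_skel_root}/${_mntpt}`, so both spellings happen to work, but the examples should agree with the description in the mail. The global fallbacks the script reads (`jail_skel_enable`, `jail_skel_root`, `jail_skel_romounts`, `jail_skel_rwmounts`) appear nowhere in this file, and the patch touches no manual page (its Index: lines are Makefile, Makefile.inc1, etc/defaults/rc.conf and etc/rc.d/jail only), so rc.conf(5) needs a follow-up. The rwmounts comment should also carry the caveat the mail mentions: a read-write nullfs mount gives root inside the jail write access to that directory on the host, and with /usr/ports writable from the jail, anything the jail plants there is later built and installed as root on the host.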
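Review bot: in etc/rc.d/jail, hunk @@ -68,6 +68,16 @@, the eval for the read-write list is missing the `$` on the global fallback: `eval _skel_rwmounts=\"\${jail_${_j}_skel_rwmounts:-{jail_skel_rwmounts}}\"`, whereas the romounts line just above reads `:-${jail_skel_romounts}}`. With no per-jail value the variable receives a literal `{jail_skel_rwmounts...` string instead of the system-wide default, the next line `[ -z "${_skel_rwmounts}" ] && _skel_rwmounts=""` can never fire (it is a no-op in any case, since an empty value stays empty), and jail_start later tries to nullfs-mount `${_skel_root}/{jail_skel_rwmounts...`, which fails without a trace because that loop discards its output. The default read-only list on the line above also names `usr/sbin` twice (`... usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share`), which stacks a second nullfs mount on the first; drop the repeat. Since the default is NO, note too that the rc.conf recipe in the mail sets no jail_skeltest_skel_enable and will therefore start an ordinary jail rather than a skeleton one.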
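Review bot: the unmount loops in etc/rc.d/jail, hunk @@ -152,6 +166,20 @@, run `umount -f ${_rootdir}/${_mntpt}` on every listed directory that exists, without checking that what sits there is a nullfs mount whose source is `${_skel_root}/${_mntpt}`; the `-d` test is true for any plain directory, so a filesystem someone mounted by hand on the same path is force-unmounted along with the skeleton. Looking the path up in `mount -p` (or `df`) and unmounting only a nullfs entry from the skeleton root, and dropping `-f` unless the plain umount fails, would make this safer. The order is also reversed relative to jail_start, which mounts the fstab entries first and the skeleton afterwards: the skeleton should be torn down before `umount -a -F "${_fstab}"`, not after it.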
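Review bot: in etc/rc.d/jail, hunk @@ -185,6 +213,24 @@, the directory-creation loop iterates `${_skel_romounts} ${skel_rwmounts}`; the second name lacks its leading underscore, so mount points for the read-write list are never created and the later `mount_nullfs ${_skel_root}/${_mntpt} ${_rootdir}/${_mntpt}` fails whenever the jail root does not already contain the directory. That failure is invisible: both mount_nullfs loops end in `> /dev/null 2>&1` and never test the exit status, so a jail whose bin or lib did not get shadowed is still started on an empty directory, and a read-write directory that did not get mounted silently turns into a private copy inside the jail root. A failed skeleton mount should at least be reported, the way `mount -a -F "${_fstab}"` above reports its own errors by not discarding them, and preferably abort the start of that jail with warn. Spelling the option as `-o rdonly` rather than `-ordonly` would also read more clearly.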
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1148109661.952.26.camel>
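As an added example, not part of Xin LI's patch or of the FreeBSD rc.d scripts, the POSIX sh script below turns the four settings described in the mail into a mount plan and then verifies, from a mount table, that every expected shadow is present and that the read-only ones are really mounted `ro` before the jail is started. The function names, the /vhosts/skeltest paths and the sample mount table are constructed for this example. It performs the validation the rc.d/jail loops in the patch do not (an entry listed both read-only and read-write, a duplicate, a `..` escape from the skeleton root) and it checks the outcome instead of discarding mount errors, since a nullfs mount that failed leaves an ordinary writable directory in the jail root.

```shell
#!/bin/sh
# Added example, not part of the original patch: plan the nullfs mounts of a
# skeleton jail and verify the result from a mount table. Paths, function
# names and the sample table below are constructed for this example.

# Join a root directory and a relative entry without producing "//".
skel_join() {
    case "$1" in
        /) printf '/%s\n' "$2" ;;
        *) printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# Normalise one list entry: drop leading/trailing slashes (so "/usr/ports"
# and "usr/ports" mean the same thing), reject empty entries and any "." or
# ".." component that could point outside the skeleton root.
skel_norm() {
    _e=$(printf '%s' "$1" | sed -e 's#^/*##' -e 's#/*$##')
    case "/$_e/" in
        //|*/./*|*/../*) return 1 ;;
    esac
    printf '%s\n' "$_e"
}

# skel_plan SKELROOT JAILROOT "RO_LIST" "RW_LIST"
# Prints one mount_nullfs command per line, read-only first. Fails with a
# message on stderr and prints nothing if an entry is invalid or listed
# twice (including once read-only and once read-write).
skel_plan() {
    _skel=$1 _jail=$2 _ro=$3 _rw=$4
    _seen=' '
    for _m in $_ro $_rw; do
        _n=$(skel_norm "$_m") || { echo "skel_plan: invalid entry '$_m'" >&2; return 1; }
        case "$_seen" in
            *" $_n "*) echo "skel_plan: duplicate entry '$_n'" >&2; return 1 ;;
        esac
        _seen="$_seen$_n "
    done
    for _m in $_ro; do
        _n=$(skel_norm "$_m")
        printf 'mount_nullfs -o ro %s %s\n' "$(skel_join "$_skel" "$_n")" "$(skel_join "$_jail" "$_n")"
    done
    for _m in $_rw; do
        _n=$(skel_norm "$_m")
        printf 'mount_nullfs %s %s\n' "$(skel_join "$_skel" "$_n")" "$(skel_join "$_jail" "$_n")"
    done
}

# skel_verify SKELROOT JAILROOT "RO_LIST" "RW_LIST"  < mount-table
# Reads fstab-style lines ("fsspec fsfile fstype options dump pass", the
# format `mount -p` prints on FreeBSD) and reports every planned mount that
# is missing, is not a nullfs mount of the skeleton path, or is in the
# read-only list but mounted without "ro". Returns 0 only if all is well.
skel_verify() {
    _skel=$1 _jail=$2
    _table=$(cat)
    _bad=0
    _mode=ro
    for _list in "$3" "$4"; do
        for _m in $_list; do
            _n=$(skel_norm "$_m") || { echo "invalid entry: $_m"; _bad=1; continue; }
            _src=$(skel_join "$_skel" "$_n")
            _dst=$(skel_join "$_jail" "$_n")
            _opts=$(printf '%s\n' "$_table" |
                awk -v s="$_src" -v d="$_dst" \
                    '$1 == s && $2 == d && $3 == "nullfs" { print $4; found = 1; exit }
                     END { exit !found }') || { echo "missing: $_dst"; _bad=1; continue; }
            if [ "$_mode" = ro ]; then
                case ",$_opts," in
                    *,ro,*) ;;
                    *) echo "not read-only: $_dst ($_opts)"; _bad=1 ;;
                esac
            fi
        done
        _mode=rw
    done
    return $_bad
}

# Stand-alone demonstration on a constructed mount table in which usr/bin was
# (wrongly) shadowed read-write and sbin was not mounted at all.
skel_demo_table='/dev/ada0p2 / ufs rw 1 1
/bin /vhosts/skeltest/bin nullfs ro 0 0
/usr/bin /vhosts/skeltest/usr/bin nullfs rw 0 0
/usr/ports /vhosts/skeltest/usr/ports nullfs rw 0 0
devfs /vhosts/skeltest/dev devfs rw 0 0'

skel_plan / /vhosts/skeltest "bin sbin usr/bin" "usr/ports"
printf '%s\n' "$skel_demo_table" |
    skel_verify / /vhosts/skeltest "bin sbin usr/bin" "usr/ports" ||
    echo "skeleton for /vhosts/skeltest is incomplete; do not start the jail"
```

On a real host the verify step is fed live data, e.g. `mount -p | skel_verify / /vhosts/skeltest "$ro_list" "$rw_list"` after sourcing the file, and the jail's exec command is only run when it returns 0; the plan step is meant to be reviewed (or piped to `sh` as root) rather than run blindly, which is why it prints commands instead of executing them.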