diff options
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/jails/chapter.xml')
| -rw-r--r-- | en_US.ISO8859-1/books/handbook/jails/chapter.xml | 155 |
1 files changed, 70 insertions, 85 deletions
diff --git a/en_US.ISO8859-1/books/handbook/jails/chapter.xml b/en_US.ISO8859-1/books/handbook/jails/chapter.xml index 06e09b74c9..39f803f448 100644 --- a/en_US.ISO8859-1/books/handbook/jails/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/jails/chapter.xml @@ -4,22 +4,18 @@ $FreeBSD$ --> -<chapter id="jails"> - <chapterinfo> +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="jails"> + <info><title>Jails</title> <authorgroup> - <author> - <firstname>Matteo</firstname> - <surname>Riondato</surname> - <contrib>Contributed by </contrib> - </author> + <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed by </contrib></author> </authorgroup> - </chapterinfo> + </info> - <title>Jails</title> + <indexterm><primary>jails</primary></indexterm> - <sect1 id="jails-synopsis"> + <sect1 xml:id="jails-synopsis"> <title>Synopsis</title> <para>This chapter will provide an explanation of what &os; jails @@ -84,7 +80,7 @@ </itemizedlist> </sect1> - <sect1 id="jails-terms"> + <sect1 xml:id="jails-terms"> <title>Terms Related to Jails</title> <para>To facilitate better understanding of parts of the &os; @@ -145,7 +141,7 @@ </variablelist> </sect1> - <sect1 id="jails-intro"> + <sect1 xml:id="jails-intro"> <title>Introduction</title> <para>Since system administration is a difficult and perplexing @@ -164,7 +160,7 @@ subsystem. Their development still goes on, enhancing their usefulness, performance, reliability, and security.</para> - <sect2 id="jails-what"> + <sect2 xml:id="jails-what"> <title>What is a Jail</title> <para>BSD-like operating systems have had &man.chroot.2; since @@ -236,21 +232,21 @@ </itemizedlist> <para>Apart from these, jails can have their own set of users - and their own <username>root</username> user. Naturally, the - powers of the <username>root</username> user are limited + and their own <systemitem class="username">root</systemitem> user. Naturally, the + powers of the <systemitem class="username">root</systemitem> user are limited within the jail environment and, from the point of view of the - host system, the jail <username>root</username> user is not an - omnipotent user. In addition, the <username>root</username> + host system, the jail <systemitem class="username">root</systemitem> user is not an + omnipotent user. In addition, the <systemitem class="username">root</systemitem> user of a jail is not allowed to perform critical operations to the system outside of the associated &man.jail.8; environment. More information about capabilities and - restrictions of the <username>root</username> user will be + restrictions of the <systemitem class="username">root</systemitem> user will be discussed in <xref linkend="jails-tuning"/> below.</para> </sect2> </sect1> - <sect1 id="jails-build"> + <sect1 xml:id="jails-build"> <title>Creating and Controlling Jails</title> <para>Some administrators divide jails into the following two @@ -261,24 +257,23 @@ is not affected by it. The &man.jail.8; manual page is quite clear about the procedure for building a jail:</para> - <screen>&prompt.root; <userinput>setenv D <replaceable>/here/is/the/jail</replaceable></userinput> -&prompt.root; <userinput>mkdir -p $D</userinput> <co id="jailpath"/> + <screen>&prompt.root; <userinput>setenv D /here/is/the/jail</userinput> +&prompt.root; <userinput>mkdir -p $D</userinput> <co xml:id="jailpath"/> &prompt.root; <userinput>cd /usr/src</userinput> -&prompt.root; <userinput>make buildworld</userinput> <co id="jailbuildworld"/> -&prompt.root; <userinput>make installworld DESTDIR=$D</userinput> <co id="jailinstallworld"/> -&prompt.root; <userinput>make distribution DESTDIR=$D</userinput> <co id="jaildistrib"/> -&prompt.root; <userinput>mount -t devfs devfs $D/dev</userinput> <co id="jaildevfs"/></screen> +&prompt.root; <userinput>make buildworld</userinput> <co xml:id="jailbuildworld"/> +&prompt.root; <userinput>make installworld DESTDIR=$D</userinput> <co xml:id="jailinstallworld"/> +&prompt.root; <userinput>make distribution DESTDIR=$D</userinput> <co xml:id="jaildistrib"/> +&prompt.root; <userinput>mount -t devfs devfs $D/dev</userinput> <co xml:id="jaildevfs"/></screen> <calloutlist> <callout arearefs="jailpath"> <para>Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be - <filename - class="directory">/usr/jail/<replaceable>jailname</replaceable></filename>, + <filename>/usr/jail/jailname</filename>, where <replaceable>jailname</replaceable> is the hostname identifying the jail. The - <filename class="directory">/usr/</filename> file system + <filename>/usr/</filename> file system usually has enough space for the jail file system, which for <quote>complete</quote> jails is, essentially, a replication of every file present in a default installation of the &os; @@ -300,14 +295,14 @@ </callout> <callout arearefs="jaildistrib"> - <para>The <maketarget>distribution</maketarget> target for + <para>The <buildtarget>distribution</buildtarget> target for <application>make</application> installs every needed configuration file. In simple words, it installs every installable file of - <filename class="directory">/usr/src/etc/</filename> to the - <filename class="directory">/etc</filename> directory of the + <filename>/usr/src/etc/</filename> to the + <filename>/etc</filename> directory of the jail environment: - <filename class="directory">$D/etc/</filename>.</para> + <filename>$D/etc/</filename>.</para> </callout> <callout arearefs="jaildevfs"> @@ -385,8 +380,8 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep start or stop a jail by hand, if an entry for it exists in <filename>rc.conf</filename>:</para> - <screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput> -&prompt.root; <userinput>service jail stop <replaceable>www</replaceable></userinput></screen> + <screen>&prompt.root; <userinput>service jail start www</userinput> +&prompt.root; <userinput>service jail stop www</userinput></screen> <para>A clean way to shut down a &man.jail.8; is not available at the moment. This is because commands normally used to @@ -401,7 +396,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep manual page.</para> </sect1> - <sect1 id="jails-tuning"> + <sect1 xml:id="jails-tuning"> <title>Fine Tuning and Administration</title> <para>There are several options which can be set for any jail, and @@ -424,7 +419,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep </listitem> </itemizedlist> - <sect2 id="jails-tuning-utilities"> + <sect2 xml:id="jails-tuning-utilities"> <title>System Tools for Jail Tuning in &os;</title> <para>Fine tuning of a jail's configuration is mostly done by @@ -476,11 +471,11 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep <para>These variables can be used by the system administrator of the <emphasis>host system</emphasis> to add or remove some of the limitations imposed by default on the - <username>root</username> user. Note that there are some + <systemitem class="username">root</systemitem> user. Note that there are some limitations which cannot be removed. The - <username>root</username> user is not allowed to mount or + <systemitem class="username">root</systemitem> user is not allowed to mount or unmount file systems from within a &man.jail.8;. The - <username>root</username> inside a jail may not load or unload + <systemitem class="username">root</systemitem> inside a jail may not load or unload &man.devfs.8; rulesets, set firewall rules, or do many other administrative tasks which require modifications of in-kernel data, such as setting the <varname>securelevel</varname> of @@ -503,49 +498,43 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep <para>Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful - when the <username>root</username> user wants to cleanly + when the <systemitem class="username">root</systemitem> user wants to cleanly shut down a jail. The &man.jexec.8; utility can also be used to start a shell in a jail to do administration in it; for example:</para> - <screen>&prompt.root; <userinput>jexec <replaceable>1</replaceable> tcsh</userinput></screen> + <screen>&prompt.root; <userinput>jexec 1 tcsh</userinput></screen> </listitem> </itemizedlist> </sect2> - <sect2 id="jails-tuning-admintools"> + <sect2 xml:id="jails-tuning-admintools"> <title>High-Level Administrative Tools in the &os; Ports Collection</title> <para>Among the many third-party utilities for jail administration, one of the most complete and useful is - <filename role="package">sysutils/jailutils</filename>. It is + <package>sysutils/jailutils</package>. It is a set of small applications that contribute to &man.jail.8; management. Please refer to its web page for more information.</para> </sect2> </sect1> - <sect1 id="jails-application"> + <sect1 xml:id="jails-application"> <title>Application of Jails</title> - <sect2 id="jails-service-jails"> - <sect2info> + <sect2 xml:id="jails-service-jails"> + <info><title>Service Jails</title> <authorgroup> - <author> - <firstname>Daniel</firstname> - <surname>Gerzo</surname> - <contrib>Contributed by </contrib> - <!-- 15. May 2007 --> - </author> + <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed by </contrib></author> </authorgroup> - </sect2info> + </info> - <title>Service Jails</title> + <para>This section is based upon an idea originally presented by - &a.simon.email; at <ulink - url="http://simon.nitro.dk/service-jails.html"></ulink>, and + &a.simon.email; at <uri xlink:href="http://simon.nitro.dk/service-jails.html">http://simon.nitro.dk/service-jails.html</uri>, and an updated article written by Ken Tom <email>locals@gmail.com</email>. This section illustrates how to set up a &os; system that adds an additional layer of @@ -554,7 +543,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep information provided earlier in this chapter has been well understood.</para> - <sect3 id="jails-service-jails-design"> + <sect3 xml:id="jails-service-jails-design"> <title>Design</title> <para>One of the major problems with jails is the management @@ -570,7 +559,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep usage of its features. If the presented steps below look too complicated, it is advised to take a look at a simpler system such as - <filename role="package">sysutils/ezjail</filename>, which + <package>sysutils/ezjail</package>, which provides an easier method of administering &os; jails and is not as sophisticated as this setup.</para> </warning> @@ -641,45 +630,43 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep <itemizedlist> <listitem> <para>Each jail will be mounted under the - <filename class="directory">/home/j</filename> + <filename>/home/j</filename> directory.</para> </listitem> <listitem> - <para><filename class="directory">/home/j/mroot</filename> + <para><filename>/home/j/mroot</filename> is the template for each jail and the read-only partition for all of the jails.</para> </listitem> <listitem> <para>A blank directory will be created for each jail - under the <filename class="directory">/home/j</filename> + under the <filename>/home/j</filename> directory.</para> </listitem> <listitem> <para>Each jail will have a - <filename class="directory">/s</filename> directory, + <filename>/s</filename> directory, that will be linked to the read-write portion of the system.</para> </listitem> <listitem> <para>Each jail shall have its own read-write system that - is based upon <filename - class="directory">/home/j/skel</filename>.</para> + is based upon <filename>/home/j/skel</filename>.</para> </listitem> <listitem> <para>Each jailspace (read-write portion of each jail) - shall be created in <filename - class="directory">/home/js</filename>.</para> + shall be created in <filename>/home/js</filename>.</para> </listitem> </itemizedlist> <note> <para>This assumes that the jails are based under the - <filename class="directory">/home</filename> partition. + <filename>/home</filename> partition. This can, of course, be changed to anything else, but this change will have to be reflected in each of the examples below.</para> @@ -687,7 +674,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep <!-- Insert an image or drawing here to illustrate the example. --> </sect3> - <sect3 id="jails-service-jails-template"> + <sect3 xml:id="jails-service-jails-template"> <title>Creating the Template</title> <para>This section will describe the steps needed to create @@ -696,16 +683,15 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep <para>It is always a good idea to update the &os; system to the latest -RELEASE branch. Check the corresponding - Handbook <ulink - url="&url.books.handbook;/makeworld.html">Chapter</ulink> + Handbook <link xlink:href="&url.books.handbook;/makeworld.html">Chapter</link> to accomplish this task. In the case the update is not feasible, the buildworld will be required in order to be able to proceed. Additionally, the - <filename role="package">sysutils/cpdup</filename> package + <package>sysutils/cpdup</package> package will be required. We will use the &man.portsnap.8; utility to download the &os; Ports Collection. The Handbook - <ulink url="&url.books.handbook;/portsnap.html">Portsnap - Chapter</ulink> is always good reading for + <link xlink:href="&url.books.handbook;/portsnap.html">Portsnap + Chapter</link> is always good reading for newcomers.</para> <procedure> @@ -759,7 +745,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep <para>Now, symlink the read-write file system to the read-only file system. Please make sure that the symlinks are created in the correct - <filename class="directory">s/</filename> locations. + <filename>s/</filename> locations. Real directories or the creation of directories in the wrong locations will cause the installation to fail.</para> @@ -793,7 +779,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep </procedure> </sect3> - <sect3 id="jails-service-jails-creating"> + <sect3 xml:id="jails-service-jails-creating"> <title>Creating Jails</title> <para>Now that we have a complete &os; jail template, we can @@ -855,13 +841,13 @@ jail_www_devfs_enable="YES"</programlisting> <para>The reason why the <varname>jail_<replaceable>name</replaceable>_rootdir</varname> variable is set to - <filename class="directory">/usr/home</filename> + <filename>/usr/home</filename> instead of - <filename class="directory">/home</filename> is that + <filename>/home</filename> is that the physical path of the - <filename class="directory">/home</filename> directory + <filename>/home</filename> directory on a default &os; installation is - <filename class="directory">/usr/home</filename>. The + <filename>/usr/home</filename>. The <varname>jail_<replaceable>name</replaceable>_rootdir</varname> variable must <emphasis>not</emphasis> be set to a path which includes a symbolic link, otherwise the @@ -882,7 +868,7 @@ jail_www_devfs_enable="YES"</programlisting> <step> <para>Install the read-write template into each jail. Note the use of - <filename role="package">sysutils/cpdup</filename>, + <package>sysutils/cpdup</package>, which helps to ensure that a correct copy is done of each directory:</para> <!-- keramida: Why is cpdup required here? Doesn't cpio(1) @@ -927,7 +913,7 @@ jail_www_devfs_enable="YES"</programlisting> <screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen> </sect3> - <sect3 id="jails-service-jails-upgrading"> + <sect3 xml:id="jails-service-jails-upgrading"> <title>Upgrading</title> <para>In time, there will be a need to upgrade the system to a @@ -944,8 +930,7 @@ jail_www_devfs_enable="YES"</programlisting> <step> <para>The first step is to upgrade the host system in the usual manner. Then create a new temporary read-only - template in <filename - class="directory">/home/j/mroot2</filename>.</para> + template in <filename>/home/j/mroot2</filename>.</para> <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput> &prompt.root; <userinput>cd /usr/src</userinput> @@ -954,7 +939,7 @@ jail_www_devfs_enable="YES"</programlisting> &prompt.root; <userinput>cpdup /usr/src usr/src</userinput> &prompt.root; <userinput>mkdir s</userinput></screen> - <para>The <maketarget>installworld</maketarget> run + <para>The <buildtarget>installworld</buildtarget> run creates a few unnecessary directories, which should be removed:</para> @@ -997,7 +982,7 @@ jail_www_devfs_enable="YES"</programlisting> <note> <para>The read-write systems are attached to the read-only system - (<filename class="directory">/s</filename>) and must + (<filename>/s</filename>) and must be unmounted first.</para> </note> </step> |