Jails
Revision as of 06:08, 9 September 2007
A dedicated machine for each server is a costly thing. For a server that is used only occasionally, it is desirable to share one machine with other servers, but without the drawbacks of running them all in a single installation. Chrooted servers limit those drawbacks to some extent; a better way is a jail.
Creating the jail
Install cpdup ({PORTSDIR}/sysutils/cpdup)
# pkg_add -r cpdup
Alternatively, if that doesn't work, try:
# cd {PORTSDIR}/sysutils/cpdup && make install clean
Next create a template:
# mkdir /usr/jail /usr/jail/mroot
# cd /usr/src
# make installworld DESTDIR=/usr/jail/mroot
# cpdup /usr/src /usr/jail/mroot/usr/src
Then move the parts that every jail needs to write to into a skeleton directory, and replace them in the read-only template with symlinks into s/, where each jail's own writable copy of the skeleton will be mounted later:
# mkdir /usr/jail/skel /usr/jail/skel/home /usr/jail/skel/distfiles
# cd /usr/jail/mroot
# mv etc /usr/jail/skel
# mv usr/local /usr/jail/skel/usr-local
# mv tmp /usr/jail/skel
# mv var /usr/jail/skel
# mv root /usr/jail/skel
# mergemaster -t /usr/jail/skel/var/tmp/temproot -D /usr/jail/skel -i
# cd /usr/jail/skel
# rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev
# cd /usr/jail/mroot
# mkdir usr/ports
# mkdir s
# ln -s s/etc etc
# ln -s s/home home
# ln -s s/root root
# ln -s ../s/usr-local usr/local
# ln -s ../s/usr-local usr/X11R6
# ln -s ../../s/distfiles usr/ports/distfiles
# ln -s s/tmp tmp
# ln -s s/var var
Edit /etc/rc.conf:
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="{server1} {server2}"
jail_devfs_enable="YES"
See man 5 rc.conf for more jail settings. If you would like some standard configuration settings for (almost) all jails, modify the files in /usr/jail/skel (e.g. /etc/resolv.conf). In /etc/rc.conf set
rpcbind_enable="NO"
Create a jail skeleton
# mkdir /usr/jails
For every server:
- Edit /etc/fstab on your host system:
/usr/jail/mroot /usr/jail/{server} nullfs ro 0 0
/usr/jails/{server} /usr/jail/{server}/s nullfs rw 0 0
- Create the mount point and the jail's writable copy of the skeleton:
# mkdir /usr/jail/{server}
# cpdup /usr/jail/skel /usr/jails/{server}
- Edit /etc/rc.conf:
jail_{server}_hostname="server.example.org"
jail_{server}_ip="192.168.x.x"
jail_{server}_rootdir="/usr/jail/{server}"
Finally mount the jails and start them:
# mount -a
# /etc/rc.d/jail start
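The per-server steps above are the same for every jail, and the jail name is spliced into rc.conf variable names and into paths, so it is worth generating the fragments rather than typing them. The following POSIX sh helper is an added example, not part of the original wiki page: it prints the two fstab lines and the three rc.conf lines for one jail, after checking that the name, hostname and IPv4 address are well formed. The directory layout follows the page (/usr/jail/mroot read-only, /usr/jails/{server} writable and mounted on /usr/jail/{server}/s); the variable names MROOT, JAILDIR and SKELDIR and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: generate the /etc/fstab
# and /etc/rc.conf fragments for one jail in the layout described above.
# MROOT, JAILDIR and SKELDIR are this example's assumptions; override them
# in the environment if your layout differs. Output goes to stdout so it
# can be reviewed before being appended to the real files.

MROOT="${MROOT:-/usr/jail/mroot}"   # shared read-only template
JAILDIR="${JAILDIR:-/usr/jail}"     # per-jail mount points: /usr/jail/<name>
SKELDIR="${SKELDIR:-/usr/jails}"    # per-jail writable copies of the skeleton

# Jail names become part of rc.conf variable names (jail_<name>_ip) and of
# paths, so allow only letters, digits and underscore.
valid_jail_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Hostnames: letters, digits, dots and hyphens only.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Plain dotted-quad IPv4: exactly four octets, each 0..255, no stray dots.
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*[!0-9.]*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Two fstab lines: the template mounted read-only on the jail root, and the
# jail's own writable skeleton copy mounted on <root>/s.
jail_fstab_entries() {
    valid_jail_name "$1" || { echo "invalid jail name: $1" >&2; return 1; }
    printf '%s %s/%s nullfs ro 0 0\n' "$MROOT" "$JAILDIR" "$1"
    printf '%s/%s %s/%s/s nullfs rw 0 0\n' "$SKELDIR" "$1" "$JAILDIR" "$1"
}

# rc.conf variables for one jail: arguments are name, hostname, IPv4 address.
jail_rc_entries() {
    valid_jail_name "$1" || { echo "invalid jail name: $1" >&2; return 1; }
    valid_hostname "$2"  || { echo "invalid hostname: $2" >&2; return 1; }
    valid_ipv4 "$3"      || { echo "invalid IPv4 address: $3" >&2; return 1; }
    printf 'jail_%s_hostname="%s"\n' "$1" "$2"
    printf 'jail_%s_ip="%s"\n' "$1" "$3"
    printf 'jail_%s_rootdir="%s/%s"\n' "$1" "$JAILDIR" "$1"
}

# Usage: sh jailgen.sh <name> <hostname> <ipv4>
#   e.g. sh jailgen.sh www www.example.org 192.168.1.10   (constructed values)
# Prints both fragments; nothing is run when no arguments are given.
if [ $# -eq 3 ]; then
    echo "# /etc/fstab"
    jail_fstab_entries "$1" || exit 1
    echo "# /etc/rc.conf (also add $1 to jail_list)"
    jail_rc_entries "$1" "$2" "$3" || exit 1
fi
```

After appending the printed lines (and adding the name to jail_list), the mkdir and cpdup steps, mount -a and /etc/rc.d/jail start are run exactly as described above; the script deliberately does not touch /etc itself.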
They should be running now; list them with:
jls
To get a shell inside a jail, use the JID shown by jls:
jexec {JID} tcsh
One often creates a separate build jail in which the packages for the other jails are built, which keeps the other jails free of build "pollution". The packages for each jail can then be installed into it.
For more information see:
man 8 jail