From: Dru Lavigne
Date: Thu, 10 Apr 2014 16:39:24 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44518 - head/en_US.ISO8859-1/books/handbook/jails

Author: dru
Date: Thu Apr 10 16:39:24 2014
New Revision: 44518
URL: http://svnweb.freebsd.org/changeset/doc/44518

Log:
  White space fix only. Translators can ignore.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/jails/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Thu Apr 10 15:07:29 2014 (r44517)
+++ head/en_US.ISO8859-1/books/handbook/jails/chapter.xml Thu Apr 10 16:39:24 2014 (r44518)
@@ -5,97 +5,91 @@ $FreeBSD$ --> - Jails + + Jails + - MatteoRiondatoContributed by + MatteoRiondatoContributed + by - - jails Synopsis - Since system administration is a difficult - task, many tools have been developed to make life easier for - the administrator. These tools often enhance - the way systems are installed, configured, and - maintained. One of the tools which can be used to enhance the security - of a &os; system is jails. Jails have - been available since &os; 4.X and continue to be - enhanced in their - usefulness, performance, reliability, and security. - - Jails build upon the &man.chroot.2; concept, which is used to - change the root directory of a set of processes, creating a - safe environment, separate from the rest of the system. - Processes created in the chrooted environment can not access - files or resources outside of it. For that reason, - compromising a service running in a chrooted environment - should not allow the attacker to compromise the entire system. - However, a chroot has several limitations. It is suited to easy tasks which do not - require much flexibility or complex, advanced features. Over time - many ways have - been found to escape from a chrooted environment, making it - a less than ideal solution for - securing services. - - Jails improve on the concept of the traditional - chroot environment in several ways. In a traditional - chroot environment, processes are only limited in the - part of the file system they can access. The rest of the - system resources, system users, running - processes, and the networking subsystem are shared by the - chrooted processes and the processes of the host system. - Jails expand this model by virtualizing access to the - file system, the set of users, and the networking - subsystem. More - fine-grained controls are available for tuning the - access of a jailed environment. 
+ Since system administration is a difficult task, many tools + have been developed to make life easier for the administrator. + These tools often enhance the way systems are installed, + configured, and maintained. One of the tools which can be used + to enhance the security of a &os; system is + jails. Jails have been available since + &os; 4.X and continue to be enhanced in their usefulness, + performance, reliability, and security. + + Jails build upon the &man.chroot.2; concept, which is used + to change the root directory of a set of processes, creating a + safe environment, separate from the rest of the system. + Processes created in the chrooted environment can not access + files or resources outside of it. For that reason, compromising + a service running in a chrooted environment should not allow the + attacker to compromise the entire system. However, a chroot has + several limitations. It is suited to easy tasks which do not + require much flexibility or complex, advanced features. Over + time many ways have been found to escape from a chrooted + environment, making it a less than ideal solution for securing + services. + + Jails improve on the concept of the traditional chroot + environment in several ways. In a traditional chroot + environment, processes are only limited in the part of the file + system they can access. The rest of the system resources, + system users, running processes, and the networking subsystem + are shared by the chrooted processes and the processes of the + host system. Jails expand this model by virtualizing access to + the file system, the set of users, and the networking subsystem. + More fine-grained controls are available for tuning the access + of a jailed environment. - A jail is characterized by four elements: + A jail is characterized by four elements: - - - A directory subtree: the starting point from - which a jail is entered. Once inside the jail, a process - is not permitted to escape outside of this subtree. 
- + + + A directory subtree: the starting point from which a + jail is entered. Once inside the jail, a process is not + permitted to escape outside of this subtree. + - - A hostname: which will be used - by the jail. - + + A hostname: which will be used by the jail. + - - An IP address: which is - assigned to the jail. The IP address of a jail is - often an alias address for an existing network - interface. - + + An IP address: which is assigned to + the jail. The IP address of a jail is + often an alias address for an existing network + interface. + - - A command: the path name of an executable to - run inside the jail. The path is relative to the - root directory of the jail environment. - - + + A command: the path name of an executable to run inside + the jail. The path is relative to the root directory of the + jail environment. + + - Jails have their own set of users - and their own root account which - are limited - to the jail environment. - The root - account of a jail is not allowed to perform operations - to the system outside of the associated jail - environment. - - This chapter provides an overview of jail terminology - are how to use &os; jails. Jails are a powerful - tool for system administrators, but their basic usage can also - be useful for advanced users. + Jails have their own set of users and their own root account which are limited + to the jail environment. The root account of a jail is not + allowed to perform operations to the system outside of the + associated jail environment. + + This chapter provides an overview of jail terminology are + how to use &os; jails. Jails are a powerful tool for system + administrators, but their basic usage can also be useful for + advanced users. After reading this chapter, you will know: 
@@ -110,25 +104,24 @@ - The basics of jail administration, both from inside - and outside the jail. + The basics of jail administration, both from inside and + outside the jail. Jails are a powerful tool, but they are not a security - panacea. While it - is not possible for a jailed process to break out on its own, - there are several ways in which an unprivileged user outside - the jail can cooperate with a privileged user inside the jail - to obtain elevated privileges in the host - environment. + panacea. While it is not possible for a jailed process to + break out on its own, there are several ways in which an + unprivileged user outside the jail can cooperate with a + privileged user inside the jail to obtain elevated privileges + in the host environment. Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the - host environment. As a general rule, untrusted - users with privileged access to a jail should not be given - access to the host environment. + host environment. As a general rule, untrusted users with + privileged access to a jail should not be given access to the + host environment. @@ -268,8 +261,8 @@ Once a jail is installed, it can be started by using the &man.jail.8; utility. The &man.jail.8; utility takes four - mandatory arguments which are described in the - . Other arguments may be specified + mandatory arguments which are described in the . Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The argument @@ -324,8 +317,8 @@ jail_www_devf - &man.service.8; can be used to - start or stop a jail by hand, if an entry for it exists in + &man.service.8; can be used to start or stop a jail by hand, + if an entry for it exists in rc.conf: &prompt.root; service jail start www 
@@ -418,16 +411,17 @@ jail_www_devf These variables can be used by the system administrator of the host system to add or remove some of - the limitations imposed by default on the - root user. Note that there are some - limitations which cannot be removed. The - root user is not allowed to mount or - unmount file systems from within a &man.jail.8;. The - root inside a jail may not load or unload - &man.devfs.8; rulesets, set firewall rules, or do many other - administrative tasks which require modifications of in-kernel - data, such as setting the securelevel of - the kernel. + the limitations imposed by default on the root user. Note that there + are some limitations which cannot be removed. The + root user is not + allowed to mount or unmount file systems from within a + &man.jail.8;. The root inside a jail may not + load or unload &man.devfs.8; rulesets, set firewall rules, or + do many other administrative tasks which require modifications + of in-kernel data, such as setting the + securelevel of the kernel. The base system of &os; contains a basic set of tools for viewing information about the active jails, and attaching to a @@ -446,10 +440,10 @@ jail_www_devf Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful - when the root user wants to cleanly - shut down a jail. The &man.jexec.8; utility can also be - used to start a shell in a jail to do administration in - it; for example: + when the root + user wants to cleanly shut down a jail. The &man.jexec.8; + utility can also be used to start a shell in a jail to do + administration in it; for example: &prompt.root; jexec 1 tcsh 
@@ -462,10 +456,9 @@ jail_www_devf Among the many third-party utilities for jail administration, one of the most complete and useful is - sysutils/jailutils. It is - a set of small applications that contribute to &man.jail.8; - management. Please refer to its web page for more - information. + sysutils/jailutils. It is a set of small + applications that contribute to &man.jail.8; management. + Please refer to its web page for more information. @@ -474,7 +467,8 @@ jail_www_devf Updating Multiple Jails - DanielGerzoContributed by + DanielGerzoContributed + by 
@@ -496,191 +490,176 @@ jail_www_devf - The management of multiple jails can become - problematic - because every jail has to be rebuilt from scratch whenever - it is upgraded. This can be - time consuming and tedious if a lot of jails are - created and manually updated. - - This section demonstrates one method to resolve this issue by - safely sharing as much as is possible between jails - using read-only &man.mount.nullfs.8; mounts, so that - updating is simpler. This makes it more attractive to put single services, - such as HTTP, DNS, - and SMTP, into - individual jails. Additionally, - it provides a simple way to add, remove, and - upgrade jails. + The management of multiple jails can become problematic + because every jail has to be rebuilt from scratch whenever it is + upgraded. This can be time consuming and tedious if a lot of + jails are created and manually updated. + + This section demonstrates one method to resolve this issue + by safely sharing as much as is possible between jails using + read-only &man.mount.nullfs.8; mounts, so that updating is + simpler. This makes it more attractive to put single services, + such as HTTP, DNS, and + SMTP, into individual jails. Additionally, + it provides a simple way to add, remove, and upgrade + jails. + + + Simpler solutions exist, such as + sysutils/ezjail, which provides an easier + method of administering &os; jails and is not as sophisticated + as this setup. + - - Simpler solutions exist, - such as - sysutils/ezjail, which - provides an easier method of administering &os; jails and - is not as sophisticated as this setup. - + The goals of the setup described in this section are: + + + + Create a simple and easy to understand jail structure + that does not require running a full installworld on each + and every jail. + + + + Make it easy to add new jails or remove existing + ones. + + + + Make it easy to update or upgrade existing jails. + + + + Make it possible to run a customized &os; branch. 
+ - The goals of the setup described in this section - are: + + Be paranoid about security, reducing as much as + possible the possibility of compromise. + + + + Save space and inodes, as much as possible. + + + + This design relies on a single, read-only master template + which is mounted into each jail and one read-write device per + jail. A device can be a separate physical disc, a partition, or + a vnode backed memory device. This example uses read-write + nullfs mounts. - - - Create a simple and easy to understand jail - structure that does not require - running a full installworld on each and every - jail. - - - - Make it easy to add new jails or remove existing - ones. - - - - Make it easy to update or upgrade existing - jails. - - - - Make it possible to run a customized &os; - branch. - - - - Be paranoid about security, reducing as much as - possible the possibility of compromise. - - - - Save space and inodes, as much as possible. - - - - This design relies - on a single, read-only master template which is - mounted into each jail and one read-write device per jail. - A device can be a separate physical disc, a partition, or a - vnode backed memory device. This example - uses read-write nullfs - mounts. - - The file system layout is as follows: - - - - The jails are based under the - /home partition. - - - - Each jail will be mounted under the - /home/j - directory. - - - - The template for each jail and the read-only - partition for all of the jails is /home/j/mroot. - - - - A blank directory will be created for each jail - under the /home/j - directory. - - - - Each jail will have a - /s directory - that will be linked to the read-write portion of the - system. - - - - Each jail will have its own read-write system that - is based upon /home/j/skel. - - - - The read-write portion of each jail - will be created in /home/js. - - + The file system layout is as follows: + + + + The jails are based under the + /home partition. 
+ + + + Each jail will be mounted under the + /home/j directory. + + + + The template for each jail and the read-only partition + for all of the jails is + /home/j/mroot. + + + + A blank directory will be created for each jail under + the /home/j directory. + + + + Each jail will have a /s directory + that will be linked to the read-write portion of the + system. + + + + Each jail will have its own read-write system that is + based upon /home/j/skel. + + + + The read-write portion of each jail will be created in + /home/js. + + - - Creating the Template + + Creating the Template - This section describes the steps needed to create - the master template. + This section describes the steps needed to create the + master template. - It is recommended to first update the host &os; system to - the latest -RELEASE branch using the instructions in - . - Additionally, this template uses the - sysutils/cpdup package or port - and portsnap - will be used to download the &os; Ports Collection. - - - - First, create a directory structure for the - read-only file system which will contain the &os; - binaries for the jails. Then, change directory to the - &os; source tree and install the read-only file system - to the jail template: + It is recommended to first update the host &os; system to + the latest -RELEASE branch using the instructions in . Additionally, this template uses the + sysutils/cpdup package or port and + portsnap will be used to download + the &os; Ports Collection. + + + + First, create a directory structure for the read-only + file system which will contain the &os; binaries for the + jails. 
Then, change directory to the &os; source tree and + install the read-only file system to the jail + template: - &prompt.root; mkdir /home/j /home/j/mroot + &prompt.root; mkdir /home/j /home/j/mroot &prompt.root; cd /usr/src &prompt.root; make installworld DESTDIR=/home/j/mroot - + - - Next, prepare a &os; Ports Collection for the jails - as well as a &os; source tree, which is required for - mergemaster: + + Next, prepare a &os; Ports Collection for the jails as + well as a &os; source tree, which is required for + mergemaster: - &prompt.root; cd /home/j/mroot + &prompt.root; cd /home/j/mroot &prompt.root; mkdir usr/ports &prompt.root; portsnap -p /home/j/mroot/usr/ports fetch extract &prompt.root; cpdup /usr/src /home/j/mroot/usr/src - + - - Create a skeleton for the read-write portion of the - system: + + Create a skeleton for the read-write portion of the + system: - &prompt.root; mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles + &prompt.root; mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles &prompt.root; mv etc /home/j/skel &prompt.root; mv usr/local /home/j/skel/usr-local &prompt.root; mv tmp /home/j/skel &prompt.root; mv var /home/j/skel &prompt.root; mv root /home/j/skel - + - - Use mergemaster to - install missing configuration files. Then, remove the - the extra directories that - mergemaster creates: + + Use mergemaster to install + missing configuration files. Then, remove the the extra + directories that mergemaster + creates: - &prompt.root; mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i + &prompt.root; mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i &prompt.root; cd /home/j/skel &prompt.root; rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev - + - - Now, symlink the read-write file system to the - read-only file system. 
Ensure that the - symlinks are created in the correct - s/ locations as - the creation of directories in the - wrong locations will cause the installation to - fail. + + Now, symlink the read-write file system to the + read-only file system. Ensure that the symlinks are + created in the correct s/ locations + as the creation of directories in the wrong locations will + cause the installation to fail. - &prompt.root; cd /home/j/mroot + &prompt.root; cd /home/j/mroot &prompt.root; mkdir s &prompt.root; ln -s s/etc etc &prompt.root; ln -s s/home home 
@@ -690,61 +669,59 @@ jail_www_devf &prompt.root; ln -s s/distfiles usr/ports/distfiles &prompt.root; ln -s s/tmp tmp &prompt.root; ln -s s/var var - + + + + As a last step, create a generic + /home/j/skel/etc/make.conf containing + this line: + + WRKDIRPREFIX?= /s/portbuild + + This makes it possible to compile &os; ports inside + each jail. Remember that the ports directory is part of + the read-only system. The custom path for + WRKDIRPREFIX allows builds to be done + in the read-write portion of every jail. + + + + + + Creating Jails - - As a last step, create a generic - /home/j/skel/etc/make.conf containing - this line: - - WRKDIRPREFIX?= /s/portbuild - - This - makes it possible to compile &os; ports inside - each jail. Remember that the ports directory is part of - the read-only system. The custom path for - WRKDIRPREFIX allows builds to be done - in the read-write portion of every jail. - - - - - - Creating Jails - - The jail template can now be used to - setup and configure the jails in - /etc/rc.conf. This example - demonstrates the creation of 3 jails: NS, - MAIL and WWW. - - - - Add the following lines to - /etc/fstab, so that the - read-only template for the jails and the read-write - space will be available in the respective jails: + The jail template can now be used to setup and configure + the jails in /etc/rc.conf. This example + demonstrates the creation of 3 jails: NS, + MAIL and WWW. 
+ + + + Add the following lines to + /etc/fstab, so that the read-only + template for the jails and the read-write space will be + available in the respective jails: - /home/j/mroot /home/j/ns nullfs ro 0 0 + /home/j/mroot /home/j/ns nullfs ro 0 0 /home/j/mroot /home/j/mail nullfs ro 0 0 /home/j/mroot /home/j/www nullfs ro 0 0 /home/js/ns /home/j/ns/s nullfs rw 0 0 /home/js/mail /home/j/mail/s nullfs rw 0 0 /home/js/www /home/j/www/s nullfs rw 0 0 - To prevent - fsck from checking - nullfs mounts during boot and - dump from backing up the - read-only nullfs mounts of the jails, the last two - columns are both set to 0. - - - - Configure the jails in - /etc/rc.conf: + To prevent + fsck from checking + nullfs mounts during boot and + dump from backing up the + read-only nullfs mounts of the jails, the last two + columns are both set to 0. + + + + Configure the jails in + /etc/rc.conf: - jail_enable="YES" + jail_enable="YES" jail_set_hostname_allow="NO" jail_list="ns mail www" jail_ns_hostname="ns.example.org" 
@@ -760,167 +737,164 @@ jail_www_ip="62.123.43.14" jail_www_rootdir="/usr/home/j/www" jail_www_devfs_enable="YES" - The - jail_name_rootdir - variable is set to - /usr/home - instead of - /home because - the physical path of - /home - on a default &os; installation is - /usr/home. The - jail_name_rootdir - variable must not be set to a - path which includes a symbolic link, otherwise the - jails will refuse to start. - - - - Create the required mount points for the read-only - file system of each jail: - - &prompt.root; mkdir /home/j/ns /home/j/mail /home/j/www - - - - Install the read-write template into each jail using - sysutils/cpdup: + The + jail_name_rootdir + variable is set to + /usr/home instead + of /home because + the physical path of /home on a default &os; + installation is /usr/home. The + jail_name_rootdir + variable must not be set to a path + which includes a symbolic link, otherwise the jails will + refuse to start. + + + + Create the required mount points for the read-only + file system of each jail: + + &prompt.root; mkdir /home/j/ns /home/j/mail /home/j/www + + + + Install the read-write template into each jail using + sysutils/cpdup: - &prompt.root; mkdir /home/js + &prompt.root; mkdir /home/js &prompt.root; cpdup /home/j/skel /home/js/ns &prompt.root; cpdup /home/j/skel /home/js/mail &prompt.root; cpdup /home/j/skel /home/js/www - + - - In this phase, the jails are built and prepared to - run. First, mount the required file systems for each - jail, and then start them: + + In this phase, the jails are built and prepared to + run. First, mount the required file systems for each + jail, and then start them: - &prompt.root; mount -a + &prompt.root; mount -a &prompt.root; service jail start - - + + - The jails should be running now. To check if they have - started correctly, use jls. Its output - should be similar to the following: + The jails should be running now. To check if they have + started correctly, use jls. 
Its output + should be similar to the following: - &prompt.root; jls + &prompt.root; jls JID IP Address Hostname Path 3 192.168.3.17 ns.example.org /home/j/ns 2 192.168.3.18 mail.example.org /home/j/mail 1 62.123.43.14 www.example.org /home/j/www - At this point, it should be possible to log onto each - jail, add new users, or configure daemons. The - JID column indicates the jail - identification number of each running jail. Use the - following command to perform administrative tasks - in the jail whose JID is 3: - - &prompt.root; jexec 3 tcsh - - - - Upgrading - - The design of this setup - provides an easy way to upgrade existing jails while - minimizing their downtime. Also, it - provides a way to roll back to the older version should a - problem occur. - - - - The first step is to upgrade the host system. - Then, create a new temporary read-only - template in /home/j/mroot2. + At this point, it should be possible to log onto each + jail, add new users, or configure daemons. The + JID column indicates the jail + identification number of each running jail. Use the following + command to perform administrative tasks in the jail whose + JID is 3: + + &prompt.root; jexec 3 tcsh + + + + Upgrading + + The design of this setup provides an easy way to upgrade + existing jails while minimizing their downtime. Also, it + provides a way to roll back to the older version should a + problem occur. + + + + The first step is to upgrade the host system. Then, + create a new temporary read-only template in + /home/j/mroot2. 
- &prompt.root; mkdir /home/j/mroot2 + &prompt.root; mkdir /home/j/mroot2 &prompt.root; cd /usr/src &prompt.root; make installworld DESTDIR=/home/j/mroot2 &prompt.root; cd /home/j/mroot2 &prompt.root; cpdup /usr/src usr/src &prompt.root; mkdir s - The installworld - creates a few unnecessary directories, which should be - removed: + The installworld creates a + few unnecessary directories, which should be + removed: - &prompt.root; chflags -R 0 var + &prompt.root; chflags -R 0 var &prompt.root; rm -R etc var root usr/local tmp - + - - Recreate the read-write symlinks for the master file - system: + + Recreate the read-write symlinks for the master file + system: - &prompt.root; ln -s s/etc etc + &prompt.root; ln -s s/etc etc &prompt.root; ln -s s/root root &prompt.root; ln -s s/home home &prompt.root; ln -s ../s/usr-local usr/local &prompt.root; ln -s ../s/usr-X11R6 usr/X11R6 &prompt.root; ln -s s/tmp tmp &prompt.root; ln -s s/var var - + - - Next, stop the jails: + + Next, stop the jails: - &prompt.root; service jail stop - + &prompt.root; service jail stop + - - Unmount the original file systems as the read-write - systems are attached to the read-only system - (/s): + + Unmount the original file systems as the read-write + systems are attached to the read-only system + (/s): - &prompt.root; umount /home/j/ns/s + &prompt.root; umount /home/j/ns/s &prompt.root; umount /home/j/ns &prompt.root; umount /home/j/mail/s &prompt.root; umount /home/j/mail &prompt.root; umount /home/j/www/s &prompt.root; umount /home/j/www - + - - Move the old read-only file system and replace it - with the new one. This will serve as a backup and - archive of the old read-only file system should - something go wrong. The naming convention used here - corresponds to when a new read-only file system has been - created. 
Move the original &os; Ports Collection over - to the new file system to save some space and - inodes: + + Move the old read-only file system and replace it with + the new one. This will serve as a backup and archive of + the old read-only file system should something go wrong. + The naming convention used here corresponds to when a new + read-only file system has been created. Move the original + &os; Ports Collection over to the new file system to save + some space and inodes: - &prompt.root; cd /home/j + &prompt.root; cd /home/j &prompt.root; mv mroot mroot.20060601 &prompt.root; mv mroot2 mroot &prompt.root; mv mroot.20060601/usr/ports mroot/usr - + - - At this point the new read-only template is ready, - so the only remaining task is to remount the file - systems and start the jails: + + At this point the new read-only template is ready, so + the only remaining task is to remount the file systems and + start the jails: - &prompt.root; mount -a + &prompt.root; mount -a &prompt.root; service jail start - - + + - Use jls to check if the jails started correctly. - Run mergemaster in each jail to update the - configuration files. + Use jls to check if the jails started + correctly. Run mergemaster in each jail to *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
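Review bot: In the @@ -5,97 +5,91 @@ hunk, the re-wrapped closing paragraph still reads "This chapter provides an overview of jail terminology are how to use &os; jails", where "are" should be "and". Because the log marks this commit as white space only, the wording fix belongs in a separate follow-up commit so that translators are not told to ignore a content change; the same follow-up could change "can not access" to "cannot access" in the chroot paragraph.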
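Review bot: In the @@ -110,25 +104,24 @@ hunk, the warning says most of these attacks "can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment" but never tells the administrator how to do or verify that. A follow-up content change could add one sentence naming the step, for example restricting permissions on the host directory that contains the jail roots, so that the warning is actionable rather than only descriptive.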
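Review bot: In the @@ -496,191 +490,176 @@ hunk, the mergemaster step carries a doubled article across the new line break: "Then, remove the the extra directories that mergemaster creates". Drop one "the" in a follow-up content commit. The screen block of the same step runs "cd /home/j/skel" and then "rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev" with relative paths, so the follow-up could also tell the reader to confirm the working directory before the removal, since running it from / on the host would delete the host's own directories.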
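Review bot: In the @@ -690,61 +669,59 @@ hunk, the first paragraph under "Creating Jails" uses the noun where the verb is meant: "The jail template can now be used to setup and configure the jails" should read "to set up and configure". As with the other wording issues, this is a content change and should go in a commit that is not flagged as ignorable for translators.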
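Review bot: In the @@ -760,167 +737,164 @@ hunk, the sample jls output does not match the configuration the text insists on: the Path column shows /home/j/ns, /home/j/mail and /home/j/www, while the rc.conf context line sets jail_www_rootdir="/usr/home/j/www" and the following paragraph says the rootdir must not be a path that includes a symbolic link. A follow-up should make the sample output show the /usr/home/j/... paths so that readers comparing their own jls output are not led to use the symlinked /home path. The same example mixes 192.168.3.17 and 192.168.3.18 with the publicly routable 62.123.43.14 for the www jail; an address from a documentation or private range would be safer to copy.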