Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Apr 2014 16:39:24 +0000 (UTC)
From:      Dru Lavigne <dru@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r44518 - head/en_US.ISO8859-1/books/handbook/jails
Message-ID:  <201404101639.s3AGdOBh024778@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: dru
Date: Thu Apr 10 16:39:24 2014
New Revision: 44518
URL: http://svnweb.freebsd.org/changeset/doc/44518

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/jails/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/jails/chapter.xml	Thu Apr 10 15:07:29 2014	(r44517)
+++ head/en_US.ISO8859-1/books/handbook/jails/chapter.xml	Thu Apr 10 16:39:24 2014	(r44518)
@@ -5,97 +5,91 @@
     $FreeBSD$
 -->
 <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="jails">
-  <info><title>Jails</title>
+  <info>
+    <title>Jails</title>
+
     <authorgroup>
-      <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed by </contrib></author>
+      <author><personname><firstname>Matteo</firstname><surname>Riondato</surname></personname><contrib>Contributed
+	by </contrib></author>
     </authorgroup>
   </info>
 
-  
-
   <indexterm><primary>jails</primary></indexterm>
 
   <sect1 xml:id="jails-synopsis">
     <title>Synopsis</title>
 
-    <para>Since system administration is a difficult
-      task, many tools have been developed to make life easier for
-      the administrator.  These tools often enhance
-      the way systems are installed, configured, and
-      maintained.  One of the tools which can be used to enhance the security
-      of a &os; system is <firstterm>jails</firstterm>.  Jails have
-      been available since &os;&nbsp;4.X and continue to be
-      enhanced in their
-      usefulness, performance, reliability, and security.</para>
-
-      <para>Jails build upon the &man.chroot.2; concept, which is used to
-	change the root directory of a set of processes, creating a
-	safe environment, separate from the rest of the system.
-	Processes created in the chrooted environment can not access
-	files or resources outside of it.  For that reason,
-	compromising a service running in a chrooted environment
-	should not allow the attacker to compromise the entire system.
-	However, a chroot has several limitations.  It is suited to easy tasks which do not
-	require much flexibility or complex, advanced features.  Over time
-	many ways have
-	been found to escape from a chrooted environment, making it
-	a less than ideal solution for
-	securing services.</para>
-
-      <para>Jails improve on the concept of the traditional
-	chroot environment in several ways.  In a traditional
-	chroot environment, processes are only limited in the
-	part of the file system they can access.  The rest of the
-	system resources, system users, running
-	processes, and the networking subsystem are shared by the
-	chrooted processes and the processes of the host system.
-	Jails expand this model by virtualizing access to the
-	file system, the set of users, and the networking
-	subsystem.  More
-	fine-grained controls are available for tuning the
-	access of a jailed environment.</para>
+    <para>Since system administration is a difficult task, many tools
+      have been developed to make life easier for the administrator.
+      These tools often enhance the way systems are installed,
+      configured, and maintained.  One of the tools which can be used
+      to enhance the security of a &os; system is
+      <firstterm>jails</firstterm>.  Jails have been available since
+      &os;&nbsp;4.X and continue to be enhanced in their usefulness,
+      performance, reliability, and security.</para>
+
+    <para>Jails build upon the &man.chroot.2; concept, which is used
+      to change the root directory of a set of processes, creating a
+      safe environment, separate from the rest of the system.
+      Processes created in the chrooted environment can not access
+      files or resources outside of it.  For that reason, compromising
+      a service running in a chrooted environment should not allow the
+      attacker to compromise the entire system.  However, a chroot has
+      several limitations.  It is suited to easy tasks which do not
+      require much flexibility or complex, advanced features.  Over
+      time many ways have been found to escape from a chrooted
+      environment, making it a less than ideal solution for securing
+      services.</para>
+
+    <para>Jails improve on the concept of the traditional chroot
+      environment in several ways.  In a traditional chroot
+      environment, processes are only limited in the part of the file
+      system they can access.  The rest of the system resources,
+      system users, running processes, and the networking subsystem
+      are shared by the chrooted processes and the processes of the
+      host system.  Jails expand this model by virtualizing access to
+      the file system, the set of users, and the networking subsystem.
+      More fine-grained controls are available for tuning the access
+      of a jailed environment.</para>
 
-      <para>A jail is characterized by four elements:</para>
+    <para>A jail is characterized by four elements:</para>
 
-      <itemizedlist>
-	<listitem>
-	  <para>A directory subtree: the starting point from
-	    which a jail is entered.  Once inside the jail, a process
-	    is not permitted to escape outside of this subtree.</para>
-	</listitem>
+    <itemizedlist>
+      <listitem>
+	<para>A directory subtree: the starting point from which a
+	  jail is entered.  Once inside the jail, a process is not
+	  permitted to escape outside of this subtree.</para>
+      </listitem>
 
-	<listitem>
-	  <para>A hostname: which will be used
-	    by the jail.</para>
-	</listitem>
+      <listitem>
+	<para>A hostname: which will be used by the jail.</para>
+      </listitem>
 
-	<listitem>
-	  <para>An <acronym>IP</acronym> address: which is
-	    assigned to the jail.  The <acronym>IP</acronym> address of a jail is
-	    often an alias address for an existing network
-	    interface.</para>
-	</listitem>
+      <listitem>
+	<para>An <acronym>IP</acronym> address: which is assigned to
+	  the jail.  The <acronym>IP</acronym> address of a jail is
+	  often an alias address for an existing network
+	  interface.</para>
+      </listitem>
 
-	<listitem>
-	  <para>A command: the path name of an executable to
-	    run inside the jail.  The path is relative to the
-	    root directory of the jail environment.</para>
-	</listitem>
-      </itemizedlist>
+      <listitem>
+	<para>A command: the path name of an executable to run inside
+	  the jail.  The path is relative to the root directory of the
+	  jail environment.</para>
+      </listitem>
+    </itemizedlist>
 
-      <para>Jails have their own set of users
-	and their own <systemitem class="username">root</systemitem> account which
-	are limited
-	to the jail environment.
-	The <systemitem class="username">root</systemitem>
-	account of a jail is not allowed to perform operations
-	to the system outside of the associated jail
-	environment.</para>
-
-    <para>This chapter provides an overview of jail terminology
-      are how to use &os; jails.  Jails are a powerful
-      tool for system administrators, but their basic usage can also
-      be useful for advanced users.</para>
+    <para>Jails have their own set of users and their own <systemitem
+	class="username">root</systemitem> account which are limited
+      to the jail environment.  The <systemitem
+	class="username">root</systemitem> account of a jail is not
+      allowed to perform operations to the system outside of the
+      associated jail environment.</para>
+
+    <para>This chapter provides an overview of jail terminology are
+      how to use &os; jails.  Jails are a powerful tool for system
+      administrators, but their basic usage can also be useful for
+      advanced users.</para>
 
     <para>After reading this chapter, you will know:</para>
 
@@ -110,25 +104,24 @@
       </listitem>
 
       <listitem>
-	<para>The basics of jail administration, both from inside
-	  and outside the jail.</para>
+	<para>The basics of jail administration, both from inside and
+	  outside the jail.</para>
       </listitem>
     </itemizedlist>
 
     <important>
       <para>Jails are a powerful tool, but they are not a security
-	panacea.  While it
-	is not possible for a jailed process to break out on its own,
-	there are several ways in which an unprivileged user outside
-	the jail can cooperate with a privileged user inside the jail
-	to obtain elevated privileges in the host
-	environment.</para>
+	panacea.  While it is not possible for a jailed process to
+	break out on its own, there are several ways in which an
+	unprivileged user outside the jail can cooperate with a
+	privileged user inside the jail to obtain elevated privileges
+	in the host environment.</para>
 
       <para>Most of these attacks can be mitigated by ensuring that
 	the jail root is not accessible to unprivileged users in the
-	host environment.  As a general rule, untrusted
-	users with privileged access to a jail should not be given
-	access to the host environment.</para>
+	host environment.  As a general rule, untrusted users with
+	privileged access to a jail should not be given access to the
+	host environment.</para>
     </important>
   </sect1>
 
@@ -268,8 +261,8 @@
 
     <para>Once a jail is installed, it can be started by using the
       &man.jail.8; utility.  The &man.jail.8; utility takes four
-      mandatory arguments which are described in the
-      <xref linkend="jails-synopsis"/>.  Other arguments may be specified
+      mandatory arguments which are described in the <xref
+	linkend="jails-synopsis"/>.  Other arguments may be specified
       too, e.g., to run the jailed process with the credentials of a
       specific user.  The
       <option><replaceable>command</replaceable></option> argument
@@ -324,8 +317,8 @@ jail_<replaceable>www</replaceable>_devf
       </step>
     </procedure>
 
-    <para>&man.service.8; can be used to
-      start or stop a jail by hand, if an entry for it exists in
+    <para>&man.service.8; can be used to start or stop a jail by hand,
+      if an entry for it exists in
       <filename>rc.conf</filename>:</para>
 
     <screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput>
@@ -418,16 +411,17 @@ jail_<replaceable>www</replaceable>_devf
 
       <para>These variables can be used by the system administrator of
 	the <emphasis>host system</emphasis> to add or remove some of
-	the limitations imposed by default on the
-	<systemitem class="username">root</systemitem> user.  Note that there are some
-	limitations which cannot be removed.  The
-	<systemitem class="username">root</systemitem> user is not allowed to mount or
-	unmount file systems from within a &man.jail.8;.  The
-	<systemitem class="username">root</systemitem> inside a jail may not load or unload
-	&man.devfs.8; rulesets, set firewall rules, or do many other
-	administrative tasks which require modifications of in-kernel
-	data, such as setting the <varname>securelevel</varname> of
-	the kernel.</para>
+	the limitations imposed by default on the <systemitem
+	  class="username">root</systemitem> user.  Note that there
+	are some limitations which cannot be removed.  The
+	<systemitem class="username">root</systemitem> user is not
+	allowed to mount or unmount file systems from within a
+	&man.jail.8;.  The <systemitem
+	  class="username">root</systemitem> inside a jail may not
+	load or unload &man.devfs.8; rulesets, set firewall rules, or
+	do many other administrative tasks which require modifications
+	of in-kernel data, such as setting the
+	<varname>securelevel</varname> of the kernel.</para>
 
       <para>The base system of &os; contains a basic set of tools for
 	viewing information about the active jails, and attaching to a
@@ -446,10 +440,10 @@ jail_<replaceable>www</replaceable>_devf
 	  <para>Attach to a running jail, from its host system, and
 	    run a command inside the jail or perform administrative
 	    tasks inside the jail itself.  This is especially useful
-	    when the <systemitem class="username">root</systemitem> user wants to cleanly
-	    shut down a jail.  The &man.jexec.8; utility can also be
-	    used to start a shell in a jail to do administration in
-	    it; for example:</para>
+	    when the <systemitem class="username">root</systemitem>
+	    user wants to cleanly shut down a jail.  The &man.jexec.8;
+	    utility can also be used to start a shell in a jail to do
+	    administration in it; for example:</para>
 
 	  <screen>&prompt.root; <userinput>jexec <replaceable>1</replaceable> tcsh</userinput></screen>
 	</listitem>
@@ -462,10 +456,9 @@ jail_<replaceable>www</replaceable>_devf
 
       <para>Among the many third-party utilities for jail
 	administration, one of the most complete and useful is
-	<package>sysutils/jailutils</package>.  It is
-	a set of small applications that contribute to &man.jail.8;
-	management.  Please refer to its web page for more
-	information.</para>
+	<package>sysutils/jailutils</package>.  It is a set of small
+	applications that contribute to &man.jail.8; management.
+	Please refer to its web page for more information.</para>
     </sect2>
   </sect1>
 
@@ -474,7 +467,8 @@ jail_<replaceable>www</replaceable>_devf
     <title>Updating Multiple Jails</title>
 
 	<authorgroup>
-	  <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed by </contrib></author>
+	  <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed
+	    by </contrib></author>
 	</authorgroup>
 	<authorgroup>
 	<author>
@@ -496,191 +490,176 @@ jail_<replaceable>www</replaceable>_devf
       </authorgroup>
       </info>
 
-	<para>The management of multiple jails can become
-	  problematic
-	  because every jail has to be rebuilt from scratch whenever
-	  it is upgraded.  This can be
-	  time consuming and tedious if a lot of jails are
-	  created and manually updated.</para>
-
-	<para>This section demonstrates one method to resolve this issue by
-	  safely sharing as much as is possible between jails
-	  using read-only &man.mount.nullfs.8; mounts, so that
-	  updating is simpler.  This makes it more attractive to put single services,
-	  such as <acronym>HTTP</acronym>, <acronym>DNS</acronym>,
-	  and <acronym>SMTP</acronym>, into
-	  individual jails.  Additionally,
-	  it provides a simple way to add, remove, and
-	  upgrade jails.</para>
+    <para>The management of multiple jails can become problematic
+      because every jail has to be rebuilt from scratch whenever it is
+      upgraded.  This can be time consuming and tedious if a lot of
+      jails are created and manually updated.</para>
+
+    <para>This section demonstrates one method to resolve this issue
+      by safely sharing as much as is possible between jails using
+      read-only &man.mount.nullfs.8; mounts, so that updating is
+      simpler.  This makes it more attractive to put single services,
+      such as <acronym>HTTP</acronym>, <acronym>DNS</acronym>, and
+      <acronym>SMTP</acronym>, into individual jails.  Additionally,
+      it provides a simple way to add, remove, and upgrade
+      jails.</para>
+
+    <note>
+      <para>Simpler solutions exist, such as
+	<package>sysutils/ezjail</package>, which provides an easier
+	method of administering &os; jails and is not as sophisticated
+	as this setup.</para>
+    </note>
 
-	<note>
-	  <para>Simpler solutions exist,
-	    such as
-	    <package>sysutils/ezjail</package>, which
-	    provides an easier method of administering &os; jails and
-	    is not as sophisticated as this setup.</para>
-	</note>
+    <para>The goals of the setup described in this section are:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>Create a simple and easy to understand jail structure
+	  that does not require running a full installworld on each
+	  and every jail.</para>
+      </listitem>
+
+      <listitem>
+	<para>Make it easy to add new jails or remove existing
+	  ones.</para>
+      </listitem>
+
+      <listitem>
+	<para>Make it easy to update or upgrade existing jails.</para>
+      </listitem>
+
+      <listitem>
+	<para>Make it possible to run a customized &os; branch.</para>
+      </listitem>
 
-	<para>The goals of the setup described in this section
-	  are:</para>
+      <listitem>
+	<para>Be paranoid about security, reducing as much as
+	  possible the possibility of compromise.</para>
+      </listitem>
+
+      <listitem>
+	<para>Save space and inodes, as much as possible.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>This design relies on a single, read-only master template
+      which is mounted into each jail and one read-write device per
+      jail.  A device can be a separate physical disc, a partition, or
+      a vnode backed memory device.  This example uses read-write
+      <application>nullfs</application> mounts.</para>
 
-	<itemizedlist>
-	  <listitem>
-	    <para>Create a simple and easy to understand jail
-	      structure that does not require
-	      running a full installworld on each and every
-	      jail.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Make it easy to add new jails or remove existing
-	      ones.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Make it easy to update or upgrade existing
-	      jails.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Make it possible to run a customized &os;
-	      branch.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Be paranoid about security, reducing as much as
-	      possible the possibility of compromise.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Save space and inodes, as much as possible.</para>
-	  </listitem>
-	</itemizedlist>
-
-	<para>This design relies
-	  on a single, read-only master template which is
-	  mounted into each jail and one read-write device per jail.
-	  A device can be a separate physical disc, a partition, or a
-	  vnode backed memory device.  This example
-	  uses read-write <application>nullfs</application>
-	  mounts.</para>
-
-	<para>The file system layout is as follows:</para>
-
-	<itemizedlist>
-	  <listitem>
-	    <para>The jails are based under the
-	    <filename>/home</filename> partition.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Each jail will be mounted under the
-	      <filename>/home/j</filename>
-	      directory.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>The template for each jail and the read-only
-	      partition for all of the jails is <filename>/home/j/mroot</filename>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>A blank directory will be created for each jail
-	      under the <filename>/home/j</filename>
-	      directory.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Each jail will have a
-	      <filename>/s</filename> directory
-	      that will be linked to the read-write portion of the
-	      system.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Each jail will have its own read-write system that
-	      is based upon <filename>/home/j/skel</filename>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>The read-write portion of each jail
-	      will be created in <filename>/home/js</filename>.</para>
-	  </listitem>
-	</itemizedlist>
+    <para>The file system layout is as follows:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>The jails are based under the
+	  <filename>/home</filename> partition.</para>
+      </listitem>
+
+      <listitem>
+	<para>Each jail will be mounted under the
+	  <filename>/home/j</filename> directory.</para>
+      </listitem>
+
+      <listitem>
+	<para>The template for each jail and the read-only partition
+	  for  all of the jails is
+	  <filename>/home/j/mroot</filename>.</para>
+      </listitem>
+
+      <listitem>
+	<para>A blank directory will be created for each jail under
+	  the <filename>/home/j</filename> directory.</para>
+      </listitem>
+
+      <listitem>
+	<para>Each jail will have a <filename>/s</filename> directory
+	  that will be linked to the read-write portion of the
+	  system.</para>
+      </listitem>
+
+      <listitem>
+	<para>Each jail will have its own read-write system that is
+	  based upon <filename>/home/j/skel</filename>.</para>
+      </listitem>
+
+      <listitem>
+	<para>The read-write portion of each jail will be created in
+	  <filename>/home/js</filename>.</para>
+      </listitem>
+    </itemizedlist>
 
 	<!-- Insert an image or drawing here to illustrate the example. -->
 
-      <sect2 xml:id="jails-service-jails-template">
-	<title>Creating the Template</title>
+    <sect2 xml:id="jails-service-jails-template">
+      <title>Creating the Template</title>
 
-	<para>This section describes the steps needed to create
-	  the master template.</para>
+      <para>This section describes the steps needed to create the
+	master template.</para>
 
-	<para>It is recommended to first update the host &os; system to
-	  the latest -RELEASE branch using the instructions in
-	  <xref linkend="makeworld"/>.
-	  Additionally, this template uses the
-	  <package>sysutils/cpdup</package> package or port
-	  and <application>portsnap</application>
-	  will be used to download the &os; Ports Collection.</para>
-
-	<procedure>
-	  <step>
-	    <para>First, create a directory structure for the
-	      read-only file system which will contain the &os;
-	      binaries for the jails.  Then, change directory to the
-	      &os; source tree and install the read-only file system
-	      to the jail template:</para>
+      <para>It is recommended to first update the host &os; system to
+	the latest -RELEASE branch using the instructions in <xref
+	  linkend="makeworld"/>.  Additionally, this template uses the
+	<package>sysutils/cpdup</package> package or port and
+	<application>portsnap</application> will be used to download
+	the &os; Ports Collection.</para>
+
+      <procedure>
+	<step>
+	  <para>First, create a directory structure for the read-only
+	    file system which will contain the &os; binaries for the
+	    jails.  Then, change directory to the &os; source tree and
+	    install the read-only file system to the jail
+	    template:</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput>
 &prompt.root; <userinput>cd /usr/src</userinput>
 &prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Next, prepare a &os; Ports Collection for the jails
-	      as well as a &os; source tree, which is required for
-	      <application>mergemaster</application>:</para>
+	<step>
+	  <para>Next, prepare a &os; Ports Collection for the jails as
+	    well as a &os; source tree, which is required for
+	    <application>mergemaster</application>:</para>
 
-	    <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
+	  <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
 &prompt.root; <userinput>mkdir usr/ports</userinput>
 &prompt.root; <userinput>portsnap -p /home/j/mroot/usr/ports fetch extract</userinput>
 &prompt.root; <userinput>cpdup /usr/src /home/j/mroot/usr/src</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Create a skeleton for the read-write portion of the
-	      system:</para>
+	<step>
+	  <para>Create a skeleton for the read-write portion of the
+	    system:</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles</userinput>
 &prompt.root; <userinput>mv etc /home/j/skel</userinput>
 &prompt.root; <userinput>mv usr/local /home/j/skel/usr-local</userinput>
 &prompt.root; <userinput>mv tmp /home/j/skel</userinput>
 &prompt.root; <userinput>mv var /home/j/skel</userinput>
 &prompt.root; <userinput>mv root /home/j/skel</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Use <application>mergemaster</application> to
-	      install missing configuration files.  Then, remove the
-	      the extra directories that
-	      <application>mergemaster</application> creates:</para>
+	<step>
+	  <para>Use <application>mergemaster</application> to install
+	    missing configuration files.  Then, remove the the extra
+	    directories that <application>mergemaster</application>
+	    creates:</para>
 
-	    <screen>&prompt.root; <userinput>mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i</userinput>
+	  <screen>&prompt.root; <userinput>mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i</userinput>
 &prompt.root; <userinput>cd /home/j/skel</userinput>
 &prompt.root; <userinput>rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Now, symlink the read-write file system to the
-	      read-only file system.  Ensure that the
-	      symlinks are created in the correct
-	      <filename>s/</filename> locations as
-	      the creation of directories in the
-	      wrong locations will cause the installation to
-	      fail.</para>
+	<step>
+	  <para>Now, symlink the read-write file system to the
+	    read-only file system.  Ensure that the symlinks are
+	    created in the correct <filename>s/</filename> locations
+	    as the creation of directories in the wrong locations will
+	    cause the installation to fail.</para>
 
-	    <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
+	  <screen>&prompt.root; <userinput>cd /home/j/mroot</userinput>
 &prompt.root; <userinput>mkdir s</userinput>
 &prompt.root; <userinput>ln -s s/etc etc</userinput>
 &prompt.root; <userinput>ln -s s/home home</userinput>
@@ -690,61 +669,59 @@ jail_<replaceable>www</replaceable>_devf
 &prompt.root; <userinput>ln -s s/distfiles usr/ports/distfiles</userinput>
 &prompt.root; <userinput>ln -s s/tmp tmp</userinput>
 &prompt.root; <userinput>ln -s s/var var</userinput></screen>
-	  </step>
+	</step>
+
+	<step>
+	  <para>As a last step, create a generic
+	    <filename>/home/j/skel/etc/make.conf</filename> containing
+	    this line:</para>
+
+	  <programlisting>WRKDIRPREFIX?=  /s/portbuild</programlisting>
+
+	  <para>This makes it possible to compile &os; ports inside
+	    each jail.  Remember that the ports directory is part of
+	    the read-only system.  The custom path for
+	    <literal>WRKDIRPREFIX</literal> allows builds to be done
+	    in the read-write portion of every jail.</para>
+	</step>
+      </procedure>
+    </sect2>
+
+    <sect2 xml:id="jails-service-jails-creating">
+      <title>Creating Jails</title>
 
-	  <step>
-	    <para>As a last step, create a generic
-	      <filename>/home/j/skel/etc/make.conf</filename> containing
-	      this line:</para>
-
-	    <programlisting>WRKDIRPREFIX?=  /s/portbuild</programlisting>
-
-	    <para>This
-	      makes it possible to compile &os; ports inside
-	      each jail.  Remember that the ports directory is part of
-	      the read-only system.  The custom path for
-	      <literal>WRKDIRPREFIX</literal> allows builds to be done
-	      in the read-write portion of every jail.</para>
-	  </step>
-	</procedure>
-      </sect2>
-
-      <sect2 xml:id="jails-service-jails-creating">
-	<title>Creating Jails</title>
-
-	<para>The jail template can now be used to
-	  setup and configure the jails in
-	  <filename>/etc/rc.conf</filename>.  This example
-	  demonstrates the creation of 3 jails: <literal>NS</literal>,
-	  <literal>MAIL</literal> and <literal>WWW</literal>.</para>
-
-	<procedure>
-	  <step>
-	    <para>Add the following lines to
-	      <filename>/etc/fstab</filename>, so that the
-	      read-only template for the jails and the read-write
-	      space will be available in the respective jails:</para>
+      <para>The jail template can now be used to setup and configure
+	the jails in <filename>/etc/rc.conf</filename>.  This example
+	demonstrates the creation of 3 jails: <literal>NS</literal>,
+	<literal>MAIL</literal> and <literal>WWW</literal>.</para>
+
+      <procedure>
+	<step>
+	  <para>Add the following lines to
+	    <filename>/etc/fstab</filename>, so that the read-only
+	    template for the jails and the read-write space will be
+	    available in the respective jails:</para>
 
-	    <programlisting>/home/j/mroot   /home/j/ns     nullfs  ro  0   0
+	  <programlisting>/home/j/mroot   /home/j/ns     nullfs  ro  0   0
 /home/j/mroot   /home/j/mail   nullfs  ro  0   0
 /home/j/mroot   /home/j/www    nullfs  ro  0   0
 /home/js/ns     /home/j/ns/s   nullfs  rw  0   0
 /home/js/mail   /home/j/mail/s nullfs  rw  0   0
 /home/js/www    /home/j/www/s  nullfs  rw  0   0</programlisting>
 
-	      <para>To prevent
-		<application>fsck</application> from checking
-		<application>nullfs</application> mounts during boot and
-		<application>dump</application> from backing up the
-		read-only nullfs mounts of the jails, the last two
-		columns are both set to <literal>0</literal>.</para>
-	  </step>
-
-	  <step>
-	    <para>Configure the jails in
-	      <filename>/etc/rc.conf</filename>:</para>
+	  <para>To prevent
+	    <application>fsck</application> from checking
+	    <application>nullfs</application> mounts during boot and
+	    <application>dump</application> from backing up the
+	    read-only nullfs mounts of the jails, the last two
+	    columns are both set to <literal>0</literal>.</para>
+	</step>
+
+	<step>
+	  <para>Configure the jails in
+	    <filename>/etc/rc.conf</filename>:</para>
 
-	    <programlisting>jail_enable="YES"
+	  <programlisting>jail_enable="YES"
 jail_set_hostname_allow="NO"
 jail_list="ns mail www"
 jail_ns_hostname="ns.example.org"
@@ -760,167 +737,164 @@ jail_www_ip="62.123.43.14"
 jail_www_rootdir="/usr/home/j/www"
 jail_www_devfs_enable="YES"</programlisting>
 
-	      <para>The
-		<varname>jail_<replaceable>name</replaceable>_rootdir</varname>
-		variable is set to
-		<filename class="directory">/usr/home</filename>
-		instead of
-		<filename class="directory">/home</filename> because
-		the physical path of
-		<filename class="directory">/home</filename>
-		on a default &os; installation is
-		<filename class="directory">/usr/home</filename>.  The
-		<varname>jail_<replaceable>name</replaceable>_rootdir</varname>
-		variable must <emphasis>not</emphasis> be set to a
-		path which includes a symbolic link, otherwise the
-		jails will refuse to start.</para>
-	  </step>
-
-	  <step>
-	    <para>Create the required mount points for the read-only
-	      file system of each jail:</para>
-
-	    <screen>&prompt.root; <userinput>mkdir /home/j/ns /home/j/mail /home/j/www</userinput></screen>
-	  </step>
-
-	  <step>
-	    <para>Install the read-write template into each jail using
-	      <package>sysutils/cpdup</package>:</para>
+	  <para>The
+	    <varname>jail_<replaceable>name</replaceable>_rootdir</varname>
+	    variable is set to
+	    <filename class="directory">/usr/home</filename> instead
+	    of <filename class="directory">/home</filename> because
+	    the physical path of <filename
+	      class="directory">/home</filename> on a default &os;
+	    installation is <filename
+	      class="directory">/usr/home</filename>.  The
+	    <varname>jail_<replaceable>name</replaceable>_rootdir</varname>
+	    variable must <emphasis>not</emphasis> be set to a path
+	    which includes a symbolic link, otherwise the jails will
+	    refuse to start.</para>
+	</step>
+
+	<step>
+	  <para>Create the required mount points for the read-only
+	    file system of each jail:</para>
+
+	  <screen>&prompt.root; <userinput>mkdir /home/j/ns /home/j/mail /home/j/www</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Install the read-write template into each jail using
+	    <package>sysutils/cpdup</package>:</para>
 	    <!-- keramida: Why is cpdup required here?  Doesn't cpio(1)
 	     already include adequate functionality for performing this
 	     job *and* have the advantage of being part of the base
 	     system of FreeBSD? -->
 
-	    <screen>&prompt.root; <userinput>mkdir /home/js</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/js</userinput>
 &prompt.root; <userinput>cpdup /home/j/skel /home/js/ns</userinput>
 &prompt.root; <userinput>cpdup /home/j/skel /home/js/mail</userinput>
 &prompt.root; <userinput>cpdup /home/j/skel /home/js/www</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>In this phase, the jails are built and prepared to
-	      run.  First, mount the required file systems for each
-	      jail, and then start them:</para>
+	<step>
+	  <para>In this phase, the jails are built and prepared to
+	    run.  First, mount the required file systems for each
+	    jail, and then start them:</para>
 
-	    <screen>&prompt.root; <userinput>mount -a</userinput>
+	  <screen>&prompt.root; <userinput>mount -a</userinput>
 &prompt.root; <userinput>service jail start</userinput></screen>
-	  </step>
-	</procedure>
+	</step>
+      </procedure>
 
-	<para>The jails should be running now.  To check if they have
-	  started correctly, use <command>jls</command>.  Its output
-	  should be similar to the following:</para>
+      <para>The jails should be running now.  To check if they have
+	started correctly, use <command>jls</command>.  Its output
+	should be similar to the following:</para>
 
-	<screen>&prompt.root; <userinput>jls</userinput>
+      <screen>&prompt.root; <userinput>jls</userinput>
    JID  IP Address      Hostname                      Path
      3  192.168.3.17    ns.example.org                /home/j/ns
      2  192.168.3.18    mail.example.org              /home/j/mail
      1  62.123.43.14    www.example.org               /home/j/www</screen>
 
-	<para>At this point, it should be possible to log onto each
-	  jail, add new users, or configure daemons.  The
-	  <literal>JID</literal> column indicates the jail
-	  identification number of each running jail.  Use the
-	  following command to perform administrative tasks
-	  in the jail whose <acronym>JID</acronym> is <literal>3</literal>:</para>
-
-	<screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen>
-      </sect2>
-
-      <sect2 xml:id="jails-service-jails-upgrading">
-	<title>Upgrading</title>
-
-	<para>The design of this setup
-	  provides an easy way to upgrade existing jails while
-	  minimizing their downtime.  Also, it
-	  provides a way to roll back to the older version should a
-	  problem occur.</para>
-
-	<procedure>
-	  <step>
-	    <para>The first step is to upgrade the host system.
-	      Then, create a new temporary read-only
-	      template in <filename>/home/j/mroot2</filename>.</para>
+      <para>At this point, it should be possible to log onto each
+	jail, add new users, or configure daemons.  The
+	<literal>JID</literal> column indicates the jail
+	identification number of each running jail.  Use the following
+	command to perform administrative tasks in the jail whose
+	<acronym>JID</acronym> is <literal>3</literal>:</para>
+
+      <screen>&prompt.root; <userinput>jexec 3 tcsh</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="jails-service-jails-upgrading">
+      <title>Upgrading</title>
+
+      <para>The design of this setup provides an easy way to upgrade
+	existing jails while minimizing their downtime.  Also, it
+	provides a way to roll back to the older version should a
+	problem occur.</para>
+
+      <procedure>
+	<step>
+	  <para>The first step is to upgrade the host system.  Then,
+	    create a new temporary read-only template in
+	    <filename>/home/j/mroot2</filename>.</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput>
+	  <screen>&prompt.root; <userinput>mkdir /home/j/mroot2</userinput>
 &prompt.root; <userinput>cd /usr/src</userinput>
 &prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot2</userinput>
 &prompt.root; <userinput>cd /home/j/mroot2</userinput>
 &prompt.root; <userinput>cpdup /usr/src usr/src</userinput>
 &prompt.root; <userinput>mkdir s</userinput></screen>
 
-	    <para>The <buildtarget>installworld</buildtarget>
-	      creates a few unnecessary directories, which should be
-	      removed:</para>
+	  <para>The <buildtarget>installworld</buildtarget> creates a
+	    few unnecessary directories, which should be
+	    removed:</para>
 
-	    <screen>&prompt.root; <userinput>chflags -R 0 var</userinput>
+	  <screen>&prompt.root; <userinput>chflags -R 0 var</userinput>
 &prompt.root; <userinput>rm -R etc var root usr/local tmp</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Recreate the read-write symlinks for the master file
-	      system:</para>
+	<step>
+	  <para>Recreate the read-write symlinks for the master file
+	    system:</para>
 
-	    <screen>&prompt.root; <userinput>ln -s s/etc etc</userinput>
+	  <screen>&prompt.root; <userinput>ln -s s/etc etc</userinput>
 &prompt.root; <userinput>ln -s s/root root</userinput>
 &prompt.root; <userinput>ln -s s/home home</userinput>
 &prompt.root; <userinput>ln -s ../s/usr-local usr/local</userinput>
 &prompt.root; <userinput>ln -s ../s/usr-X11R6 usr/X11R6</userinput>
 &prompt.root; <userinput>ln -s s/tmp tmp</userinput>
 &prompt.root; <userinput>ln -s s/var var</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Next, stop the jails:</para>
+	<step>
+	  <para>Next, stop the jails:</para>
 
-	    <screen>&prompt.root; <userinput>service jail stop</userinput></screen>
-	  </step>
+	  <screen>&prompt.root; <userinput>service jail stop</userinput></screen>
+	</step>
 
-	  <step>
-	    <para>Unmount the original file systems as the read-write
-	      systems are attached to the read-only system
-	      (<filename>/s</filename>):</para>
+	<step>
+	  <para>Unmount the original file systems as the read-write
+	    systems are attached to the read-only system
+	    (<filename>/s</filename>):</para>
 	    <!-- keramida: Shouldn't we suggest a short script-based
 	     loop here, instead of tediously copying the same commands
 	     multiple times? -->
 
-	    <screen>&prompt.root; <userinput>umount /home/j/ns/s</userinput>
+	  <screen>&prompt.root; <userinput>umount /home/j/ns/s</userinput>
 &prompt.root; <userinput>umount /home/j/ns</userinput>
 &prompt.root; <userinput>umount /home/j/mail/s</userinput>
 &prompt.root; <userinput>umount /home/j/mail</userinput>
 &prompt.root; <userinput>umount /home/j/www/s</userinput>
 &prompt.root; <userinput>umount /home/j/www</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>Move the old read-only file system and replace it
-	      with the new one.  This will serve as a backup and
-	      archive of the old read-only file system should
-	      something go wrong.  The naming convention used here
-	      corresponds to when a new read-only file system has been
-	      created.  Move the original &os; Ports Collection over
-	      to the new file system to save some space and
-	      inodes:</para>
+	<step>
+	  <para>Move the old read-only file system and replace it with
+	    the new one.  This will serve as a backup and archive of
+	    the old read-only file system should something go wrong.
+	    The naming convention used here corresponds to when a new
+	    read-only file system has been created.  Move the original
+	    &os; Ports Collection over to the new file system to save
+	    some space and inodes:</para>
 
-	    <screen>&prompt.root; <userinput>cd /home/j</userinput>
+	  <screen>&prompt.root; <userinput>cd /home/j</userinput>
 &prompt.root; <userinput>mv mroot mroot.20060601</userinput>
 &prompt.root; <userinput>mv mroot2 mroot</userinput>
 &prompt.root; <userinput>mv mroot.20060601/usr/ports mroot/usr</userinput></screen>
-	  </step>
+	</step>
 
-	  <step>
-	    <para>At this point the new read-only template is ready,
-	      so the only remaining task is to remount the file
-	      systems and start the jails:</para>
+	<step>
+	  <para>At this point the new read-only template is ready, so
+	    the only remaining task is to remount the file systems and
+	    start the jails:</para>
 
-	    <screen>&prompt.root; <userinput>mount -a</userinput>
+	  <screen>&prompt.root; <userinput>mount -a</userinput>
 &prompt.root; <userinput>service jail start</userinput></screen>
-	  </step>
-	</procedure>
+	</step>
+      </procedure>
 
-	<para>Use <command>jls</command> to check if the jails started correctly.
-	  Run <command>mergemaster</command> in each jail to update the
-	  configuration files.</para>
+      <para>Use <command>jls</command> to check if the jails started
+	correctly.  Run <command>mergemaster</command> in each jail to

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404101639.s3AGdOBh024778>