I have attached an "alpha" patch that implements skeljail, which includes an "installskel" target to install a (hmm... as many as you wish and your hard disk allows) skeleton after buildworld.
In order to make use of it, follow this procedure: 0. make buildworld is a prerequisite for running "make installskel", so do it first 1. make a directory, e.g. mkdir /vhosts/1 2. cd /usr/src && make installskel DESTDIR=/vhosts/1 3. (You may want to copy something like the password database/initial ssh keys into the jail. I have a "core.tbz" to do this) 4. Add configuration to /etc/rc.conf 5. Start the jail script as usual. This includes rebooting the host, or "/etc/rc.d/jail restart". To patch your existing system to get a test run of the patch, the following procedure is recommended (other ways may work, too): 0. cvsup to latest -CURRENT 1. on top level src tree (/usr/src), do patch < (the patch file) 2. make buildworld installworld (make sure you have the latest kernel installed, of course) 3. cd /usr/src/etc/rc.d && make install (this can be accomplished in a different way by running mergemaster) Added rc.conf knobs: - jail_<X>_skel_enable=(YES|NO) Whether to enable the skeleton jail. The default is NO. - jail_<X>_skel_root Where the skeleton should mount everything from. This can be / (the default), or you can specify something like /vhosts/templateRELENG_4 if you want a different release. - jail_<X>_skel_romounts Which directories we should mount from jail_<X>_skel_root. The default value is "bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share". I've received some quite impressive scripts from our user community and I will consult these scripts to find out if I have missed something important, and make further improvements over this version. Please let me know if you have any suggestions or find flaws in this patch. Thanks in advance! Cheers, -- Xin LI <delphij delphij net> http://www.delphij.net/
Index: Makefile
===================================================================
RCS file: /home/ncvs/src/Makefile,v
retrieving revision 1.315
diff -u -r1.315 Makefile
--- Makefile 21 Dec 2004 09:59:39 -0000 1.315
+++ Makefile 1 Feb 2005 06:51:43 -0000
@@ -65,7 +65,7 @@
TGTS= all all-man buildkernel buildworld checkdpadd clean \
cleandepend cleandir depend distribute distributeworld everything \
hierarchy install installcheck installkernel installkernel.debug\
- reinstallkernel reinstallkernel.debug installworld \
+ reinstallkernel reinstallkernel.debug installskel installworld \
kernel-toolchain libraries lint maninstall \
obj objlink regress rerelease tags toolchain update \
_worldtmp _legacy _bootstrap-tools _cleanobj _obj \
@@ -79,6 +79,7 @@
.ORDER: buildworld installworld
.ORDER: buildworld distributeworld
.ORDER: buildworld buildkernel
+.ORDER: buildworld installskel
.ORDER: buildkernel installkernel
.ORDER: buildkernel installkernel.debug
.ORDER: buildkernel reinstallkernel
Index: Makefile.inc1
===================================================================
RCS file: /home/ncvs/src/Makefile.inc1,v
retrieving revision 1.473
diff -u -r1.473 Makefile.inc1
--- Makefile.inc1 20 Jan 2005 10:49:02 -0000 1.473
+++ Makefile.inc1 1 Feb 2005 16:49:29 -0000
@@ -516,6 +516,18 @@
rm -rf ${INSTALLTMP}
#
+# installskel
+#
+# Installs a minimum set of files that can support a mini-jail
+#
+installskel:
+ @echo "--------------------------------------------------------------"
+ @echo ">>> Making installskel"
+ @echo "--------------------------------------------------------------"
+ ${_+_}cd ${.CURDIR}; ${MAKE} hierarchy
+ ${_+_}cd ${.CURDIR}/etc; ${MAKE} distribution
+
+#
# reinstall
#
# If you have a build server, you can NFS mount the source and obj directories
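Review bot: The new installskel target never checks that DESTDIR is set, so `make installskel` run without it executes `make hierarchy` and `make distribution` against the host's own root, and the etc distribution would, as far as I can tell, install stock files over the live /etc; the mail's own usage relies on `DESTDIR=/vhosts/1` to avoid exactly that. A guard as the first recipe line makes the failure explicit: `@test -n "${DESTDIR}" || { echo ">>> installskel: DESTDIR must point at the jail root"; exit 1; }`. The header comment should state the requirement too, e.g. `# Requires DESTDIR to point at the (empty) root directory of the jail.`. The `rm -rf ${INSTALLTMP}` at the top of the hunk belongs to the preceding target, which starts outside the hunk.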
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.21
diff -u -r1.21 jail
--- etc/rc.d/jail 16 Jan 2005 03:12:03 -0000 1.21
+++ etc/rc.d/jail 1 Feb 2005 07:21:57 -0000
@@ -59,6 +59,14 @@
eval jail_procfs=\"\$jail_${_j}_procfs_enable\"
[ -z "${jail_procfs}" ] && jail_procfs="NO"
+ # Default settings for skel jail
+ eval jail_skel_enable=\"\$jail_${_j}_skel_enable\"
+ [ -z "${jail_skel_enable}" ] && jail_skel_enable="NO"
+ eval jail_skel_root=\"\$jail_${_j}_skel_root\"
+ [ -z "${jail_skel_root}" ] && jail_skel_root="/"
+ eval jail_skel_romounts=\"\$jail_${_j}_skel_romounts\"
+ [ -z "${jail_skel_romounts}" ] && jail_skel_romounts="bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/share"
+
eval jail_mount=\"\$jail_${_j}_mount_enable\"
[ -z "${jail_mount}" ] && jail_mount="NO"
# "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
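Review bot: The default jail_skel_romounts on the `[ -z "${jail_skel_romounts}" ]` line lists usr/sbin twice, so the jail_start loop attempts that nullfs mount twice and the jail_stop loop issues two umounts for it; drop the second occurrence: `[ -z "${jail_skel_romounts}" ] && jail_skel_romounts="bin sbin lib libexec usr/bin usr/sbin usr/include usr/lib usr/libdata usr/libexec usr/share"`. The default quoted in the mail text carries the same duplicate. These assignments appear to sit inside init_variables, whose start and end are outside the hunk.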
@@ -81,6 +89,9 @@
debug "$_j fstab: $jail_fstab"
debug "$_j exec start: $jail_exec_start"
debug "$_j exec stop: $jail_exec_stop"
+ debug "$_j skel enable: $jail_skel_enable"
+ debug "$_j skel mount-readonly: $jail_skel_romounts"
+ debug "$_j skel mount-readonly from: $jail_skel_root"
}
# set_sysctl rc_knob mib msg
@@ -136,6 +147,14 @@
[ -f "${jail_fstab}" ] || warn "${jail_fstab} does not exist"
umount -a -F "${jail_fstab}" >/dev/null 2>&1
fi
+ if checkyesno jail_skel_enable; then
+ for _mntpt in $jail_skel_romounts
+ do
+ if [ -d "${jail_rootdir}/${_mntpt}" ] ; then
+ umount -f ${jail_rootdir}/${_mntpt} > /dev/null 2>&1
+ fi
+ done
+ fi
}
jail_start()
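Review bot: Unmount failures in the new skel loop are discarded by `> /dev/null 2>&1` with no status check, so a jail whose skeleton nullfs mounts are still attached after jail_stop gives no indication at all, and the unquoted `${jail_rootdir}/${_mntpt}` breaks on paths containing whitespace. Report the failure the way the fstab branch above reports a missing file, and quote the path: `umount -f "${jail_rootdir}/${_mntpt}" > /dev/null 2>&1 || warn "skel umount of ${jail_rootdir}/${_mntpt} failed"`. The `-d` test only shows the directory exists, not that anything is mounted there, so a jail started with skel disabled and stopped with it enabled still runs the umount; a comment such as `# directory test only: a non-mounted path just fails the umount` would make that explicit. The enclosing jail_stop function starts outside the hunk.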
@@ -155,6 +174,13 @@
for _jail in ${jail_list}
do
init_variables $_jail
+ if checkyesno jail_skel_enable; then
+ info "Mounting skeleton for jail ${_jail} from ${jail_skel_root}"
+ for _mntpt in $jail_skel_romounts
+ do
+ mount_nullfs -ordonly ${jail_skel_root}/${_mntpt} ${jail_rootdir}/${_mntpt} > /dev/null 2>&1
+ done
+ fi
if checkyesno jail_mount; then
info "Mounting fstab for jail ${_jail} (${jail_fstab})"
if [ ! -f "${jail_fstab}" ]; then
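Review bot: A failed skeleton mount in the new loop is silently ignored (`> /dev/null 2>&1`, no status check), so a jail whose `${jail_rootdir}/${_mntpt}` is missing or whose mount_nullfs fails starts without its bin/lib tree and without any message; the matching jail_stop loop at least tests `-d` first, this one does not. Check the status and quote the paths: `mount_nullfs -ordonly "${jail_skel_root}/${_mntpt}" "${jail_rootdir}/${_mntpt}" > /dev/null 2>&1 || warn "skel mount of ${jail_skel_root}/${_mntpt} on ${jail_rootdir}/${_mntpt} failed"`. Since these are host directories exposed into the jail, the read-only flag is the important part and deserves a comment, e.g. `# skeleton mounts are read-only: the jail must never be able to modify the host's binaries`. jail_start's loop body continues past the end of the hunk.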

