608 lines
17 KiB
Groff
608 lines
17 KiB
Groff
.Dd January 15, 2011
|
|
.Dt EZJAIL-ADMIN 8 USD
|
|
.Os FreeBSD
|
|
.Sh NAME
|
|
.Nm ezjail-admin
|
|
.Nd Administrate ezjail environment
|
|
.Sh SYNOPSIS
|
|
.Nm Cm install
|
|
.Op Fl mMpPsS
|
|
.Op Fl h Ar host
|
|
.Op Fl r Ar release
|
|
.Nm
|
|
.Cm create
|
|
.Op Fl bx
|
|
.Op Fl f Ar flavour
|
|
.Op Fl r Ar jailroot
|
|
.Op Fl a Ar archive
|
|
.Op Fl c Ar jailtype Fl s Ar imagesize Op Fl C Ar attachargs
|
|
.Bk -words
|
|
.Ar jailname ipaddress Ns Op Ar ,ipaddress2,...
|
|
.Ek
|
|
.Nm
|
|
.Cm console
|
|
.Op Fl f
|
|
.Op Fl e Ar command
|
|
.Ar jailname
|
|
.Nm
|
|
.Cm list
|
|
.Nm
|
|
.Cm start | stop | restart | cryptostart Ar jailname...
|
|
.Nm
|
|
.Cm config
|
|
.Op Fl r Ar run | norun
|
|
.Op Fl n Ar newname
|
|
.Op Fl i Ar attach | detach | fsck
|
|
.Op Fl z Ar newdataset
|
|
.Op Fl c Ar newcpuset
|
|
.Op Fl f Ar newfib
|
|
.Ar jailname
|
|
.Nm
|
|
.Cm delete
|
|
.Op Fl wf
|
|
.Ar jailname
|
|
.Nm
|
|
.Cm archive
|
|
.Op Fl Af
|
|
.Op Fl a Ar archive
|
|
.Op Fl d Ar archivedir
|
|
.Ar jailname...
|
|
.Nm
|
|
.Cm restore
|
|
.Op Fl f
|
|
.Op Fl d Ar archivedir
|
|
.Ar archive | jailname...
|
|
.Nm
|
|
.Cm update
|
|
.Op Fl s Ar sourcetree | sourceosversion
|
|
.Op Fl p
|
|
.Fl b | Fl i | Fl P | Fl u | Fl U
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility is used to manage the ezjail environment and all the jails inside the
|
|
ezjail scope. This man page describes the invocation of
|
|
.Nm .
|
|
Refer to
|
|
.Xr ezjail 7
|
|
in order to get an introduction to the usage of ezjail, as well as
|
|
usage examples.
|
|
.Pp
|
|
The description of some options ends with
|
|
.Sq Variable: Dq Li $ezjail_abcd .
|
|
This means that the default value of the option may be overridden by setting
|
|
this variable in
|
|
.Xr ezjail.conf 5 .
|
|
.Ss Nm Cm install
|
|
This function sub-command is normally run once in the life of the ezjail
|
|
environment. It allocates the directory structure used by ezjail and populates
|
|
the base jail using the minimal distribution set from a FreeBSD FTP server.
|
|
.Pp
|
|
The default location for ezjail's basejail is in
|
|
.Pa /usr/jails ,
|
|
so be sure you have enough space there (a FreeBSD base release without man
|
|
pages, sources and ports is around 120MB). This location may be modified in
|
|
.Xr ezjail.conf 5 .
|
|
.Pp
|
|
See also
|
|
.Nm
|
|
.Cm update
|
|
to install the base jail from source, as well as a method to update
|
|
the base jail using
|
|
.Xr freebsd-update 8 .
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl m
|
|
Fetch and install man pages (ca. 10MB).
|
|
.It Fl M
|
|
Fetch and install man pages, without (re)installing the base jail. May be used
|
|
to add the man pages to the base jail after the initial installation.
|
|
.It Fl s
|
|
Fetch and install sources (ca. 450MB).
|
|
.It Fl S
|
|
Fetch and install sources, without (re)installing the base jail.
|
|
.It Fl p
|
|
Invoke the
|
|
.Xr portsnap 8
|
|
utility to fetch and extract a FreeBSD ports tree from
|
|
.Li portsnap.FreeBSD.org
|
|
(ca. 475MB). When a ports tree is added to the base jail, a modified
|
|
.Pa make.conf
|
|
containing reasonable values to function in the jailed environment is added to
|
|
the new jail template so all jails created from the new jail template will
|
|
have a working ports environment. See the appendix
|
|
.%B Using Portsnap
|
|
in the
|
|
.%B FreeBSD Handbook
|
|
for details or
|
|
.Xr portsnap 8 .
|
|
.It Fl P
|
|
Fetch and extract a ports tree, without (re)installing the base jail.
|
|
.It Fl h Ar host
|
|
Set the remote host to fetch FreeBSD distribution sets from. If absent the
|
|
default host
|
|
.Li ftp.FreeBSD.org
|
|
is used. Variable:
|
|
.Dq Li $ezjail_ftphost .
|
|
.Pp
|
|
It is possible to install from the
|
|
.Li disc1
|
|
CDRom, or an extracted -RELEASE directory, by specifying the
|
|
.Ar host
|
|
argument as
|
|
.Pa file://path/to/source .
|
|
.It Fl r Ar release
|
|
Install this release of FreeBSD in the base jail, instead of the version
|
|
returned by
|
|
.Dq Li uname -r
|
|
on the host system. Note that the FreeBSD FTP servers usually provide only
|
|
-RELEASE versions, not -STABLE nor -CURRENT versions; you will be prompted for
|
|
confirmation when trying to install a non -RELEASE version. If you want to
|
|
install a -CURRENT version, you may have to compile from source the base jail;
|
|
see the
|
|
.Nm Cm update
|
|
sub-command for this.
|
|
.El
|
|
.Ss Nm Cm create
|
|
Create a new jail inside ezjail's scope. It either copies the new jail
|
|
directory tree template or an ezjail archive directory tree to new jail root
|
|
directory,
|
|
.Pa /usr/jails/ Ns Ar jailname
|
|
by default. Jailname and IP address are mandatory parameters.
|
|
.Pp
|
|
When a new jail is created, a corresponding new
|
|
.Pa /etc/fstab. Ns Ar jailname
|
|
file is also created, with a
|
|
.Xr nullfs 5
|
|
mount giving access to the base jail from the new jail.
|
|
.Pp
|
|
The following operands are mandatory:
|
|
.Bl -tag -width indent
|
|
.It Ar jailname
|
|
The name of the jail. It is customary to use the network name of the jail,
|
|
such as
|
|
.Dq Li jail1.example.com
|
|
(or maybe simply
|
|
.Dq Li jail1 ) ,
|
|
but really any name may be used.
|
|
.Pp
|
|
It is an error to have several jails of the same name, note that due to
|
|
ezjail's internal jailname sanitation,
|
|
.Dq Li sand-box.com
|
|
and
|
|
.Dq Li sand_box_com
|
|
are considered identical. Some names such as
|
|
.Dq Li basejail
|
|
and
|
|
.Dq Li flavours
|
|
are reserved for ezjails internal administrative purposes.
|
|
.It Ar ipaddress Ns Op Ar ,ipaddress2,...
|
|
The IP address or addresses of the jail. Since FreeBSD 7.2, it is possible to
|
|
assign several several IPv4 or IPv6 addresses to a jail, by separating them
|
|
with commas. Previous versions of FreeBSD allowed only a single IPv4 address
|
|
per jail.
|
|
.Pp
|
|
The addresses of the jail are not configured on the host.
|
|
.Nm
|
|
will display a warning if the requested address is not found on any interface,
|
|
and the jail will probably not start.
|
|
.Pp
|
|
It is common to bind jails to loopback addresses, so they provide services
|
|
visible to other jails only.
|
|
.El
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl r Ar jailroot
|
|
Use this name as the directory name of the new jail. Without this option, it
|
|
is derived from the jail's name. If this option is given and does not start
|
|
with a '/', it is interpreted as relative to ezjail's root directory
|
|
.Pa (/usr/jails
|
|
by default). If a specified jailroot path lies outside the ezjail root
|
|
directory, a soft link is created inside
|
|
.Pa /usr/jails/
|
|
pointing to the location of the newly created jail.
|
|
.It Fl a Ar archive
|
|
Restore a jail from an archive created with
|
|
.Nm Cm archive .
|
|
The archive files are kept in
|
|
.Pa /usr/jails/ezjail_archives
|
|
by default. Use
|
|
.Pa -
|
|
to restore an archive from the standard input.
|
|
.Pp
|
|
You will probably need to tidy up things inside an ezjail if you migrate it
|
|
between different ezjail environments. This may include (but is not limited
|
|
to) reinstalling ports or packages for different CPUs or library versions. You
|
|
may also need to copy some libraries from the source host's base jail.
|
|
.Pp
|
|
See also
|
|
.Nm Cm restore ,
|
|
if you only want to revert to an old jail's state from an archive on the same
|
|
release version.
|
|
.It Fl x
|
|
This flag indicates that a jail root directory for that jail already exists.
|
|
In this case, ezjail will only import the jail to its control directory. Sanity
|
|
checks are performed.
|
|
.It Fl f Ar flavour
|
|
Install the requested
|
|
.Ar flavour
|
|
in the new jail. Refer to
|
|
.Xr ezjail 7
|
|
for more details on flavours.
|
|
.Pp
|
|
This option may not be used with the
|
|
.Fl a
|
|
option.
|
|
.It Fl c Cm simple | bde | eli | zfs
|
|
Create an image jail of the given type.
|
|
.Pp
|
|
.Cm simple, bde No and Cm eli
|
|
image jails are file backed memory discs attached as
|
|
.Xr md 4
|
|
devices, so the jail can never grow beyond its allocated size and can
|
|
even be mounted read only. The jail will be stored in a file named
|
|
.Ar jailname Ns Pa .img ,
|
|
unless
|
|
.Fl r Ar jailroot
|
|
is given, in which case the jail is stored in
|
|
.Ar jailroot Ns Pa .img .
|
|
.Pp
|
|
Both
|
|
.Cm bde No and Cm eli
|
|
jails use the
|
|
.Xr geom 4
|
|
framework to encrypt all data written to the image file using
|
|
.Xr gbde 4
|
|
(for
|
|
.Cm bde )
|
|
or
|
|
.Xr geli 8
|
|
(for
|
|
.Cm eli ) .
|
|
.Pp
|
|
Unless you pass some options to the encryption geom commands using the
|
|
.Fl C
|
|
parameter, you will be prompted for a passphrase to protect the crypto
|
|
image. Note that, since starting normal encrypted image jails requires user
|
|
interaction to enter the passphrase, they will
|
|
.Cm NOT automatically be started at boot time. No Use
|
|
.Cm ezjail-admin startcrypto No to manually start all crypto image jails.
|
|
.Pp
|
|
A
|
|
.Cm zfs
|
|
jail is backed with a
|
|
.Xr zfs 8
|
|
filesystem, whose initial quota is given with the
|
|
.Fl s
|
|
option. The filesystem is created in the
|
|
.Dq Li $ezjail_jailzfs
|
|
parent filesystem and by default compressed using the lzjb method, as set in
|
|
the
|
|
.Dq Li ezjail_zfs_jail_properies
|
|
variable, both values configured in
|
|
.Xr ezjail.conf 5
|
|
.Pp
|
|
In each case, the
|
|
.Fl s
|
|
flag is mandatory when creating such a jail. An empty directory (without the
|
|
.Pa .img
|
|
suffix in the case of file-based jails) will be created and used as a mount
|
|
point when running the jail.
|
|
.It Fl s Ar imagesize
|
|
Allocate this size to the jail. Without an unit, the size is in bytes. The
|
|
valid suffix values are b/B for blocks (i. e. 512 bytes), k/K for kilobytes,
|
|
m/M for megabytes, and g/G for gigabytes. As a reference point, a newly
|
|
created jail requires 2 MB.
|
|
.Pp
|
|
It is not possible to increase the size of file-based jails after their
|
|
creation, short of creating a new image jail with a larger size.
|
|
.It Fl C Ar imageopt
|
|
Pass this argument to
|
|
.Xr gbde 8
|
|
or
|
|
.Xr geli 8
|
|
when initialising crypto image jails. The
|
|
.Fl P No and Fl K
|
|
(and
|
|
.Fl L
|
|
for
|
|
.Xr gbde 4 )
|
|
options will be translated and passed to the respective attach command when
|
|
starting the jail. You will have to escape parameters with single ticks to
|
|
protect them from shell expansion.
|
|
.It Fl i
|
|
Synonym of
|
|
.Fl c Cm simple .
|
|
.It Fl b
|
|
Tell ezjail that starting this jail would block unattended reboots. This may
|
|
happen when certain services need private SSL keys that require the user to
|
|
interactively enter a passphrase. The jail is then not automatically started
|
|
at boot time.
|
|
.El
|
|
.Ss Nm Cm console
|
|
Attach your console to the selected jail. You are logged in as root by
|
|
default.
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl f
|
|
Start the jail if it is not running yet.
|
|
.It Fl e Ar command
|
|
Use
|
|
.Ar command
|
|
instead of the default
|
|
.Dq /usr/bin/login -f root .
|
|
loogin command. A one time change to use a different user can be
|
|
accomplished by using
|
|
.Fl e Qq Li /usr/bin/login -f user .
|
|
Variable:
|
|
.Dq Li $ezjail_default_execute .
|
|
.El
|
|
.Ss Nm Cm list
|
|
List all jails inside ezjail's scope. They are sorted by the order they start
|
|
up, as defined by
|
|
.Xr rcorder 1 .
|
|
.Pp
|
|
The first column is the status flag consisting of 2 or 3 letters. The first
|
|
letter is the type of jail:
|
|
.Bl -tag -width 4n -offset indent -compact
|
|
.It Sy D
|
|
Directory tree based jail.
|
|
.It Sy I
|
|
File-based jail.
|
|
.It Sy E
|
|
Geli encrypted file-based jail.
|
|
.It Sy B
|
|
Bde encrypted file-based jail.
|
|
.It Sy Z
|
|
ZFS filesystem-based jail.
|
|
.El
|
|
.Pp
|
|
The second letter is the status of the jail:
|
|
.Bl -tag -width 4n -offset indent -compact
|
|
.It Sy R
|
|
The jail is running.
|
|
.It Sy A
|
|
The image of the jail is mounted, but the jail is not running.
|
|
.It Sy S
|
|
The jail is stopped.
|
|
.El
|
|
.Pp
|
|
If present, the third letter,
|
|
.Sy N ,
|
|
means that the jail is not automatically started.
|
|
.Pp
|
|
The following columns are the JID (when it is running), the IP addresses, the name and the full path directory name of the jail.
|
|
.Ss Nm Cm start | restart | stop | startcrypto Op Ar jailname ...
|
|
.Pp
|
|
This is a shortcut to the
|
|
.Xr rc 8
|
|
.Cm ezjail
|
|
script. Refer to
|
|
.Xr ezjail 7
|
|
section
|
|
.Pa Starting jails
|
|
for details.
|
|
.Pp
|
|
Note that, if ezjail is not enabled in
|
|
.Xr rc.conf 5
|
|
with
|
|
.Dq Li ezjail_enable= Ns Qq Li YES ,
|
|
nothing happens.
|
|
.Pp
|
|
Since starting crypto image jails requires interaction with the administrator, they are not run at
|
|
boot time. Use
|
|
.Cm startcrypto No to run them all at once.
|
|
.Ss Nm Cm config Ar jailname
|
|
Manage parameters of specific ezjails. For running jails, most of the
|
|
configuration changes described below will not be applied until the next time
|
|
the jail is restarted.
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl r Cm run | norun
|
|
Set the jail to be automatically started or not on boot.
|
|
.It Fl n Ar newname
|
|
Rename the jail. Unless a custom root directory was given with the
|
|
.Fl r
|
|
flag when creating the jail, the root directory will be renamed as well. A
|
|
running jail may not be renamed.
|
|
.It Fl i Cm attach | detach | fsck
|
|
Only valid for stopped image jails. Attaching a jail means making the content
|
|
of the root of the jail accessible from the host. No other sub-commands will
|
|
function on an jail while its image is attached. With
|
|
.Cm fsck ,
|
|
the image jail is attached,
|
|
.Xr fsck 8
|
|
is run, then the image jail is detached. You can only fsck image based jails.
|
|
.It Fl z Ar newdataset
|
|
Set the given ZFS dataset to be mounted inside the jail file system
|
|
when it is started.
|
|
.It Fl f Ar newfib
|
|
Change the FIB of the jail (see
|
|
.Xr setfib 2 ) .
|
|
.It Fl c Ar newcpuset
|
|
Change the CPU affinity set of the jail (see
|
|
.Xr cpuset 2 ) .
|
|
.El
|
|
.Ss Nm Cm delete Ar jailname
|
|
Delete a jail. By default, this command only deletes ezjail's control file for
|
|
the selected jail as well as
|
|
.Pa /etc/fstab. Ns Ar jailname .
|
|
The
|
|
.Pa /usr/jails/ Ns Ar jailname
|
|
directory is not deleted.
|
|
.Pp
|
|
.Bl -tag -width indent
|
|
.It Fl f
|
|
Stop the jail before deleting it.
|
|
.It Fl w
|
|
Delete the directory or the file backing the jail.
|
|
.El
|
|
.Ss Nm Cm archive Op jailname
|
|
Create a backup of one or all jails. The jail's root directory tree is backed
|
|
up as a
|
|
.Xr pax 1
|
|
archive. By default, the jail needs to be stopped.
|
|
.Bl -tag -width indent
|
|
.It Fl A
|
|
Archive all jails. You must neither specify an archivename nor a jailname in
|
|
this case.
|
|
.It Fl a Ar archivename
|
|
Use this name for the archive file. If absent, the archive file name is
|
|
derived from the jail name, with the current date and time appended to the
|
|
archive's file name. Use
|
|
.Pa -
|
|
to write to stdout.
|
|
.It Fl d Ar directory
|
|
Save the archive in this directory. If this option is not given and
|
|
.Dq Li $ezjail_archivedir
|
|
is not set, the archive is saved in the default directory.
|
|
Variable:
|
|
.Dq Li $ezjail_archivedir .
|
|
.It Fl f
|
|
Archive the jail even when it is running.
|
|
.El
|
|
.Pp
|
|
Use
|
|
.Nm Cm restore
|
|
or
|
|
.Nm Cm create Fl a Ar archive
|
|
to restore an archive.
|
|
.Ss Nm Cm restore
|
|
Create new ezjails from archived versions. It tries to collect all
|
|
information necessary to do that without user interaction from the
|
|
user.
|
|
.Pp
|
|
The following operand is mandatory:
|
|
.Bl -tag -width indent
|
|
.It Ar archive | jailname
|
|
Restore this jail. If only the jail name is given,
|
|
.Nm
|
|
will use the most recent archive file matching the name you specified.
|
|
To restore an older version, specify the complete archive file name
|
|
(file name with the date and time of the archive appended to it).
|
|
.El
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl d Ar archivedir
|
|
Search the archive file in this directory. If this option is not given, the
|
|
archive is searched in
|
|
.Dq Li $ezjail_archivedir .
|
|
.It Fl f
|
|
Restore the archive even if running on a host different from
|
|
where it was archived. Be default,
|
|
.Nm
|
|
will refuse to restore an archive if the archived host system's hostname,
|
|
its FreeBSD version or CPU architecture do not match the current host.
|
|
.El
|
|
.Ss Nm Cm update
|
|
Updates ezjail's basejail, or in the
|
|
.Fl b
|
|
or
|
|
.Fl i
|
|
case, install a FreeBSD world from source to be used as basejail.
|
|
.Pp
|
|
Exactly one of the following operand must be specified:
|
|
.Bl -tag -width indent
|
|
.It Fl b
|
|
Build a world from source and install it as the (updated) basejail.
|
|
.Dq make buildworld ; make installworld
|
|
by default using the sources located at
|
|
.Pa /usr/src
|
|
(but see the
|
|
.Fl s
|
|
option).
|
|
.Pp
|
|
As the old basejail is not deleted, but merely overwritten, this usually
|
|
leaves all jails in a state where they still find older versions of libraries
|
|
they were linked against.
|
|
.It Fl i
|
|
As above but only perform a
|
|
.Dq make installworld ,
|
|
assuming the world has already been built. That is highly likely since it is
|
|
recommended to update the basejail along with the host system.
|
|
.It Fl u
|
|
Use
|
|
.Xr freebsd-update 8
|
|
to update the basejail. Note that as
|
|
.Xr freebsd-update 8
|
|
uses
|
|
.Dq Li uname -r
|
|
to determine the currently running system, the base jail and the host
|
|
need to be updated at the same time, without rebooting on the new
|
|
kernel in the meantime.
|
|
.It Fl U
|
|
Use
|
|
.Xr freebsd-update 8
|
|
to upgrade the basejail to the hosts operating system version, or a version
|
|
you may pass freebsd-update's call to
|
|
.Dq uname -r
|
|
via the
|
|
.Pa UNAME_r
|
|
environment variable. Since there currently is no way of infering the
|
|
osversion currently installed in the basejail, you need to remember the
|
|
original osversion and pass it to this script using the
|
|
.Fl s
|
|
option.
|
|
.It Fl P
|
|
Install only the ports tree, assuming the basejail has already been
|
|
created. This can be done while jails are running. The
|
|
.Xr portsnap 8
|
|
utility is invoked to do the actual work.
|
|
.El
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl p
|
|
Give the new basejail a copy of FreeBSD's ports tree. The
|
|
.Xr portsnap 8
|
|
utility is invoked to do the actual work.
|
|
.It Fl s Ar sourcedir | sourceosversion
|
|
In the
|
|
.Fl b No and Fl i No case: Use the sources in
|
|
.Ar sourcedir
|
|
instead of
|
|
.Pa /usr/src .
|
|
Variable:
|
|
.Dq Li $ezjail_sourcetree .
|
|
.Pp
|
|
In the
|
|
.Fl U No case: Pass this release tag to
|
|
.Xr freebsd-update 8
|
|
as the source OS version of the basejail.
|
|
.El
|
|
.Pp
|
|
See the
|
|
.Cm install
|
|
sub command to install the basejail from binary packages.
|
|
.Pp
|
|
If the basejail is managed in its own ZFS filesystem, a snapshot of that
|
|
filesystem is taken first.
|
|
.Sh FILES
|
|
.Pa EZJAIL_PREFIX/bin/ezjail-admin
|
|
.br
|
|
.Pa EZJAIL_PREFIX/etc/rc.d/ezjail
|
|
.br
|
|
.Pa EZJAIL_PREFIX/etc/ezjail.conf
|
|
.br
|
|
.Pa EZJAIL_PREFIX/share/examples/ezjail/
|
|
.br
|
|
.Pa EZJAIL_PREFIX/etc/ezjail/*
|
|
.br
|
|
.Pa /usr/etc/fstab.*
|
|
.Sh SEE ALSO
|
|
.Xr ezjail 7 ,
|
|
.Xr ezjail.conf 8 ,
|
|
.Xr jail 8 ,
|
|
.Xr devfs 5 ,
|
|
.Xr fdescfs 5 ,
|
|
.Xr procfs 5 ,
|
|
.Xr portsnap 8 .
|
|
.Sh AUTHOR
|
|
.An Dirk Engling
|
|
.Aq erdgeist@erdgeist.org .
|