Attention! I apologize, but this text is an automatic machine translation. You can improve it by sending me a corrected version of the text or by fixing the HTML pages via the GitHub repository.
What you need to know about cbsd
cbsd is an additional layer of abstraction over the FreeBSD Jail framework and over part of the FreeBSD functionality. Some of the FreeBSD subsystems that cbsd makes use of:
- vnet (VIMAGE)
- zfs
- racct/rctl
- ipfw
- pf
- carp
- hastd
- auditd
Many of these subsystems are not directly related to jails; however, they allow cbsd (which is the connecting link between these components) to offer the system administrator more advanced and integrated solutions to its problems.
Below is information useful to the system administrator, describing the cbsd architecture in more detail.
First, the official FreeBSD documentation on jails is required reading to understand what a jail is in the ordinary sense.
Second, it is useful to know the cbsd file system hierarchy. Let us agree on the following terms and values used throughout the documentation:
- Node - a physical server / resource unit.
- Jail - an isolated environment with its own set of software/services. These can be server-side components (DNS, Apache / nginx, postfix) or a graphical environment.
- Cloud - a farm/cluster of interconnected nodes, a full-fledged peer-to-peer network (each node can perform tasks on the others through cbsd).
- cbsd - the entity that controls a particular node (or nodes) and certain FreeBSD subsystems, provides a simplified and unified set of actions (API) on nodes or jails, and provides ACLs and permission settings for cbsd clients.
- $workdir - the working directory on a cbsd node, initialized by cbsd initenv on the first run. Usually /usr/jails.
- $jname - the name of the particular jail used in an example.
The most important data live in $workdir/jails-data/$jname: this directory is either the root file system of the jail called $jname itself, if the jail was created with the flag baserw=1, or it holds the jail's own data, which is overlaid on the standard base from $workdir/basejail/$basename in the directory ${workdir}/jails.
Given that the base can always be regenerated by building it from source or by downloading it from the repository, a cbsd jail can be migrated to any other jail management project, or used with the basic FreeBSD jail functionality; the essential thing is to have consistent data in this directory. Note: if you use a jail of type md, the directory $workdir/jails-data/$jname contains the image of the jail.
Second in importance in the directory hierarchy are the cbsd configuration files for jail creation, located in $workdir/jails-rcconf. In effect, each file is the configuration of a single jail as used by the "jail -c" utility, extended with additional cbsd-related parameters. These files can be edited with any editor while the jail is stopped.
The other directories are not critical to the jails themselves. For example, the directory $workdir/jails-system serves as additional storage for auxiliary information about jails: service configurators, traffic and load statistics, jail descriptions and so on.
Internal information for cbsd's own needs resides in $workdir/db. For example, the list of added nodes, the inventory of both the local and remote nodes, the database with the jail settings and so on.
Important from a security point of view are the directories ${workdir}/.rssh and ${workdir}/.ssh, which contain the private RSA keys for remote cbsd nodes and for the local node respectively. Make sure the contents of these directories are not accessible to other users of the system. By default the keys are readable only by the cbsd system user.
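A quick way to verify that last point is to audit both key directories for entries that are group- or world-readable, or not owned by the cbsd user. The script below is an added example written for this page and is not part of cbsd; it assumes the default $workdir of /usr/jails and the owner name cbsd (both can be overridden as arguments), and the function name audit_cbsd_keys is made up here.

```sh
#!/bin/sh
# Audit the cbsd key directories: every entry under ${workdir}/.rssh (private
# keys of remote nodes) and ${workdir}/.ssh (this node's own key pair) must be
# owned by the cbsd user and must not be readable by group or others.
#
# Usage: audit_cbsd_keys [WORKDIR] [OWNER]    (defaults: /usr/jails, cbsd)
# Exit status: 0 = clean, 1 = at least one exposed entry (listed on stderr),
#              2 = the expected owner does not exist on this system.

audit_cbsd_keys() {
    workdir="${1:-/usr/jails}"   # assumption: cbsd default $workdir
    owner="${2:-cbsd}"           # assumption: cbsd runs as the "cbsd" system user
    rc=0

    # find(1) aborts on an unknown user name, so check it up front.
    if ! id "$owner" >/dev/null 2>&1; then
        printf 'no such user: %s\n' "$owner" >&2
        return 2
    fi

    for d in "$workdir/.rssh" "$workdir/.ssh"; do
        [ -d "$d" ] || continue
        # A finding is any entry (the directory itself included) that has the
        # group-read (040) or other-read (004) bit set, or a different owner.
        # Only POSIX find(1) primaries are used, so this works on both FreeBSD
        # and GNU userlands.
        findings=$(find "$d" \( ! -user "$owner" -o -perm -040 -o -perm -004 \) -print)
        if [ -n "$findings" ]; then
            printf 'exposed key material under %s:\n%s\n' "$d" "$findings" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: audit the default location (run as root, since the
# directories themselves are normally mode 0700).
audit_cbsd_keys "$@"
```

If the audit reports findings, the fix is the obvious one: chown -R the two directories to the cbsd user and chmod -R go-rwx them, then re-run the audit. Running it from cron on every node is a cheap way to catch a key that was copied in by hand with the wrong mode.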
A brief summary of the hierarchy cbsd
${workdir}/.rssh/ | Storage for the private keys of remote nodes. Files are added and removed with the cbsd node command.
${workdir}/.ssh | Holds the private and public key of the node itself, generated during initialization by cbsd initenv. This is the public key that is exchanged when a node is added with cbsd node mode=add. The key file name is the md5 sum of the nodename.
${workdir}/basejail | Ready-to-use FreeBSD base systems and kernels (the result of cbsd buildworld/buildkernel, cbsd installworld/installkernel, or cbsd repo action=get sources=base/kernel).
${workdir}/etc | Configuration files needed to run cbsd.
${workdir}/export | Default directory for exported jail files (cbsd jexport jname=$jname writes the file $jname.img here).
${workdir}/import | Default directory from which jails are imported (cbsd jimport jname=$jname deploys the jail $jname from here).
${workdir}/jails | Contains the mount points for the roots of jails that use baserw=0.
${workdir}/jails-data | Holds the jail data. This is what needs to be backed up (together with the jail's fstab and rc.conf files). For jails with baserw=1 these directories are the jail root when the jail starts.
${workdir}/jails-fstab | fstab files for the jails. The syntax is the regular FreeBSD one, with the single exception that the mount point path is written relative to the jail root (the record "/usr/ports /usr/ports nullfs rw 0 0" in the file fstab.$jname means that the master node's directory /usr/ports will be mounted at startup on ${workdir}/jails/$jname/usr/ports).
${workdir}/jails-rcconf | rc.conf files used for jail creation. These parameters can be changed with an editor or via the command cbsd jset jname=$jname param=val (e.g. cbsd jset jname=$jname ip="192.168.0.2/24"). The jail must be stopped to change these settings.
${workdir}/jails-system | May contain helper scripts related to the jail (configuration wizards, configurators, etc.), the jail's description, and the saved jail traffic accounting when ipfw is used. This directory takes part in jimport/jexport operations and in jail migration.
${workdir}/var | System information for cbsd. For example, ${workdir}/var/db holds the inventory of the local node and of remote nodes, if any were added.
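Because each line of fstab.$jname names a host path and a mount point relative to the jail root, it is worth resolving those entries to the host paths they really touch before starting a jail: a nullfs mount with the rw option, like the /usr/ports record in the table, lets processes inside the jail modify that directory on the master node. The script below is an added example for this page, not part of cbsd; it assumes the default $workdir of /usr/jails and the baserw=0 layout (jail root under ${workdir}/jails/$jname) described above, and the function names jail_mounts and jail_rw_nullfs are made up here. The sample fstab it parses is constructed for the demo.

```sh
#!/bin/sh
# Resolve the entries of a cbsd jail fstab (${workdir}/jails-fstab/fstab.$jname)
# to the host paths they actually touch, and flag host directories that the
# jail can write to through a read-write nullfs mount.
#
# Usage: jail_mounts FSTAB_FILE JNAME [WORKDIR]
# Prints one line per entry: "<host path> -> <resolved mount point> <type> <opts>"

jail_mounts() {
    fstab="$1"; jname="$2"; workdir="${3:-/usr/jails}"   # assumption: default $workdir
    # Jails with baserw=0 are mounted under ${workdir}/jails/$jname, so a
    # mount point written relative to the jail root resolves against that.
    jroot="$workdir/jails/$jname"
    # Skip comment lines; fields are the usual fstab ones:
    # device mountpoint fstype options dump pass
    grep -v '^[[:space:]]*#' "$fstab" | while read -r dev mnt fstype opts _dump _pass; do
        [ -n "$dev" ] || continue
        printf '%s -> %s%s %s %s\n' "$dev" "$jroot" "$mnt" "$fstype" "$opts"
    done
}

# List the host paths exported into the jail read-write via nullfs, i.e. the
# directories the jail can modify on the master node. Returns 1 if any exist.
jail_rw_nullfs() {
    fstab="$1"
    hits=$(grep -v '^[[:space:]]*#' "$fstab" |
           awk '$3 == "nullfs" && $4 ~ /(^|,)rw(,|$)/ { print $1 }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# --- demo on a constructed fstab.www (not a real cbsd file) ---
demo=$(mktemp -d)
cat > "$demo/fstab.www" <<'EOF'
# the record from the table above, plus a read-only share
/usr/ports /usr/ports nullfs rw 0 0
/usr/local/share/www /usr/local/www nullfs ro 0 0
EOF
jail_mounts "$demo/fstab.www" www
jail_rw_nullfs "$demo/fstab.www" || echo "WARNING: jail www can write to the host paths above"
rm -r "$demo"
```

For the constructed file the first function prints "/usr/ports -> /usr/jails/jails/www/usr/ports nullfs rw" and the second reports /usr/ports as writable from inside the jail. If a jail only needs to read a host directory, mount it ro; if it must write, give it a dedicated directory rather than a shared host tree.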