zh_TW.UTF-8/books/handbook/book.xml
Context not available. | |||||
<!ENTITY pgpkey.davide SYSTEM "davide.key"> | <!ENTITY pgpkey.davide SYSTEM "davide.key"> | ||||
<!ENTITY pgpkey.davidxu SYSTEM "davidxu.key"> | <!ENTITY pgpkey.davidxu SYSTEM "davidxu.key"> | ||||
<!ENTITY pgpkey.db SYSTEM "db.key"> | <!ENTITY pgpkey.db SYSTEM "db.key"> | ||||
<!ENTITY pgpkey.dbaio SYSTEM "dbaio.key"> | |||||
<!ENTITY pgpkey.dbn SYSTEM "dbn.key"> | <!ENTITY pgpkey.dbn SYSTEM "dbn.key"> | ||||
<!ENTITY pgpkey.dchagin SYSTEM "dchagin.key"> | <!ENTITY pgpkey.dchagin SYSTEM "dchagin.key"> | ||||
<!ENTITY pgpkey.dcs SYSTEM "dcs.key"> | <!ENTITY pgpkey.dcs SYSTEM "dcs.key"> | ||||
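Review bot: the new entity declaration `<!ENTITY pgpkey.dbaio SYSTEM "dbaio.key">` (and the same pattern for dexter, eugen, joneum, rcyu and wulf in the following hunks) points at a key file that is not part of this change; confirm each `.key` file already exists in the same directory, since an entity whose SYSTEM file is missing breaks the build the moment it is referenced.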
Context not available. | |||||
<!ENTITY pgpkey.demon SYSTEM "demon.key"> | <!ENTITY pgpkey.demon SYSTEM "demon.key"> | ||||
<!ENTITY pgpkey.den SYSTEM "den.key"> | <!ENTITY pgpkey.den SYSTEM "den.key"> | ||||
<!ENTITY pgpkey.des SYSTEM "des.key"> | <!ENTITY pgpkey.des SYSTEM "des.key"> | ||||
<!ENTITY pgpkey.dexter SYSTEM "dexter.key"> | |||||
<!ENTITY pgpkey.dfr SYSTEM "dfr.key"> | <!ENTITY pgpkey.dfr SYSTEM "dfr.key"> | ||||
<!ENTITY pgpkey.dhartmei SYSTEM "dhartmei.key"> | <!ENTITY pgpkey.dhartmei SYSTEM "dhartmei.key"> | ||||
<!ENTITY pgpkey.dhn SYSTEM "dhn.key"> | <!ENTITY pgpkey.dhn SYSTEM "dhn.key"> | ||||
Context not available. | |||||
<!ENTITY pgpkey.emax SYSTEM "emax.key"> | <!ENTITY pgpkey.emax SYSTEM "emax.key"> | ||||
<!ENTITY pgpkey.erj SYSTEM "erj.key"> | <!ENTITY pgpkey.erj SYSTEM "erj.key"> | ||||
<!ENTITY pgpkey.erwin SYSTEM "erwin.key"> | <!ENTITY pgpkey.erwin SYSTEM "erwin.key"> | ||||
<!ENTITY pgpkey.eugen SYSTEM "eugen.key"> | |||||
<!ENTITY pgpkey.fabient SYSTEM "fabient.key"> | <!ENTITY pgpkey.fabient SYSTEM "fabient.key"> | ||||
<!ENTITY pgpkey.fanf SYSTEM "fanf.key"> | <!ENTITY pgpkey.fanf SYSTEM "fanf.key"> | ||||
<!ENTITY pgpkey.farrokhi SYSTEM "farrokhi.key"> | <!ENTITY pgpkey.farrokhi SYSTEM "farrokhi.key"> | ||||
Context not available. | |||||
<!ENTITY pgpkey.johans SYSTEM "johans.key"> | <!ENTITY pgpkey.johans SYSTEM "johans.key"> | ||||
<!ENTITY pgpkey.jon SYSTEM "jon.key"> | <!ENTITY pgpkey.jon SYSTEM "jon.key"> | ||||
<!ENTITY pgpkey.jonathan SYSTEM "jonathan.key"> | <!ENTITY pgpkey.jonathan SYSTEM "jonathan.key"> | ||||
<!ENTITY pgpkey.joneum SYSTEM "joneum.key"> | |||||
<!ENTITY pgpkey.josef SYSTEM "josef.key"> | <!ENTITY pgpkey.josef SYSTEM "josef.key"> | ||||
<!ENTITY pgpkey.jpaetzel SYSTEM "jpaetzel.key"> | <!ENTITY pgpkey.jpaetzel SYSTEM "jpaetzel.key"> | ||||
<!ENTITY pgpkey.jrm SYSTEM "jrm.key"> | <!ENTITY pgpkey.jrm SYSTEM "jrm.key"> | ||||
Context not available. | |||||
<!ENTITY pgpkey.rafan SYSTEM "rafan.key"> | <!ENTITY pgpkey.rafan SYSTEM "rafan.key"> | ||||
<!ENTITY pgpkey.rakuco SYSTEM "rakuco.key"> | <!ENTITY pgpkey.rakuco SYSTEM "rakuco.key"> | ||||
<!ENTITY pgpkey.ray SYSTEM "ray.key"> | <!ENTITY pgpkey.ray SYSTEM "ray.key"> | ||||
<!ENTITY pgpkey.rcyu SYSTEM "rcyu.key"> | |||||
<!ENTITY pgpkey.rdivacky SYSTEM "rdivacky.key"> | <!ENTITY pgpkey.rdivacky SYSTEM "rdivacky.key"> | ||||
<!ENTITY pgpkey.rea SYSTEM "rea.key"> | <!ENTITY pgpkey.rea SYSTEM "rea.key"> | ||||
<!ENTITY pgpkey.rees SYSTEM "rees.key"> | <!ENTITY pgpkey.rees SYSTEM "rees.key"> | ||||
Context not available. | |||||
<!ENTITY pgpkey.wollman SYSTEM "wollman.key"> | <!ENTITY pgpkey.wollman SYSTEM "wollman.key"> | ||||
<!ENTITY pgpkey.woodsb02 SYSTEM "woodsb02.key"> | <!ENTITY pgpkey.woodsb02 SYSTEM "woodsb02.key"> | ||||
<!ENTITY pgpkey.wosch SYSTEM "wosch.key"> | <!ENTITY pgpkey.wosch SYSTEM "wosch.key"> | ||||
<!ENTITY pgpkey.wulf SYSTEM "wulf.key"> | |||||
<!ENTITY pgpkey.wxs SYSTEM "wxs.key"> | <!ENTITY pgpkey.wxs SYSTEM "wxs.key"> | ||||
<!ENTITY pgpkey.xmj SYSTEM "xmj.key"> | <!ENTITY pgpkey.xmj SYSTEM "xmj.key"> | ||||
<!ENTITY pgpkey.xride SYSTEM "xride.key"> | <!ENTITY pgpkey.xride SYSTEM "xride.key"> | ||||
Context not available. | |||||
<year>2014</year> | <year>2014</year> | ||||
<year>2015</year> | <year>2015</year> | ||||
<year>2016</year> | <year>2016</year> | ||||
<year>2017</year> | |||||
<holder>The FreeBSD Documentation Project</holder> | <holder>The FreeBSD Documentation Project</holder> | ||||
</copyright> | </copyright> | ||||
Context not available. | |||||
<listitem> | <listitem> | ||||
<para><link xlink:href="http://www.ixsystems.com/">iXsystems</link> <indexterm> | <para><link xlink:href="http://www.ixsystems.com/">iXsystems</link> <indexterm> | ||||
<primary>iXsystems</primary> | <primary>iXsystems</primary> | ||||
</indexterm> - 統合存儲 (Unified Storage) 設備的 TrueNAS 產品線是以 FreeBSD 為基礎。除了該公司自己的商業產品外,iXsystems 也管理著 PC-BSD 和 FreeNAS 兩個開源計劃的開發。</para> | </indexterm> - 統合存儲 (Unified Storage) 設備的 TrueNAS 產品線是以 FreeBSD 為基礎。除了該公司自己的商業產品外,iXsystems 也管理著 TrueOS 和 FreeNAS 兩個開源計劃的開發。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
Context not available. | |||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para><link xlink:href="http://www.sandvine.com/">Sandvine</link> <indexterm> | <para xml:lang="en"><link xlink:href="http://www.sandvine.com/">Sandvine</link> | ||||
<indexterm xml:lang="en"> | |||||
<primary>Sandvine</primary> | <primary>Sandvine</primary> | ||||
</indexterm> - Sandvine 使用 FreeBSD 作為它們的高性能即時網路處理平台,來建立它們的智慧網路策略控制產品。</para> | </indexterm> - Sandvine uses FreeBSD as the basis of their | ||||
high performance real-time network processing platforms | |||||
that make up their intelligent network policy control | |||||
products.</para> | |||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
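Review bot: this hunk replaces the existing Chinese translation of the Sandvine entry with the English source text tagged `xml:lang="en"`, which is a translation regression rather than an update; if the English source changed, re-translate the paragraph before landing, otherwise keep the previous Chinese text ("Sandvine 使用 FreeBSD 作為它們的高性能即時網路處理平台…").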
Context not available. | |||||
<para><link xlink:href="https://www.stormshield.eu">Stormshield</link> <indexterm> | <para><link xlink:href="https://www.stormshield.eu">Stormshield</link> <indexterm> | ||||
<primary>Stormshield</primary> | <primary>Stormshield</primary> | ||||
</indexterm> - Stormshield 網路安全設備使用了硬體化版本的 FreeBSD 做為基礎,BSD 授權條款讓我們我們的智慧財產與系統可以整合,並同時回饋大量有趣的發展給社群。</para> | </indexterm> - Stormshield 網路安全設備使用了硬體化版本的 FreeBSD 做為基礎,BSD 授權條款讓他們可將其智慧財產與系統整合並同時回饋大量有趣的發展給社群。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
Context not available. | |||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para><link xlink:href="http://www.pcbsd.org/">PC-BSD</link> <indexterm> | <para><link xlink:href="http://www.pcbsd.org/">TrueOS</link> <indexterm> | ||||
<primary>PC-BSD</primary> | <primary>TrueOS</primary> | ||||
</indexterm> - 訂製版本的 FreeBSD,裝備了給桌面使用者使用的圖型化工具來展示 FreeBSD 強大的功能給所有使用者,專門設計來緩解使用者在 Windows 與 OS X 間的過渡。</para> | </indexterm> - 訂製版本的 FreeBSD,裝備了給桌面使用者使用的圖型化工具來展示 FreeBSD 強大的功能給所有使用者,專門設計來緩解使用者在 Windows 與 OS X 間的過渡。</para> | ||||
</listitem> | </listitem> | ||||
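Review bot: the link text and index term are renamed from PC-BSD to TrueOS, but `xlink:href` still points at `http://www.pcbsd.org/`; the TrueOS note later in this change uses `http://www.trueos.org/`, so update this href to the same URL for consistency.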
Context not available. | |||||
<para>一般來說,本章所寫的安裝說明是針對 <trademark>i386</trademark> 和 <acronym>AMD64</acronym> 架構。如果可以用於其他平台,將會列表說明。 安裝程式和本章所敘述的內容可能會有些微差異,所以請將本章視為通用的指引,而不是完全照著來做。</para> | <para>一般來說,本章所寫的安裝說明是針對 <trademark>i386</trademark> 和 <acronym>AMD64</acronym> 架構。如果可以用於其他平台,將會列表說明。 安裝程式和本章所敘述的內容可能會有些微差異,所以請將本章視為通用的指引,而不是完全照著來做。</para> | ||||
<note> | <note> | ||||
<para>喜歡用圖形化安裝程式安裝 FreeBSD 的使用者, 可能會對 <application>pc-sysinstall</application> 有興趣,這是 PC-BSD 計畫所使用的。 他可以用來安裝圖形化桌面 (PC-BSD) 或是指令列版本的 FreeBSD。 細節請參考 PC-BSD 使用者 Handbook (<link xlink:href="http://wiki.pcbsd.org/index.php/Colophon">http://wiki.pcbsd.org/index.php/Colophon</link>)。</para> | <para>喜歡用圖形化安裝程式安裝 FreeBSD 的使用者, 可能會對 <application>pc-sysinstall</application> 有興趣,這是 TrueOS 計畫所使用的。 他可以用來安裝圖形化桌面 (TrueOS) 或是指令列版本的 FreeBSD。 細節請參考 TrueOS 使用者 Handbook (<link xlink:href="https://www.trueos.org/handbook/trueos.html">https://www.trueos.org/handbook/trueos.html</link>)。</para> | ||||
</note> | </note> | ||||
<para>讀完這章,您將了解︰</para> | <para>讀完這章,您將了解︰</para> | ||||
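Review bot: in the rewritten note, "他可以用來安裝圖形化桌面" uses 他 (he) for the pc-sysinstall program; 它 is the pronoun for software, so "它可以用來安裝". The wording is carried over from the old text, but since the paragraph is being rewritten this is the moment to fix it.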
Context not available. | |||||
<step> | <step> | ||||
<title>取得 <application>Image Writer <trademark class="registered">Windows</trademark> 版</application></title> | <title>取得 <application>Image Writer <trademark class="registered">Windows</trademark> 版</application></title> | ||||
<para><application>Image Writer <trademark class="registered">Windows</trademark> 版</application> 是一個免費的應用程式,可以正確地將映像檔寫入隨身碟。 從 <uri xlink:href="https://launchpad.net/win32-image-writer/">https://launchpad.net/win32-image-writer/</uri> 下載,並解壓縮到一個資料夾。</para> | <para><application>Image Writer <trademark class="registered">Windows</trademark> 版</application> 是一個免費的應用程式,可以正確地將映像檔寫入隨身碟。可從 <uri xlink:href="https://sourceforge.net/projects/win32diskimager/">https://sourceforge.net/projects/win32diskimager/</uri> 下載,並解壓縮到一個資料夾。</para> | ||||
</step> | </step> | ||||
<step> | <step> | ||||
Context not available. | |||||
<para>有時在 <filename>/var/tmp</filename> 會需要較多的空間,當新軟體安裝,套件工具會從套件中取出暫存的複本置於 <filename>/var/tmp</filename>。若在 <filename>/var/tmp</filename> 沒有足夠的空間,要安裝大型軟體套件,例如 <application>Firefox</application>, <application>Apache OpenOffice</application> 或 <application>LibreOffice</application> 會很困難。</para> | <para>有時在 <filename>/var/tmp</filename> 會需要較多的空間,當新軟體安裝,套件工具會從套件中取出暫存的複本置於 <filename>/var/tmp</filename>。若在 <filename>/var/tmp</filename> 沒有足夠的空間,要安裝大型軟體套件,例如 <application>Firefox</application>, <application>Apache OpenOffice</application> 或 <application>LibreOffice</application> 會很困難。</para> | ||||
</note> | </note> | ||||
<para><filename>/usr</filename> 分割區會保存許多支持系統運作的檔案,包含 FreeBSD Port 套件集以及系統原始碼。這個分割區建議至少要有 2 GB 的空間。</para> | <para><filename>/usr</filename> 分割區保存了許多支持系統運作的檔案,包含 FreeBSD Port 套件集以及系統原始碼,這個分割區建議至少要有 2 GB 的空間。</para> | ||||
<para>在規劃分割區大小時,請牢記空間需求,當因某個分割區空間不足時要改使用其他分割區時會很麻煩。</para> | <para>在規劃分割區大小時,請牢記空間需求,當因某個分割區空間不足時要改使用其他分割區時會很麻煩。</para> | ||||
Context not available. | |||||
</mediaobject> | </mediaobject> | ||||
</figure> | </figure> | ||||
<para>選擇 <keycap>T</keycap> 來設定儲存池類型 (<literal>Pool Type</literal>) 以及要組成儲存池的磁碟。自動 <acronym>ZFS</acronym> 安裝程式目前僅支援建立單一頂層 vdev,除了在串連 (Stripe) 模式。要建立更複雜的儲存池,需使用 <xref linkend="bsdinstall-part-shell"/> 的操作來建立儲存池。安裝程式支援建立各種儲存池類型,包含串連 Stripe (不建議,沒有備援功能)、鏡像 Mirror (效能較佳,但可用空間較少) 以及 RAID-Z 1, 2, 與 3 (分別有能力承受同時 1, 2 與 3 個磁碟的損壞)。在選擇儲存池類型時會有提示顯示在螢幕的下方,提示所需要的磁碟數以及在使用 RAID-Z 時,每個配置最佳的磁碟數。</para> | <para>選擇 <keycap>T</keycap> 來設定儲存池類型 (<literal>Pool Type</literal>) 以及要組成儲存池的磁碟。自動 <acronym>ZFS</acronym> 安裝程式目前僅支援建立單一頂層 vdev,除了在串連 (Stripe) 模式。要建立更複雜的儲存池,需使用 <xref linkend="bsdinstall-part-shell"/> 的操作來建立儲存池。安裝程式支援建立各種儲存池類型,包含串連 Stripe (不建議,沒有備援功能)、鏡像 Mirror (效能較佳,但可用空間較少) 以及 RAID-Z 1, 2, 與 3 (分別有能力承受同時 1, 2 與 3 個磁碟的損壞)。在選擇儲存池類型時會在螢幕的下方提示所需的磁碟數量,以及在使用 RAID-Z 時,每種配置最佳的磁碟數。</para> | ||||
<figure xml:id="bsdinstall-zfs-vdev_type"> | <figure xml:id="bsdinstall-zfs-vdev_type"> | ||||
<title><acronym>ZFS</acronym> 儲存池類型</title> | <title><acronym>ZFS</acronym> 儲存池類型</title> | ||||
Context not available. | |||||
subversion16-<replaceable>1.6.23_4</replaceable> | subversion16-<replaceable>1.6.23_4</replaceable> | ||||
subversion17-<replaceable>1.7.16_2</replaceable></screen> | subversion17-<replaceable>1.7.16_2</replaceable></screen> | ||||
<para>套件名稱包含版本編號,且若 Port 使用 Python 為基礎,也會包含用來編譯該套件的 Python 版本。有些 Port 會有多個版本可使用,如 <application>subversion</application> ,因編譯選項不同,有多個版本可用,這個例子中即指靜態連結版本的 <application>subversion</application>。在指定要安裝的套件時,最好使用 Port 來源來指定該應用程式,Port 來源是指應用程式在 Port 樹中的路徑。再輸入一次 <command>pkg search</command> 並加上 <option>-o</option> 來列出每個套件來源:</para> | <para>套件名稱包含版本編號,且若 Port 使用 Python 為基礎,也會包含用來編譯該套件的 Python 版本。有些 Port 會有多個版本可使用,如 <application>Subversion</application> ,因編譯選項不同,有多個版本可用,這個例子中即指靜態連結版本的 <application>Subversion</application>。在指定要安裝的套件時,最好使用 Port 來源來指定該應用程式,Port 來源是指應用程式在 Port 樹中的路徑。再輸入一次 <command>pkg search</command> 並加上 <option>-o</option> 來列出每個套件來源:</para> | ||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg search -o <replaceable>subversion</replaceable></userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg search -o <replaceable>subversion</replaceable></userinput> | ||||
devel/git-subversion | devel/git-subversion | ||||
Context not available. | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>/usr/sbin/pkg</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>/usr/sbin/pkg</userinput></screen> | ||||
<para>您必須有網際網路連線供啟動程式使用。</para> | <para>您必須有可用的網際網路連線供啟動程式使用方可成功。</para> | ||||
<para>否則,要安裝 Port 套件,則須執行:</para> | <para>否則,要安裝 Port 套件,則須執行:</para> | ||||
Context not available. | |||||
<sect3> | <sect3> | ||||
<title>自訂 Port 安裝</title> | <title>自訂 Port 安裝</title> | ||||
<para>部份 Port 提供編譯選項,可用來開啟或關閉應用程式中的元件、安全選項、或其他允許自訂的項目。這類的應用程式例子包括 <package>www/firefox</package>, <package>security/gpgme</package> 以及 <package>mail/sylpheed-claws</package>。若 Port 相依的其他 Port 有可設定的選項時,預設的模式會提示使用者選擇選單中的選項,這可能會讓安裝的過程暫停讓使用者操作數次。要避免這個情況,可在 Port skeleton 中執行 <command>make config-recursive</command> 來一次設定所有選項。然後再執行 <command>make install [clean]</command> 編譯與安裝該 Port。</para> | <para>部份 Port 提供編譯選項,可用來開啟或關閉應用程式中的元件、安全選項、或其他允許自訂的項目。這類的應用程式例子包括 <package>www/firefox</package>, <package>security/gpgme</package> 以及 <package>mail/sylpheed-claws</package>。若 Port 相依的其他 Port 有可設定的選項時,預設的模式會提示使用者選擇選單中的選項,這可能會讓安裝的過程暫停讓使用者操作數次。要避免這個情況,可一次設定所有選項,只要在 Port skeleton 中執行 <command>make config-recursive</command>,然後再執行 <command>make install [clean]</command> 編譯與安裝該 Port。</para> | ||||
<tip> | <tip> | ||||
<para>使用 <buildtarget>config-recursive</buildtarget> 時,會使用 <buildtarget>all-depends-list</buildtarget> Target 來收集所有要設定 Port 清單。建議執行 <command>make config-recursive</command> 直到所有相依的 Port 選項都已定義,直到 Port 的選項畫面不會再出現,來確定所有相依的選項都已經設定。</para> | <para>使用 <buildtarget>config-recursive</buildtarget> 時,會使用 <buildtarget>all-depends-list</buildtarget> Target 來收集所有要設定 Port 清單。建議執行 <command>make config-recursive</command> 直到所有相依的 Port 選項都已定義,直到 Port 的選項畫面不會再出現,來確定所有相依的選項都已經設定。</para> | ||||
Context not available. | |||||
<term>視窗管理程式 (Window Manager)</term> | <term>視窗管理程式 (Window Manager)</term> | ||||
<listitem> | <listitem> | ||||
<para>X 並不規定螢幕上的視窗該長什麼樣、要如何移動滑鼠指標、 要用什麼鍵來在視窗切換、每個視窗的標題列長相,及是否該有關閉按鈕,等等。事實上,X 把這部分交給所謂的視窗管理程式來管理。可用的<link xlink:href="http://xwinman.org/">視窗管理程式有很多種</link>,每一種視窗管理程式都提供不同的使用介面風格:有些支援虛擬桌面,有些允許自訂組合鍵來管理桌面,有些有 <quote>開始</quote> 鈕,有些則是可更換佈景主題,可自行安裝新的佈景主題以更換外觀。 視窗管理程式可在 Port 套件集的 <filename>x11-wm</filename> 分類找到。</para> | <para>X 並不規定螢幕上的視窗該長什麼樣、要如何移動滑鼠指標、 要用什麼鍵來在視窗切換、每個視窗的標題列長相,及是否該有關閉按鈕,等等。事實上,X 把這部分交給所謂的視窗管理程式來管理。可用的<link xlink:href="http://www.xwinman.org/">視窗管理程式有很多種</link>,每一種視窗管理程式都提供不同的使用介面風格:有些支援虛擬桌面,有些允許自訂組合鍵來管理桌面,有些有 <quote>開始</quote> 鈕,有些則是可更換佈景主題,可自行安裝新的佈景主題以更換外觀。 視窗管理程式可在 Port 套件集的 <filename>x11-wm</filename> 分類找到。</para> | ||||
<para>每個視窗管理程式也各有其不同的設定機制,有些需要手動修改設定檔, 而有的則可透過圖型化工具來完成大部分的設定工作。</para> | <para>每個視窗管理程式也各有其不同的設定機制,有些需要手動修改設定檔, 而有的則可透過圖型化工具來完成大部分的設定工作。</para> | ||||
</listitem> | </listitem> | ||||
Context not available. | |||||
<para>編輯 <filename>local.conf</filename> 完之後,請確認有使用 <literal></fontconfig></literal> 標籤結尾,若沒有使用會讓所做的更改被忽略。</para> | <para>編輯 <filename>local.conf</filename> 完之後,請確認有使用 <literal></fontconfig></literal> 標籤結尾,若沒有使用會讓所做的更改被忽略。</para> | ||||
<para xml:lang="en">Users can add personalized settings by creating their own | <para>使用者可透過建立自己的 <filename>~/.config/fontconfig/fonts.conf</filename> 來加入個人化的設定,此檔案使用與上述說明相同的 <acronym>XML</acronym> 格式。</para> | ||||
<filename>~/.config/fontconfig/fonts.conf</filename>. This | |||||
file uses the same <acronym>XML</acronym> format described | |||||
above.</para> | |||||
<indexterm xml:lang="en"><primary>LCD screen</primary></indexterm> | <indexterm xml:lang="en"><primary>LCD screen</primary></indexterm> | ||||
<indexterm xml:lang="en"><primary>Fonts</primary> | <indexterm xml:lang="en"><primary>Fonts</primary> | ||||
Context not available. | |||||
<para>隨著 FreeBSD 優越的效能及穩定性越來越熱門,它同時適合作為每日使用的桌面系統。FreeBSD 套件或 Port 有超過 24,000 個可用的應用程式,可以簡單的建立一個自訂的桌面環境來執行各種不同的桌面應用程式。本章將示範如何安裝數個桌面應用程式,包含網頁瀏覽器、辦工軟體、文件閱覽程式以及財務軟體。</para> | <para>隨著 FreeBSD 優越的效能及穩定性越來越熱門,它同時適合作為每日使用的桌面系統。FreeBSD 套件或 Port 有超過 24,000 個可用的應用程式,可以簡單的建立一個自訂的桌面環境來執行各種不同的桌面應用程式。本章將示範如何安裝數個桌面應用程式,包含網頁瀏覽器、辦工軟體、文件閱覽程式以及財務軟體。</para> | ||||
<note> | <note> | ||||
<para>比起重頭設定,更偏好安裝預先編譯好桌面環境的 FreeBSD 版本的使用者可參考 <link xlink:href="http://www.pcbsd.org/">pcbsd.org 網站</link></para> | <para>比起重頭設定與編譯,較偏好使用 FreeBSD 桌面環境已預先編譯好版本的使用者可參考 <link xlink:href="http://www.trueos.org/">trueos.org 網站</link>。</para> | ||||
</note> | </note> | ||||
<para>在閱讀這章之前,你必須了解如何:</para> | <para>在閱讀這章之前,你必須了解如何:</para> | ||||
Context not available. | |||||
<sect1 xml:id="multimedia-synopsis"> | <sect1 xml:id="multimedia-synopsis"> | ||||
<title>概述</title> | <title>概述</title> | ||||
<para>FreeBSD 廣泛地支援各種音效卡, 讓您可以享受來自電腦上的高傳真音質(Hi-Fi), 此外還包括了錄製和播放 MPEG Audio Layer 3 (<acronym>MP3</acronym>)、 Waveform Audio File (<acronym>WAV</acronym>)、Ogg Vorbis 以及其他許多種格式聲音的能力。同時 FreeBSD Port 套件集也包含了許多可讓您可以錄音、編修音效以及控制 MIDI 配備的應用程式。</para> | <para>FreeBSD 廣泛地支援各種音效卡, 讓使用者可以享受來自電腦上的高傳真音質(Hi-Fi), 此外還包括了錄製和播放 MPEG Audio Layer 3 (<acronym>MP3</acronym>)、 Waveform Audio File (<acronym>WAV</acronym>)、Ogg Vorbis 以及其他許多種格式聲音的能力。同時 FreeBSD Port 套件集也包含了許多可讓您可以錄音、編修音效以及控制 MIDI 配備的應用程式。</para> | ||||
<para> FreeBSD 也能播放一般的視訊檔和 <acronym>DVD</acronym>。 FreeBSD Port 套件集中含有可編碼、轉換以及播放格種影像媒體的應用程式。</para> | <para> FreeBSD 也能播放一般的視訊檔和 <acronym>DVD</acronym>。 FreeBSD Port 套件集中含有可編碼、轉換以及播放格種影像媒體的應用程式。</para> | ||||
Context not available. | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>kldload linux</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>kldload linux</userinput></screen> | ||||
<para xml:lang="en">For 64-bit compatibility:</para> | <para>對 64-位元的相容性:</para> | ||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>kldload linux64</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>kldload linux64</userinput></screen> | ||||
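Review bot: "對 64-位元的相容性" keeps an English-style hyphen between the number and the Chinese unit; the usual form is "64 位元" (with a space, as "2 GB" is written elsewhere in this file). The same form recurs in the next hunk ("在 64-位元的機器上", "64-位元模擬").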
Context not available. | |||||
<programlisting xml:lang="en">linux_enable="YES"</programlisting> | <programlisting xml:lang="en">linux_enable="YES"</programlisting> | ||||
<para xml:lang="en">On 64-bit machines, <filename>/etc/rc.d/abi</filename> will | <para>在 64-位元的機器上,<filename>/etc/rc.d/abi</filename> 會自動載入用來做 64-位元模擬的模組。</para> | ||||
automatically load the module for 64-bit emulation.</para> | |||||
<indexterm><primary>核心選項</primary> <secondary>COMPAT_LINUX</secondary></indexterm> | <indexterm><primary>核心選項</primary> <secondary>COMPAT_LINUX</secondary></indexterm> | ||||
Context not available. | |||||
<entry xml:lang="en">boot | <entry xml:lang="en">boot | ||||
<optional><replaceable>-options</replaceable></optional> | <optional><replaceable>-options</replaceable></optional> | ||||
<optional><replaceable>kernelname</replaceable></optional></entry> | <optional><replaceable>kernelname</replaceable></optional></entry> | ||||
<entry>使用指定的選項或核心名稱立即啟動核心。由指令列指定核心名稱前必須先執行 <command>unload</command>,否則會使用先前載入過的核心。若 <emphasis>kernelname</emphasis> 不是完整的路徑則會搜尋 <emphasis>/boot/kernel</emphasis> 及 <emphasis>/boot/modules</emphasis> 底下。</entry> | <entry>使用任何指定的選項或核心名稱立即啟動核心,要由指令列指定核心名稱必須先執行 <command>unload</command>,否則會使用先前載入過的核心。若 <emphasis>kernelname</emphasis> 不是完整的路徑則會搜尋 <emphasis>/boot/kernel</emphasis> 及 <emphasis>/boot/modules</emphasis> 底下。</entry> | ||||
</row> | </row> | ||||
<row> | <row> | ||||
Context not available. | |||||
<secondary>one-time passwords</secondary> | <secondary>one-time passwords</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">By default, FreeBSD includes support for One-time Passwords In | <para>預設 FreeBSD 已內建一次性密碼 (One-time Passwords In Everything, <acronym>OPIE</acronym>)。<acronym>OPIE</acronym> 設計用來避免重送攻擊 (Replay attack),重送攻擊指的是攻擊者發現了某位使用者的密碼,然後使用該密碼來存取系統。由於在 <acronym>OPIE</acronym> 的環境下,一組密碼只能被使用一次,被發現的密碼對攻擊者而言便沒有什麼作用。<acronym>OPIE</acronym> 使用了安全的加密方式與詰問/回應系統 (Challenge/response system) 來管理密碼。FreeBSD 在實作上預設採用 <acronym>MD5</acronym> 加密。</para> | ||||
Everything (<acronym>OPIE</acronym>). <acronym>OPIE</acronym> | |||||
is designed to prevent replay attacks, in which an attacker | |||||
discovers a user's password and uses it to access a system. | |||||
Since a password is only used once in <acronym>OPIE</acronym>, a | |||||
discovered password is of little use to an attacker. | |||||
<acronym>OPIE</acronym> uses a secure hash and a | |||||
challenge/response system to manage passwords. The FreeBSD | |||||
implementation uses the <acronym>MD5</acronym> hash by | |||||
default.</para> | |||||
<para xml:lang="en"><acronym>OPIE</acronym> uses three different types of | <para><acronym>OPIE</acronym> 使用了三種不同類型的密碼,第一種是一般的 <trademark class="registered">UNIX</trademark> 或 Kerberos 密碼,第二種是由 <command>opiekey</command> 所產生的一次性密碼,第三種是用來生一次性密碼的 <quote>秘密密碼 (Secret password)</quote>,秘密密碼與 <trademark class="registered">UNIX</trademark> 密碼無關且不應相同。</para> | ||||
passwords. The first is the usual <trademark class="registered">UNIX</trademark> or Kerberos password. | |||||
The second is the one-time password which is generated by | |||||
<command>opiekey</command>. The third type of password is the | |||||
<quote>secret password</quote> which is used to generate | |||||
one-time passwords. The secret password has nothing to do with, | |||||
and should be different from, the <trademark class="registered">UNIX</trademark> password.</para> | |||||
<para xml:lang="en">There are two other pieces of data that are important to | <para>對 <acronym>OPIE</acronym> 來說還有另外兩個部份的資料很重要。其中一個是<quote>種子碼 (Seed)</quote> 或稱<quote>金鑰 (Key)</quote>,由兩個字母與五個數字組成。另一個則是<quote>疊代次數 (Iteration count)</quote>,是一個介於 1 到 100 間的數字。<acronym>OPIE</acronym> 會將種子碼與秘密密碼串連後,套用 <acronym>MD5</acronym> 加密數次後 (根據疊代次數),再將結果轉換成六個簡短的英文單字來產生一次性密碼。認証系統會持續追蹤最後使用的一次性密碼,若使用者提供的密碼加密後與前一次的密碼相同則可通過認証。由於採用了單向的加密方式,若使用過的密碼被成功擷取也無法拿來產生之後的一次性密碼。疊代次數會在每一次登入成功之後減少,來保持使用者與登入程式間的同步。當疊代次數減少至 <literal>1</literal> 時,<acronym>OPIE</acronym> 便要重新初始化。</para> | ||||
<acronym>OPIE</acronym>. One is the <quote>seed</quote> or | |||||
<quote>key</quote>, consisting of two letters and five digits. | |||||
The other is the <quote>iteration count</quote>, a number | |||||
between 1 and 100. <acronym>OPIE</acronym> creates the one-time | |||||
password by concatenating the seed and the secret password, | |||||
applying the <acronym>MD5</acronym> hash as many times as | |||||
specified by the iteration count, and turning the result into | |||||
six short English words which represent the one-time password. | |||||
The authentication system keeps track of the last one-time | |||||
password used, and the user is authenticated if the hash of the | |||||
user-provided password is equal to the previous password. | |||||
Because a one-way hash is used, it is impossible to generate | |||||
future one-time passwords if a successfully used password is | |||||
captured. The iteration count is decremented after each | |||||
successful login to keep the user and the login program in sync. | |||||
When the iteration count gets down to <literal>1</literal>, | |||||
<acronym>OPIE</acronym> must be reinitialized.</para> | |||||
<para xml:lang="en">There are a few programs involved in this process. A | <para>這個整個程序會牽涉到幾個程式。傳送疊代次數、種子碼與秘密密碼來產生一組一次性密碼或數個一次性密碼的 <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry>。除了初始化 <acronym>OPIE</acronym> 之外,用來更改密碼、疊代次數或種子碼的 <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>。會讀取放在 <filename>/etc/opiekeys</filename> 的相關憑証檔來列出使用者目前的疊代次數與種子碼的 <citerefentry><refentrytitle>opieinfo</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> | ||||
one-time password, or a consecutive list of one-time passwords, | |||||
is generated by passing an iteration count, a seed, and a secret | |||||
password to <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry>. In addition to initializing | |||||
<acronym>OPIE</acronym>, <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry> is used to change | |||||
passwords, iteration counts, or seeds. The relevant credential | |||||
files in <filename>/etc/opiekeys</filename> are examined by | |||||
<citerefentry><refentrytitle>opieinfo</refentrytitle><manvolnum>1</manvolnum></citerefentry> which prints out the invoking user's current | |||||
iteration count and seed.</para> | |||||
<para xml:lang="en">This section describes four different sorts of operations. | <para>本章節將介紹四種不同的操作,第一是如何在安全連線下做第一次的一次性密碼設定,第二是如何使用在不安全的連線下使用 <command>opiepasswd</command>,第三是如何在不安全的連線下登入系統,第四是如何產生數個可以被記錄或列印下來在不安全的場所使的金鑰。</para> | ||||
The first is how to set up one-time-passwords for the first time | |||||
over a secure connection. The second is how to use | |||||
<command>opiepasswd</command> over an insecure connection. The | |||||
third is how to log in over an insecure connection. The fourth | |||||
is how to generate a number of keys which can be written down or | |||||
printed out to use at insecure locations.</para> | |||||
<sect2> | <sect2> | ||||
<title>初始化 <acronym>OPIE</acronym></title> | <title>初始化 <acronym>OPIE</acronym></title> | ||||
<para xml:lang="en">To initialize <acronym>OPIE</acronym> for the first time, | <para>第一次要初始化 <acronym>OPIE</acronym>,要在安全的場所執行以下指令:</para> | ||||
run this command from a secure location:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>opiepasswd -c</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>opiepasswd -c</userinput> | ||||
Adding unfurl: | Adding unfurl: | ||||
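Review bot: the translation renders "secure hash", "MD5 hash" and "one-way hash" as 加密 (encryption) throughout the OPIE description ("安全的加密方式", "預設採用 MD5 加密", "套用 MD5 加密數次", "單向的加密方式"); a hash is not encryption, and the distinction is the point of the paragraph (a captured password cannot be reversed), so use 雜湊 / 單向雜湊 instead. Two typos in the same hunk: "用來生一次性密碼" should be "用來產生一次性密碼", and "在不安全的場所使的金鑰" should be "在不安全的場所使用的金鑰".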
Context not available. | |||||
ID unfurl OTP key is 499 to4268 | ID unfurl OTP key is 499 to4268 | ||||
MOS MALL GOAT ARM AVID COED</screen> | MOS MALL GOAT ARM AVID COED</screen> | ||||
<para xml:lang="en">The <option>-c</option> sets console mode which assumes | <para><option>-c</option> 會設定採用假設指令在安全場所執行的 Console 模式,如在使用者掌控之中的電腦或者透過 <acronym>SSH</acronym> 連線到一台在使用者掌控之中的電腦。</para> | ||||
that the command is being run from a secure location, such as | |||||
a computer under the user's control or a | |||||
<acronym>SSH</acronym> session to a computer under the user's | |||||
control.</para> | |||||
<para xml:lang="en">When prompted, enter the secret password which will be | <para>提示出現後,輸入用來產生一次性登入金鑰的秘密密碼,應使用一個不容易被猜出來的密碼,且應與使用者登入帳號所使用的密碼不同,密碼必須介於 10 到 127 個字元長度之間,然後請記住這個密碼。</para> | ||||
used to generate the one-time login keys. This password | |||||
should be difficult to guess and should be different than the | |||||
password which is associated with the user's login account. | |||||
It must be between 10 and 127 characters long. Remember this | |||||
password.</para> | |||||
<para xml:lang="en">The <literal>ID</literal> line lists the login name | <para><literal>ID</literal> 行會列出登入名稱 (<literal>unfurl</literal>)、預設的疊代次數 (<literal>499</literal>) 以及預設的種子碼 (<literal>to4268</literal>)。在進行登入時,系統會記住這些參數並且顯示出來,這也代表不需要另外記錄這些資訊。最後一行會列出根據這些參數與秘密密碼所產生出來的一次性密碼,在下一次登入時便要使用這個一次性密碼。</para> | ||||
(<literal>unfurl</literal>), default iteration count | |||||
(<literal>499</literal>), and default seed | |||||
(<literal>to4268</literal>). When logging in, the system will | |||||
remember these parameters and display them, meaning that they | |||||
do not have to be memorized. The last line lists the | |||||
generated one-time password which corresponds to those | |||||
parameters and the secret password. At the next login, use | |||||
this one-time password.</para> | |||||
</sect2> | </sect2> | ||||
<sect2> | <sect2> | ||||
<title>不安全連線初始化</title> | <title>在不安全連線下做初始化</title> | ||||
<para xml:lang="en">To initialize or change the secret password on an | <para>要在不安全的系統上初始化或更改秘密密碼會需要某個可使用安全的連線的地方執行 <command>opiekey</command>,這可能是在某一台信任的主機上的 Shell。初始化需要設定疊代次數,100 可能是不錯的數字,種子碼可以自行指定或隨機產生,在不安全連線下要被初始化主機須使用 <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para> | ||||
insecure system, a secure connection is needed to some place | |||||
where <command>opiekey</command> can be run. This might be a | |||||
shell prompt on a trusted machine. An iteration count is | |||||
needed, where 100 is probably a good value, and the seed can | |||||
either be specified or the randomly-generated one used. On | |||||
the insecure connection, the machine being initialized, use | |||||
<citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>opiepasswd</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>opiepasswd</userinput> | ||||
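Review bot: "在不安全連線下要被初始化主機須使用 opiepasswd" is missing a particle; "要被初始化的主機" reads correctly. The description of `-c` ("會設定採用假設指令在安全場所執行的 Console 模式") is hard to parse; suggest "會啟用 Console 模式,此模式假設指令是在安全的場所執行,例如…" so the assumption and the examples are separate clauses.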
Context not available. | |||||
ID mark OTP key is 499 gr4269 | ID mark OTP key is 499 gr4269 | ||||
LINE PAP MILK NELL BUOY TROY</screen> | LINE PAP MILK NELL BUOY TROY</screen> | ||||
<para xml:lang="en">To accept the default seed, press <keycap>Return</keycap>. | <para>要採用預設的種子碼,可直接按下 <keycap>Return</keycap> 做初始化。接著在輸入回應之前移到安全的連線然後給予相同的加密參數產生密碼:</para> | ||||
Before entering an access password, move over to the secure | |||||
connection and give it the same parameters:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey 498 to4268</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey 498 to4268</userinput> | ||||
Using the MD5 algorithm to compute response. | Using the MD5 algorithm to compute response. | ||||
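Review bot: "給予相同的加密參數" calls the iteration count and seed "encryption parameters"; they are the OTP challenge parameters (疊代次數與種子碼), so say "相同的參數" or name them. The added "做初始化" after 按下 Return is not in the English source ("To accept the default seed, press Return") and can be dropped.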
Context not available. | |||||
Enter secret pass phrase: | Enter secret pass phrase: | ||||
GAME GAG WELT OUT DOWN CHAT</screen> | GAME GAG WELT OUT DOWN CHAT</screen> | ||||
<para xml:lang="en">Switch back over to the insecure connection, and copy the | <para>切換回不安全的連線,然後複製產生的一次性密碼貼上。</para> | ||||
generated one-time password over to the relevant | |||||
program.</para> | |||||
</sect2> | </sect2> | ||||
<sect2> | <sect2> | ||||
<title>產生單組一次性密碼</title> | <title>產生單組一次性密碼</title> | ||||
<para xml:lang="en">After initializing <acronym>OPIE</acronym> and logging in, | <para>在初始化 <acronym>OPIE</acronym> 之後進行登入會顯示如下的提示訊息:</para> | ||||
a prompt like this will be displayed:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>telnet example.com</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>telnet example.com</userinput> | ||||
Trying 10.0.0.1... | Trying 10.0.0.1... | ||||
Context not available. | |||||
otp-md5 498 gr4269 ext | otp-md5 498 gr4269 ext | ||||
Password: </screen> | Password: </screen> | ||||
<para xml:lang="en">The <acronym>OPIE</acronym> prompts provides a useful | <para><acronym>OPIE</acronym> 的提示提供了一個很有用的功能,若在密碼提示時按下 <keycap>Return</keycap>,便會開啟回應功能並顯示輸入的內容,這個功能在嘗試手工輸入列印出來的密碼時很有用。</para> | ||||
feature. If <keycap>Return</keycap> is pressed at the | |||||
password prompt, the prompt will turn echo on and display | |||||
what is typed. This can be useful when attempting to type in | |||||
a password by hand from a printout.</para> | |||||
<indexterm xml:lang="en"><primary>MS-DOS</primary></indexterm> | <indexterm xml:lang="en"><primary>MS-DOS</primary></indexterm> | ||||
<indexterm xml:lang="en"><primary>Windows</primary></indexterm> | <indexterm xml:lang="en"><primary>Windows</primary></indexterm> | ||||
<indexterm xml:lang="en"><primary>MacOS</primary></indexterm> | <indexterm xml:lang="en"><primary>MacOS</primary></indexterm> | ||||
<para xml:lang="en">At this point, generate the one-time password to answer | <para>此時,要產生一次性密碼來回應登入時的提示,這必須在受信任且可安全執行 <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry> 的系統上完成。這個指令有提供 <trademark class="registered">Windows</trademark>, <trademark class="registered">Mac!OS</trademark> 與 FreeBSD 版本,使用時需要疊代次數與種子碼做為在指令列的參數,剪下在要登入主機在登入時所提示的訊息。</para> | ||||
this login prompt. This must be done on a trusted system | |||||
where it is safe to run <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry>. There are versions | |||||
of this command for <trademark class="registered">Windows</trademark>, <trademark class="registered">Mac!OS</trademark> and FreeBSD. This command | |||||
needs the iteration count and the seed as command line | |||||
options. Use cut-and-paste from the login prompt on the | |||||
machine being logged in to.</para> | |||||
<para xml:lang="en">On the trusted system:</para> | <para>在信任的系統上執行:</para> | ||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey 498 to4268</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey 498 to4268</userinput> | ||||
Using the MD5 algorithm to compute response. | Using the MD5 algorithm to compute response. | ||||
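Review bot: The last sentence of the translated paragraph on L300 loses the meaning of "Use cut-and-paste from the login prompt on the machine being logged in to"; "剪下在要登入主機在登入時所提示的訊息" reads as "cut the message" and is ungrammatical. Suggest "疊代次數與種子碼可直接從要登入的主機所顯示的登入提示中複製貼上", so the reader understands the count and seed are copied, not retyped.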
Context not available. | |||||
Enter secret pass phrase: | Enter secret pass phrase: | ||||
GAME GAG WELT OUT DOWN CHAT</screen> | GAME GAG WELT OUT DOWN CHAT</screen> | ||||
<para xml:lang="en">Once the one-time password is generated, continue to log | <para>在產生一次性密碼後,回到登入畫面繼續登入。</para> | ||||
in.</para> | |||||
</sect2> | </sect2> | ||||
<sect2> | <sect2> | ||||
<title>產生多組一次性密碼</title> | <title>產生多組一次性密碼</title> | ||||
<para xml:lang="en">Sometimes there is no access to a trusted machine or | <para>有時會無法存取信任的主機或沒有安全的連線,在這種情況下,可以使用 <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry> 來預先產生多個一次性密碼,例如:</para> | ||||
secure connection. In this case, it is possible to use | |||||
<citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry> to generate a number of one-time passwords | |||||
beforehand. For example:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey -n 5 30 zz99999</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey -n 5 30 zz99999</userinput> | ||||
Using the MD5 algorithm to compute response. | Using the MD5 algorithm to compute response. | ||||
Context not available. | |||||
29: RIO ODIN GO BYE FURY TIC | 29: RIO ODIN GO BYE FURY TIC | ||||
30: GREW JIVE SAN GIRD BOIL PHI</screen> | 30: GREW JIVE SAN GIRD BOIL PHI</screen> | ||||
<para xml:lang="en">The <option>-n 5</option> requests five keys in sequence, | <para><option>-n 5</option> 會請求產生連續五個金鑰,而 <option>30</option> 則是指定最後一個疊代的編號。注意這些列印出的結果的順序與使用的順序<emphasis>相反</emphasis>。十足的偏執狂可能會想要用手寫下結果,否則就列印出清單。每一行會同時顯示疊代次數及一次性密碼,在密碼使用過後便可劃掉。</para> | ||||
and <option>30</option> specifies what the last iteration | |||||
number should be. Note that these are printed out in | |||||
<emphasis>reverse</emphasis> order of use. The really | |||||
paranoid might want to write the results down by hand; | |||||
otherwise, print the list. Each line shows both the iteration | |||||
count and the one-time password. Scratch off the passwords as | |||||
they are used.</para> | |||||
</sect2> | </sect2> | ||||
<sect2> | <sect2> | ||||
<title>限制使用 <trademark class="registered">UNIX</trademark> 密碼</title> | <title>限制使用 <trademark class="registered">UNIX</trademark> 密碼</title> | ||||
<para xml:lang="en"><acronym>OPIE</acronym> can restrict the use of <trademark class="registered">UNIX</trademark> | <para><acronym>OPIE</acronym> 可以根據登入階段的 IP 位置限制使用 <trademark class="registered">UNIX</trademark> 密碼,相關的檔案為 <filename>/etc/opieaccess</filename>,這個檔案預設便存在。請參考 <citerefentry><refentrytitle>opieaccess</refentrytitle><manvolnum>5</manvolnum></citerefentry> 來取得更多有關此檔案的資訊以及當使用時要考量的安全性問題。</para> | ||||
passwords based on the IP address of a login session. The | |||||
relevant file is <filename>/etc/opieaccess</filename>, which | |||||
is present by default. Refer to <citerefentry><refentrytitle>opieaccess</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |||||
information on this file and which security considerations to | |||||
be aware of when using it.</para> | |||||
<para xml:lang="en">Here is a sample <filename>opieaccess</filename>:</para> | <para>這裡有一個範本 <filename>opieaccess</filename>:</para> | ||||
<programlisting xml:lang="en">permit 192.168.0.0 255.255.0.0</programlisting> | <programlisting xml:lang="en">permit 192.168.0.0 255.255.0.0</programlisting> | ||||
<para xml:lang="en">This line allows users whose IP source address (which is | <para>這一行允許來源 IP 位址 (容易受到詐騙的位址) 符合指定值與遮罩的使用者在任何時間可使用 <trademark class="registered">UNIX</trademark> 密碼登入。</para> | ||||
vulnerable to spoofing) matches the specified value and mask, | |||||
to use <trademark class="registered">UNIX</trademark> passwords at any time.</para> | |||||
<para xml:lang="en">If no rules in <filename>opieaccess</filename> are | <para>若在 <filename>opieaccess</filename> 中沒有符合的規則,預設會拒絕非 <acronym>OPIE</acronym> 的登入。</para> | ||||
matched, the default is to deny non-<acronym>OPIE</acronym> | |||||
logins.</para> | |||||
</sect2> | </sect2> | ||||
</sect1> | </sect1> | ||||
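Review bot: On L346 "vulnerable to spoofing" is rendered as "容易受到詐騙的位址", where 詐騙 means fraud/scam rather than address forgery; this weakens the security caveat the English attaches to opieaccess rules. Suggest "(來源位址可能遭到偽造)" or "(容易被偽造的位址)", so the reader understands that the IP-based permit rule trusts a value an attacker can forge.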
Context not available. | |||||
<secondary>OpenSSH</secondary> | <secondary>OpenSSH</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en"><application>OpenSSH</application> is a set of network | <para><application>OpenSSH</application> 是一套網路連線工具,可安全的存取遠端的主機,此外,透過 <acronym>SSH</acronym> 連線可以建立 <acronym>TCP/IP</acronym> 連線通道或安全的轉送 <acronym>TCP/IP</acronym> 的封包。<application>OpenSSH</application> 會對所有傳輸的資料做加密,可有效的避免竊聽 (Eavesdropping)、或連線劫持 (Connection hijacking) 與其他網路層的攻擊。</para> | ||||
connectivity tools used to provide secure access to remote | |||||
machines. Additionally, <acronym>TCP/IP</acronym> connections | |||||
can be tunneled or forwarded securely through | |||||
<acronym>SSH</acronym> connections. | |||||
<application>OpenSSH</application> encrypts all traffic to | |||||
effectively eliminate eavesdropping, connection hijacking, and | |||||
other network-level attacks.</para> | |||||
<para xml:lang="en"><application>OpenSSH</application> is maintained by the | <para><application>OpenSSH</application> 由 OpenBSD 專案所維護且在 FreeBSD 預設會安裝,它可同時相容 <acronym>SSH</acronym> 版本 1 與 2 通訊協定。</para> | ||||
OpenBSD project and is installed by default in FreeBSD. It is | |||||
compatible with both <acronym>SSH</acronym> version 1 and 2 | |||||
protocols.</para> | |||||
<para xml:lang="en">When data is sent over the network in an unencrypted form, | <para>當以未加密的方式在網路上傳送資料時,任何在客戶端與伺服器之間的網路竊聽程式 (Network sniffer) 皆可竊取使用者/密碼資訊或者在連線階段傳送的資料,<application>OpenSSH</application> 提供了數種認証與加密方式來避免這種事情發生。更多有關 <application>OpenSSH</application> 的資訊可於 <link xlink:href="http://www.openssh.com/">http://www.openssh.com/</link> 取得。</para> | ||||
network sniffers anywhere in between the client and server can | |||||
steal user/password information or data transferred during the | |||||
session. <application>OpenSSH</application> offers a variety of | |||||
authentication and encryption methods to prevent this from | |||||
happening. More information about | |||||
<application>OpenSSH</application> is available from <link xlink:href="http://www.openssh.com/">http://www.openssh.com/</link>.</para> | |||||
<para xml:lang="en">This section provides an overview of the built-in client | <para>本節會簡單介紹如何使用內建的客戶端工具安全的存取其他系統及安全的傳輸檔案到 FreeBSD 系統,然後會說明如何設定在 FreeBSD 系統上的 <acronym>SSH</acronym> 伺服器。更多的資訊可於本章節所提及的操作手冊 (Man page) 取得。</para> | ||||
utilities to securely access other systems and securely transfer | |||||
files from a FreeBSD system. It then describes how to configure a | |||||
<acronym>SSH</acronym> server on a FreeBSD system. More | |||||
information is available in the man pages mentioned in this | |||||
chapter.</para> | |||||
<sect2> | <sect2> | ||||
<title>使用 SSH 客戶端工具</title> | <title>使用 SSH 客戶端工具</title> | ||||
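Review bot: On L376 the direction of the file transfer is inverted: "securely transfer files from a FreeBSD system" became "安全的傳輸檔案到 FreeBSD 系統" (to a FreeBSD system). Suggest "從 FreeBSD 系統安全地傳輸檔案". Also, L357 has a stray "、或" in "竊聽 (Eavesdropping)、或連線劫持"; drop the "或" so the list reads "竊聽 (Eavesdropping)、連線劫持 (Connection hijacking) 與其他網路層的攻擊".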
Context not available. | |||||
<secondary>client</secondary> | <secondary>client</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">To log into a <acronym>SSH</acronym> server, use | <para>要登入一台 <acronym>SSH</acronym> 伺服器,可使用 <command>ssh</command> 然後指定在伺服器上存在的使用者名稱與 <acronym>IP</acronym> 位址或伺服器的主機名稱。若這是第一次連線到指定的伺服器,會提示該使用者伺服器的指紋做第一次檢驗:</para> | ||||
<command>ssh</command> and specify a username that exists on | |||||
that server and the <acronym>IP</acronym> address or hostname | |||||
of the server. If this is the first time a connection has | |||||
been made to the specified server, the user will be prompted | |||||
to first verify the server's fingerprint:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>ssh <replaceable>user@example.com</replaceable></userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>ssh <replaceable>user@example.com</replaceable></userinput> | ||||
The authenticity of host 'example.com (10.0.0.1)' can't be established. | The authenticity of host 'example.com (10.0.0.1)' can't be established. | ||||
Context not available. | |||||
Permanently added 'example.com' (ECDSA) to the list of known hosts. | Permanently added 'example.com' (ECDSA) to the list of known hosts. | ||||
Password for user@example.com: <userinput><replaceable>user_password</replaceable></userinput></screen> | Password for user@example.com: <userinput><replaceable>user_password</replaceable></userinput></screen> | ||||
<para xml:lang="en"><acronym>SSH</acronym> utilizes a key fingerprint system | <para><acronym>SSH</acronym> 會在客戶端連線時利用金鑰指紋 (Key fingerprint) 系統來驗證伺服器的真偽,當使用者在第一次連線時輸入 <literal>yes</literal> 接受了這個金鑰指紋,便會將該金鑰的複本儲存到使用者家目錄的 <filename>.ssh/known_hosts</filename>,未來嘗試登入時便會以這個存好的金鑰來驗證,若伺服器的金鑰與儲存的金鑰不同將會顯示警告訊息。若出現這個警告時,使用者應在繼續連線之前檢查金鑰變動的原因。</para> | ||||
to verify the authenticity of the server when the client | |||||
connects. When the user accepts the key's fingerprint by | |||||
typing <literal>yes</literal> when connecting for the first | |||||
time, a copy of the key is saved to | |||||
<filename>.ssh/known_hosts</filename> in the user's home | |||||
directory. Future attempts to login are verified against the | |||||
saved key and <command>ssh</command> will display an alert if | |||||
the server's key does not match the saved key. If this | |||||
occurs, the user should first verify why the key has changed | |||||
before continuing with the connection.</para> | |||||
<para xml:lang="en">By default, recent versions of | <para>最近版本的 <application>OpenSSH</application> 預設只會接受 <acronym>SSH</acronym>v2 的連線。客戶端預設會盡可能使用版本 2 的通訊協定,若伺服器不支援版本 2 的通訊協定便會向下相容版本 1 的協定。要強制 <command>ssh</command> 只能使用指定的通訊協定,可使用 <option>-1</option> 或 <option>-2</option>,其他的選項在 <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> 中有說明。</para> | ||||
<application>OpenSSH</application> only accept | |||||
<acronym>SSH</acronym>v2 connections. By default, the client | |||||
will use version 2 if possible and will fall back to version 1 | |||||
if the server does not support version 2. To force | |||||
<command>ssh</command> to only use the specified protocol, | |||||
include <option>-1</option> or <option>-2</option>. | |||||
Additional options are described in <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |||||
<indexterm xml:lang="en"> | <indexterm xml:lang="en"> | ||||
<primary>OpenSSH</primary> | <primary>OpenSSH</primary> | ||||
Context not available. | |||||
<primary><citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry></primary> | <primary><citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry></primary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">Use <citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry> to securely copy a file to or from a | <para>使用 <citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry> 可從遠端主機安全的複製一個檔案,以下範例會複製在遠端主機的 <filename>COPYRIGHT</filename> 到本地主機的目前目錄:</para> | ||||
remote machine. This example copies | |||||
<filename>COPYRIGHT</filename> on the remote system to a file | |||||
of the same name in the current directory of the local | |||||
system:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput> | ||||
Password for user@example.com: <userinput><replaceable>*******</replaceable></userinput> | Password for user@example.com: <userinput><replaceable>*******</replaceable></userinput> | ||||
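Review bot: On L422 "copy a file to or from a remote machine" is translated as only "從遠端主機安全的複製一個檔案" (from the remote machine); the outbound case is dropped. Suggest "可安全地將檔案複製到遠端主機或從遠端主機複製檔案".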
Context not available. | |||||
00:00 | 00:00 | ||||
<prompt>#</prompt></screen> | <prompt>#</prompt></screen> | ||||
<para xml:lang="en">Since the fingerprint was already verified for this host, | <para>由於這個主機的指紋已驗證過,在提示用者輸入密碼之前伺服器的金鑰已自動檢查。</para> | ||||
the server's key is automatically checked before prompting for | |||||
the user's password.</para> | |||||
<para xml:lang="en">The arguments passed to <command>scp</command> are similar | <para>傳給 <command>scp</command> 的參數與傳給 <command>cp</command> 的參數相似。第一個參數是要複製的檔案,第二個參數是目地,由於檔案是透過網路取得,檔案參數需要使用 <option>user@host:<path_to_remote_file></option> 格式。注意,在 <command>scp</command> 要遞迴複製目錄是使用 <option>-r</option>,如同 <command>cp</command> 使用 <option>-R</option>。</para> | ||||
to <command>cp</command>. The file or files to copy is the | |||||
first argument and the destination to copy to is the second. | |||||
Since the file is fetched over the network, one or more of the | |||||
file arguments takes the form | |||||
<option>user@host:<path_to_remote_file></option>. Be | |||||
aware when copying directories recursively that | |||||
<command>scp</command> uses <option>-r</option>, whereas | |||||
<command>cp</command> uses <option>-R</option>.</para> | |||||
<para xml:lang="en">To open an interactive session for copying files, use | <para>要開啟可互動的連線來複製檔案可使用 <command>sftp</command>,請參考 <citerefentry><refentrytitle>sftp</refentrytitle><manvolnum>1</manvolnum></citerefentry> 來取得在 <command>sftp</command> 連線時可用的指令清單。</para> | ||||
<command>sftp</command>. Refer to <citerefentry><refentrytitle>sftp</refentrytitle><manvolnum>1</manvolnum></citerefentry> for a list of | |||||
available commands while in an <command>sftp</command> | |||||
session.</para> | |||||
<sect3 xml:id="security-ssh-keygen"> | <sect3 xml:id="security-ssh-keygen"> | ||||
<title>以金鑰為基礎的認證</title> | <title>以金鑰為基礎的認證</title> | ||||
<para xml:lang="en">Instead of using passwords, a client can be configured | <para>除了使用密碼之外,客戶端可以設定成使用金鑰來連線到遠端的主機。要產生 <acronym>RSA</acronym> 認証金鑰可使用 <command>ssh-keygen</command>。要產生成對的公鑰與私鑰,可指定金鑰的類型並依提示操作。建議使用容易記住但較難猜出的密碼來保護這個金鑰。</para> | ||||
to connect to the remote machine using keys. To generate | |||||
<acronym>RSA</acronym> | |||||
authentication keys, use <command>ssh-keygen</command>. To | |||||
generate a public and private key pair, specify the type of | |||||
key and follow the prompts. It is recommended to protect | |||||
the keys with a memorable, but hard to guess | |||||
passphrase.</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>ssh-keygen -t rsa</userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh-keygen -t rsa</userinput> | ||||
Generating public/private rsa key pair. | Generating public/private rsa key pair. | ||||
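Review bot: Typo on L432: "在提示用者輸入密碼之前" is missing a character and should read "在提示使用者輸入密碼之前".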
Context not available. | |||||
<calloutlist> | <calloutlist> | ||||
<callout arearefs="co-ssh-keygen-passphrase1"> | <callout arearefs="co-ssh-keygen-passphrase1"> | ||||
<para xml:lang="en">Type a passphrase here. It can contain spaces and | <para>在此輸入密碼,密碼不可含有空白或符號。</para> | ||||
symbols.</para> | |||||
</callout> | </callout> | ||||
<callout arearefs="co-ssh-keygen-passphrase2"> | <callout arearefs="co-ssh-keygen-passphrase2"> | ||||
<para xml:lang="en">Retype the passphrase to verify it.</para> | <para>再輸入一次密碼驗證。</para> | ||||
</callout> | </callout> | ||||
</calloutlist> | </calloutlist> | ||||
<para xml:lang="en">The private key | <para>私鑰會儲存於 <filename>~/.ssh/id_rsa</filename> 而公鑰會儲存於 <filename>~/.ssh/id_rsa.pub</filename>。<emphasis>公鑰</emphasis>必須複製到遠端主機的<filename>~/.ssh/authorized_keys</filename> 來讓以金鑰為基礎的認証可以運作。</para> | ||||
is stored in <filename>~/.ssh/id_rsa</filename> | |||||
and the public key | |||||
is stored in <filename>~/.ssh/id_rsa.pub</filename>. | |||||
The | |||||
<emphasis>public</emphasis> key must be copied to | |||||
<filename>~/.ssh/authorized_keys</filename> on the remote | |||||
machine for key-based authentication to | |||||
work.</para> | |||||
<warning> | <warning> | ||||
<para xml:lang="en">Many users believe that keys are secure by design and | <para>許多使用者認為金鑰的設計是安全的並在產生金鑰時未使用密碼,這樣的行為其實很<emphasis>危險</emphasis>。管理者可以手動查看私鑰來檢查金鑰對是否受密碼保護,如果私鑰檔案中包含 <literal>ENCRYPTED</literal> 字詞,則代表金鑰的擁有者有使用密碼。此外,要更進一步保護最終使用者的安全,可在公鑰檔案中放入 <literal>from</literal>,例如,在 <literal>ssh-rsa</literal> 前加上 <literal>from="192.168.10.5"</literal> 將只允許指定的使用者由該 IP 位址登入。</para> | ||||
will use a key without a passphrase. This is | |||||
<emphasis>dangerous</emphasis> behavior. An | |||||
administrator can verify that a key pair is protected by a | |||||
passphrase by viewing the private key manually. If the | |||||
private key file contains the word | |||||
<literal>ENCRYPTED</literal>, the key owner is using a | |||||
passphrase. In addition, to better secure end users, | |||||
<literal>from</literal> may be placed in the public key | |||||
file. For example, adding | |||||
<literal>from="192.168.10.5"</literal> in front of the | |||||
<literal>ssh-rsa</literal> | |||||
prefix will only allow that specific user to log in from | |||||
that <acronym>IP</acronym> address.</para> | |||||
</warning> | </warning> | ||||
<para xml:lang="en">The options and files vary with different versions of | <para>不同版本 <application>OpenSSH</application> 的選項與檔案會不同,要避免發生問題請參考 <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> | ||||
<application>OpenSSH</application>. | |||||
To avoid problems, consult <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |||||
<para xml:lang="en">If a passphrase is used, the user is prompted for | <para>若使用了密碼,在每次連線到伺服器時都會提示使用者輸入密碼。要將 <acronym>SSH</acronym> 金鑰載入到記憶體並讓每次連線時不必再輸入密碼,可使用 <citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry> 與 <citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> | ||||
the passphrase each time a connection is made to the server. | |||||
To load <acronym>SSH</acronym> keys into memory and remove | |||||
the need to type the passphrase each time, use | |||||
<citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry> and <citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |||||
<para xml:lang="en">Authentication is handled by | <para>認証可用 <command>ssh-agent</command> 來管理,只要將私鑰載入,<command>ssh-agent</command> 可用在執行其他應用程式,如 Shell 或視窗管理程式。</para> | ||||
<command>ssh-agent</command>, using the private keys that | |||||
are loaded into it. <command>ssh-agent</command> | |||||
can be used to launch another application like a | |||||
shell or a window manager.</para> | |||||
<para xml:lang="en">To use <command>ssh-agent</command> in a shell, start it | <para>要在 Shell 使用 <command>ssh-agent</command>,使用 Shell 做為參數來啟動 <command>ssh-agent</command>。執行 <command>ssh-add</command> 來加入識別碼,然後輸入私鑰的密碼。使用者將可使用 <command>ssh</command> 連線到任何有安裝對應公鑰的主機,例如:</para> | ||||
with a shell as an argument. Add the identity by | |||||
running <command>ssh-add</command> and entering the | |||||
passphrase for the private key. | |||||
The user will then be able to <command>ssh</command> | |||||
to any host that has the corresponding public key installed. | |||||
For example:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> ssh-agent <replaceable>csh</replaceable> | <screen xml:lang="en"><prompt>%</prompt> ssh-agent <replaceable>csh</replaceable> | ||||
<prompt>%</prompt> ssh-add | <prompt>%</prompt> ssh-add | ||||
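Review bot: The callout on L463 inverts the meaning of the English: "It can contain spaces and symbols" became "密碼不可含有空白或符號" (the passphrase may NOT contain spaces or symbols). This discourages exactly the long, mixed passphrases the surrounding text recommends. Suggest "在此輸入密碼,密碼可以包含空白與符號。"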
Context not available. | |||||
<calloutlist> | <calloutlist> | ||||
<callout arearefs="co-ssh-agent-passphrase"> | <callout arearefs="co-ssh-agent-passphrase"> | ||||
<para xml:lang="en">Enter the passphrase for the key.</para> | <para>輸入金鑰的密碼。</para> | ||||
</callout> | </callout> | ||||
</calloutlist> | </calloutlist> | ||||
<para xml:lang="en">To use <command>ssh-agent</command> in | <para>要在 <application>Xorg</application> 使用 <command>ssh-agent</command> 可在 <filename>~/.xinitrc</filename> 加入一個設定項目,這可讓 <command>ssh-agent</command> 對所有在 <application>Xorg</application> 中執行的程式提供服務。<filename>~/.xinitrc</filename> 範例如下:</para> | ||||
<application>Xorg</application>, add an entry for it in | |||||
<filename>~/.xinitrc</filename>. This provides the | |||||
<command>ssh-agent</command> services to all programs | |||||
launched in <application>Xorg</application>. An example | |||||
<filename>~/.xinitrc</filename> might look like this:</para> | |||||
<programlisting xml:lang="en">exec ssh-agent <replaceable>startxfce4</replaceable></programlisting> | <programlisting xml:lang="en">exec ssh-agent <replaceable>startxfce4</replaceable></programlisting> | ||||
<para xml:lang="en">This launches <command>ssh-agent</command>, which in | <para>這會在每次啟動 <application>Xorg</application> 時,反過來先執行 <command>ssh-agent</command> 再由執行 <application>XFCE</application>,一但 <application>Xorg</application> 被重新啟動,要讓所有變更生效需執行 <command>ssh-add</command> 來載入所有的 <acronym>SSH</acronym> 金鑰。</para> | ||||
turn launches <application>XFCE</application>, every time | |||||
<application>Xorg</application> starts. Once | |||||
<application>Xorg</application> has been restarted so that | |||||
the changes can take effect, run <command>ssh-add</command> | |||||
to load all of the <acronym>SSH</acronym> keys.</para> | |||||
</sect3> | </sect3> | ||||
<sect3 xml:id="security-ssh-tunneling"> | <sect3 xml:id="security-ssh-tunneling"> | ||||
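Review bot: Two wording issues on L530: "一但" should be "一旦", and "反過來先執行 ssh-agent 再由執行 XFCE" has a stray "由"; suggest "這會在每次啟動 Xorg 時先執行 ssh-agent,再由它啟動 XFCE".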
Context not available. | |||||
<secondary>tunneling</secondary> | <secondary>tunneling</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en"><application>OpenSSH</application> has the ability to | <para><application>OpenSSH</application> 可以建立一個通道 (Tunnel) 來封裝其他通訊協定到一個加密的連線。</para> | ||||
create a tunnel to encapsulate another protocol in an | |||||
encrypted session.</para> | |||||
<para xml:lang="en">The following command tells <command>ssh</command> to | <para>以下指令會告訴 <command>ssh</command> 建立一個供 <application>telnet</application> 使用的通道:</para> | ||||
create a tunnel for | |||||
<application>telnet</application>:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput> | ||||
<prompt>%</prompt></screen> | <prompt>%</prompt></screen> | ||||
<para xml:lang="en">This example uses the following options:</para> | <para>這個例子使用了以下選項:</para> | ||||
<variablelist> | <variablelist> | ||||
<varlistentry> | <varlistentry> | ||||
Context not available. | |||||
<term xml:lang="en"><option>-2</option></term> | <term xml:lang="en"><option>-2</option></term> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Forces <command>ssh</command> to use version 2 to | <para>強制 <command>ssh</command> 使用版本 2 的通訊協定連線到伺服器。</para> | ||||
connect to the server.</para> | |||||
</listitem> | </listitem> | ||||
</varlistentry> | </varlistentry> | ||||
Context not available. | |||||
<term xml:lang="en"><option>-N</option></term> | <term xml:lang="en"><option>-N</option></term> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Indicates no command, or tunnel only. If omitted, | <para>代表不需下指令、只建立通道。若省略這個選項 <command>ssh</command> 會初始化一個正常的連線。</para> | ||||
<command>ssh</command> initiates a normal | |||||
session.</para> | |||||
</listitem> | </listitem> | ||||
</varlistentry> | </varlistentry> | ||||
Context not available. | |||||
<term xml:lang="en"><option>-f</option></term> | <term xml:lang="en"><option>-f</option></term> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Forces <command>ssh</command> to run in the | <para>強制 <command>ssh</command> 在背景執行。</para> | ||||
background.</para> | |||||
</listitem> | </listitem> | ||||
</varlistentry> | </varlistentry> | ||||
Context not available. | |||||
<term xml:lang="en"><option>-L</option></term> | <term xml:lang="en"><option>-L</option></term> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Indicates a local tunnel in | <para>代表這是一個本地通道,使用 <replaceable>localport:remotehost:remoteport</replaceable> 格式。</para> | ||||
<replaceable>localport:remotehost:remoteport</replaceable> | |||||
format.</para> | |||||
</listitem> | </listitem> | ||||
</varlistentry> | </varlistentry> | ||||
Context not available. | |||||
<term xml:lang="en"><option>user@foo.example.com</option></term> | <term xml:lang="en"><option>user@foo.example.com</option></term> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">The login name to use on the specified remote | <para>在指定的遠端 <acronym>SSH</acronym> 伺服器要使用的登入名稱。</para> | ||||
<acronym>SSH</acronym> server.</para> | |||||
</listitem> | </listitem> | ||||
</varlistentry> | </varlistentry> | ||||
</variablelist> | </variablelist> | ||||
<para xml:lang="en">An <acronym>SSH</acronym> tunnel works by creating a | <para>SSH 通道會建立一個傾聽 <systemitem>localhost</systemitem> 指定 <literal>localport</literal> 的 Socket ,然後會透過 <acronym>SSH</acronym> 連線轉送任何在 <literal>localport</literal> 接收的連線。以這個例子來說在客戶端的 Port <literal>5023</literal> 會被轉送到遠端主機的 Port <literal>23</literal>,由於 Port 23 是由 <application>telnet</application> 使用,所以這會透過 <acronym>SSH</acronym> 通道建立一個加密的 <application>telnet</application> 連線。</para> | ||||
listen socket on <systemitem>localhost</systemitem> on the | |||||
specified <literal>localport</literal>. It then forwards | |||||
any connections received on <literal>localport</literal> via | |||||
the <acronym>SSH</acronym> connection to the specified | |||||
<literal>remotehost:remoteport</literal>. In the example, | |||||
port <literal>5023</literal> on the client is forwarded to | |||||
port <literal>23</literal> on the remote machine. Since | |||||
port 23 is used by <application>telnet</application>, this | |||||
creates an encrypted <application>telnet</application> | |||||
session through an <acronym>SSH</acronym> tunnel.</para> | |||||
<para xml:lang="en">This method can be used to wrap any number of insecure | <para>這個方法可用來包裝許多不安全的 <acronym>TCP</acronym> 通訊協定,例如 <acronym>SMTP</acronym>, <acronym>POP3</acronym> 以及 <acronym>FTP</acronym>,如下例所示。</para> | ||||
<acronym>TCP</acronym> protocols such as | |||||
<acronym>SMTP</acronym>, <acronym>POP3</acronym>, and | |||||
<acronym>FTP</acronym>, as seen in the following | |||||
examples.</para> | |||||
<example> | <example> | ||||
<title>建立供 <acronym>SMTP</acronym> 使用的安全通道</title> | <title>建立供 <acronym>SMTP</acronym> 使用的安全通道</title> | ||||
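Review bot: The translation on L590 drops the forwarding destination: "forwards any connections received on localport via the SSH connection to the specified remotehost:remoteport" became "透過 SSH 連線轉送任何在 localport 接收的連線" with no mention of remotehost:remoteport. Since this paragraph is the one that explains what the -L argument means, suggest "然後會透過 SSH 連線將任何在 localport 接收到的連線轉送至指定的 remotehost:remoteport".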
Context not available. | |||||
Escape character is '^]'. | Escape character is '^]'. | ||||
220 mailserver.example.com ESMTP</screen> | 220 mailserver.example.com ESMTP</screen> | ||||
<para xml:lang="en">This can be used in conjunction with | <para>這可配合 <command>ssh-keygen</command> 與另一個使用者帳號與來建立一個更無縫的 <acronym>SSH</acronym> 通道環境,可使用金鑰來代替手動輸入密碼,然後該通道便可以另一個使用者執行。</para> | ||||
<command>ssh-keygen</command> and additional user accounts | |||||
to create a more seamless <acronym>SSH</acronym> tunneling | |||||
environment. Keys can be used in place of typing a | |||||
password, and the tunnels can be run as a separate | |||||
user.</para> | |||||
</example> | </example> | ||||
<example> | <example> | ||||
<title>安全存取 <acronym>POP3</acronym> 伺服器</title> | <title>安全存取 <acronym>POP3</acronym> 伺服器</title> | ||||
<para xml:lang="en">In this example, there is an <acronym>SSH</acronym> | <para>在這個例子中有一個 <acronym>SSH</acronym> 伺服器會接受來自外部的連線,在同個網段下有一個郵件伺服器執行 <acronym>POP3</acronym> 伺服器。要使用較安全的方式檢查有沒有新郵件可建立一個 <acronym>SSH</acronym> 連線到 <acronym>SSH</acronym> 伺服器然後透過通道連線到郵件伺服器:</para> | ||||
server that accepts connections from the outside. On the | |||||
same network resides a mail server running a | |||||
<acronym>POP3</acronym> server. To check email in a | |||||
secure manner, create an <acronym>SSH</acronym> connection | |||||
to the <acronym>SSH</acronym> server and tunnel through to | |||||
the mail server:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput> | ||||
user@ssh-server.example.com's password: <userinput>******</userinput></screen> | user@ssh-server.example.com's password: <userinput>******</userinput></screen> | ||||
<para xml:lang="en">Once the tunnel is up and running, point the email | <para>一但通道啟動並執行後,指定郵件客戶端將 <acronym>POP3</acronym> 請求傳送到 <systemitem>localhost</systemitem> 的 Port 2110,這個連線將會被安全的透過通道轉送到 <systemitem>mail.example.com</systemitem>。</para> | ||||
client to send <acronym>POP3</acronym> requests to | |||||
<systemitem>localhost</systemitem> on port 2110. This | |||||
connection will be forwarded securely across the tunnel to | |||||
<systemitem>mail.example.com</systemitem>.</para> | |||||
</example> | </example> | ||||
<example> | <example> | ||||
<title>跳過防火牆</title> | <title>跳過防火牆</title> | ||||
<para xml:lang="en">Some firewalls | <para>有些防火牆會同時過濾傳入與傳出的連線。例如,防火牆很可能會限制來自遠端主機只能存取 Port 22 與 80 來只讓 <acronym>SSH</acronym> 與網頁瀏覽器連線,這會使得 Port 使用 22 或 80 以外的服務無法存取。</para> | ||||
filter both incoming and outgoing connections. For | |||||
example, a firewall might limit access from remote | |||||
machines to ports 22 and 80 to only allow | |||||
<acronym>SSH</acronym> and web surfing. This prevents | |||||
access to any other service which uses a port other than | |||||
22 or 80.</para> | |||||
<para xml:lang="en">The solution is to create an <acronym>SSH</acronym> | <para>這問題的解決方法是建立一個 <acronym>SSH</acronym> 連線到在防火牆防護之外主機然後使用該連線的通道連到想要使用的服務:</para> | ||||
connection to a machine outside of the network's firewall | |||||
and use it to tunnel to the desired service:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>8888:music.example.com:8000 user@unfirewalled-system.example.org</replaceable></userinput> | <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>8888:music.example.com:8000 user@unfirewalled-system.example.org</replaceable></userinput> | ||||
user@unfirewalled-system.example.org's password: <userinput>*******</userinput></screen> | user@unfirewalled-system.example.org's password: <userinput>*******</userinput></screen> | ||||
<para xml:lang="en">In this example, a streaming Ogg Vorbis client can now | <para>在這個例子中,串流 Ogg Vorbis 客戶端現在可以指向 <systemitem>localhost</systemitem> Port 8888,連線將會被轉送到 <systemitem>music.example.com</systemitem> 於 Port 8000,成功的跳過防火牆。</para> | ||||
be pointed to <systemitem>localhost</systemitem> port | |||||
8888, which will be forwarded over to | |||||
<systemitem>music.example.com</systemitem> on port 8000, | |||||
successfully bypassing the firewall.</para> | |||||
</example> | </example> | ||||
</sect3> | </sect3> | ||||
</sect2> | </sect2> | ||||
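Review bot: Small wording fixes in this hunk: L611 has a doubled "與" in "與另一個使用者帳號與來建立"; L629 "一但" should be "一旦"; L644 is missing "的" in "在防火牆防護之外主機" (suggest "在防火牆防護之外的主機"). On L637, "這會使得 Port 使用 22 或 80 以外的服務無法存取" reads more naturally as "這會使得使用 22 或 80 以外 Port 的服務無法存取".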
Context not available. | |||||
<secondary>enabling</secondary> | <secondary>enabling</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">In addition to providing built-in <acronym>SSH</acronym> | <para>除了提供內建的 <acronym>SSH</acronym> 客戶端工具外,還可以設定 FreeBSD 系統為一個 <acronym>SSH</acronym> 伺服器,以接受來自其他 <acronym>SSH</acronym> 客戶端的連線。</para> | ||||
client utilities, a FreeBSD system can be configured as an | |||||
<acronym>SSH</acronym> server, accepting connections from | |||||
other <acronym>SSH</acronym> clients.</para> | |||||
<para xml:lang="en">To see if <application>sshd</application> is operating, | <para>要查看 <application>sshd</application> 是否正在運作,可使用 <citerefentry><refentrytitle>service</refentrytitle><manvolnum>8</manvolnum></citerefentry> 指令:</para> | ||||
use the <citerefentry><refentrytitle>service</refentrytitle><manvolnum>8</manvolnum></citerefentry> command:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd status</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd status</userinput></screen> | ||||
<para xml:lang="en">If the service is not running, add the following line to | <para>若服務未執行,請加入下行到 <filename>/etc/rc.conf</filename>。</para> | ||||
<filename>/etc/rc.conf</filename>.</para> | |||||
<programlisting xml:lang="en">sshd_enable="YES"</programlisting> | <programlisting xml:lang="en">sshd_enable="YES"</programlisting> | ||||
<para xml:lang="en">This will start <application>sshd</application>, the | <para>這會讓下次系統開機時啟動 <application>OpenSSH</application> 的 Daemon 程式 <application>sshd</application>。若要立即啟動:</para> | ||||
daemon program for <application>OpenSSH</application>, the | |||||
next time the system boots. To start it now:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd start</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd start</userinput></screen> | ||||
<para xml:lang="en">The first time <application>sshd</application> starts on a | <para>在 FreeBSD 系統第一次啟動 <application>sshd</application> 時便會自動產生系統的主機金鑰且會顯示指紋在 Console 上,這個指紋可供使用者在第一次連線到伺服器時驗證用。</para> | ||||
FreeBSD system, the system's host keys will be automatically | |||||
created and the fingerprint will be displayed on the console. | |||||
Provide users with the fingerprint so that they can verify it | |||||
the first time they connect to the server.</para> | |||||
<para xml:lang="en">Refer to <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for the list of available options | <para>請參考 <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 可取得在啟動 <application>sshd</application> 時可用選項的清單以及更多完整有關認証、登入程序與各種設定檔的資訊。</para> | ||||
when starting <application>sshd</application> and a more | |||||
complete discussion about authentication, the login process, | |||||
and the various configuration files.</para> | |||||
<para xml:lang="en">At this point, the <application>sshd</application> should | <para>現在,<application>sshd</application> 應可供所有在系統上有使用者名稱及密碼的使用者使用。</para> | ||||
be available to all users with a username and password on | |||||
the system.</para> | |||||
</sect2> | </sect2> | ||||
<sect2> | <sect2> | ||||
<title>SSH 伺服器安全性</title> | <title>SSH 伺服器安全性</title> | ||||
<para xml:lang="en">While <application>sshd</application> is the most widely | <para>在 FreeBSD 廣泛使用 <application>sshd</application> 做為遠端管理基礎設施的同時,所有暴露在公有網路上的系統也會時常受到暴力攻擊 (Brute force attack) 與路過攻擊 (Drive by attack)。在本節會介紹一些可用來避免這些攻擊的參數。</para> | ||||
used remote administration facility for FreeBSD, brute force | |||||
and drive by attacks are common to any system exposed to | |||||
public networks. Several additional parameters are available | |||||
to prevent the success of these attacks and will be described | |||||
in this section.</para> | |||||
<para xml:lang="en">It is a good idea to limit which users can log into the | <para>使用在 <application>OpenSSH</application> 伺服器設定檔的 <literal>AllowUsers</literal> 關鍵字限制可以登入到 <acronym>SSH</acronym> 伺服器的使用者及來源是一個不錯的方式。例如要只允許來自 <systemitem class="ipaddress">192.168.1.32</systemitem> 的 <systemitem class="username">root</systemitem> 登入,可加入下行到 <filename>/etc/ssh/sshd_config</filename>:</para> | ||||
<acronym>SSH</acronym> server and from where using the | |||||
<literal>AllowUsers</literal> keyword in the | |||||
<application>OpenSSH</application> server configuration file. | |||||
For example, to only allow <systemitem class="username">root</systemitem> to log in from | |||||
<systemitem class="ipaddress">192.168.1.32</systemitem>, add | |||||
this line to <filename>/etc/ssh/sshd_config</filename>:</para> | |||||
<programlisting xml:lang="en">AllowUsers root@192.168.1.32</programlisting> | <programlisting xml:lang="en">AllowUsers root@192.168.1.32</programlisting> | ||||
<para xml:lang="en">To allow <systemitem class="username">admin</systemitem> | <para>要允許來自任何地方的 <systemitem class="username">admin</systemitem> 登入,可只列出使用者名稱,不指定 <acronym>IP</acronym> 位址:</para> | ||||
to log in from anywhere, list that user without specifying an | |||||
<acronym>IP</acronym> address:</para> | |||||
<programlisting xml:lang="en">AllowUsers admin</programlisting> | <programlisting xml:lang="en">AllowUsers admin</programlisting> | ||||
<para xml:lang="en">Multiple users should be listed on the same line, like | <para>有多位使用者也應列在同一行,例如:</para> | ||||
so:</para> | |||||
<programlisting xml:lang="en">AllowUsers root@192.168.1.32 admin</programlisting> | <programlisting xml:lang="en">AllowUsers root@192.168.1.32 admin</programlisting> | ||||
<para xml:lang="en">After making changes to | <para>在對 <filename>/etc/ssh/sshd_config</filename> 做完變更後,執行以下指令告訴 <application>sshd</application> 重新載入設定檔: | ||||
<filename>/etc/ssh/sshd_config</filename>, | </para> | ||||
tell <application>sshd</application> to reload its | |||||
configuration file by running:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd reload</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd reload</userinput></screen> | ||||
<note> | <note> | ||||
<para xml:lang="en">When this keyword is used, it is important to list each | <para>在使用了這個關鍵字時,列出每一位需要登入此主機的使用者很重要,任何未被在該行指定的使用者將無法登入。同時,在 <application>OpenSSH</application> 伺服器設定檔使用的關鍵字是區分大小寫的,若關鍵字未正確的拼寫 (含其大小寫),則將會被忽略,永遠要記得測試對這個檔案所做的更改來確保伺服器有如預期的方式運作。請參考 <citerefentry><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> 來檢查拼寫以及可用的關鍵字。</para> | ||||
user that needs to log into this machine. Any user that is | |||||
not specified in that line will be locked out. Also, the | |||||
keywords used in the <application>OpenSSH</application> | |||||
server configuration file are case-sensitive. If the | |||||
keyword is not spelled correctly, including its case, it | |||||
will be ignored. Always test changes to this file to make | |||||
sure that the edits are working as expected. Refer to | |||||
<citerefentry><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> to verify the spelling and use of the | |||||
available keywords.</para> | |||||
</note> | </note> | ||||
<para xml:lang="en">In addition, users may be forced to use two factor | <para>此外,使用者可能被強制要透過公鑰與私鑰使用雙重認證 (Two factor authentication)。當需要時,使用者可以透過使用 <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> 產生一堆金鑰然後將公鑰傳送給管理者,這個金鑰檔會如以上在客戶端章節所述的被放在 <filename>authorized_keys</filename>。要強制使用者只能使用這個金鑰,可能需要設定以下選項:</para> | ||||
authentication via the use of a public and private key. When | |||||
required, the user may generate a key pair through the use | |||||
of <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> and send the administrator the public | |||||
key. This key file will be placed in the | |||||
<filename>authorized_keys</filename> as described above in | |||||
the client section. To force the users to use keys only, | |||||
the following option may be configured:</para> | |||||
<programlisting xml:lang="en">AuthenticationMethods publickey</programlisting> | <programlisting xml:lang="en">AuthenticationMethods publickey</programlisting> | ||||
<tip> | <tip> | ||||
<para xml:lang="en">Do not confuse <filename>/etc/ssh/sshd_config</filename> | <para>請不要將 <filename>/etc/ssh/sshd_config</filename> 以及 <filename>/etc/ssh/ssh_config</filename> 搞混 (注意在第一節檔名有多出個 <literal>d</literal>),第一個檔案用來設定伺服器,而第二個檔案用來設定客戶端。請參考 <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> 來取得可用的客戶端設定清單。</para> | ||||
with <filename>/etc/ssh/ssh_config</filename> (note the | |||||
extra <literal>d</literal> in the first filename). The | |||||
first file configures the server and the second file | |||||
configures the client. Refer to <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a | |||||
listing of the available client settings.</para> | |||||
</tip> | </tip> | ||||
</sect2> | </sect2> | ||||
</sect1> | </sect1> | ||||
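Review bot: the ssh-keygen paragraph renders "generate a key pair" as 「產生一堆金鑰」 (a pile of keys); it should read 「產生一對金鑰」. In the same hunk the reload paragraph breaks `</para>` onto its own line after the full-width colon, unlike every other paragraph here, and the tip's 「注意在第一節檔名有多出個 d」 should be 「注意在第一個檔名有多出個 d」, since the English refers to the first filename, not a section. Both 「認証」 (sshd(8) paragraph) and 「認證」 (key paragraph) are used for "authentication"; pick one. Separately, the source paragraph calls key-only login two factor authentication while `AuthenticationMethods publickey` configures a single method; the translation reproduces that wording faithfully, so this is a note for the English source rather than a blocker for this change.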
Context not available. | |||||
<secondary>Sudo</secondary> | <secondary>Sudo</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">System administrators often need the ability to grant | <para>系統管理者通常會要能夠授予額外的權限給其他使用者,以讓這些使用者可以執行需權限的工作。要讓團隊成員可以存取 FreeBSD 系統來完成其特定的工作對所有管理者都會帶來挑戰,這些團隊成員通常只需要比一般使用者多出一些存取權限便可作業,但他們總是會告訴管理者若沒有超級使用者的存取權便無法完成其工作。幸好,有工具可以管理這類的需求,這樣便不需提供這麼大的權限給一般使用者。</para> | ||||
enhanced permissions to users so they may perform privileged | |||||
tasks. The idea that team members are provided access | |||||
to a FreeBSD system to perform their specific tasks opens up unique | |||||
challenges to every administrator. These team members only | |||||
need a subset of access beyond normal end user levels; however, | |||||
they almost always tell management they are unable to | |||||
perform their tasks without superuser access. Thankfully, there | |||||
is no reason to provide such access to end users because tools | |||||
exist to manage this exact requirement.</para> | |||||
<para xml:lang="en">Up to this point, the security chapter has covered permitting | <para>到目前為止,安全性章節已說明了如何允許已授權的使用者存取以及嘗試防止未經授權的存取,而現在有另一個問題,是由已授權的使用者擁有權限存取系統資源造成的。在很多的情況,使用者會需要存取應用程式啟動 Script 的權限或是管理者團隊需要維護系統,以往會使用標準的使用者與群組、檔案權限、甚至是 <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> 指令來管理存取權,但當應用程式需要更多存取權,更多使用者需要使用系統資源時,便需要更好的解決方案,目前最常用來解決此問題的應用程式便是 <application>Sudo</application>。</para> | ||||
access to authorized users and attempting to prevent unauthorized | |||||
access. Another problem arises once authorized users have access | |||||
to the system resources. In many cases, some users may need | |||||
access to application startup scripts, or a team of | |||||
administrators need to maintain the system. Traditionally, the | |||||
standard users and groups, file permissions, and even the | |||||
<citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> command would manage this access. And as applications | |||||
required more access, as more users needed to use system | |||||
resources, a better solution was required. The most used | |||||
application is currently <application>Sudo</application>.</para> | |||||
<para xml:lang="en"><application>Sudo</application> allows administrators | <para><application>Sudo</application> 讓管理者可以對系統指令的存取設下更嚴格的限制並提供進階的記錄功能。如同其他工具,它可自 Port 套件集取得,於其中的 <package role="port">security/sudo</package>,或使用 <citerefentry><refentrytitle>pkg</refentrytitle><manvolnum>8</manvolnum></citerefentry> 工具取得,若要使用 <citerefentry><refentrytitle>pkg</refentrytitle><manvolnum>8</manvolnum></citerefentry> 工具可:</para> | ||||
to configure more rigid access to system commands | |||||
and provide for some advanced logging features. | |||||
As a tool, it is available from the Ports Collection as | |||||
<package role="port">security/sudo</package> or by use of | |||||
the <citerefentry><refentrytitle>pkg</refentrytitle><manvolnum>8</manvolnum></citerefentry> utility. To use the <citerefentry><refentrytitle>pkg</refentrytitle><manvolnum>8</manvolnum></citerefentry> tool:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install sudo</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install sudo</userinput></screen> | ||||
<para xml:lang="en">After the installation is complete, the installed | <para>安裝完成之後,可用安裝的 <command>visudo</command> 以文字編輯器開啟設定檔,強烈建議使用 <command>visudo</command> 來編輯設定檔,由於它有內建的語法檢查程式可在檔案儲存之前檢驗是否有誤。</para> | ||||
<command>visudo</command> will open the configuration file with | |||||
a text editor. Using <command>visudo</command> is highly | |||||
recommended as it comes with a built in syntax checker to verify | |||||
there are no errors before the file is saved.</para> | |||||
<para xml:lang="en">The configuration file is made up of several small sections | <para>設定檔由個小節所組成,透過這些小節可做常廣泛的設定,在以下的範例中,網站應用程式維護人員 user1 需要啟動、停止與重新啟動名稱為 <replaceable>webservice</replaceable> 的網站應用程式 。要授權此使用者執行這些工作的權限,可加入此行到 <filename>/usr/local/etc/sudoers</filename> 的最後:</para> | ||||
which allow for extensive configuration. In the following | |||||
example, web application maintainer, user1, needs to start, | |||||
stop, and restart the web application known as | |||||
<replaceable>webservice</replaceable>. To | |||||
grant this user permission to perform these tasks, add | |||||
this line to the end of | |||||
<filename>/usr/local/etc/sudoers</filename>:</para> | |||||
<programlisting xml:lang="en">user1 ALL=(ALL) /usr/sbin/service webservice *</programlisting> | <programlisting xml:lang="en">user1 ALL=(ALL) /usr/sbin/service webservice *</programlisting> | ||||
<para xml:lang="en">The user may now start <replaceable>webservice</replaceable> | <para>現在使用者可使用此指令來啟動 <replaceable>webservice</replaceable>:</para> | ||||
using this command:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>sudo /usr/sbin/service <replaceable>webservice</replaceable> start</userinput></screen> | <screen xml:lang="en"><prompt>%</prompt> <userinput>sudo /usr/sbin/service <replaceable>webservice</replaceable> start</userinput></screen> | ||||
<para xml:lang="en">While this configuration allows a single user access to the | <para>雖然這項設定可以讓一位使用者存取 <application>webservice</application> 服務,但在大部份組織中會有一整個網站小組負責管理該服務,因此也可以一行來授予整個群組存取權,以下步驟會建立一個網站群組、加入使用者到這個群組,然後讓該群組中的所有成員能夠管理服務:</para> | ||||
<application>webservice</application> service; however, in most | |||||
organizations, there is an entire web team in charge of managing | |||||
the service. A single line can also give access to an entire | |||||
group. These steps will create a web group, add a user to this | |||||
group, and allow all members of the group to manage the | |||||
service:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupadd -g 6001 -n webteam</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupadd -g 6001 -n webteam</userinput></screen> | ||||
<para xml:lang="en">Using the same <citerefentry><refentrytitle>pw</refentrytitle><manvolnum>8</manvolnum></citerefentry> command, the user is added to | <para>同樣使用 <citerefentry><refentrytitle>pw</refentrytitle><manvolnum>8</manvolnum></citerefentry> 指令來加入該使用到 webteam 群組:</para> | ||||
the webteam group:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupmod -m user1 -n webteam</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupmod -m user1 -n webteam</userinput></screen> | ||||
<para xml:lang="en">Finally, this line in | <para>最後,在 <filename>/usr/local/etc/sudoers</filename> 中的這行設定可以讓 webteam 群組的所有成員可以管理 <replaceable>webservice</replaceable>:</para> | ||||
<filename>/usr/local/etc/sudoers</filename> allows any | |||||
member of the webteam group to manage | |||||
<replaceable>webservice</replaceable>:</para> | |||||
<programlisting xml:lang="en">%webteam ALL=(ALL) /usr/sbin/service webservice *</programlisting> | <programlisting xml:lang="en">%webteam ALL=(ALL) /usr/sbin/service webservice *</programlisting> | ||||
<para xml:lang="en">Unlike <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <application>Sudo</application> | <para>與 <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> 不同的是 <application>Sudo</application> 只需要一般使用者的密碼,這有一個使用者不需要共用密碼的優點,在大多數安全稽查都會發現共用密碼的問題且這種情況只有壞處可言。</para> | ||||
only requires the end user password. This adds an advantage where | |||||
users will not need shared passwords, a finding in most security | |||||
audits and just bad all the way around.</para> | |||||
<para xml:lang="en">Users permitted to run applications with | <para>使用 <application>Sudo</application> 允許使用者執行應用程式只需要輸入使用者自己的密碼,這更安全且提供比 <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> 更佳的控制權,因為 <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> 只要輸入 <systemitem class="username">root</systemitem> 密碼之後該使用者便可取得所有的 <systemitem class="username">root</systemitem> 權限。</para> | ||||
<application>Sudo</application> only enter their own passwords. | |||||
This is more secure and gives better control than <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |||||
where the <systemitem class="username">root</systemitem> | |||||
password is entered and the user acquires all | |||||
<systemitem class="username">root</systemitem> | |||||
permissions.</para> | |||||
<tip> | <tip> | ||||
<para xml:lang="en">Most organizations are moving or have moved toward a two | <para>大多數組織已正在導入或已導入雙重認証 (Two factor authentication),在這個情境下使用者可以不用輸入密碼,<application>Sudo</application> 提供了 <literal>NOPASSWD</literal> 變數來供這個情境使用,可將該設定加入到上述的設定將可允許所有 <replaceable>webteam</replaceable> 群組的成員不需要輸入密碼便可管理該服務:</para> | ||||
factor authentication model. In these cases, the user may | |||||
not have a password to enter. <application>Sudo</application> | |||||
provides for these cases with the <literal>NOPASSWD</literal> | |||||
variable. Adding it to the configuration above | |||||
will allow all members of the <replaceable>webteam</replaceable> | |||||
group to manage the service without the password | |||||
requirement:</para> | |||||
<programlisting xml:lang="en">%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *</programlisting> | <programlisting xml:lang="en">%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *</programlisting> | ||||
</tip> | </tip> | ||||
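Review bot: two characters are dropped in the sudoers intro paragraph: 「設定檔由個小節所組成」 should be 「由幾個小節」 and 「可做常廣泛的設定」 should be 「可做非常廣泛」. The pw groupmod paragraph has 「加入該使用到 webteam 群組」, missing 者 (「該使用者」). The first Sudo paragraph renders "tell management" as 「告訴管理者」, which reads as the administrator; 「告訴管理階層」 is closer. Not a translation issue, but worth passing to the source: the prose says user1 needs start, stop and restart, while the rule `user1 ALL=(ALL) /usr/sbin/service webservice *` matches any trailing argument string, so the wildcard grants more than those three verbs.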
Context not available. | |||||
<sect2 xml:id="security-sudo-loggin"> | <sect2 xml:id="security-sudo-loggin"> | ||||
<title>記錄輸出</title> | <title>記錄輸出</title> | ||||
<para xml:lang="en">An advantage to implementing | <para>採用 <application>Sudo</application> 的另一個優點是能夠開啟連線階段的記錄。使用內建立記錄機制與內含的 <application>sudoreplay</application> 指令,所有透過 <application>Sudo</application> 初始化的指令會被記錄下來供往後檢驗用。要開啟這個功能要加入預設記錄目錄的項目,在以下範例中使用了使用者變數來做目錄名稱,也還有許多其他記錄檔名稱慣例,可參考 <application>sudoreplay</application> 的操作手冊來取得進一步資訊。</para> | ||||
<application>Sudo</application> is the ability to enable | |||||
session logging. Using the built in log mechanisms | |||||
and the included <application>sudoreplay</application> | |||||
command, all commands initiated through | |||||
<application>Sudo</application> are logged for later | |||||
verification. To enable this feature, add a default log | |||||
directory entry, this example uses a user variable. | |||||
Several other log filename conventions exist, consult the | |||||
manual page for <application>sudoreplay</application> for | |||||
additional information.</para> | |||||
<programlisting xml:lang="en">Defaults iolog_dir=/var/log/sudo-io/%{user}</programlisting> | <programlisting xml:lang="en">Defaults iolog_dir=/var/log/sudo-io/%{user}</programlisting> | ||||
<tip> | <tip> | ||||
<para xml:lang="en">This directory will be created automatically after the | <para>這個目錄會在記錄功能設定之後自動建立,最好讓系統以預設的權限來建立目錄比較保險,除此之外,這個設定項目也會記錄使用 <application>sudoreplay</application> 指令的管理者,要更改設定請閱讀並取消在 <filename>sudoers</filename> 中記錄選項的註解。</para> | ||||
logging is configured. It is best to let the system create | |||||
directory with default permissions just to be safe. In | |||||
addition, this entry will also log administrators who use the | |||||
<application>sudoreplay</application> command. To change | |||||
this behavior, read and uncomment the logging options inside | |||||
<filename>sudoers</filename>.</para> | |||||
</tip> | </tip> | ||||
<para xml:lang="en">Once this directive has been added to the | <para>一旦這個設定加入至 <filename>sudoers</filename> 檔案之後,所有的使用者設定項目便可加上記錄存取動作的項目,在 <replaceable>webteam</replaceable> 項目加入額外設定之後的範例如下: </para> | ||||
<filename>sudoers</filename> file, any user configuration | |||||
can be updated with the request to log access. In the | |||||
example shown, the updated <replaceable>webteam</replaceable> | |||||
entry would have the following additional changes:</para> | |||||
<programlisting xml:lang="en">%webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice *</programlisting> | <programlisting xml:lang="en">%webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice *</programlisting> | ||||
<para xml:lang="en">From this point on, all <replaceable>webteam</replaceable> | <para>從此之後,所有 <replaceable>webteam</replaceable> 修改 <replaceable>webservice</replaceable> 應用程式狀態的成員將會被記錄下來。要列出先前與目前連線階段的記錄可:</para> | ||||
members altering the status of the | |||||
<replaceable>webservice</replaceable> application | |||||
will be logged. The list of previous and current sessions | |||||
can be displayed with:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>sudoreplay -l</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>sudoreplay -l</userinput></screen> | ||||
<para xml:lang="en">In the output, to replay a specific session, search for the | <para>在輸出結果中要重播指定連線階段的記錄可搜尋 <literal>TSID=</literal> 項目,然後傳送給 <application>sudoreplay</application> 且不加其他選項便可以一般速度重播連線階段,例如:</para> | ||||
<literal>TSID=</literal> entry, and pass that to | |||||
<application>sudoreplay</application> with no other options to | |||||
replay the session at normal speed. For example:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>sudoreplay user1/00/00/02</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>sudoreplay user1/00/00/02</userinput></screen> | ||||
<warning> | <warning> | ||||
<para xml:lang="en">While sessions are logged, any administrator is | <para>雖然所有連線階段都會被記錄,但任何管理者都可以移除連線階段,使得沒人知道它們做了什麼事,所以非常值得在入侵偵測系統 (<acronym>IDS</acronym>) 或類似的軟體加入每日檢查,以便在有人為修改時通知其他管理人員。</para> | ||||
able to remove sessions and leave only a question of why they | |||||
had done so. It is worthwhile to add a daily check | |||||
through an intrusion detection system (<acronym>IDS</acronym>) | |||||
or similar software so that other administrators are alerted | |||||
to manual alterations.</para> | |||||
</warning> | </warning> | ||||
<para xml:lang="en">The <command>sudoreplay</command> is extremely extendable. | <para><command>sudoreplay</command> 的擴充空間非常大,請參考說明文件來取得更多資訊。</para> | ||||
Consult the documentation for more information.</para> | |||||
</sect2> | </sect2> | ||||
</sect1> | </sect1> | ||||
</chapter> | </chapter> | ||||
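Review bot: 「使用內建立記錄機制」 in the session logging paragraph should be 「使用內建的記錄機制」. The warning paragraph translates "remove sessions and leave only a question of why they had done so" as 「使得沒人知道它們做了什麼事」, which changes the meaning (the English says the deletion itself is what remains visible) and uses 它們 for people where 他們 is expected. The paragraph before the `LOG_INPUT: LOG_OUTPUT:` listing ends with a stray space between the full-width colon and `</para>`.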
Context not available. | |||||
<para>這個機制一般會用在記憶卡與 <acronym>USB</acronym> 隨身碟,也可用在任何 Block 裝置,包含光碟機或 <acronym>iSCSI</acronym> <acronym>LUN</acronym>。</para> | <para>這個機制一般會用在記憶卡與 <acronym>USB</acronym> 隨身碟,也可用在任何 Block 裝置,包含光碟機或 <acronym>iSCSI</acronym> <acronym>LUN</acronym>。</para> | ||||
</sect2> | </sect2> | ||||
<sect2> | |||||
<title><acronym>USB</acronym> 大容量儲存目標</title> | |||||
<note> | |||||
<para><citerefentry><refentrytitle>cfumass</refentrytitle><manvolnum>4</manvolnum></citerefentry> 驅動程式是一個在 FreeBSD!12.0 之後才可用的 <acronym>USB</acronym> 裝置模式驅動程式。</para> | |||||
</note> | |||||
<para xml:lang="en">When running on <acronym>USB</acronym> | |||||
<acronym>OTG</acronym>-compliant hardware like that built into | |||||
many embedded boards, the FreeBSD <acronym>USB</acronym> stack | |||||
can run in <emphasis>device mode</emphasis>. Device mode | |||||
makes it possible for the computer to present itself as | |||||
different kinds of <acronym>USB</acronym> device classes, | |||||
including serial ports, network adapters, and mass storage. A | |||||
<acronym>USB</acronym> host like a laptop or desktop computer | |||||
is able to access them just like physical | |||||
<acronym>USB</acronym> devices.</para> | |||||
<para xml:lang="en">The <citerefentry><refentrytitle>usb_template</refentrytitle><manvolnum>4</manvolnum></citerefentry> kernel module allows the | |||||
<acronym>USB</acronym> stack to switch between host-side and | |||||
device-side automatically, depending on what is connected to | |||||
the <acronym>USB</acronym> port. Connecting a | |||||
<acronym>USB</acronym> device like a memory stick to the | |||||
<acronym>USB</acronym> <acronym>OTG</acronym> port causes FreeBSD | |||||
to switch to host mode. Connecting a <acronym>USB</acronym> | |||||
host like a computer causes FreeBSD to switch to device | |||||
mode.</para> | |||||
<para xml:lang="en">What FreeBSD presents to the <acronym>USB</acronym> host | |||||
depends on the <varname>hw.usb.template</varname> sysctl. See | |||||
<citerefentry><refentrytitle>usb_template</refentrytitle><manvolnum>4</manvolnum></citerefentry> for the list of available values. Note | |||||
that for the host to notice the configuration change, it must | |||||
be either physically disconnected and reconnected, or forced | |||||
to rescan the <acronym>USB</acronym> bus in a system-specific | |||||
way. When FreeBSD is running on the host, <citerefentry vendor="current"><refentrytitle>usbconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |||||
<command>reset</command> can be used. This also must be done | |||||
after loading <filename>usb_template.ko</filename> if the | |||||
<acronym>USB</acronym> host was already connected to the | |||||
<acronym>USB</acronym> <acronym>OTG</acronym> socket.</para> | |||||
<para xml:lang="en">The <varname>hw.usb.template</varname> sysctl | |||||
is set to 0 by default, making FreeBSD work as a | |||||
<acronym>USB</acronym> Mass Storage target. Both | |||||
<citerefentry><refentrytitle>usb_template</refentrytitle><manvolnum>4</manvolnum></citerefentry> and <citerefentry><refentrytitle>cfumass</refentrytitle><manvolnum>4</manvolnum></citerefentry> kernel modules must | |||||
be loaded. <citerefentry><refentrytitle>cfumass</refentrytitle><manvolnum>4</manvolnum></citerefentry> interfaces to the CTL subsystem, | |||||
the same one that is used for <acronym>iSCSI</acronym> or | |||||
Fibre Channel targets. On the host side, | |||||
<acronym>USB</acronym> Mass Storage initiators can only access | |||||
a single <acronym>LUN</acronym>, | |||||
<acronym>LUN</acronym> 0.</para> | |||||
<para xml:lang="en"><acronym>USB</acronym> Mass Storage does not require the | |||||
<citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> daemon to be running, although it can be used if | |||||
desired. This is different from <acronym>iSCSI</acronym>. | |||||
Thus, there are two ways to configure the target: | |||||
<citerefentry><refentrytitle>ctladm</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or <citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Both require the | |||||
<filename>cfumass.ko</filename> kernel module to be loaded. | |||||
The module can be loaded manually:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>kldload cfumass</userinput></screen> | |||||
<para xml:lang="en">If <filename>cfumass.ko</filename> has not been built into | |||||
the kernel, <filename>/boot/loader.conf</filename> can be set | |||||
to load the module at boot:</para> | |||||
<programlisting xml:lang="en">cfumass_load="YES"</programlisting> | |||||
<para xml:lang="en">A <acronym>LUN</acronym> can be created without the | |||||
<citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> daemon:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>ctladm create -b block -o file=/data/target0</userinput></screen> | |||||
<para xml:lang="en">This presents the contents of the image file | |||||
<filename>/data/target0</filename> as a <acronym>LUN</acronym> | |||||
to the <acronym>USB</acronym> host. The file must exist | |||||
before executing the command. To configure the | |||||
<acronym>LUN</acronym> at system startup, add the command to | |||||
<filename>/etc/rc.local</filename>.</para> | |||||
<para xml:lang="en"><citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> can also be used to manage | |||||
<acronym>LUN</acronym>s. Create | |||||
<filename>/etc/ctl.conf</filename>, add a line to | |||||
<filename>/etc/rc.conf</filename> to make sure <citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> is | |||||
automatically started at boot, and then start the | |||||
daemon.</para> | |||||
<para xml:lang="en">This is an example of a simple | |||||
<filename>/etc/ctl.conf</filename> configuration file. Refer | |||||
to <citerefentry><refentrytitle>ctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a more complete description of the | |||||
options.</para> | |||||
<programlisting xml:lang="en">target naa.50015178f369f092 { | |||||
lun 0 { | |||||
path /data/target0 | |||||
size 4G | |||||
} | |||||
}</programlisting> | |||||
<para xml:lang="en">The example creates a single target with a single | |||||
<acronym>LUN</acronym>. The | |||||
<literal>naa.50015178f369f092</literal> is a device identifier | |||||
composed of 32 random hexadecimal digits. The | |||||
<literal>path</literal> line defines the full path to a file | |||||
or zvol backing the <acronym>LUN</acronym>. That file must | |||||
exist before starting <citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The second line is | |||||
optional and specifies the size of the | |||||
<acronym>LUN</acronym>.</para> | |||||
<para xml:lang="en">To make sure the <citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> daemon is started at | |||||
boot, add this line to | |||||
<filename>/etc/rc.conf</filename>:</para> | |||||
<programlisting xml:lang="en">ctld_enable="YES"</programlisting> | |||||
<para xml:lang="en">To start <citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> now, run this command:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>service ctld start</userinput></screen> | |||||
<para>當 <citerefentry><refentrytitle>ctld</refentrytitle><manvolnum>8</manvolnum></citerefentry> Daemon 啟動後,它會讀取 <filename>/etc/ctl.conf</filename>,若這個檔案在 Daemon 啟動之後才做修改,要重新載入變更的內容才能立即生效:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>service ctld reload</userinput></screen> | |||||
</sect2> | |||||
</sect1> | </sect1> | ||||
<sect1 xml:id="creating-cds"> | <sect1 xml:id="creating-cds"> | ||||
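Review bot: 「FreeBSD!12.0」 in the new cfumass(4) note looks like a mis-rendered non-breaking space; elsewhere in this diff FreeBSD is followed by a normal space, so this should be 「FreeBSD 12.0」 before landing. In the untranslated ctl.conf paragraph the text says `naa.50015178f369f092` is composed of 32 random hexadecimal digits, but the identifier shown has 16; the mismatch is in the English source and will be carried into the translation if left as is. Otherwise the hunk keeps most paragraphs as `xml:lang="en"` with only the note and the final ctld reload paragraph translated, which matches the convention used in the rest of the file.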
Context not available. | |||||
<chapter version="5.0" xml:id="geom"> | <chapter version="5.0" xml:id="geom"> | ||||
<info> | <info> | ||||
<title xml:lang="en">GEOM: Modular Disk Transformation Framework</title> | <title>GEOM: 模組化磁碟轉換框架</title> | ||||
<authorgroup> | <authorgroup> | ||||
<author xml:lang="en"> | <author xml:lang="en"> | ||||
Context not available. | |||||
<see><acronym>GEOM</acronym></see> | <see><acronym>GEOM</acronym></see> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">In FreeBSD, the <acronym>GEOM</acronym> framework permits | <para>在 FreeBSD 中,<acronym>GEOM</acronym> 可允許對類別做存取與控制,例如:主開機記錄 (Master Boot Record) 與 <acronym>BSD</acronym> 標籤,透過利用提供者,或在 <filename>/dev</filename> 中的磁碟裝置。透過支援各種 <acronym>RAID</acronym> 的配置,<acronym>GEOM</acronym> 透明的提供了對作業系統與作業系統工具的存取。</para> | ||||
access and control to classes, such as Master Boot Records and | |||||
<acronym>BSD</acronym> labels, through the use of providers, or | |||||
the disk devices in <filename>/dev</filename>. By supporting | |||||
various software <acronym>RAID</acronym> configurations, | |||||
<acronym>GEOM</acronym> transparently provides access to the | |||||
operating system and operating system utilities.</para> | |||||
<para xml:lang="en">This chapter covers the use of disks under the | <para xml:lang="en">This chapter covers the use of disks under the | ||||
<acronym>GEOM</acronym> framework in FreeBSD. This includes the | <acronym>GEOM</acronym> framework in FreeBSD. This includes the | ||||
Context not available. | |||||
<sect1 xml:id="virtualization-guest-virtualbox"> | <sect1 xml:id="virtualization-guest-virtualbox"> | ||||
<title>在 <trademark>VirtualBox</trademark> 使用 FreeBSD 作為客端</title> | <title>在 <trademark>VirtualBox</trademark> 使用 FreeBSD 作為客端</title> | ||||
<para xml:lang="en">FreeBSD works well as a guest in | <para>在 <application><trademark>VirtualBox</trademark></application> 中使用 FreeBSD 做為客端系統也可運作的很好,虛擬化軟體可支援最常見的幾個作業系統,這當然也包含 FreeBSD。</para> | ||||
<application><trademark>VirtualBox</trademark></application>. The virtualization | |||||
software is available for most common operating systems, | |||||
including FreeBSD itself.</para> | |||||
<para xml:lang="en">The <application><trademark>VirtualBox</trademark></application> guest additions | <para><application><trademark>VirtualBox</trademark></application> guest additions 支援以下功能:</para> | ||||
provide support for:</para> | |||||
<itemizedlist> | <itemizedlist> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Clipboard sharing.</para> | <para>剪貼簿共享。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Mouse pointer integration.</para> | <para>滑鼠指標整合。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Host time synchronization.</para> | <para>主機時間同步。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Window scaling.</para> | <para>視窗縮放。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en">Seamless mode.</para> | <para>無痕模式。</para> | ||||
</listitem> | </listitem> | ||||
</itemizedlist> | </itemizedlist> | ||||
<note> | <note> | ||||
<para xml:lang="en">These commands are run in the FreeBSD guest.</para> | <para>以下指令均是在 FreeBSD 客端中執行。</para> | ||||
</note> | </note> | ||||
<para xml:lang="en">First, install the | <para>首先,在 FreeBSD 客端安裝 <package>emulators/virtualbox-ose-additions</package> 套件或 Port,以下指令會安裝 Port:</para> | ||||
<package>emulators/virtualbox-ose-additions</package> package | |||||
or port in the FreeBSD guest. This will install the port:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/emulators/virtualbox-ose-additions && make install clean</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/emulators/virtualbox-ose-additions && make install clean</userinput></screen> | ||||
<para xml:lang="en">Add these lines to <filename>/etc/rc.conf</filename>:</para> | <para>加入下行到 <filename>/etc/rc.conf</filename>:</para> | ||||
<programlisting xml:lang="en">vboxguest_enable="YES" | <programlisting xml:lang="en">vboxguest_enable="YES" | ||||
vboxservice_enable="YES"</programlisting> | vboxservice_enable="YES"</programlisting> | ||||
<para xml:lang="en">If <citerefentry><refentrytitle>ntpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or <citerefentry><refentrytitle>ntpdate</refentrytitle><manvolnum>8</manvolnum></citerefentry> is used, disable host | <para>若有使用 <citerefentry><refentrytitle>ntpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 或 <citerefentry><refentrytitle>ntpdate</refentrytitle><manvolnum>8</manvolnum></citerefentry>,便可關閉主機時間同步功能:</para> | ||||
time synchronization:</para> | |||||
<programlisting xml:lang="en">vboxservice_flags="--disable-timesync"</programlisting> | <programlisting xml:lang="en">vboxservice_flags="--disable-timesync"</programlisting> | ||||
<para xml:lang="en"><application>Xorg</application> will automatically recognize | <para><application>Xorg</application> 會自動辨識 <literal>vboxvideo</literal> 驅動程式,也可手動在 <filename>/etc/X11/xorg.conf</filename> 中輸入:</para> | ||||
the <literal>vboxvideo</literal> driver. It can also be | |||||
manually entered in | |||||
<filename>/etc/X11/xorg.conf</filename>:</para> | |||||
<programlisting xml:lang="en">Section "Device" | <programlisting xml:lang="en">Section "Device" | ||||
Identifier "Card0" | Identifier "Card0" | ||||
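Review bot: "無痕模式" for "Seamless mode" (the list item after "視窗縮放") is the term normally used for a browser's incognito mode; VirtualBox's seamless mode, where guest windows are placed directly on the host desktop, is "無縫模式", so the current wording will confuse readers. Also, "便可關閉主機時間同步功能" turns the instruction into an option; the English says to disable host time synchronization when ntpd(8) or ntpdate(8) is in use, so "應關閉" (should disable) keeps the point that two time sources must not compete on the same guest.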
Context not available. | |||||
BoardName "VirtualBox Graphics Adapter" | BoardName "VirtualBox Graphics Adapter" | ||||
EndSection</programlisting> | EndSection</programlisting> | ||||
<para xml:lang="en">To use the <literal>vboxmouse</literal> driver, adjust the | <para>要使用 <literal>vboxmouse</literal> 驅動程式,可調整在 <filename>/etc/X11/xorg.conf</filename> 中與滑鼠相關的一節:</para> | ||||
mouse section in <filename>/etc/X11/xorg.conf</filename>:</para> | |||||
<programlisting xml:lang="en">Section "InputDevice" | <programlisting xml:lang="en">Section "InputDevice" | ||||
Identifier "Mouse0" | Identifier "Mouse0" | ||||
Context not available. | |||||
Driver "vboxmouse" | Driver "vboxmouse" | ||||
EndSection</programlisting> | EndSection</programlisting> | ||||
<para xml:lang="en"><acronym>HAL</acronym> users should create the following | <para><acronym>HAL</acronym> 的使用者應建立以下 <filename>/usr/local/etc/hal/fdi/policy/90-vboxguest.fdi</filename> 或複製自 <filename>/usr/local/share/hal/fdi/policy/10osvendor/90-vboxguest.fdi</filename>:</para> | ||||
<filename>/usr/local/etc/hal/fdi/policy/90-vboxguest.fdi</filename> | |||||
or copy it from | |||||
<filename>/usr/local/share/hal/fdi/policy/10osvendor/90-vboxguest.fdi</filename>:</para> | |||||
<programlisting xml:lang="en"><?xml version="1.0" encoding="utf-8"?> | <programlisting xml:lang="en"><?xml version="1.0" encoding="utf-8"?> | ||||
<!-- | <!-- | ||||
Context not available. | |||||
<sect1 xml:id="virtualization-host-virtualbox"> | <sect1 xml:id="virtualization-host-virtualbox"> | ||||
<title>以 FreeBSD 作為主端安裝 <application>VirtualBox</application> </title> | <title>以 FreeBSD 作為主端安裝 <application>VirtualBox</application> </title> | ||||
<para xml:lang="en"><application><trademark>VirtualBox</trademark></application> is an actively | <para><application><trademark>VirtualBox</trademark></application> 是一套積極開發、完整的虛擬化套件,適用大多數作業系統,包含 <trademark class="registered">Windows</trademark>, <trademark class="registered">Mac!OS</trademark>, <trademark class="registered">Linux</trademark> 與 FreeBSD,它同樣能夠執行類 <trademark class="registered">Windows</trademark> 或 <trademark class="registered">UNIX</trademark> 的客端系統。它是以開源軟體的方式發佈,但閉源元件可獨立在擴充包中使用,這些元件包含對 USB 2.0 裝置的支援。更多資訊可在 <link xlink:href="http://www.virtualbox.org/wiki/Downloads"><application><trademark>VirtualBox</trademark></application> wiki 的 <quote>Downloads</quote> 頁面</link>。目前,這些擴充套件並不支援 FreeBSD。</para> | ||||
developed, complete virtualization package, that is available | |||||
for most operating systems including <trademark class="registered">Windows</trademark>, <trademark class="registered">Mac!OS</trademark>, <trademark class="registered">Linux</trademark> | |||||
and FreeBSD. It is equally capable of running <trademark class="registered">Windows</trademark> or | |||||
<trademark class="registered">UNIX</trademark>-like guests. It is released as open source software, but | |||||
with closed-source components available in a separate extension | |||||
pack. These components include support for USB 2.0 devices. | |||||
More information may be found on the <link xlink:href="http://www.virtualbox.org/wiki/Downloads"><quote>Downloads</quote> | |||||
page of the <application><trademark>VirtualBox</trademark></application> | |||||
wiki</link>. Currently, these extensions are not available | |||||
for FreeBSD.</para> | |||||
<sect2 xml:id="virtualization-virtualbox-install"> | <sect2 xml:id="virtualization-virtualbox-install"> | ||||
<title>安裝 <trademark>VirtualBox</trademark></title> | <title>安裝 <trademark>VirtualBox</trademark></title> | ||||
<para xml:lang="en"><application><trademark>VirtualBox</trademark></application> is available as a | <para><application><trademark>VirtualBox</trademark></application> 可於 <package>emulators/virtualbox-ose</package> 以 FreeBSD 套件或 Port 的方式取得。要安裝 Port 可使用以下指令:</para> | ||||
FreeBSD package or port in | |||||
<package>emulators/virtualbox-ose</package>. The port can be | |||||
installed using these commands:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/emulators/virtualbox-ose</userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/emulators/virtualbox-ose</userinput> | ||||
<prompt>#</prompt> <userinput>make install clean</userinput></screen> | <prompt>#</prompt> <userinput>make install clean</userinput></screen> | ||||
<para xml:lang="en">One useful option in the port's configuration menu is the | <para>在 Port 的設定選單中 <literal>GuestAdditions</literal> 相關程式是最有用的選項之一,這些程式可在客端作業系統提供數個有用的功能,如滑鼠指標整合 (允許滑鼠在主端與客端之間移動,不需要按特殊快速鍵來切換) 與較快的影像繪圖速度,特別是在 <trademark class="registered">Windows</trademark> 的客端系統。Guest additions 可在客端系統安裝完之後的 <guimenu>Devices</guimenu> 選單找到。</para> | ||||
<literal>GuestAdditions</literal> suite of programs. These | |||||
provide a number of useful features in guest operating | |||||
systems, like mouse pointer integration (allowing the mouse to | |||||
be shared between host and guest without the need to press a | |||||
special keyboard shortcut to switch) and faster video | |||||
rendering, especially in <trademark class="registered">Windows</trademark> guests. The guest | |||||
additions are available in the <guimenu>Devices</guimenu> | |||||
menu, after the installation of the guest is finished.</para> | |||||
<para xml:lang="en">A few configuration changes are needed before | <para>還有一些設定需要在 <application><trademark>VirtualBox</trademark></application> 第一次啟動端做修改,Port 會安裝一個核心模組在 <filename>/boot/modules</filename>,該模組必須在核心中載入:</para> | ||||
<application><trademark>VirtualBox</trademark></application> is started for the | |||||
first time. The port installs a kernel module in | |||||
<filename>/boot/modules</filename> which | |||||
must be loaded into the running kernel:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>kldload vboxdrv</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>kldload vboxdrv</userinput></screen> | ||||
<para xml:lang="en">To ensure the module is always loaded after a reboot, | <para>要確保該模組在重新開機後會載入,可加入下行到 <filename>/boot/loader.conf</filename>:</para> | ||||
add this line to | |||||
<filename>/boot/loader.conf</filename>:</para> | |||||
<programlisting xml:lang="en">vboxdrv_load="YES"</programlisting> | <programlisting xml:lang="en">vboxdrv_load="YES"</programlisting> | ||||
<para xml:lang="en">To use the kernel modules that allow bridged or host-only | <para>要使用可支援橋接或僅限主端 (Host-only) 的網路,可加入下行到 <filename>/etc/rc.conf</filename>,然後重新啟動電腦:</para> | ||||
networking, add this line to | |||||
<filename>/etc/rc.conf</filename> and reboot the | |||||
computer:</para> | |||||
<programlisting xml:lang="en">vboxnet_enable="YES"</programlisting> | <programlisting xml:lang="en">vboxnet_enable="YES"</programlisting> | ||||
<para xml:lang="en">The <systemitem class="groupname">vboxusers</systemitem> | <para>在安裝 <application><trademark>VirtualBox</trademark></application> 的過程中會建立 <systemitem class="groupname">vboxusers</systemitem> 群組,所有需要存取 <application><trademark>VirtualBox</trademark></application> 的使用者均需要加入成為此群組的成員,<command>pw</command> 可用來加入新的成員:</para> | ||||
group is created during installation of | |||||
<application><trademark>VirtualBox</trademark></application>. All users that need | |||||
access to <application><trademark>VirtualBox</trademark></application> will have to | |||||
be added as members of this group. <command>pw</command> can | |||||
be used to add new members:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupmod vboxusers -m <replaceable>yourusername</replaceable></userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupmod vboxusers -m <replaceable>yourusername</replaceable></userinput></screen> | ||||
<para xml:lang="en">The default permissions for | <para><filename>/dev/vboxnetctl</filename> 的預設權限是受限的,需要更改後才可使用橋接網路:</para> | ||||
<filename>/dev/vboxnetctl</filename> are restrictive and need | |||||
to be changed for bridged networking:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>chown root:vboxusers /dev/vboxnetctl</userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>chown root:vboxusers /dev/vboxnetctl</userinput> | ||||
<prompt>#</prompt> <userinput>chmod 0660 /dev/vboxnetctl</userinput></screen> | <prompt>#</prompt> <userinput>chmod 0660 /dev/vboxnetctl</userinput></screen> | ||||
<para xml:lang="en">To make this permissions change permanent, add these | <para>要永久變更權限,可加入下列幾行到 <filename>/etc/devfs.conf</filename>:</para> | ||||
lines to <filename>/etc/devfs.conf</filename>:</para> | |||||
<programlisting xml:lang="en">own vboxnetctl root:vboxusers | <programlisting xml:lang="en">own vboxnetctl root:vboxusers | ||||
perm vboxnetctl 0660</programlisting> | perm vboxnetctl 0660</programlisting> | ||||
<para xml:lang="en">To launch <application><trademark>VirtualBox</trademark></application>, | <para>要執行 <application><trademark>VirtualBox</trademark></application>,可在 <application>Xorg</application> 工作階段輸入:</para> | ||||
type from a <application>Xorg</application> session:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>VirtualBox</userinput></screen> | <screen xml:lang="en"><prompt>%</prompt> <userinput>VirtualBox</userinput></screen> | ||||
<para xml:lang="en">For more information on configuring and using | <para>要取得更多有關設定與使用 <application><trademark>VirtualBox</trademark></application> 的資訊,請參考 <link xlink:href="http://www.virtualbox.org">官方網站</link>。供 FreeBSD 特定的資訊與疑難排解操作指示,可參考 <link xlink:href="http://wiki.FreeBSD.org/VirtualBox">FreeBSD wiki 中相關的頁面</link>。</para> | ||||
<application><trademark>VirtualBox</trademark></application>, refer to the | |||||
<link xlink:href="http://www.virtualbox.org">official | |||||
website</link>. For FreeBSD-specific information and | |||||
troubleshooting instructions, refer to the <link xlink:href="http://wiki.FreeBSD.org/VirtualBox">relevant | |||||
page in the FreeBSD wiki</link>.</para> | |||||
</sect2> | </sect2> | ||||
<sect2 xml:id="virtualization-virtualbox-usb-support"> | <sect2 xml:id="virtualization-virtualbox-usb-support"> | ||||
<title><trademark>VirtualBox</trademark> USB 支援</title> | <title><trademark>VirtualBox</trademark> USB 支援</title> | ||||
<para xml:lang="en">The <application><trademark>VirtualBox</trademark></application> extension | <para><application><trademark>VirtualBox</trademark></application> 擴充包目前不支援 FreeBSD 主端系統,沒有這個擴充包,FreeBSD 主端系統無法傳遞 <acronym>USB</acronym> 埠給客端作業系統。</para> | ||||
pack is not available for FreeBSD hosts. Without the extension | |||||
pack, the FreeBSD host cannot pass <acronym>USB</acronym> | |||||
ports through to guest operating systems.</para> | |||||
</sect2> | </sect2> | ||||
<sect2 xml:id="virtualization-virtualbox-host-dvd-cd-access"> | <sect2 xml:id="virtualization-virtualbox-host-dvd-cd-access"> | ||||
<title><trademark>VirtualBox</trademark> Host <acronym>DVD</acronym>/<acronym>CD</acronym> 存取</title> | <title><trademark>VirtualBox</trademark> Host <acronym>DVD</acronym>/<acronym>CD</acronym> 存取</title> | ||||
<para xml:lang="en">Access to the host | <para>透過共享實體磁碟機可讓客端系統能夠存取主端系統的 <acronym>DVD</acronym>/<acronym>CD</acronym> 磁碟機。在 <trademark>VirtualBox</trademark> 中,這個功能可在虛擬機器設定中的儲存 (Storage) 視窗中設定。若需要,可先建立一個空的 <acronym>IDE</acronym> <acronym>CD</acronym>/<acronym>DVD</acronym> 裝置,然後在跳出的選單中選擇要做為虛擬 <acronym>CD</acronym>/<acronym>DVD</acronym> 磁碟機的主端磁碟機,此時會出現一個標籤為 <literal>Passthrough</literal> 的核選方塊,勾選這個核選方塊可讓虛擬機器直接使用該硬體,例如,音樂 <acronym>CD</acronym> 或燒錄機只會在有勾選此選項時能夠運作。</para> | ||||
<acronym>DVD</acronym>/<acronym>CD</acronym> drives from | |||||
guests is achieved through the sharing of the physical drives. | |||||
Within <trademark>VirtualBox</trademark>, this is set up from the Storage window in | |||||
the Settings of the virtual machine. If needed, create an | |||||
empty <acronym>IDE</acronym> | |||||
<acronym>CD</acronym>/<acronym>DVD</acronym> device first. | |||||
Then choose the Host Drive from the popup menu for the virtual | |||||
<acronym>CD</acronym>/<acronym>DVD</acronym> drive selection. | |||||
A checkbox labeled <literal>Passthrough</literal> will appear. | |||||
This allows the virtual machine to use the hardware directly. | |||||
For example, audio <acronym>CD</acronym>s or the burner will | |||||
only function if this option is selected.</para> | |||||
<para xml:lang="en"><acronym>HAL</acronym> needs to run for | <para><application><trademark>VirtualBox</trademark></application> <acronym>DVD</acronym>/<acronym>CD</acronym> 功能要能運作需要執行 <acronym>HAL</acronym>,因此需在 <filename>/etc/rc.conf</filename> 中開啟,若該服務尚未啟動,則啟動它:</para> | ||||
<application><trademark>VirtualBox</trademark></application> | |||||
<acronym>DVD</acronym>/<acronym>CD</acronym> functions to | |||||
work, so enable it in <filename>/etc/rc.conf</filename> and | |||||
start it if it is not already running:</para> | |||||
<programlisting xml:lang="en">hald_enable="YES"</programlisting> | <programlisting xml:lang="en">hald_enable="YES"</programlisting> | ||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>service hald start</userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>service hald start</userinput></screen> | ||||
<para xml:lang="en">In order for users to be able to use | <para>為了讓使用者能夠使用 <application><trademark>VirtualBox</trademark></application> <acronym>DVD</acronym>/<acronym>CD</acronym> 功能,這些使用者需要存取 <filename>/dev/xpt0</filename>, <filename>/dev/cd<replaceable>N</replaceable></filename> 以及 <filename>/dev/pass<replaceable>N</replaceable></filename>,這通常可讓這些使用者成為 <systemitem class="groupname">operator</systemitem> 的成員來達成。對這些裝置的權限必須加入下行到 <filename>/etc/devfs.conf</filename> 來修正:</para> | ||||
<application><trademark>VirtualBox</trademark></application> | |||||
<acronym>DVD</acronym>/<acronym>CD</acronym> functions, they | |||||
need access to <filename>/dev/xpt0</filename>, | |||||
<filename>/dev/cd<replaceable>N</replaceable></filename>, and | |||||
<filename>/dev/pass<replaceable>N</replaceable></filename>. | |||||
This is usually achieved by making the user a member of | |||||
<systemitem class="groupname">operator</systemitem>. | |||||
Permissions to these devices have to be corrected by adding | |||||
these lines to <filename>/etc/devfs.conf</filename>:</para> | |||||
<programlisting xml:lang="en">perm cd* 0660 | <programlisting xml:lang="en">perm cd* 0660 | ||||
perm xpt0 0660 | perm xpt0 0660 | ||||
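Review bot: "第一次啟動端做修改" in the kernel-module paragraph has a typo: "端" should be "前" ("before VirtualBox is started for the first time"), otherwise the sentence gives no time reference for when the changes are needed. Two smaller points in the same region: the devfs.conf paragraph for DVD/CD access says "加入下行" (add the following line) but the listing that follows ("perm cd* 0660", "perm xpt0 0660", ...) has several lines, so use "下列幾行" as the earlier devfs.conf paragraph already does; and the section title "VirtualBox Host DVD/CD 存取" still carries the untranslated "Host" while its body uses "主端", which could be aligned while this region is being touched.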
Context not available. | |||||
<acronym>BSD</acronym>-licensed hypervisor became part of the | <acronym>BSD</acronym>-licensed hypervisor became part of the | ||||
base system with FreeBSD 10.0-RELEASE. This hypervisor supports a | base system with FreeBSD 10.0-RELEASE. This hypervisor supports a | ||||
number of guests, including FreeBSD, OpenBSD, and many <trademark class="registered">Linux</trademark> | number of guests, including FreeBSD, OpenBSD, and many <trademark class="registered">Linux</trademark> | ||||
distributions. Currently, <application>bhyve</application> only | distributions. By default, <application>bhyve</application> | ||||
supports a serial console and does not emulate a graphical | provides access to serial console and does not emulate a | ||||
console. Virtualization offload features of newer | graphical console. Virtualization offload features of newer | ||||
<acronym>CPU</acronym>s are used to avoid the legacy methods of | <acronym>CPU</acronym>s are used to avoid the legacy methods of | ||||
translating instructions and manually managing memory | translating instructions and manually managing memory | ||||
mappings.</para> | mappings.</para> | ||||
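Review bot: "provides access to serial console" drops the article; "provides access to a serial console" reads correctly. If this xml:lang="en" paragraph is meant to mirror the English master verbatim so that the translation tooling can match it, leave it as is and fix the wording upstream instead.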
Context not available. | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>bhyvectl --destroy --vm=<replaceable>linuxguest</replaceable></userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>bhyvectl --destroy --vm=<replaceable>linuxguest</replaceable></userinput></screen> | ||||
</sect2> | </sect2> | ||||
<sect2 xml:id="virtualization-bhyve-uefi"> | |||||
<title>使用 <acronym>UEFI</acronym> 韌體開機 <application>bhyve</application> 虛擬機器</title> | |||||
<para xml:lang="en">In addition to <application>bhyveload</application> and | |||||
<application>grub-bhyve</application>, the | |||||
<application>bhyve</application> hypervisor can also boot | |||||
virtual machines using the <acronym>UEFI</acronym> userspace | |||||
firmware. This option may support guest operating systems | |||||
that are not supported by the other loaders.</para> | |||||
<para xml:lang="en">In order to make use of the <acronym>UEFI</acronym> | |||||
support in <application>bhyve</application>, first obtain the | |||||
<acronym>UEFI</acronym> firmware images. This can be done | |||||
by installing <package>sysutils/bhyve-firmware</package> | |||||
port or package.</para> | |||||
<para xml:lang="en">With the firmware in place, add the flags | |||||
<option>-l bootrom,<replaceable>/path/to/firmware</replaceable></option> | |||||
to your <application>bhyve</application> command line. | |||||
The actual <application>bhyve</application> command may look | |||||
like this:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \ | |||||
-s 2:0,virtio-net,<replaceable>tap1</replaceable> -s 3:0,virtio-blk,<replaceable>./disk.img</replaceable> \ | |||||
-s 4:0,ahci-cd,<replaceable>./install.iso</replaceable> -c <replaceable>4</replaceable> -m <replaceable>1024M</replaceable> \ | |||||
-l bootrom,<replaceable>/usr/local/share/uefi-firmware/BHYVE_UEFI.fd</replaceable> \ | |||||
<replaceable>guest</replaceable></userinput></screen> | |||||
<para xml:lang="en"><package>sysutils/bhyve-firmware</package> also contains a | |||||
<acronym>CSM</acronym>-enabled firmware, to boot guests with no | |||||
<acronym>UEFI</acronym> support in legacy | |||||
<acronym>BIOS</acronym> mode:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \ | |||||
-s 2:0,virtio-net,<replaceable>tap1</replaceable> -s 3:0,virtio-blk,<replaceable>./disk.img</replaceable> \ | |||||
-s 4:0,ahci-cd,<replaceable>./install.iso</replaceable> -c <replaceable>4</replaceable> -m <replaceable>1024M</replaceable> \ | |||||
-l bootrom,<replaceable>/usr/local/share/uefi-firmware/BHYVE_UEFI_CSM.fd</replaceable> \ | |||||
<replaceable>guest</replaceable></userinput></screen> | |||||
</sect2> | |||||
<sect2 xml:id="virtualization-bhyve-framebuffer"> | |||||
<title>供 <application>bhyve</application> 客端用的圖型化 <acronym>UEFI</acronym> Framebuffer </title> | |||||
<para xml:lang="en">The <acronym>UEFI</acronym> firmware support is particularly | |||||
useful with predominantly graphical guest operating systems | |||||
such as Microsoft <trademark class="registered">Windows</trademark>.</para> | |||||
<para xml:lang="en">Support for the UEFI-GOP framebuffer may also be enabled | |||||
with the <option>-s 29,fbuf,tcp=<replaceable>0.0.0.0:5900</replaceable></option> | |||||
flags. The framebuffer resolution may be configured with | |||||
<option>w=<replaceable>800</replaceable></option> and | |||||
<option>h=<replaceable>600</replaceable></option>, and | |||||
<application>bhyve</application> can be instructed to wait for | |||||
a <acronym>VNC</acronym> connection before booting the guest | |||||
by adding <option>wait</option>. The framebuffer may be | |||||
accessed from the host or over the network via the | |||||
<acronym>VNC</acronym> protocol.</para> | |||||
<para><application>bhyve</application> 指令的結果會如下:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>bhyve -AHP -s 0:0,hostbridge -s 31:0,lpc \ | |||||
-s 2:0,virtio-net,<replaceable>tap1</replaceable> -s 3:0,virtio-blk,<replaceable>./disk.img</replaceable> \ | |||||
-s 4:0,ahci-cd,<replaceable>./install.iso</replaceable> -c <replaceable>4</replaceable> -m <replaceable>1024M</replaceable> \ | |||||
-s 29,fbuf,tcp=<replaceable>0.0.0.0:5900</replaceable>,w=<replaceable>800</replaceable>,h=<replaceable>600</replaceable>,wait \ | |||||
-l bootrom,<replaceable>/usr/local/share/uefi-firmware/BHYVE_UEFI.fd</replaceable> \ | |||||
<replaceable>guest</replaceable></userinput></screen> | |||||
<para xml:lang="en">Note, in BIOS emulation mode, the framebuffer will cease | |||||
receiving updates once control is passed from firmware to | |||||
guest operating system.</para> | |||||
</sect2> | |||||
<sect2 xml:id="virtualization-bhyve-zfs"> | <sect2 xml:id="virtualization-bhyve-zfs"> | ||||
<title>在 <application>bhyve</application> Guests 使用 <acronym>ZFS</acronym></title> | <title>在 <application>bhyve</application> 客端使用 <acronym>ZFS</acronym></title> | ||||
<para xml:lang="en">If <acronym>ZFS</acronym> is available on the host | <para xml:lang="en">If <acronym>ZFS</acronym> is available on the host | ||||
machine, using <acronym>ZFS</acronym> volumes | machine, using <acronym>ZFS</acronym> volumes | ||||
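Review bot: "bhyve 指令的結果會如下" (the translated lead-in before the framebuffer command) says the result or output of the command follows, but what follows is the command line itself; "完整的 bhyve 指令會如下" (the resulting bhyve command looks like this) states it correctly. Also the sect2 title "圖型化 UEFI Framebuffer " has "圖型化" where the standard spelling is "圖形化", plus a stray space before </title>. Worth keeping in mind when this section is fully translated: the example binds the VNC framebuffer with tcp=0.0.0.0:5900, i.e. on every interface of the host, and the text only says it "may be accessed from the host or over the network"; a translator's note that a loopback address such as 127.0.0.1 keeps the guest console reachable from the host only would be a useful caveat for readers who do not need remote access.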
Context not available. | |||||
<sect1 xml:id="updating-upgrading-synopsis"> | <sect1 xml:id="updating-upgrading-synopsis"> | ||||
<title>概述</title> | <title>概述</title> | ||||
<para>FreeBSD 在每次的發佈之間持續在開發。有些人喜歡官方發佈的版本,有些人則喜歡持續同步使用最新的開發版本。雖然如此,即使是官方發佈的版本仍時常會有安全性與其他緊急修復的更新。無論使用哪種版本,FreeBSD 都提供所有必要的工具來讓系統保持最新版,而且可以輕易升級不同版本。本章將說明如何追蹤開發版本的系統及保持 FreeBSD 系統維持新版的基本工具。</para> | <para>FreeBSD 在每次的發佈之間持續在開發。有些人偏好正式發佈的版本,也有另一群人喜歡使用最新的開發版本。然而,即使是正式發佈的版本也時常會有安全性與其他緊急修復的更新,因此,無論使用哪種版本,FreeBSD 都提供所有必要的工具來讓系統能維持最新的版本,且讓各種版本都能簡單的升級。本章將說明如何追蹤開發版本的系統及讓 FreeBSD 系統維持最新版本的基本工具。</para> | ||||
<para>讀完這章,您將了解︰</para> | <para>讀完這章,您將了解︰</para> | ||||
<itemizedlist> | <itemizedlist> | ||||
<listitem> | <listitem> | ||||
<para>如何使用 <application>freebsd-update</application>, <application>Subversion</application> 來讓 FreeBSD 系統保持新版。</para> | <para>如何使用 <application>freebsd-update</application>, <application>Subversion</application> 來維持 FreeBSD 系統為最新版。</para> | ||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
Context not available. | |||||
<see>updating-upgrading</see> | <see>updating-upgrading</see> | ||||
</indexterm> | </indexterm> | ||||
<para>即時套用安全性更新並升級到新發佈的作業系統對管理一個持續運作的系統是重要的。FreeBSD 內含可以執行這兩項任務的工具程式,叫做 <command>freebsd-update</command>。</para> | <para>隨時套用安全性更新以及升級到新發佈的作業系統版本對管理一個持續運作的系統是非常重要的任務,FreeBSD 內含可以執行這兩項任務的工具程式,叫做 <command>freebsd-update</command>。</para> | ||||
<para>這個工具程式支援使用 Binary 對 FreeBSD 做安全性與和錯誤更新,不需要手動編譯和安裝修補 (Patch) 或新核心。目前由安全性團隊提供支援的 Binary 更新可用於所有的架構和發行版。支援的發行版清單及各自的支援期限列於 <uri xlink:href="http://www.FreeBSD.org/security/">http://www.FreeBSD.org/security/</uri>。</para> | <para>這個工具程式支援使用 Binary 對 FreeBSD 做安全性與和錯誤更新,不需要手動編譯和安裝修補 (Patch) 或新核心。目前由安全性團隊提供支援的 Binary 更新可用於所有的架構和發行版。支援的發行版清單及各自的支援期限列於 <uri xlink:href="http://www.FreeBSD.org/security/">http://www.FreeBSD.org/security/</uri>。</para> | ||||
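Review bot: "如何使用 freebsd-update, Subversion 來維持" lists the two tools with a bare comma, which reads as one combined method; since the chapter presents them as alternative update paths, "freebsd-update 或 Subversion" is clearer. In the rewritten synopsis sentence, "是非常重要的任務,FreeBSD 內含..." joins two independent statements with a comma where the previous version ended the first one with 。; keeping the full stop lets the sentence introducing freebsd-update stand on its own.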
Context not available. | |||||
# will have any local changes merged into the version from the new release. | # will have any local changes merged into the version from the new release. | ||||
MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting> | MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting> | ||||
<para>列出 <command>freebsd-update</command> 應嘗試合併的設定檔目錄。 檔案合併程序是指一系列類似 <citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> 做的 <citerefentry><refentrytitle>diff</refentrytitle><manvolnum>1</manvolnum></citerefentry> 修補動作, 但是選項比較少。 合併的動作包含接受、開啟編輯器,或讓 <command>freebsd-update</command> 中止。 如果有疑慮,請先備份 <filename>/etc</filename>,然後再接受合併。 更多關於 <command>mergemaster</command> 的資訊, 參見 <xref linkend="mergemaster"/>。</para> | <para>列出 <command>freebsd-update</command> 應嘗試合併的設定檔目錄。 檔案合併程序是指一系列類似 <citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> 做的 <citerefentry><refentrytitle>diff</refentrytitle><manvolnum>1</manvolnum></citerefentry> 修補動作, 但是選項比較少。 合併的動作包含接受、開啟編輯器,或讓 <command>freebsd-update</command> 中止。 如果有疑慮,請先備份 <filename>/etc</filename>,然後再接受合併。 更多關於 <command>mergemaster</command> 的資訊, 參見 <citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry>。</para> | ||||
<programlisting xml:lang="en"># Directory in which to store downloaded updates and temporary | <programlisting xml:lang="en"># Directory in which to store downloaded updates and temporary | ||||
# files used by FreeBSD Update. | # files used by FreeBSD Update. | ||||
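Review bot: replacing <xref linkend="mergemaster"/> with the mergemaster(8) citerefentry changes where "更多關於 mergemaster 的資訊" sends the reader, from the Handbook's own section to the manual page; that is only right if the "mergemaster" section and its xml:id are removed in this same change, otherwise the in-book cross-reference remains the better target. Separately, this paragraph keeps spaces after full-width punctuation ("合併。 檔案", "修補動作, 但是") and an ASCII comma, unlike the surrounding translated paragraphs; normalizing to "動作,但是" with no space keeps the file consistent.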
Context not available. | |||||
</listitem> | </listitem> | ||||
</orderedlist> | </orderedlist> | ||||
</sect2> | </sect2> | ||||
<sect2 xml:id="stable"> | |||||
<title>使用 FreeBSD-STABLE</title> | |||||
<para>主要發行版便是使用 FreeBSD-STABLE 這個開發分支所產生。變更進入這個分支的速度比較慢,並假設這些變更已經先在 FreeBSD-CURRENT 測試過。但這 <emphasis>仍然</emphasis> 是一個開發分支,而且 FreeBSD-STABLE 的原始碼在任何時候都有可能不適合一般的使用。它只是另一個開發分支,並非專門提供給終端使用者使用。若沒有替代資源可供測試的使用者應該改使用最新的 FreeBSD 發行版。</para> | |||||
<para>有興趣追蹤或對 FreeBSD 開發流程貢獻的人,尤其是對 FreeBSD 接下來的發行版相關內容有興趣的人,應該考慮追蹤 FreeBSD-STABLE。</para> | |||||
<para>儘管 FreeBSD-STABLE 分支應該在任何時候均能正確編譯、執行,但是並不保証不會有問題。因為使用 FreeBSD-STABLE 的人比 FreeBSD-CURRENT 多,有時無可避免地會在 FreeBSD-STABLE 發現在 FreeBSD-CURRENT 並非顯而易見的錯誤和極端的狀況。也因此,我們並不建議盲目追蹤 FreeBSD-STABLE。 特別重要的是 <emphasis>不要</emphasis> 在尚未使用開發或測試環境對程式碼做完整的測試之前,升級任何上線的伺服器為 FreeBSD-STABLE。</para> | |||||
<para>若要追蹤 FreeBSD-STABLE:</para> | |||||
<indexterm xml:lang="en"> | |||||
<primary>-STABLE</primary> | |||||
<secondary>using</secondary> | |||||
</indexterm> | |||||
<orderedlist> | |||||
<listitem> | |||||
<para>加入 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-stable">freebsd-stable</link> 郵遞論壇來隨時瞭解 FreeBSD-STABLE 編譯的相依關係或是任何其他需特別注意的議題。開發者在評估一些有爭議的修正或更新時,也會先在這裡發信公告,讓使用者有機會可以對提案的更改提出問題。</para> | |||||
<para>加入 <application>svn</application> 相關郵遞論壇來追蹤該分支的修訂。 例如,要追蹤 9-STABLE 分支的使用者應該加入 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-stable-9">svn-src-stable-9</link> 郵遞論壇。這個郵遞論壇會記錄每一次修改的提交項目,以及可能產生的副作用的相關資訊。</para> | |||||
<para>要加入這兩個郵遞論壇,請前往 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo">http://lists.FreeBSD.org/mailman/listinfo</link> 點選要訂閱的郵遞論壇,並依照網頁指示的步驟操作。要追蹤整個原始碼樹,不單只有 FreeBSD-CURRENT 的變更,可訂閱 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-all">svn-src-all</link> 郵遞論壇。</para> | |||||
</listitem> | |||||
<listitem> | |||||
<para>要安裝新的 FreeBSD-STABLE 系統, 可從 <link linkend="mirrors">FreeBSD 鏡像站</link> 或從 FreeBSD-STABLE 每個月的快照 (Snapshot) 來安裝最新的 FreeBSD-STABLE 發行版。請參考 <link xlink:href="@@URL_RELPREFIX@@/snapshots/">www.freebsd.org/snapshots</link> 來取得更多有關快照的資訊。</para> | |||||
<para>要編譯或升級已經安裝的 FreeBSD 系統至 FreeBSD-STABLE,可使用 <link linkend="svn">svn</link> <indexterm> | |||||
<primary>Subversion</primary> | |||||
</indexterm> 來取得欲安裝分支的原始碼。分支的名稱列在 <link xlink:href="@@URL_RELPREFIX@@/releng/">www.freebsd.org/releng</link>,例如 <literal>stable/9</literal>。</para> | |||||
</listitem> | |||||
<listitem> | |||||
<para>在編譯或升級到 FreeBSD-STABLE <indexterm> | |||||
<primary>-STABLE</primary> | |||||
<secondary>compiling</secondary> | |||||
</indexterm> 之前 , 請仔細閱讀 <filename>/usr/src/Makefile</filename> 並依照 <xref linkend="makeworld"/> 的指示操作。閱讀 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-stable">FreeBSD-STABLE 郵遞論壇</link> 以及 <filename>/usr/src/UPDATING</filename> 來了解升級的相關資訊,有時會含有升級下一個發行版的必要資訊。</para> | |||||
</listitem> | |||||
</orderedlist> | |||||
</sect2> | |||||
</sect1> | </sect1> | ||||
<sect1 xml:id="synching"> | <sect1 xml:id="updating-src"> | ||||
<title>同步原始碼</title> | <title>從原始碼更新 FreeBSD</title> | ||||
<para>有多許方法可以更新 FreeBSD 的原始碼,本節將說明主要的方法 <application>Subversion</application>。</para> | <para>從編譯原始碼來更新 FreeBSD 比起用 Binary 更新有幾項優點,在編譯程式碼時可以自訂選項來充分運用特定硬體,部份基礎系統可以使用非預設的設定值編譯,或是在不需要或不想要的時候跳過編譯。使用編譯的程序來更新系統比起安裝 Binary 來更新會耗時許多,但能夠完整自訂一個量身定做版本的 FreeBSD。</para> | ||||
<warning> | <sect2 xml:id="updating-src-quick-start"> | ||||
<para>雖然有可能只更新部份原始碼樹,但是正式支援的更新步驟是更新整個樹並重新編譯所有在使用者空間 (User space) 中的程式,例如在 <filename>/bin</filename> 和 <filename>/sbin</filename> 中的程式及核心原始碼。只更新部份的原始碼樹,例如:只更新核心或使用者空間的程式的做法經常會導致編譯錯誤、核心錯誤或資料損毀的問題。</para> | <title>快速開始</title> | ||||
</warning> | |||||
<indexterm xml:lang="en"> | <para>這是從原始碼編譯來更新 FreeBSD 的標準步驟快速的參考,稍後的章節會更詳細的說明這個程序。</para> | ||||
<primary>Subversion</primary> | |||||
</indexterm> | |||||
<para xml:lang="en"><application>Subversion</application> uses the | |||||
<emphasis>pull</emphasis> model of updating sources. The user, | |||||
or a <command>cron</command> script, invokes the | |||||
<command>svn</command> program which updates the local version | |||||
of the source. <application>Subversion</application> is the | |||||
preferred method for updating local source trees as updates are | |||||
up-to-the-minute and the user controls when updates are | |||||
downloaded. It is easy to restrict updates to specific files or | |||||
directories and the requested updates are generated on the fly | |||||
by the server. How to synchronize source using | |||||
<application>Subversion</application> is described in <xref linkend="svn"/>.</para> | |||||
<para xml:lang="en">If a user inadvertently wipes out portions of the local | |||||
archive, <application>Subversion</application> will detect and | |||||
rebuild the damaged portions during an update.</para> | |||||
</sect1> | |||||
<sect1 xml:id="makeworld"> | |||||
<title>重新編譯 World</title> | |||||
<indexterm xml:lang="en"> | |||||
<primary>Rebuilding <quote>world</quote></primary> | |||||
</indexterm> | |||||
<para>當本地的原始碼樹已與特定版本的 FreeBSD 如 FreeBSD-STABLE 或 FreeBSD-CURRENT 同步以後,便可使用原始碼樹來重新編譯系統。這個程序即為重新編譯 World。</para> | |||||
<para>在重新編譯 World <emphasis>之前</emphasis>,請確定已完成以下工作:</para> | |||||
<procedure> | |||||
<title>編譯 World <emphasis>之前</emphasis> 要完成的工作</title> | |||||
<step> | |||||
<para>備份所有重要的資料到另一個系統或可卸除的媒體,檢查備份的完整性並在手中保留一份可開機的安裝媒體。如何強調都不足夠說明在重新編譯系統 <emphasis>之前</emphasis> 備份系統的重要性。即便重新編譯 World 已變成簡單的一件事,也難免會有原始碼樹失誤導致系統無法開機的時候。您可能永遠都用不上備份,但最好確保安全而非後悔。</para> | |||||
</step> | |||||
<step> | |||||
<indexterm xml:lang="en"><primary>mailing list</primary></indexterm> | |||||
<para>回顧最近 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-stable">freebsd-stable</link> 或 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-current">freebsd-current</link> 中的項目,依您所追蹤的分支決定。注意任何已知的問題以及會被影響的系統。若已知的問題影響您已同步的原始碼版本,請等候表明問題已被解決的 <quote>全部解決 (all clear)</quote> 公告發佈,然後重新同步原始碼並確認本地的原始碼版本已含有所需的修正。</para> | |||||
</step> | |||||
<step> | |||||
<para>閱讀 <filename>/usr/src/UPDATING</filename> 了解該版本的原始碼是否有必要的額外步驟要完成。 這個檔案中會包含有關潛藏問題的重要資訊,並且可能會要求執行某些指令。大多升級需要完成指定的額外步驟,例如:在安裝新 World 前重新命名或刪除指定檔案,這些步驟會列在檔案最後,明確說明目前建議的升級順序。若 <filename>UPDATING</filename> 中有與本章相矛盾的步驟,請以 <filename>UPDATING</filename> 為準並應遵循其內容。</para> | |||||
</step> | |||||
</procedure> | |||||
<warning> | |||||
<title>不要使用 <command>make world</command></title> | |||||
<para>部份舊版的文件建議使用 <command>make world</command>。然而該指令跳過了部份重要的步驟,應僅供專家使用。大多數的情況使用 <command>make world</command> 都是錯的,並應使用此處說明的程序。</para> | |||||
</warning> | |||||
<sect2 xml:id="canonical-build"> | |||||
<title>流程概述</title> | |||||
<para>編譯 World 流程會假設您是依照 <xref linkend="synching"/> 指示取得最近版本的原始碼來升級舊版的 FreeBSD。</para> | |||||
<para>在 FreeBSD,<quote>world</quote> 一詞包含了核心,核心系統 Binary,程式庫,原始碼以及內建的編譯器。這些元件編譯與安裝的順序非常重要。</para> | |||||
<para>舉例來說,舊的編譯器可能有問題而無法編譯新的核心。新的核心需使用新的編譯器來編譯,因此新的編譯器必需先編譯,但在新核心編譯前並不一定要安裝。</para> | |||||
<para>新的 World 可能需要使用新的核心功能,所以必須在新的 World 安裝之前先安裝新的核心。舊的 World 也可能在新的核心上無法正常執行,所以必須在新的核心安裝完之後 | |||||
馬上安裝新的 World。</para> | |||||
<para>有一部份設定必須在新的 World 安裝前變更,但其他的部份在之前變更則可能會破壞舊的 World。因此會使用到兩種不同的設定升級步驟。大部份情況,更新程序只會取代或新增檔案,不會刪除已存在的舊檔案。當這可能會造成問題時 <filename>/usr/src/UPDATING</filename> 便會說明需要手動刪除的檔案以及操作的步驟。</para> | |||||
<para>這些問題會影響接下來的建議升級順序。</para> | |||||
<note> | |||||
<para>將執行 <command>make</command> 的輸出儲存到檔案是不錯的辦法,若發生錯誤時,便可複製錯誤訊息張貼到 FreeBSD 郵遞論壇。</para> | |||||
<para>最簡單的方式是使用 <command>script</command> 並透過參數指定要儲存所有輸出的檔案名稱。請不要儲存輸出到 <filename>/tmp</filename>,因這個目錄可能在下次重新開機後被清除。儲存檔案最好的地方是 <filename>/var/tmp</filename>。在重新編譯 World 之前執行這個指令,並在流程完成後輸入 <userinput>exit</userinput>:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>script <replaceable>/var/tmp/mw.out</replaceable></userinput> | |||||
Script started, output file is /var/tmp/mw.out</screen> | |||||
</note> | |||||
<procedure> | <procedure> | ||||
<title>編譯 World 流程概述</title> | |||||
<para>編譯 World 流程中使用的指令應依此處指定的順序執行。本節將摘要各指令的功能。</para> | |||||
<step> | <step> | ||||
<para>若編譯 World 流程先前已在系統執行過,先前編譯的結果可能遺留在 <filename>/usr/obj</filename>。要加速新的編譯 World 流程及節省處理相依問題的時間,若此目錄存在,請移除此目錄:</para> | <title>更新並編譯</title> | ||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>chflags -R noschg /usr/obj/*</userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>svn update /usr/src</userinput> <co xml:id="updating-src-qs-svnup"/> | ||||
<prompt>#</prompt> <userinput>rm -rf /usr/obj</userinput></screen> | <emphasis>check <filename>/usr/src/UPDATING</filename></emphasis> <co xml:id="updating-src-qs-review-updating"/> | ||||
</step> | <prompt>#</prompt> <userinput>cd /usr/src</userinput> <co xml:id="updating-src-qs-cd"/> | ||||
<prompt>#</prompt> <userinput>make -j<replaceable>4</replaceable> buildworld</userinput> <co xml:id="updating-src-qs-buildworld"/> | |||||
<prompt>#</prompt> <userinput>make -j<replaceable>4</replaceable> kernel</userinput> <co xml:id="updating-src-qs-kernel"/> | |||||
<prompt>#</prompt> <userinput>shutdown -r now</userinput> <co xml:id="updating-src-qs-reboot"/> | |||||
<prompt>#</prompt> <userinput>cd /usr/src</userinput> <co xml:id="updating-src-qs-cd2"/> | |||||
<prompt>#</prompt> <userinput>make installworld</userinput> <co xml:id="updating-src-qs-installworld"/> | |||||
<prompt>#</prompt> <userinput>mergemaster -Ui</userinput> <co xml:id="updating-src-qs-mergemaster"/> | |||||
<prompt>#</prompt> <userinput>shutdown -r now</userinput> <co xml:id="updating-src-qs-shutdown"/></screen> | |||||
<step> | <calloutlist> | ||||
<para>編譯新的編譯器及一些相關工具,然後使用新的編譯器編譯新的 World。編譯的結果會儲存到 <filename>/usr/obj</filename>。</para> | <callout arearefs="updating-src-qs-svnup"> | ||||
<para>取得最新版本的原始碼,請參考 <xref linkend="updating-src-obtaining-src"/> 來了解更多取得與更新原始碼的資訊。</para> | |||||
</callout> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | <callout arearefs="updating-src-qs-review-updating"> | ||||
<prompt>#</prompt> <userinput>make buildworld</userinput></screen> | <para>從原始碼編譯之前與之後任何需要手動操作步驟會在 <filename>/usr/src/UPDATING</filename> 中有說明。</para> | ||||
</step> | </callout> | ||||
<step> | <callout arearefs="updating-src-qs-cd"> | ||||
<para>使用在 <filename>/usr/obj</filename> 中的新編譯器來編譯新的核心,來確保不會發生編譯器與核心不相容的問題。因某些記憶體結構可能有修改,這個步驟是必要的,若核心與原始碼的版本不同,<command>ps</command> 及 <command>top</command> 這類的程式會無法運作。</para> | <para>前往原始碼目錄。</para> | ||||
</callout> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make buildkernel</userinput></screen> | <callout arearefs="updating-src-qs-buildworld"> | ||||
</step> | <para>編譯世界 (World),即除了核心 (Kernel) 外的所有東西。</para> | ||||
</callout> | |||||
<step> | <callout arearefs="updating-src-qs-kernel"> | ||||
<para>安裝新的核心與新的核心模組,讓開機時可以使用新的核心。這個指令可在多使用者模式執行,除非 <varname>kern.securelevel</varname> 設定在 <literal>1</literal> 以上 <emphasis>且</emphasis> 在核心 Binary 有設定 <literal>noschg</literal> 或類似的旗標 (Flag),請先讓系統進入單使用者模式。請參考 <citerefentry><refentrytitle>init</refentrytitle><manvolnum>8</manvolnum></citerefentry> 取得有關 <varname>kern.securelevel</varname> 的詳細資訊以及 <citerefentry><refentrytitle>chflags</refentrytitle><manvolnum>1</manvolnum></citerefentry> 取得有關各種檔案旗標的詳細資訊。</para> | <para>編譯並安裝核心,此動作等同於同時做 <buildtarget>buildkernel</buildtarget> <buildtarget>installkernel</buildtarget>。</para> | ||||
</callout> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make installkernel</userinput></screen> | <callout arearefs="updating-src-qs-reboot"> | ||||
</step> | <para xml:lang="en">Reboot the system to the new kernel.</para> | ||||
</callout> | |||||
<step> | <callout arearefs="updating-src-qs-cd2"> | ||||
<para>讓系統進入單使用者模組來減少升級任何已在執行中的 Binary 所產生的問題,同樣也可減少在新核心上執行舊 World 的問題。</para> | <para>前往原始碼目錄。</para> | ||||
</callout> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>shutdown now</userinput></screen> | <callout arearefs="updating-src-qs-installworld"> | ||||
<para>安裝世界。</para> | |||||
</callout> | |||||
<para>進入單使用者模式後,若系統磁碟格式為 UFS 請執行以下指令:</para> | <callout arearefs="updating-src-qs-mergemaster"> | ||||
<para>更新與合併在 <filename>/etc/</filename> 中的設定檔案。</para> | |||||
</callout> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>mount -u /</userinput> | <callout arearefs="updating-src-qs-shutdown"> | ||||
<prompt>#</prompt> <userinput>mount -a -t ufs</userinput> | <para>重新啟動系統以使用新編譯好的世界與核心。</para> | ||||
<prompt>#</prompt> <userinput>swapon -a</userinput></screen> | </callout> | ||||
</calloutlist> | |||||
<para>若系統磁碟格式為 ZFS,則需執行以下兩個指令。此範例假設 zpool 名稱為 <literal>zroot</literal>:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs set readonly=off zroot</userinput> | |||||
<prompt>#</prompt> <userinput>zfs mount -a</userinput></screen> | |||||
</step> | </step> | ||||
<step> | |||||
<para>選用:若想要使用 US 英文以外的鍵盤對應表,可以使用 <citerefentry><refentrytitle>kbdmap</refentrytitle><manvolnum>1</manvolnum></citerefentry> 來變更:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>kbdmap</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>接著,不論那一種檔案系統,若 <acronym>CMOS</acronym> 時鐘設定為本地時間 (若 <citerefentry><refentrytitle>date</refentrytitle><manvolnum>1</manvolnum></citerefentry> 顯示不正確的時間與時區),請執行:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>adjkerntz -i</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>重新編譯 World 不會直接更新某些目錄中的設定檔,如 <filename>/etc</filename>, <filename>/var</filename> 以及 <filename>/usr</filename>。接下來的步驟是更新一部份的設定檔到 <filename>/etc</filename> 來準備安裝新的 World。以下指令只會比對影響 <buildtarget>installworld</buildtarget> 是否成功執行的必要檔案。例如,這個步驟會可能會加入新版 FreeBSD 的新群組、系統帳號或啟動 Script。為了讓 <buildtarget>installworld</buildtarget> 步驟可以使用任何新的系統帳號、群組與 Script,這是個必要的步驟。請參考 <xref linkend="mergemaster"/> 來取得更多有關此指令的詳細操作說明:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>mergemaster -p</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>從 <filename>/usr/obj</filename> 安裝新 World 與系統 Binary。</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | |||||
<prompt>#</prompt> <userinput>make installworld</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>更新任何剩下的設定檔。</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>mergemaster -iF</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>刪除任何過時的檔案。這很重要,因為若檔案遺留在磁碟上可能會造成問題。</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make delete-old</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>現在需要完整重新啟動來載入新的核心、新的 World 與新的設定檔。</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>reboot</userinput></screen> | |||||
</step> | |||||
<step> | |||||
<para>確認所有已安裝的 Port 在舊的程式庫移除前已依照 <xref linkend="ports-upgrading"/> 的說明重新編譯。當重新編譯完成後,移除過時的程式庫來避免與新的程式庫發生衝突。有關此步驟更詳細的說明請參考 <xref linkend="make-delete-old"/>。</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make delete-old-libs</userinput></screen> | |||||
</step> | |||||
</procedure> | </procedure> | ||||
<indexterm xml:lang="en"><primary>single-user mode</primary></indexterm> | |||||
<para>若系統允許停機一小段時間,請考慮以單使用者模式編譯系統來替代在多使用者模組編譯系統,然後進入單使用者模式來完成安裝。重新安裝系統會觸及到很多重要的系統檔案,所有的標準系統 Binary、程式庫以及引用檔。在執行中的系統更換這些檔案,特別是有使用者在使用時,是自找麻煩。</para> | |||||
</sect2> | </sect2> | ||||
<sect2 xml:id="src-updating"> | <sect2 xml:id="updating-src-preparing"> | ||||
<title>設定檔</title> | <title>準備原始碼更新</title> | ||||
<indexterm xml:lang="en"> | <para>閱讀 <filename>/usr/src/UPDATING</filename>,從原始碼編譯之前與之後任何需要手動操作步驟會在此檔案中說明。</para> | ||||
<primary><filename>make.conf</filename></primary> | |||||
</indexterm> | |||||
<para xml:lang="en">This build world process uses several configuration | |||||
files.</para> | |||||
<para xml:lang="en">The <filename>Makefile</filename> located in | |||||
<filename>/usr/src</filename> describes how the programs that | |||||
comprise FreeBSD should be built and the order in which they | |||||
should be built.</para> | |||||
<para xml:lang="en">The options available to <command>make</command> are | |||||
described in <citerefentry><refentrytitle>make.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and some common examples are | |||||
included in | |||||
<filename>/usr/share/examples/etc/make.conf</filename>. Any | |||||
options which are added to <filename>/etc/make.conf</filename> | |||||
will control the how <command>make</command> runs and builds | |||||
programs. These options take effect every time | |||||
<command>make</command> is used, including compiling | |||||
applications from the Ports Collection, compiling custom C | |||||
programs, or building the FreeBSD operating system. Changes to | |||||
some settings can have far-reaching and potentially surprising | |||||
effects. Read the comments in both locations and keep in mind | |||||
that the defaults have been chosen for a combination of | |||||
performance and safety.</para> | |||||
<indexterm xml:lang="en"> | |||||
<primary><filename>src.conf</filename></primary> | |||||
</indexterm> | |||||
<para xml:lang="en">How the operating system is built from source code is | |||||
controlled by <filename>/etc/src.conf</filename>. Unlike | |||||
<filename>/etc/make.conf</filename>, the contents of | |||||
<filename>/etc/src.conf</filename> only take effect when the | |||||
FreeBSD operating system itself is being built. Descriptions of | |||||
the many options available for this file are shown in | |||||
<citerefentry><refentrytitle>src.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Be cautious about disabling seemingly | |||||
unneeded kernel modules and build options. Sometimes there | |||||
are unexpected or subtle interactions.</para> | |||||
</sect2> | </sect2> | ||||
<sect2 xml:id="make-buildworld"> | <sect2 xml:id="updating-src-obtaining-src"> | ||||
<title>變數與目標</title> | <title>更新原始碼</title> | ||||
<para xml:lang="en">The general format for using <command>make</command> is as | <para>FreeBSD 的原始碼位於 <filename>/usr/src/</filename>,較建議透過 <application>Subversion</application> 版本控制系統來更新這份原始碼,要確認原始碼已在版本控制系統的管控下可:</para> | ||||
follows:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make -<replaceable>x</replaceable> -D<replaceable>VARIABLE</replaceable> <replaceable>target</replaceable></userinput></screen> | <screen xml:lang="en"><prompt>#</prompt> <userinput>svn info /usr/src</userinput> | ||||
Path: /usr/src | |||||
Working Copy Root Path: /usr/src | |||||
...</screen> | |||||
<para xml:lang="en">In this example, | <para>此結果代表 <filename>/usr/src/</filename> 已在版本控制系統的管控下並且可以使用 <citerefentry><refentrytitle>svn</refentrytitle><manvolnum>1</manvolnum></citerefentry> 來更新:</para> | ||||
<option>-<replaceable>x</replaceable></option> is an option | |||||
passed to <command>make</command>. Refer to <citerefentry><refentrytitle>make</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |||||
examples of the available options.</para> | |||||
<para xml:lang="en">To pass a variable, specify the variable name with | <screen xml:id="synching" xml:lang="en"><prompt>#</prompt> <userinput>svn update /usr/src</userinput></screen> | ||||
<option>-D<replaceable>VARIABLE</replaceable></option>. The | |||||
behavior of the <filename>Makefile</filename> is controlled by | |||||
variables. These can either be set in | |||||
<filename>/etc/make.conf</filename> or they can be specified | |||||
when using <command>make</command>. For example, this | |||||
variable specifies that profiled libraries should not be | |||||
built:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make -DNO_PROFILE <replaceable>target</replaceable></userinput></screen> | <para>若該目錄最近沒有更新過,可能會需要一些時間來完成更新動作。在更新完成之後,原始碼便為最新版本,並可開始依下一章節的說明來編譯程序。</para> | ||||
<para xml:lang="en">It corresponds with this setting in | <note xml:id="updating-src-obtaining-src-checkout"> | ||||
<filename>/etc/make.conf</filename>:</para> | <title>取得原始碼</title> | ||||
<programlisting xml:lang="en">NO_PROFILE= true # Avoid compiling profiled libraries</programlisting> | <para>若輸出結果顯示 <literal>'/usr/src' is not a working copy</literal> 代表有缺少檔案或原始碼是採用其他方式安裝,若是如此,便需重新取出 (checkout) 原始碼。</para> | ||||
<para xml:lang="en">The <replaceable>target</replaceable> tells | <table xml:id="updating-src-obtaining-src-repopath"> | ||||
<command>make</command> what to do and the | <title>FreeBSD 版本與檔案庫路徑</title> | ||||
<filename>Makefile</filename> defines the available targets. | |||||
Some targets are used by the build process to break out the | |||||
steps necessary to rebuild the system into a number of | |||||
sub-steps.</para> | |||||
<para xml:lang="en">Having separate options is useful for two reasons. First, | <tgroup cols="3"> | ||||
it allows for a build that does not affect any components of a | <thead> | ||||
running system. Because of this, | <row> | ||||
<buildtarget xml:lang="en">buildworld</buildtarget> can be safely run on a | <entry><command>uname -r</command> 的輸出結果</entry> | ||||
machine running in multi-user mode. It is still recommended | <entry>檔案庫路徑</entry> | ||||
that <buildtarget xml:lang="en">installworld</buildtarget> be run in part in | <entry>說明</entry> | ||||
single-user mode, though.</para> | </row> | ||||
</thead> | |||||
<para xml:lang="en">Secondly, it allows <acronym>NFS</acronym> mounts to be | <tbody> | ||||
used to upgrade multiple machines on a network, as described | <row> | ||||
in <xref linkend="small-lan"/>.</para> | <entry xml:lang="en"><literal><replaceable>X.Y</replaceable>-RELEASE</literal></entry> | ||||
<entry xml:lang="en"><literal>base/releng/</literal><replaceable>X.Y</replaceable></entry> | |||||
<entry>發佈版本加上關鍵的安全性與錯誤修正,較建議大多數使用者使用這個分支。</entry> | |||||
</row> | |||||
<para xml:lang="en">It is possible to specify <option>-j</option> which will | <row> | ||||
cause <command>make</command> to spawn several simultaneous | <entry xml:lang="en"><literal><replaceable>X.Y</replaceable>-STABLE</literal></entry> | ||||
processes. Since much of the compiling process is | <entry xml:lang="en"><literal>base/stable/</literal><replaceable>X</replaceable></entry> | ||||
<acronym>I/O</acronym>-bound rather than | <entry> | ||||
<acronym>CPU</acronym>-bound, this is useful on both single | <para>發佈版本加上所有在該分支上其他開發中的程式,<emphasis>STABLE</emphasis> 代表不會更改應用程式 Binary 介面 (Applications Binary Interface, <acronym>ABI</acronym>),所以在先前版本所編譯的軟體仍可以正常運作,舉例來說,被編譯在 FreeBSD 10.1 可執行的軟體在編譯完 FreeBSD 10-STABLE 之後仍可以執行。</para> | ||||
<acronym>CPU</acronym> and multi-<acronym>CPU</acronym> | |||||
machines.</para> | |||||
<para xml:lang="en">On a single-<acronym>CPU</acronym> machine, run the | <para>STABLE 分支偶爾也會有錯誤或無法相容的問題會影響使用者,雖然這些問題通常會很快的被修正。</para> | ||||
following command to have up to 4 processes running at any one | </entry> | ||||
time. Empirical evidence posted to the mailing lists shows | </row> | ||||
this generally gives the best performance benefit.</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make -j4 buildworld</userinput></screen> | <row> | ||||
<entry xml:lang="en"><literal><replaceable>X</replaceable>-CURRENT</literal></entry> | |||||
<entry xml:lang="en"><literal>base/head/</literal></entry> | |||||
<entry>最新未發佈的 FreeBSD 開發版本,CURRENT 分支可能會有重大錯誤或不相容的問題,只建議進階的使用者使用。</entry> | |||||
</row> | |||||
</tbody> | |||||
</tgroup> | |||||
</table> | |||||
<para xml:lang="en">On a multi-<acronym>CPU</acronym> machine, try values | <para>查看 FreeBSD 目前使用的版本可使用 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para> | ||||
between <literal>6</literal> and <literal>10</literal> to see | |||||
how they speed things up.</para> | |||||
<indexterm xml:lang="en"> | <screen xml:lang="en"><prompt>#</prompt> <userinput>uname -r</userinput> | ||||
<primary>rebuilding <quote>world</quote></primary> | 10.3-RELEASE</screen> | ||||
<secondary>timings</secondary> | |||||
</indexterm> | |||||
<note> | <para xml:lang="en">Based on | ||||
<para xml:lang="en">If any variables were specified to <command>make | <xref linkend="updating-src-obtaining-src-repopath"/>, the | ||||
buildworld</command>, specify the same variables to | source used to update <literal>10.3-RELEASE</literal> has | ||||
<command>make installworld</command>. However, | a repository path of <literal>base/releng/10.3</literal>. | ||||
<option>-j</option> must <emphasis>never</emphasis> be used | That path is used when checking out the source:</para> | ||||
with <buildtarget xml:lang="en">installworld</buildtarget>.</para> | |||||
<para xml:lang="en">For example, if this command was used:</para> | <screen xml:lang="en"><prompt>#</prompt> <userinput>mv /usr/src /usr/src.bak</userinput> <co xml:id="updating-src-obtaining-src-mv"/> | ||||
<prompt>#</prompt> <userinput>svn checkout https://svn.freebsd.org/base/<replaceable>releng/10.3</replaceable> /usr/src</userinput> <co xml:id="updating-src-obtaining-src-checkout-cmd"/></screen> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make -DNO_PROFILE buildworld</userinput></screen> | <calloutlist> | ||||
<callout arearefs="updating-src-obtaining-src-mv"> | |||||
<para>將舊的目錄移到其他地方,若沒有在這個目錄做過任何本地修改,可直接刪除這個目錄。</para> | |||||
</callout> | |||||
<para xml:lang="en">Install the results with:</para> | <callout arearefs="updating-src-obtaining-src-checkout-cmd"> | ||||
<para>將從 <xref linkend="updating-src-obtaining-src-repopath"/> 查到的路徑加到檔案庫 <acronym>URL</acronym> 之後。第三個參數用來存放本地系統原始碼的目標目錄。</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make -DNO_PROFILE installworld</userinput></screen> | </callout> | ||||
</calloutlist> | |||||
<para xml:lang="en">Otherwise, the second command will try to install | |||||
profiled libraries that were not built during the | |||||
<command>make buildworld</command> phase.</para> | |||||
</note> | </note> | ||||
</sect2> | </sect2> | ||||
<sect2 xml:id="mergemaster"> | <sect2 xml:id="updating-src-building"> | ||||
<info> | <title>從原始碼編譯</title> | ||||
<title>合併設定檔</title> | |||||
<authorgroup> | <para xml:id="makeworld">編譯世界 (<emphasis>world</emphasis>) 即編譯整個作業系統除了核心 (Kernel),要先做這個動作以便提供最新的工具來編譯核心,接著便可編譯核心:</para> | ||||
<author xml:lang="en"> | |||||
<personname> | |||||
<firstname>Tom</firstname> | |||||
<surname>Rhodes</surname> | |||||
</personname> | |||||
<contrib>Contributed by </contrib> | |||||
</author> | |||||
</authorgroup> | |||||
</info> | |||||
<indexterm xml:lang="en"> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | ||||
<primary> | <prompt>#</prompt> <userinput>make buildworld</userinput> | ||||
<command>mergemaster</command> | <prompt>#</prompt> <userinput>make buildkernel</userinput></screen> | ||||
</primary> | |||||
</indexterm> | |||||
<para xml:lang="en">FreeBSD provides the <citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> Bourne script to aid | <para>編譯完的程式會寫入至 <filename>/usr/obj</filename>。</para> | ||||
in determining the differences between the configuration files | |||||
in <filename>/etc</filename>, and the configuration files in | |||||
<filename>/usr/src/etc</filename>. This is the recommended | |||||
solution for keeping the system configuration files up to date | |||||
with those located in the source tree.</para> | |||||
<para xml:lang="en">Before using <command>mergemaster</command>, it is | <para>以上這些均為基本的步驟,用來控制編譯的其他選項在以下章節會說明。</para> | ||||
recommended to first copy the existing | |||||
<filename>/etc</filename> somewhere safe. Include | |||||
<option>-R</option> which does a recursive copy and | |||||
<option>-p</option> which preserves times and the ownerships | |||||
on files:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cp -Rp /etc /etc.old</userinput></screen> | <sect3 xml:id="updating-src-building-clean-build"> | ||||
<title>執行清除編譯</title> | |||||
<para xml:lang="en">When run, <command>mergemaster</command> builds a | <para>部份 FreeBSD 編譯系統版本會保留先前編譯的程式於暫存的物件目錄 <filename>/usr/obj</filename>,避免重新編譯那些尚未更動過的程式碼可加速後續的編譯動作,若要強制重新編譯所有東西可在開始編譯前使用 <buildtarget>cleanworld</buildtarget>:</para> | ||||
temporary root environment, from <filename>/</filename> down, | |||||
and populates it with various system configuration files. | |||||
Those files are then compared to the ones currently installed | |||||
in the system. Files that differ will be shown in | |||||
<citerefentry><refentrytitle>diff</refentrytitle><manvolnum>1</manvolnum></citerefentry> format, with the <option>+</option> sign | |||||
representing added or modified lines, and <option>-</option> | |||||
representing lines that will be either removed completely or | |||||
replaced with a new file. Refer to <citerefentry><refentrytitle>diff</refentrytitle><manvolnum>1</manvolnum></citerefentry> for more | |||||
information about how file differences are shown.</para> | |||||
<para xml:lang="en">Next, <command>mergemaster</command> will display each | <screen xml:lang="en"><prompt>#</prompt> <userinput>make cleanworld</userinput></screen> | ||||
file that differs, and present options to: delete the new | </sect3> | ||||
file, referred to as the temporary file, install the temporary | |||||
file in its unmodified state, merge the temporary file with | |||||
the currently installed file, or view the results | |||||
again.</para> | |||||
<para xml:lang="en">Choosing to delete the temporary file will tell | <sect3 xml:id="updating-src-building-jobs"> | ||||
<command>mergemaster</command> to keep the current file | <title>設定工作數量</title> | ||||
unchanged and to delete the new version. This option is not | |||||
recommended. To get help at any time, type | |||||
<keycap>?</keycap> at the <command>mergemaster</command> | |||||
prompt. If the user chooses to skip a file, it will be | |||||
presented again after all other files have been dealt | |||||
with.</para> | |||||
<para xml:lang="en">Choosing to install the unmodified temporary file will | <para>在多核處理器上增加編譯工作的數量可增加編譯速度,可使用 <command>sysctl hw.ncpu</command> 來查看有多少核心,不同處理器使用不同版本的 FreeBSD 編譯系統,所以唯一能了解不同工作數量對編譯速度影響的方式便是測試。在一開始可考慮選擇一個介於 1/2 到 2 倍核心數之間的數值,工作的數量可使用 <option>-j</option> 來指定。</para> | ||||
replace the current file with the new one. For most | |||||
unmodified files, this is the best option.</para> | |||||
<para xml:lang="en">Choosing to merge the file will present a text editor, and | <example xml:id="updating-src-building-jobs-example"> | ||||
the contents of both files. The files can be merged by | <title>增加編譯工作數</title> | ||||
reviewing both files side by side on the screen, and choosing | |||||
parts from both to create a finished product. When the files | |||||
are compared side by side, <keycap>l</keycap> selects the left | |||||
contents and <keycap>r</keycap> selects contents from the | |||||
right. The final output will be a file consisting of both | |||||
parts, which can then be installed. This option is | |||||
customarily used for files where settings have been modified | |||||
by the user.</para> | |||||
<para xml:lang="en">Choosing to view the results again will redisplay the file | <para>使用四個工作來編譯世界與核心:</para> | ||||
differences.</para> | |||||
<para xml:lang="en">After <command>mergemaster</command> is done with the | <screen xml:lang="en"><prompt>#</prompt> <userinput>make -j4 buildworld buildkernel</userinput></screen> | ||||
system files, it will prompt for other options. It may prompt | </example> | ||||
to rebuild the password file and will finish up with an option | </sect3> | ||||
to remove left-over temporary files.</para> | |||||
<!-- | |||||
Probably not needed as changes should be minimal and mergemaster does | |||||
a good job of merging. | |||||
<tip> | |||||
<title>Name the New Root Directory | |||||
(<filename>/var/tmp/root</filename>) | |||||
with a Time Stamp, so You Can Easily Compare Differences | |||||
Between Versions</title> | |||||
<para>Frequently rebuilding world entails frequently | <sect3 xml:id="updating-src-building-only-kernel"> | ||||
updating <filename>/etc</filename> | <title>只編譯核心</title> | ||||
as well, which can be a bit of a chore.</para> | |||||
<para>To speed up this process, use the following | <para>若原始碼有更動,便須執行 <buildtarget>buildworld</buildtarget>,完成之後,便可隨時執行 <buildtarget>buildkernel</buildtarget> 來編譯核心,若要只編譯核心可:</para> | ||||
procedure to keep a copy of the last set of changed files | |||||
that were merged into <filename>/etc</filename>.</para> | |||||
<procedure> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | ||||
<step> | <prompt>#</prompt> <userinput>make buildkernel</userinput></screen> | ||||
<para>Make the world as normal. When updating | </sect3> | ||||
<filename>/etc</filename> and the | |||||
other directories, give the target directory a name | |||||
based on the current date:</para> | |||||
<screen>&prompt.root; <userinput>mkdir /var/tmp/root-20130214</userinput> | <sect3 xml:id="updating-src-building-custom-kernel"> | ||||
&prompt.root; <userinput>cd /usr/src/etc</userinput> | <title>編譯自訂核心</title> | ||||
&prompt.root; <userinput>make DESTDIR=/var/tmp/root-20130214 \ | |||||
distrib-dirs distribution</userinput></screen> | |||||
</step> | |||||
<step> | <para>標準的 FreeBSD 核心是以一個名為 <filename>GENERIC</filename> 的<emphasis>核心設定檔 (Kernel config file)</emphasis>為基礎,<filename>GENERIC</filename> 核心中內含了所有最常用的裝置驅動程式與選項,有時這個檔案對編譯自訂核心也非常有用,可根據其來加入或移除裝置驅動程式或選項來滿足特定需求。</para> | ||||
<para>Merge in the changes from this directory as | |||||
outlined above. <emphasis>Do not</emphasis> remove | |||||
the <filename>/var/tmp/root-20130214</filename> | |||||
directory when you have finished.</para> | |||||
</step> | |||||
<step> | <para>例如,要開發一個 <acronym>RAM</acronym> 受到嚴重限制的小型嵌入式電腦,便可移除不需要的裝置驅動程式或選項來縮小核心。</para> | ||||
<para>After downloading the latest version of the | |||||
source and remaking it, follow step 1. Create a new | |||||
directory, which reflects the new date. This example | |||||
uses | |||||
<filename>/var/tmp/root-20130221</filename>.</para> | |||||
</step> | |||||
<step> | <para>核心設定檔位於 <filename>/usr/src/sys/<replaceable>arch</replaceable>/conf/</filename>,其中使用的 <replaceable>arch</replaceable> 即為 <command>uname -m</command> 輸出的結果,大部份的電腦為 <literal>amd64</literal>,那其設定檔目錄則為 <filename>/usr/src/sys/<replaceable>amd64</replaceable>/conf/</filename>。</para> | ||||
<para>Use &man.diff.1; to see the differences that have | |||||
been made in the intervening week by creating a | |||||
recursive diff between the two directories:</para> | |||||
<screen>&prompt.root; <userinput>cd /var/tmp</userinput> | <tip> | ||||
&prompt.root; <userinput>diff -r root-20130214 root-20130221</userinput></screen> | <para><filename>/usr/src</filename> 可以被刪除或重建,所以較建議將自訂核心設定檔放在另一個目錄,如 <filename>/root</filename>,並將核心設定檔以連結放至 <filename>conf</filename> 目錄,若該目錄被刪除或覆寫,便可重新建立一個新的核心設定的連結。</para> | ||||
</tip> | |||||
<para>Typically, this will be a much smaller set of | <para>自訂設定檔可由複製 <filename>GENERIC</filename> 設定檔來建立,在此範例,新的自訂核心要用在儲存伺服器,所以將其命名為 <filename>STORAGESERVER</filename>:</para> | ||||
differences than those between | |||||
<filename>/var/tmp/root-20130221/etc</filename> and | |||||
<filename>/etc</filename>. Because the set of | |||||
differences is smaller, it is easier to migrate those | |||||
changes across into <filename>/etc</filename>.</para> | |||||
</step> | |||||
<step> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cp /usr/src/sys/amd64/conf/GENERIC /root/STORAGESERVER</userinput> | ||||
<para>When finished, remove the older of the two | <prompt>#</prompt> <userinput>cd /usr/src/sys/amd64/conf</userinput> | ||||
<filename>/var/tmp/root-*</filename> | <prompt>#</prompt> <userinput>ln -s /root/STORAGESERVER .</userinput></screen> | ||||
directories:</para> | |||||
<screen>&prompt.root; <userinput>rm -rf /var/tmp/root-20130214</userinput></screen> | <para>接著編譯 <filename>/root/STORAGESERVER</filename>,要加入或移除裝置或選項可見 <citerefentry><refentrytitle>config</refentrytitle><manvolnum>5</manvolnum></citerefentry>。</para> | ||||
</step> | |||||
<step> | <para>自訂核心要在指令列設定 <varname>KERNCONF</varname> 為核心設定檔來編譯:</para> | ||||
<para>Repeat this process whenever merging | |||||
in changes to <filename>/etc</filename>.</para> | |||||
</step> | |||||
</procedure> | |||||
<para>Use &man.date.1; to automate the generation of the | <screen xml:lang="en"><prompt>#</prompt> <userinput>make buildkernel KERNCONF=STORAGESERVER</userinput></screen> | ||||
directory names:</para> | </sect3> | ||||
<screen>&prompt.root; <userinput>mkdir /var/tmp/root-`date "+%Y%m%d"`</userinput></screen> | |||||
</tip> | |||||
--> | |||||
</sect2> | </sect2> | ||||
<sect2 xml:id="make-delete-old"> | <sect2 xml:id="updating-src-installing"> | ||||
<info> | <title>安裝編譯好的程式</title> | ||||
<title>刪除過時的檔案及程式庫</title> | |||||
<authorgroup> | <para>在完成 <buildtarget>buildworld</buildtarget> 與 <buildtarget>buildkernel</buildtarget> 兩個步驟之後,便可安裝新的核心與世界:</para> | ||||
<author xml:lang="en"> | |||||
<personname> | |||||
<firstname>Anton</firstname> | |||||
<surname>Shterenlikht</surname> | |||||
</personname> | |||||
<contrib>Based on notes provided by </contrib> | |||||
</author> | |||||
</authorgroup> | |||||
</info> | |||||
<indexterm xml:lang="en"> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | ||||
<primary>Deleting obsolete files and directories</primary> | <prompt>#</prompt> <userinput>make installkernel</userinput> | ||||
</indexterm> | <prompt>#</prompt> <userinput>shutdown -r now</userinput> | ||||
<prompt>#</prompt> <userinput>cd /usr/src</userinput> | |||||
<prompt>#</prompt> <userinput>make installworld</userinput> | |||||
<prompt>#</prompt> <userinput>shutdown -r now</userinput></screen> | |||||
<para xml:lang="en">As a part of the FreeBSD development lifecycle, files and | <para>若使用自訂核心,則同樣須設定 <varname>KERNCONF</varname> 來使用新的自訂核心:</para> | ||||
their contents occasionally become obsolete. This may be | |||||
because functionality is implemented elsewhere, the version | |||||
number of the library has changed, or it was removed from the | |||||
system entirely. These obsoleted files, libraries, and | |||||
directories should be removed when updating the system. | |||||
This ensures that the system is not cluttered with old files | |||||
which take up unnecessary space on the storage and backup | |||||
media. Additionally, if the old library has a security or | |||||
stability issue, the system should be updated to the newer | |||||
library to keep it safe and to prevent crashes caused by the | |||||
old library. Files, directories, and libraries which are | |||||
considered obsolete are listed in | |||||
<filename>/usr/src/ObsoleteFiles.inc</filename>. The | |||||
following instructions should be used to remove obsolete files | |||||
during the system upgrade process.</para> | |||||
<para xml:lang="en">After the <command>make installworld</command> and the | |||||
subsequent <command>mergemaster</command> have finished | |||||
successfully, check for obsolete files and libraries:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | ||||
<prompt>#</prompt> <userinput>make check-old</userinput></screen> | <prompt>#</prompt> <userinput>make installkernel KERNCONF=STORAGESERVER</userinput> | ||||
<prompt>#</prompt> <userinput>shutdown -r now</userinput> | |||||
<para xml:lang="en">If any obsolete files are found, they can be deleted using | <prompt>#</prompt> <userinput>cd /usr/src</userinput> | ||||
the following command:</para> | <prompt>#</prompt> <userinput>make installworld</userinput> | ||||
<prompt>#</prompt> <userinput>shutdown -r now</userinput></screen> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make delete-old</userinput></screen> | |||||
<para xml:lang="en">A prompt is displayed before deleting each obsolete file. | |||||
To skip the prompt and let the system remove these files | |||||
automatically, use | |||||
<varname>BATCH_DELETE_OLD_FILES</varname>:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make -DBATCH_DELETE_OLD_FILES delete-old</userinput></screen> | |||||
<para xml:lang="en">The same goal can be achieved by piping these commands | |||||
through <command>yes</command>:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>yes|make delete-old</userinput></screen> | |||||
<warning> | |||||
<title xml:lang="en">Warning</title> | |||||
<para xml:lang="en">Deleting obsolete files will break applications that | |||||
still depend on those obsolete files. This is especially | |||||
true for old libraries. In most cases, the programs, ports, | |||||
or libraries that used the old library need to be recompiled | |||||
before <command>make delete-old-libs</command> is | |||||
executed.</para> | |||||
</warning> | |||||
<para xml:lang="en">Utilities for checking shared library dependencies include | |||||
<package>sysutils/libchk</package> and | |||||
<package>sysutils/bsdadminscripts</package>.</para> | |||||
<para xml:lang="en">Obsolete shared libraries can conflict with newer | |||||
libraries, causing messages like these:</para> | |||||
<screen xml:lang="en">/usr/bin/ld: warning: libz.so.4, needed by /usr/local/lib/libtiff.so, may conflict with libz.so.5 | |||||
/usr/bin/ld: warning: librpcsvc.so.4, needed by /usr/local/lib/libXext.so, may conflict with librpcsvc.so.5</screen> | |||||
<para xml:lang="en">To solve these problems, determine which port installed | |||||
the library:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg which /usr/local/lib/libtiff.so</userinput> | |||||
/usr/local/lib/libtiff.so was installed by package tiff-3.9.4 | |||||
<prompt>#</prompt> <userinput>pkg which /usr/local/lib/libXext.so</userinput> | |||||
/usr/local/lib/libXext.so was installed by package libXext-1.1.1,1</screen> | |||||
<para xml:lang="en">Then deinstall, rebuild, and reinstall the port. To | |||||
automate this process, | |||||
<package>ports-mgmt/portmaster</package> can be used. After | |||||
all ports are rebuilt and no longer use the old libraries, | |||||
delete the old libraries using the following command:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>make delete-old-libs</userinput></screen> | |||||
<para xml:lang="en">If something goes wrong, it is easy to rebuild a | |||||
particular piece of the system. For example, if | |||||
<filename>/etc/magic</filename> was accidentally deleted as | |||||
part of the upgrade or merge of <filename>/etc</filename>, | |||||
<command>file</command> will stop working. To fix this, | |||||
run:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src/usr.bin/file</userinput> | |||||
<prompt>#</prompt> <userinput>make all install</userinput></screen> | |||||
</sect2> | </sect2> | ||||
<sect2 xml:id="updating-questions"> | <sect2 xml:id="updating-src-completing"> | ||||
<title>常見問題</title> | <title>完成更新</title> | ||||
<variablelist> | <para>還有最後一些的工作要做來完成更新,任何修改過的設定檔要與新版本的設定檔合併、移除找到的過時程式庫,然後重新啟動系統。</para> | ||||
<varlistentry> | |||||
<term>每個變更是否都需要重新編譯 World?</term> | |||||
<listitem> | <sect3 xml:id="updating-src-completing-merge-mergemaster"> | ||||
<para xml:lang="en">It depends upon the nature of the change. For | <title>使用 <citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> 合併設定檔案</title> | ||||
example, if <application>svn</application> only shows | |||||
the following files as being updated:</para> | |||||
<screen xml:lang="en"><filename>src/games/cribbage/instr.c</filename> | <para><citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> 可簡單的將修改過的系統設定檔與新版設定檔合併。</para> | ||||
<filename>src/games/sail/pl_main.c</filename> | |||||
<filename>src/release/sysinstall/config.c</filename> | |||||
<filename>src/release/sysinstall/media.c</filename> | |||||
<filename>src/share/mk/bsd.port.mk</filename></screen> | |||||
<para xml:lang="en">it probably is not worth rebuilding the entire | <para>使用 <option>-Ui</option>,<citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> 會自動更新那些未被使用者修改過的設定檔並安裝尚不存在的檔案:</para> | ||||
world. Instead, go into the appropriate sub-directories | |||||
and run <command>make all install</command>. But if | |||||
something major changes, such as | |||||
<filename>src/lib/libc/stdlib</filename>, consider | |||||
rebuilding world.</para> | |||||
<para xml:lang="en">Some users rebuild world every fortnight and let | <screen xml:lang="en"><prompt>#</prompt> <userinput>mergemaster -Ui</userinput></screen> | ||||
changes accumulate over that fortnight. Others only | |||||
re-make those things that have changed and are careful | |||||
to spot all the dependencies. It all depends on how | |||||
often a user wants to upgrade and whether they are | |||||
tracking FreeBSD-STABLE or FreeBSD-CURRENT.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
<varlistentry> | <para>若檔案需要手動合併,會有互動式介面可讓使用者選擇要保留那一邊的檔案,請參考 <citerefentry><refentrytitle>mergemaster</refentrytitle><manvolnum>8</manvolnum></citerefentry> 取得更多資訊。</para> | ||||
<term>什麼會造成有很多信號 11<indexterm> | </sect3> | ||||
<primary>signal 11</primary> | |||||
</indexterm> (或其他信號) 錯誤的編譯失敗?</term> | |||||
<listitem> | <sect3 xml:id="updating-src-completing-check-old"> | ||||
<para xml:lang="en">This normally indicates a hardware problem. | <title>檢查過時的檔案與程式庫</title> | ||||
Building world is an effective way to stress test | |||||
hardware, especially memory. A sure indicator of a | |||||
hardware issue is when <application>make</application> | |||||
is restarted and it dies at a different point in the | |||||
process.</para> | |||||
<para xml:lang="en">To resolve this error, swap out the components in | <para>部份廢棄的檔案或目錄可以在更新之後保留,可使用以下指令找出這些檔案:</para> | ||||
the machine, starting with RAM, to determine which | |||||
component is failing.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
<varlistentry> | <screen xml:lang="en"><prompt>#</prompt> <userinput>make check-old</userinput></screen> | ||||
<term>完成編譯後是可否移除 <filename>/usr/obj</filename>?</term> | |||||
<listitem> | <para>並用以下指令刪除:</para> | ||||
<para xml:lang="en">This directory contains all the object files that | |||||
were produced during the compilation phase. Normally, | |||||
one of the first steps in the <command>make | |||||
buildworld</command> process is to remove this | |||||
directory and start afresh. Keeping | |||||
<filename>/usr/obj</filename> around when finished makes | |||||
little sense, and its removal frees up a approximately | |||||
2GB of disk space.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
<varlistentry> | <screen xml:lang="en"><prompt>#</prompt> <userinput>make delete-old</userinput></screen> | ||||
<term>是否能繼續中斷的編譯?</term> | |||||
<listitem> | <para>部份廢棄的程式庫也可以保留下來,可使用以下指令來偵測這些程式庫:</para> | ||||
<para xml:lang="en">This depends on how far into the process the | |||||
problem occurs. In general, <command>make | |||||
buildworld</command> builds new copies of essential | |||||
tools and the system libraries. These tools and | |||||
libraries are then installed, used to rebuild | |||||
themselves, and are installed again. The rest of the | |||||
system is then rebuilt with the new system | |||||
tools.</para> | |||||
<para xml:lang="en">During the last stage, it is fairly safe to run | <screen xml:lang="en"><prompt>#</prompt> <userinput>make check-old-libs</userinput></screen> | ||||
these commands as they will not undo the work of the | |||||
previous <command>make buildworld</command>:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> | <para>並使用以下指令刪除</para> | ||||
<prompt>#</prompt> <userinput>make -DNO_CLEAN all</userinput></screen> | |||||
<para xml:lang="en">If this message appears:</para> | <screen xml:lang="en"><prompt>#</prompt> <userinput>make delete-old-libs</userinput></screen> | ||||
<screen xml:lang="en">-------------------------------------------------------------- | <para>那些仍使用舊程式庫的程式將在刪除程式庫之後無法正常運作,而這些程式須要在刪除舊程式庫之後重新編譯或更換。</para> | ||||
Building everything.. | |||||
--------------------------------------------------------------</screen> | |||||
<para xml:lang="en">in the <command>make buildworld</command> output, | <tip> | ||||
it is probably fairly safe to do so.</para> | <para>當確認所有舊檔案或目錄可安全的刪除時,要避免刪除每一個檔案時均需按下 <keycap>y</keycap> 與 <keycap>Enter</keycap> 鍵可在指令設定 <varname>BATCH_DELETE_OLD_FILES</varname>,例如:</para> | ||||
<para xml:lang="en">If that message is not displayed, it is always | <screen xml:lang="en"><prompt>#</prompt> <userinput>make BATCH_DELETE_OLD_FILES=yes delete-old-libs</userinput></screen> | ||||
better to be safe than sorry and to restart the build | </tip> | ||||
from scratch.</para> | </sect3> | ||||
</listitem> | |||||
</varlistentry> | |||||
<varlistentry> | <sect3 xml:id="updating-src-completing-restart"> | ||||
<term>有可能加速編譯 World 的速度嗎?</term> | <title>更新後重新啟動</title> | ||||
<listitem> | <para>更新之後的最後一個步驟便是重新啟動電腦,來讓所有的變更生效:</para> | ||||
<para xml:lang="en">Several actions can speed up the build world | |||||
process. For example, the entire process can be run | |||||
from single-user mode. However, this will prevent users | |||||
from having access to the system until the process is | |||||
complete.</para> | |||||
<para xml:lang="en">Careful file system design or the use of ZFS | <screen xml:lang="en"><prompt>#</prompt> <userinput>shutdown -r now</userinput></screen> | ||||
datasets can make a difference. Consider putting | </sect3> | ||||
<filename>/usr/src</filename> and | |||||
<filename>/usr/obj</filename> on | |||||
separate file systems. If possible, place the file | |||||
systems on separate disks on separate disk controllers. | |||||
When mounting <filename>/usr/src</filename>, use | |||||
<option>noatime</option> which prevents the file system | |||||
from recording the file access time. If <filename>/usr/src</filename> is not on its | |||||
own file system, consider remounting <filename>/usr</filename> with | |||||
<option>noatime</option>.</para> | |||||
<para xml:lang="en">The file system holding <filename>/usr/obj</filename> can be mounted | |||||
or remounted with <option>async</option> so that disk | |||||
writes happen asynchronously. The write completes | |||||
immediately, and the data is written to the disk a few | |||||
seconds later. This allows writes to be clustered | |||||
together, and can provide a dramatic performance | |||||
boost.</para> | |||||
<warning> | |||||
<para xml:lang="en">Keep in mind that this option makes the file | |||||
system more fragile. With this option, there is an | |||||
increased chance that, should power fail, the file | |||||
system will be in an unrecoverable state when the | |||||
machine restarts.</para> | |||||
<para xml:lang="en">If <filename>/usr/obj</filename> is the only | |||||
directory on this file system, this is not a problem. | |||||
If you have other, valuable data on the same file | |||||
system, ensure that there are verified backups before | |||||
enabling this option.</para> | |||||
</warning> | |||||
<para xml:lang="en">Turn off profiling by setting | |||||
<quote>NO_PROFILE=true</quote> in | |||||
<filename>/etc/make.conf</filename>.</para> | |||||
<para xml:lang="en">Pass <option>-j<replaceable>n</replaceable></option> | |||||
to <citerefentry><refentrytitle>make</refentrytitle><manvolnum>1</manvolnum></citerefentry> to run multiple processes in parallel. | |||||
This usually helps on both single- and multi-processor | |||||
machines.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
<varlistentry> | |||||
<term>若發生錯誤時該怎麼辦?</term> | |||||
<listitem> | |||||
<para xml:lang="en">First, make absolutely sure that the environment has | |||||
no extraneous cruft from earlier builds:</para> | |||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>chflags -R noschg /usr/obj/usr</userinput> | |||||
<prompt>#</prompt> <userinput>rm -rf /usr/obj/usr</userinput> | |||||
<prompt>#</prompt> <userinput>cd /usr/src</userinput> | |||||
<prompt>#</prompt> <userinput>make cleandir</userinput> | |||||
<prompt>#</prompt> <userinput>make cleandir</userinput></screen> | |||||
<para xml:lang="en">Yes, <command>make cleandir</command> really should | |||||
be run twice.</para> | |||||
<para xml:lang="en">Then, restart the whole process, starting with | |||||
<command>make buildworld</command>.</para> | |||||
<para xml:lang="en">If problems persist, send the error and the output | |||||
of <command>uname -a</command> to <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-questions">FreeBSD general questions mailing list</link>. Be | |||||
prepared to answer other questions about the | |||||
setup!</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
</variablelist> | |||||
</sect2> | </sect2> | ||||
</sect1> | </sect1> | ||||
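Review bot: replacing the make-delete-old sect2 with the updating-src-completing sect3s drops the old guidance on finding what still depends on an obsolete library (the pkg which example, sysutils/libchk and sysutils/bsdadminscripts, and the warning to rebuild dependents before running make delete-old-libs); the new check-old text only says affected programs must be rebuilt or replaced after deletion, so a reader who runs make delete-old-libs first breaks those programs with no hint on how to identify them. Suggest keeping a one-line pointer to pkg which / sysutils/libchk ahead of the delete step. Two smaller points: the xml:id values make-delete-old and updating-questions disappear on the right side, so any xref linkend pointing at them elsewhere in the book will fail the build (please check before landing), and the lead-in `<para>並使用以下指令刪除</para>` before make delete-old-libs is missing the trailing colon and uses different wording than its sibling `<para>並用以下指令刪除:</para>`.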
Context not available. | |||||
<secondary>installing multiple machines</secondary> | <secondary>installing multiple machines</secondary> | ||||
</indexterm> | </indexterm> | ||||
<para xml:lang="en">When multiple machines need to track the same source tree, | <para>當有多部主機需要追蹤相同的原始碼樹,要在每一部主機的系統下載原始碼與重新編譯所有的東西會耗費不少磁碟空間、網路頻寬與 <acronym>CPU</acronym> 運算,要解決這個問題的方法是先在一部主機上做完大部份的工作,而其餘的主機透過 <acronym>NFS</acronym> 掛載使用編譯完的成果。本節會介紹如何做這件事。要取得更多有關使用 <acronym>NFS</acronym> 的資訊請參考 <xref linkend="network-nfs"/>。</para> | ||||
it is a waste of disk space, network bandwidth, and | |||||
<acronym>CPU</acronym> cycles to have each system download the | |||||
sources and rebuild everything. The solution is to have one | |||||
machine do most of the work, while the rest of the machines | |||||
mount that work via <acronym>NFS</acronym>. This section | |||||
outlines a method of doing so. For more information about using | |||||
<acronym>NFS</acronym>, refer to <xref linkend="network-nfs"/>.</para> | |||||
<para xml:lang="en">First, identify a set of machines which will run the same | <para>首先,要先確認要執行同一組 Binary 的一群主機,這群主機又稱作 <firstterm>建置集 (Build set)</firstterm>,其中每部主機可以有自己的自訂核心,但會執行相同的 Userland binary。建置集中需挑選一部做為<firstterm>建置主機 (Build machine)</firstterm>,這部主機將會拿來編譯 World 與核心 (Kernel),理想情況下,要挑選一部速度較快、有足夠的 <acronym>CPU</acronym> 能夠執行 <command>make buildworld</command> 與 <command>make buildkernel</command> 的主機。</para> | ||||
set of binaries, known as a <firstterm>build set</firstterm>. | |||||
Each machine can have a custom kernel, but will run the same | |||||
userland binaries. From that set, choose a machine to be the | |||||
<firstterm>build machine</firstterm> that the world and kernel | |||||
are built on. Ideally, this is a fast machine that has | |||||
sufficient spare <acronym>CPU</acronym> to run <command>make | |||||
buildworld</command> and <command>make | |||||
buildkernel</command>.</para> | |||||
<para xml:lang="en">Select a machine to be the <firstterm>test | <para>再挑選一部主機做為<firstterm>測試主機 (Test machine)</firstterm>,這部主機,要在將系統更新上正式運作的環境前做測試,這<emphasis>必須</emphasis>一部能夠承受服務停止一段時間的主機,它也可是同時是建置主機,但不是一定要。</para> | ||||
machine</firstterm>, which will test software updates before | |||||
they are put into production. This <emphasis>must</emphasis> be | |||||
a machine that can afford to be down for an extended period of | |||||
time. It can be the build machine, but need not be.</para> | |||||
<para xml:lang="en">All the machines in this build set need to mount | <para>所有在此建置集中的主機需要透過 <acronym>NFS</acronym> 掛載在建置主機上的 <filename>/usr/obj</filename> 與 <filename>/usr/src</filename>。在有多個建置集時,<filename>/usr/src</filename> 也應放在其中一部建置主機,然後由其他主機使用 <acronym>NFS</acronym> 掛載。</para> | ||||
<filename>/usr/obj</filename> and <filename>/usr/src</filename> | |||||
from the build machine via <acronym>NFS</acronym>. For multiple | |||||
build sets, <filename>/usr/src</filename> should be on one build | |||||
machine, and <acronym>NFS</acronym> mounted on the rest.</para> | |||||
<para xml:lang="en">Ensure that <filename>/etc/make.conf</filename> and | <para>確保在建置集中的所有主機的 <filename>/etc/make.conf</filename> 及 <filename>/etc/src.conf</filename> 與建置主機一致,這是由於建置主機必須編譯整個基礎系統 (Base system) 給所有建置集中的主機安裝。此外,每一部建置主機應在 <filename>/etc/make.conf</filename> 使用 <varname>KERNCONF</varname> 設定其核心名稱,且建置主機應列出所有要編譯的核心名稱在 <varname>KERNCONF</varname>,並且把自己要用的核心放在第一個。建置主機也必須有每部主機的核心設定檔在其 <filename>/usr/src/sys/<replaceable>arch</replaceable>/conf</filename>。</para> | ||||
<filename>/etc/src.conf</filename> on all the machines in the | |||||
build set agree with the build machine. That means that the | |||||
build machine must build all the parts of the base system that | |||||
any machine in the build set is going to install. Also, each | |||||
build machine should have its kernel name set with | |||||
<varname>KERNCONF</varname> in | |||||
<filename>/etc/make.conf</filename>, and the build machine | |||||
should list them all in its <varname>KERNCONF</varname>, | |||||
listing its own kernel first. The build machine must have the | |||||
kernel configuration files for each machine in its <filename>/usr/src/sys/<replaceable>arch</replaceable>/conf</filename>.</para> | |||||
<para xml:lang="en">On the build machine, build the kernel and world as | <para>在建置主機上,編譯核心與 World 如 <xref linkend="makeworld"/> 所述,但不要在建置主機上安裝所有編譯好的東西,而是要將編譯好的核心安裝到測試主機,在測試主機透過 <acronym>NFS</acronym> 掛載 <filename>/usr/src</filename> 及 <filename>/usr/obj</filename>。然後執行 <command>shutdown now</command> 進入單使用者模式來安裝新的核心與 World 並如同往常執行 <command>mergemaster</command>。完成之後,重新開機回到正常的多使用者模式運作。</para> | ||||
described in <xref linkend="makeworld"/>, but do not install | |||||
anything on the build machine. Instead, install the built | |||||
kernel on the test machine. On the test machine, mount | |||||
<filename>/usr/src</filename> and | |||||
<filename>/usr/obj</filename> via <acronym>NFS</acronym>. Then, | |||||
run <command>shutdown now</command> to go to single-user mode in | |||||
order to install the new kernel and world and run | |||||
<command>mergemaster</command> as usual. When done, reboot to | |||||
return to normal multi-user operations.</para> | |||||
<para xml:lang="en">After verifying that everything on the test machine is | <para>在測試主機上檢驗完所有東西皆運作正常之後,使用相同的程序將編譯好的結果安裝到在建置集中的其他主機。</para> | ||||
working properly, use the same procedure to install the new | |||||
software on each of the other machines in the build set.</para> | |||||
<para xml:lang="en">The same methodology can be used for the ports tree. The | <para>同樣的方法也可用在 Port 樹,第一個步驟是透過 <acronym>NFS</acronym> 共享 <filename>/usr/ports</filename> 給所有在建置集中的主機。要設定 <filename>/etc/make.conf</filename> 使用共享的 distfiles,可設定 <varname>DISTDIR</varname> 為由 <acronym>NFS</acronym> 掛載對應到的使用者 <systemitem class="username">root</systemitem> 可寫入的通用共享目錄。每一台主機應設定 <varname>WRKDIRPREFIX</varname> 到一個本地的編譯目錄,若 Port 要在本地編譯。或者,若建置系統要編譯並散佈套件到建置集中的主機可在建置系統上設定 <varname>PACKAGES</varname> 到一個類似 <varname>DISTDIR</varname> 的目錄。</para> | ||||
first step is to share <filename>/usr/ports</filename> via | |||||
<acronym>NFS</acronym> to all the machines in the build set. To | |||||
configure <filename>/etc/make.conf</filename> to share | |||||
distfiles, set <varname>DISTDIR</varname> to a common shared | |||||
directory that is writable by whichever user <systemitem class="username">root</systemitem> is mapped to by the | |||||
<acronym>NFS</acronym> mount. Each machine should set | |||||
<varname>WRKDIRPREFIX</varname> to a local build directory, if | |||||
ports are to be built locally. Alternately, if the build system | |||||
is to build and distribute packages to the machines in the build | |||||
set, set <varname>PACKAGES</varname> on the build system to a | |||||
directory similar to <varname>DISTDIR</varname>.</para> | |||||
</sect1> | </sect1> | ||||
</chapter> | </chapter> | ||||
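Review bot: grammar in the translated test-machine paragraph: "這<emphasis>必須</emphasis>一部能夠承受服務停止一段時間的主機" is missing the verb 是 after 必須, and "它也可是同時是建置主機" doubles 是. Suggest "這<emphasis>必須</emphasis>是一部能夠承受服務停止一段時間的主機,它也可以同時是建置主機,但不一定要。"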
Context not available. | |||||
<para xml:lang="en">The SHA-256 <acronym>RR</acronym> can now be compared | <para xml:lang="en">The SHA-256 <acronym>RR</acronym> can now be compared | ||||
to the digest in <link xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>. | to the digest in <link xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>. | ||||
To be absolutely sure that the key has not been tampered | To be absolutely sure that the key has not been tampered | ||||
with the data in the <acronym>XML</acronym> file can be | with the data in the <acronym>XML</acronym> file should be | ||||
verified using the <acronym>PGP</acronym> signature in | verified using a proper <acronym>PGP</acronym> signature.</para> | ||||
<link xlink:href="https://data.iana.org/root-anchors/root-anchors.asc">https://data.iana.org/root-anchors/root-anchors.asc</link>.</para> | |||||
<para xml:lang="en">Next, the key must be formatted properly. This | <para xml:lang="en">Next, the key must be formatted properly. This | ||||
differs a little between <acronym>BIND</acronym> versions | differs a little between <acronym>BIND</acronym> versions | ||||
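Review bot: replacing the link to https://data.iana.org/root-anchors/root-anchors.asc with "a proper PGP signature" removes the only concrete pointer to where the detached signature is published, so the verification step stops being actionable for a reader who does not already know IANA's layout. If the goal is to avoid recommending one URL, at least name the file that carries the signature and say the signing key must be obtained and checked out of band; otherwise keep the link. Also, on both sides "has not been tampered with the data in the XML file" needs a comma after "tampered with".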
Context not available. | |||||
<para xml:lang="en">A FreeBSD system can also be configured to act as a | <para xml:lang="en">A FreeBSD system can also be configured to act as a | ||||
<application>Samba</application> server by installing the | <application>Samba</application> server by installing the | ||||
<package>net/samba43</package> port or package. This allows the | <package>net/samba43</package> port or package. This allows the | ||||
administrator to create <acronym>SMB</acronym>/<acronym>CIFS</acronym>shares on | administrator to create <acronym>SMB</acronym>/<acronym>CIFS</acronym> | ||||
shares on | |||||
the FreeBSD system which can be accessed by clients running | the FreeBSD system which can be accessed by clients running | ||||
<trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> or the <application>Samba</application> | <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> or the <application>Samba</application> | ||||
client libraries.</para> | client libraries.</para> | ||||
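Review bot: the whitespace fix after the CIFS acronym is correct, but the stray "!" between <trademark class="registered">Microsoft</trademark> and <trademark class="registered">Windows</trademark> survives on both sides; it looks like a mangled non-breaking space and renders as "Microsoft!Windows". Suggest replacing it with the separator the file's other trademark pairs use while this paragraph is being touched.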
Context not available. | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>ifconfig | grep -B3 -i wireless</userinput></screen> | <screen xml:lang="en"><prompt>%</prompt> <userinput>ifconfig | grep -B3 -i wireless</userinput></screen> | ||||
<para xml:lang="en">On FreeBSD!11 or higher, use this command | |||||
instead:</para> | |||||
<screen xml:lang="en"><prompt>%</prompt> <userinput>sysctl net.wlan.devices</userinput></screen> | |||||
<para xml:lang="en">If a wireless adapter is not listed, an additional | <para xml:lang="en">If a wireless adapter is not listed, an additional | ||||
kernel module might be required, or it might be a model | kernel module might be required, or it might be a model | ||||
not supported by FreeBSD.</para> | not supported by FreeBSD.</para> | ||||
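Review bot: dropping the paragraph that points FreeBSD 11 and later users at sysctl net.wlan.devices leaves only ifconfig | grep -B3 -i wireless, while the English source presents the sysctl as the replacement on those releases; removing it rather than translating it loses the enumeration method the source recommends for current systems. If the removal is intentional (for example syncing to a revision that predates it) please say so in the summary, otherwise translate the paragraph. The "FreeBSD!11" in the removed text also shows the same stray "!" as the Microsoft/Windows trademark pair elsewhere in this diff, presumably a mangled non-breaking space to watch for when the text is restored.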
Context not available. | |||||
scanning for access points and the 802.11 protocol | scanning for access points and the 802.11 protocol | ||||
handshakes required to arrange communication:</para> | handshakes required to arrange communication:</para> | ||||
<screen xml:lang="en"><prompt>#</prompt> <userinput>wlandebug -i <replaceable>ath0</replaceable> +scan+auth+debug+assoc</userinput> | <screen xml:lang="en"><prompt>#</prompt> <userinput>wlandebug -i <replaceable>wlan0</replaceable> +scan+auth+debug+assoc</userinput> | ||||
net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan></screen> | net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan></screen> | ||||
<para xml:lang="en">Many useful statistics are maintained by the 802.11 | <para xml:lang="en">Many useful statistics are maintained by the 802.11 | ||||
Context not available. | |||||
</listitem> | </listitem> | ||||
<listitem> | <listitem> | ||||
<para xml:lang="en"><link xlink:href="http://www.sixxs.net">SixXS</link> | |||||
offers tunnels with end-points all around the | |||||
globe.</para> | |||||
</listitem> | |||||
<listitem> | |||||
<para xml:lang="en"><link xlink:href="http://www.tunnelbroker.net">Hurricane | <para xml:lang="en"><link xlink:href="http://www.tunnelbroker.net">Hurricane | ||||
Electric</link> offers tunnels with end-points all | Electric</link> offers tunnels with end-points all | ||||
around the globe.</para> | around the globe.</para> | ||||
Context not available. |