From: Aristedes Maniatis <ari@ish.com.au>
To: freebsd-jail@freebsd.org
Subject: Jail management
Date: Mon, 22 Feb 2016 12:13:32 +1100
I've been using FreeBSD jails (with ezjail) for many years and they work very well. However, I'm now reaching a critical mass (30+ jails) where I want to be able to manage them in bulk more easily.

In this environment, each jail runs just a single application, installed from a package built using poudriere from a custom port. That package depends on Java, so lots of other packages also get pulled in. That application gets new versions roughly once every 4 weeks. The problems I have right now are:

* FreeBSD's packaging system doesn't understand the concept of installing a particular package version, so all my scripts will by default upgrade the application to the current version even if I don't want to. I can't easily install a new jail at an old version.

* It is hard to reproduce the environment exactly, matching the application to the same version of Java that was available at the time of deployment. Again I'm fighting against the pkg system, which always wants the latest version.

* For failover I want each jail reproduced exactly on another host, or at least a snapshot which could be sent to another host within a few seconds. The jails are quite small (< 500Mb). Most of that is just the openjdk pkg.

As I understand, ezjail doesn't support multiple base jails. If it did, then I could simply install the application (and packages) to the base jail and have versions of the base. Then by shutting down a jail, switching the base to the new version and starting up, everything would upgrade easily.
Even better would be some concept of hierarchy with customer_jail sitting on top of base_version_1.0, which in turn sits on top of base_jail.

Would I need to abandon ezjail and build all the above myself with a combination of nullfs (basejail) and unionfs (intermediate versioned jail)? Does unionfs now work with ZFS?

Alternatively I could simply use zfs clones to deploy a new version of the application by destroying the whole jail and replacing it with a new one. I'd need to then script (I use saltstack) deploying the 2-3 config files which are different in each jail.

Thoughts? What seems like a more robust long term approach to jail management?

Thanks
Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
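The zfs clone approach sketched in the mail (versioned base snapshot, one clone per jail, a few config files copied back, incremental send to a failover host), as an added example that is not code from the post, from ezjail or from any other tool it names. It assumes a pool zroot, base datasets at zroot/jails/base/<version>, per-jail datasets at zroot/jails/<name> mounted under /jails/<name>, and jail.conf entries named after each jail; all of these names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing list post. Rolls a jail to a new
# versioned ZFS base with "zfs clone", keeping the old dataset for rollback.
# Assumed (constructed) layout: pool zroot, bases at zroot/jails/base/<ver>,
# jails at zroot/jails/<name> mounted under /jails/<name>, jail.conf entries
# named after each jail. DRY_RUN=1 prints the commands instead of running them.

POOL=${POOL:-zroot}
BASE_PARENT=${BASE_PARENT:-$POOL/jails/base}
JAIL_PARENT=${JAIL_PARENT:-$POOL/jails}
JAIL_ROOT=${JAIL_ROOT:-/jails}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# freeze_base VERSION: freeze a provisioned base (app + openjdk packages
# installed) as an immutable snapshot; every jail on that version clones it.
freeze_base() {
    run zfs snapshot "$BASE_PARENT/$1@release"
}

# deploy_jail NAME VERSION [CONFIG_FILE...]: stop the jail, keep its old
# dataset as NAME.prev (instant rollback: rename it back and start), clone
# the base snapshot in its place, then copy the per-jail config files across.
deploy_jail() {
    name=$1; version=$2; shift 2
    run jail -r "$name"
    run zfs rename "$JAIL_PARENT/$name" "$JAIL_PARENT/$name.prev"
    run zfs clone "$BASE_PARENT/$version@release" "$JAIL_PARENT/$name"
    for f in "$@"; do
        run cp -p "$JAIL_ROOT/$name.prev/$f" "$JAIL_ROOT/$name/$f"
    done
    run jail -c "$name"
}

# replicate_jail NAME VERSION HOST STAMP: send the jail to a failover host as
# an incremental from its base snapshot, so only the per-jail delta (config
# files, logs) crosses the wire; HOST must already hold the base snapshot.
replicate_jail() {
    name=$1; version=$2; host=$3; stamp=$4
    run zfs snapshot "$JAIL_PARENT/$name@$stamp"
    run sh -c "zfs send -i $BASE_PARENT/$version@release $JAIL_PARENT/$name@$stamp | ssh $host zfs receive $JAIL_PARENT/$name"
}
```

Because every jail is a clone of the same base snapshot, the base must be replicated to the standby host once per version before the per-jail incrementals are sent.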