From: Mark Shroyer
Date: Sun, 21 Mar 2010 17:53:42 -0400
To: freebsd-questions@freebsd.org
Subject: Re: ezjail
Message-ID: <4BA69566.2040504@markshroyer.com>
In-Reply-To: <4BA5AA53.5030503@comclark.com>

On 3/21/2010 1:10 AM, Aiza wrote:
> I don't have sources installed on my system. Just use the binary
> Freebsd-update function. At new releases I do a clean install.
> I only have a single public IP address.
>
> Now I would like to play with jails. One for postfix, apache, and ftp.
> My reading of EZJAIL and the jails section of the handbook led me to
> believe I need a unique IP address for each jail. Is that correct?

Yes. But if you have only one public IP address, you can give the jail a
loopback interface with an address in 127.0.0/24 or one of the RFC 1918
private blocks (there's some debate as to which is the more "correct" type
of address to use, but either will work), then use NAT if you need your
jail to be able to access the Internet.

If it helps you to reason about this, keep in mind that your jail does
*not* have its own virtualized network stack, like with Solaris Zones for
instance. The best way to think about your jails is as a group of
processes running on the same operating system as the host, just with the
restriction that (among other things) they can only communicate with the
outside world using a limited subset of the IP addresses available to
non-jailed processes.

> I have no need to build world or install world because it does this from
> /usr/src which I don't install. Is there some EZJAIL option to just copy
> over the running system binaries instead of the sources?

Until recently, the method for creating ezjail's "basejail" was to issue
the "ezjail-admin update" command, which compiles the basejail from
/usr/src. Just recently an "ezjail-admin install" command was added, which
downloads binaries from a FreeBSD FTP server instead. So you shouldn't
need sources to get started; however, I'm not sure what the update
mechanism is if you use the install command.

> The handbook "15.4 Creating and Controlling Jails" talks about
> "complete" jails, which resemble a real FreeBSD system, and "service"
> jails, dedicated to one application or service. Section 15.4 is the
> procedure for building a "complete jail" using the jail command.
>
> The 15.6 Application of Jails (service jails) talks about creating a
> root skeleton containing the host running files which are shared with
> all the guest jails in read only mode. This eliminates the massive
> duplication of running system files in each jail as in the complete jail
> system talked about in handbook section "15.4 Creating and Controlling
> Jails".
>
> Now reading the ezjail man pages I see that ezjail also creates a base
> template that is shared between all jails. Is this the same method
> talked about in the handbook section 15.6 Application of Jails (service
> jail)?

It's essentially the same approach. (With ezjail you'll still be
duplicating binaries between the host system and the basejail, but I
wouldn't lose sleep over it.)

-- 
Mark Shroyer
http://markshroyer.com/contact/
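The single-public-address layout the reply describes (one loopback address per jail, pf NAT for outbound traffic, port forwarding for the services that must be reachable) staged as host configuration. This is an added example script, not code from this thread, from the FreeBSD handbook or from ezjail. The interface names em0 and lo1, the 10.1.1.0/24 block and the two-jail inventory are assumptions for illustration; it writes rc.conf and pf.conf fragments into a staging directory so they can be reviewed before being merged into /etc, and refuses any jail address that is not in 127.0.0.0/8 or an RFC 1918 block.

```shell
#!/bin/sh
# Added example (not from the original thread): stage host-side configuration
# for jails that share one public address. Interface names, the address block
# and the jail inventory below are assumptions; adjust them for your host.
set -eu

EXT_IF="em0"              # assumed public-facing interface
JAIL_IF="lo1"             # cloned loopback interface carrying the jail addresses
JAIL_NET="10.1.1.0/24"    # assumed block for jail addresses

# Constructed inventory: jail name, jail address, public TCP port to forward in.
JAILS="postfix 10.1.1.1 25
apache 10.1.1.2 80"

# Succeed only if $1 is a well-formed IPv4 address inside 127.0.0.0/8 or one of
# the RFC 1918 blocks, i.e. the address types the reply suggests for jails.
is_jail_safe_ip() {
    ip=$1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case $ip in
        127.*|10.*|192.168.*) return 0 ;;
        172.*) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi; return 1 ;;
        *) return 1 ;;
    esac
}

# Reject an inventory ($1) in which any jail would sit on a public address.
validate_jails() {
    echo "$1" | while read -r name ip port; do
        [ -n "$name" ] || continue
        if ! is_jail_safe_ip "$ip"; then
            echo "jail $name: $ip is not a loopback or RFC 1918 address" >&2
            exit 1
        fi
    done
}

# Write rc.conf.jails and pf.conf.jails for inventory $2 into directory $1.
stage_host_config() {
    dir=$1; inv=$2
    mkdir -p "$dir"
    rc="$dir/rc.conf.jails"; pf="$dir/pf.conf.jails"

    # One /32 per jail on the cloned loopback; the first address is the
    # interface's primary address, the rest are aliases.
    echo "cloned_interfaces=\"$JAIL_IF\"" > "$rc"
    n=0
    echo "$inv" | while read -r name ip port; do
        [ -n "$name" ] || continue
        if [ "$n" -eq 0 ]; then key="ifconfig_$JAIL_IF"
        else key="ifconfig_${JAIL_IF}_alias$((n - 1))"; fi
        echo "$key=\"inet $ip netmask 255.255.255.255\"" >> "$rc"
        n=$((n + 1))
    done
    printf '%s\n' 'pf_enable="YES"' 'ezjail_enable="YES"' >> "$rc"

    # Translation rules only; pf requires nat/rdr to precede filter rules, so
    # this fragment belongs above the block/pass policy already in pf.conf.
    {
        echo "ext_if=\"$EXT_IF\""
        echo "jail_net=\"$JAIL_NET\""
        echo '# outbound: jails leave through the host public address'
        echo 'nat on $ext_if from $jail_net to any -> ($ext_if)'
        echo "$inv" | while read -r name ip port; do
            [ -n "$name" ] || continue
            echo "# inbound: only port $port reaches the $name jail"
            echo "rdr on \$ext_if proto tcp from any to (\$ext_if) port $port -> $ip"
            echo "pass in on \$ext_if proto tcp from any to $ip port $port"
        done
    } > "$pf"
}

# Run stand-alone as:  STAGE_DIR=/tmp/jailconf sh stage-jails.sh
if [ -n "${STAGE_DIR:-}" ]; then
    validate_jails "$JAILS"
    stage_host_config "$STAGE_DIR" "$JAILS"
    echo "staged in $STAGE_DIR: rc.conf.jails pf.conf.jails"
fi
```

With the fragments merged and the host rebooted (or lo1 cloned and pf reloaded by hand), the jails themselves are created with the commands the reply names: `ezjail-admin install` to fetch the basejail binaries, then `ezjail-admin create postfix 10.1.1.1` and `ezjail-admin create apache 10.1.1.2`. The ftp jail from the question is left out of the forwarding on purpose: passive FTP through NAT needs pf's ftp-proxy rather than a single rdr rule.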