From owner-freebsd-questions@FreeBSD.ORG Wed May 10 08:33:45 2006
Message-ID: <18e02bd30605100133p58f81d28w5d30a8089304dbce@mail.gmail.com>
Date: Wed, 10 May 2006 11:33:43 +0300
From: "Iantcho Vassilev"
To: freebsd-questions@freebsd.org
References: <62b856460605090453o24f7de34ka71fffa392bfdedb@mail.gmail.com>
Subject: Re: jails or chroot?
On 5/9/06, Chad Leigh -- Shire.Net LLC wrote:
>
> On May 9, 2006, at 5:53 AM, Michael Grant wrote:
>
> > When it comes time to upgrade, how does one upgrade 100 different
> > jails? This will be a nightmare!
>
> Actually, not. You only need 1 master jail and a bunch of nullfs
> read only mounts plus some exclusive space for each jail. I run 44
> jails at the moment this way. Upgrading is relatively easy as I only
> have to upgrade one master jail (and unfortunately lots of jail etc
> if such happens but a few scripts can automate much of that).
>
> I basically set up
>
> /local/jails/master and install according to man jail into this
> place. I never start this jail.
>
> I happen to use disk backed md devices as the root for each jail. I
> mount each on /local/jail/
>
> Then I do
>
> /sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
> /sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
> /sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
> /sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
> /sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
> /sbin/mount -t procfs proc /local/jails/adcmw/proc
> devfs_domount /local/jails/adcmw/dev devfsrules_jail
> devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
> /sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset
>
> In my master jail I have some symlinks so that each jail has its own
> /usr/local/ that is writable.
>
> All the jails run out of one installed jail and they also have the
> side benefit of the main system directories being read only so
> exploits in one jail cannot affect all the running jails.

Wow, I really like the setup you have made.
One question. How do you update the system (and the jail)?
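Added here as an example, not code from the thread or from Chad's own setup: a POSIX sh script that prints the mount_nullfs lines for one jail built on the master tree quoted above, plus an audit that reads mount(8) output and flags any master subtree that is not mounted read-only, since that read-only property is what keeps one compromised jail from altering the binaries every jail runs. The mount output it checks is a constructed sample; JAILROOT, the function names and the audit logic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: emit the nullfs mount commands for
# one jail built on the master tree described above, and audit mount(8)
# output to confirm every shared directory really is read-only.
# The audit input below is a constructed sample, not captured output.

MASTER=/local/jails/master          # never started; only a source tree
JAILROOT=/local/jails               # each jail lives in $JAILROOT/<name>
SHARED="bin lib libexec sbin usr"   # subtrees shared read-only via nullfs

# Print (do not run) the mount_nullfs(8) lines for jail $1.
jail_mount_cmds() {
    for d in $SHARED; do
        printf '/sbin/mount_nullfs -o ro %s/%s %s/%s/%s\n' \
            "$MASTER" "$d" "$JAILROOT" "$1" "$d"
    done
}

# Read "src on dst (opts)" lines from stdin, as printed by mount(8).
# Every mount whose source is under $MASTER must carry "read-only";
# offenders are reported on stderr and the function returns 1.
audit_ro_mounts() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "$MASTER"/*) ;;                 # nullfs mount of a master subtree
            *) continue ;;                  # jail-private or pseudo fs: skip
        esac
        case "$line" in
            *read-only*) ;;
            *) echo "WRITABLE shared mount: $line" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed mount(8) output: jail adcmw is correct, jail "other" has
# /usr mounted writable, which would let one jail alter binaries for all.
SAMPLE_MOUNTS='/dev/md0 on /local/jails/adcmw (ufs, local)
/local/jails/master/bin on /local/jails/adcmw/bin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/adcmw/usr (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/other/usr (nullfs, local)
procfs on /local/jails/adcmw/proc (procfs, local)'

# Returns 1 because of the writable /usr in jail "other".
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_ro_mounts 2>/dev/null
}
```

On a live host the audit is run as `mount | audit_ro_mounts` after the jails are up, so a forgotten `-o ro` shows up before it matters.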