From owner-freebsd-questions@FreeBSD.ORG Mon Mar 22 00:21:40 2010
Message-ID: <4BA6B80F.7050806@comclark.com>
Date: Mon, 22 Mar 2010 08:21:35 +0800
From: Aiza
To: Mark Shroyer
Cc: freebsd-questions@freebsd.org
References: <4BA5AA53.5030503@comclark.com> <4BA69566.2040504@markshroyer.com>
In-Reply-To: <4BA69566.2040504@markshroyer.com>
Subject: Re: ezjail

Mark Shroyer wrote:
> On 3/21/2010 1:10 AM, Aiza wrote:
>> I don't have sources installed on my system. Just use the binary
>> freebsd-update function. At new releases I do a clean install.
>> I only have a single public IP address.
>>
>> Now I would like to play with jails. One for postfix, apache, and ftp.
>> My reading of EZJAIL and the jails section of the handbook leads me to
>> believe I need a unique IP address for each jail. Is that correct?
>
> Yes. But if you have only one public IP address, you can give the jail
> a loopback interface with an address in 127.0.0/24 or one of the RFC
> 1918 private blocks (there's some debate as to which is the more
> "correct" type of address to use, but either will work), then use NAT if
> you need your jail to be able to access the Internet.
>
> If it helps you to reason about this, keep in mind that your jail does
> *not* have its own virtualized network stack, like with Solaris Zones
> for instance. The best way to think about your jails is as a group of
> processes running on the same operating system as the host, just with
> the restriction that (among other things) they can only communicate with
> the outside world using a limited subset of the IP addresses available
> to non-jailed processes.
>

Does the IP address notation for the jail include the port number? Like
10.0.20.2:80? NAT port forwarding is the long way around just to get the
correct port number to the jail IP address.

>> I have no need to build world or install world because it does this from
>> /usr/src which I don't install. Is there some EZJAIL option to just copy
>> over the running system binaries instead of the sources?
>
> Until recently, the method for creating ezjail's "basejail" was to issue
> the "ezjail-admin update" command, which compiles the basejail from
> /usr/src. Just recently an "ezjail-admin install" command was added,
> which downloads binaries from a FreeBSD FTP server instead. So you
> shouldn't need sources to get started, however I'm not sure what the
> update mechanism is if you use the install command.
>

I found that man ezjail-admin has this format:

ezjail-admin install -h file://

Where -h file:// means get the binaries from the host system the jails are
running on. Am I correct?

>> The handbook "15.4 Creating and Controlling Jails" talks about
>> “complete” jails, which resemble a real FreeBSD system, and “service”
>> jails, dedicated to one application or service. Section 15.4 is the
>> procedure for building a "complete jail" using the jail command.
>>
>> The 15.6 Application of Jails (service jails) talks about creating a
>> root skeleton containing the host running files which are shared with
>> all the guest jails in read only mode. This eliminates the massive
>> duplication of running system files in each jail as in the complete jail
>> system talked about in handbook section "15.4 Creating and Controlling
>> Jails".
>>
>> Now reading the ezjail man pages I see that ezjail also creates a base
>> template that is shared between all jails. Is this the same method
>> talked about in the handbook section 15.6 Application of Jails (service
>> jail)?
>
> It's essentially the same approach. (With ezjail you'll still be
> duplicating binaries between the host system and the basejail, but I
> wouldn't lose sleep over it.)
>

My understanding of handbook section 15.6 Application of Jails (service
jails) is that a copy of the host binaries is populated into the basejail
and all the other jails have read only access to it. Each guest jail also
has a read/write space for installing ports/packages unique to that jail
including /var /usr /etc. Am I correct? Is this how ezjail is configured
now?
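Added example (editor's, not part of Aiza's or Mark Shroyer's messages): a sketch of what the single-public-IP arrangement Mark describes looks like in FreeBSD configuration, covering the two technical points of the thread. The jail's address in rc.conf is a bare IP on a cloned loopback interface, the published port lives in a pf rdr rule rather than in the address, and the shared basejail is exposed to each jail as a read-only nullfs mount, which is the mechanism ezjail uses for its basejail. The jail name "www", the address 10.0.20.2 on lo1, the external interface em0 and the /usr/jails paths are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (editor's, not from the mail thread): configuration shape for
# running a jail behind a single public IP. Jail name, addresses, interface
# and paths below are constructed assumptions.

# rc.conf fragment. The jail is bound to a bare address on a cloned loopback
# interface; a jail address is an IP only, the service port never appears here.
jail_rc_conf() {
    jail=$1 ip=$2 lo=$3
    cat <<EOF
cloned_interfaces="${lo}"
ifconfig_${lo}_alias0="inet ${ip} netmask 255.255.255.255"
jail_enable="YES"
jail_list="${jail}"
jail_${jail}_rootdir="/usr/jails/${jail}"
jail_${jail}_hostname="${jail}.example.invalid"
jail_${jail}_interface="${lo}"
jail_${jail}_ip="${ip}"
jail_${jail}_devfs_enable="YES"
EOF
}

# pf.conf fragment. Outbound jail traffic is NATed to the host's public
# address; inbound, only the one published TCP port is redirected to the jail.
# Filter rules see the translated (jail) address, so the pass rule names it.
jail_pf_rules() {
    ext=$1 ip=$2 net=$3 port=$4
    cat <<EOF
ext_if = "${ext}"
nat on \$ext_if inet from ${net} to any -> (\$ext_if)
rdr on \$ext_if inet proto tcp from any to (\$ext_if) port ${port} -> ${ip} port ${port}
block in on \$ext_if
pass in on \$ext_if inet proto tcp to ${ip} port ${port} keep state
pass out on \$ext_if keep state
EOF
}

# fstab.<jail> line: the host-populated basejail is shared with every jail as a
# read-only nullfs mount; /etc, /var and /usr/local stay per-jail and writable.
basejail_fstab() {
    jail=$1
    echo "/usr/jails/basejail /usr/jails/${jail}/basejail nullfs ro 0 0"
}

# Guard against the tempting "10.0.20.2:80" form: returns 0 only for a bare
# dotted-quad address with no port suffix.
is_bare_ipv4() {
    case $1 in
        *:*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: print the three fragments for a jail called "www".
if is_bare_ipv4 10.0.20.2; then
    jail_rc_conf www 10.0.20.2 lo1
    echo
    jail_pf_rules em0 10.0.20.2 10.0.20.0/24 80
    echo
    basejail_fstab www
fi
```

The fragments are meant to be pasted into /etc/rc.conf, /etc/pf.conf and the jail's fstab respectively; the `block in` default with a single `pass in` for the redirected port keeps everything else on the public address closed, and the read-only nullfs mount means a compromise inside one jail cannot modify the base system shared by the others.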