From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Tue, 15 Mar 2016 10:40:18 +0100
To: "Martin "eto" Misuth", freebsd-jail@freebsd.org
Subject: Re: Jail management
Message-ID: <56E7D882.8060400@quip.cz>
In-Reply-To: <20160225161413.25f17811@eto-mona.office.smartweb.sk>
List: freebsd-jail@freebsd.org ("Discussion about FreeBSD jail(8)")

Martin "eto" Misuth wrote on 02/25/2016 16:14:
[...]
> - not sure about Miroslav's problems with freebsd-update, but it seems to work
>   pretty well with -basedir /jail/tree parameter nowadays (there might be
>   corner cases)

freebsd-update maintains patches for each file in each jail (if you use full jails and not a shared basejail), so this is IO / space / time consuming. freebsd-update has some unhandled exceptions which can leave the system in an inconsistent state (unbootable). It ended up with mixed files from 9.x and 10.x on the host when updating the host. It was about 2 years ago and it may be fixed. I don't know.

> - you can have older jail-base run on newest kernel (other way around is not
>   possible)
> - you can kill many files in given jail to get bare minimal running setup
>   (this seems completely driven by gut, from what I gathered, as some things
>   might have un-obvious dependencies)
> - you can mount many things into jail read-only (this makes them more rigid
>   and harder to "manage" "live")
> - jails can have limits on number of procs living in them and can be
>   allowed to be nested(!) (jail-in-jail)
> - with rctl you can cap resources per jail

Beware of RCTL. We are using it a lot, but some of them don't work as one can expect from their name and manpage description, namely memoryuse or swapuse. Limiting of processor seems good.

Miroslav Lachman
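As an added example (not part of this thread), a small sh script that compares a jail's rctl(8) usage counters against the cap declared in a rule, which is how one would verify whether a memoryuse or swapuse limit is actually being enforced rather than trusting the rule's name. The rule syntax `subject:id:resource:action=amount` and the `resource=value` line format of `rctl -u` are assumed; the jail name `www` and the usage sample are constructed.

```shell
#!/bin/sh
# Added example: check whether observed jail usage stays under an rctl cap.
# Assumes rctl(8) rule form "jail:<name>:<resource>:<action>=<amount>" and
# "resource=value" lines as printed by `rctl -u jail:<name>` (bytes for
# memoryuse/swapuse, percent for pcpu); k/m/g suffixes as rctl accepts them.

# to_bytes 512m -> 536870912 ; plain numbers pass through unchanged
to_bytes() {
    n=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# rule_resource "jail:www:memoryuse:deny=512m" -> memoryuse
rule_resource() { printf '%s\n' "$1" | cut -d: -f3; }
# rule_amount "jail:www:memoryuse:deny=512m" -> 536870912
rule_amount() { to_bytes "${1##*=}"; }

# usage_value <resource> <usage-text> -> the counter for that resource
usage_value() {
    printf '%s\n' "$2" | awk -F= -v r="$1" '$1 == r { print $2; exit }'
}

# over_cap <rule> <usage-text> -> prints "ok", "OVER" or "unknown".
# "OVER" means the counter exceeds the declared cap, i.e. the rule is not
# being enforced the way its name suggests.
over_cap() {
    res=$(rule_resource "$1")
    cap=$(rule_amount "$1")
    used=$(usage_value "$res" "$2")
    [ -n "$used" ] || { echo "unknown"; return 0; }
    if [ "$used" -gt "$cap" ]; then echo "OVER"; else echo "ok"; fi
}

# Constructed sample in the shape of `rctl -u jail:www` output (not real data):
# 700 MiB resident although the rule below allows only 512 MiB.
SAMPLE_USAGE='cputime=120
memoryuse=734003200
swapuse=0
maxproc=42
pcpu=17'

over_cap "jail:www:memoryuse:deny=512m" "$SAMPLE_USAGE"   # OVER
over_cap "jail:www:pcpu:deny=50" "$SAMPLE_USAGE"          # ok
```

On a live host the usage text would come from `rctl -u jail:<name>` and the rule from `rctl -l jail:<name>`; a persistent "OVER" on memoryuse or swapuse is the symptom the thread warns about.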