From owner-freebsd-questions Thu Feb 14 5: 0:11 2002 Delivered-To: freebsd-questions@freebsd.org Received: from crag.niss.com (niss.com [169.207.33.46]) by hub.freebsd.org (Postfix) with ESMTP id 86A1737B402 for ; Thu, 14 Feb 2002 05:00:06 -0800 (PST) Received: from crag.niss.com (localhost.niss.com [127.0.0.1]) by crag.niss.com (8.11.6/8.11.6) with ESMTP id g1ECxv067094; Thu, 14 Feb 2002 06:59:57 -0600 (CST) (envelope-from listS+freebsd-questions@niss.com) Message-Id: <200202141259.g1ECxv067094@crag.niss.com> From: Scott Bolte To: BSD Freak Cc: FreeBSD Questions Subject: Re: File system layout with multiple jails MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <67091.1013691597.1@crag.niss.com> Date: Thu, 14 Feb 2002 06:59:57 -0600 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, 14 Feb 2002 17:44:14 +1100, BSD Freak wrote: > Hi everyone, > > Does anyone have any bright ideas for good file system layouts when > running multiple jails? I won't say they are bright, but the ideas reflected in this layout are working well for me: /jails/ Home for most jail related material. Note I do not backup /jails every night as I do other partitions. (I do backup /data every night and you'll see below how I make use of that in a jail.) /jails is its own partition so if it fills, it will not cause problems for the host system. /jails/{jail_X}/ The root for one specific jail. Of course if you have sets of jails, then /jails/jail_A/{cell_1,cell_2} and /jails/jail_B/{cell_10,cell_11} where cell_# is actually the root directory works well for keeping them well organized. /jails/etc/rc.d/ Startup scripts (e.g. jail_X.sh) for all jails. If you augment $local_startup in /etc/rc.conf to include /jails/etc/rc.d then all the jails will be started automatically. /jails/bin/ Jail management scripts. .../bin/JAIL_CTL.sh A generic start, stop, enter, trace, ps script. Each jail's startup script sets a bunch of environment variables and then calls JAIL_CTL. .../bin/jail_clone duplicates a jail. .../bin/jail_ps runs ps for all the processes in a specific jail. /jails/var/trace/ Home for kdump traces of jail execution. /jails/template/ A reference jail that I can clone in a few minutes time. Much easier then running (make world) every time I need a new jail. /data/jails/{jail_X}/ If there is a /data/jails/{jail_X} present, then it is automatically mounted as /jails/{jail_X}/data when the jail is started. That way the /data directory in a jail can be treated separately then from the rest of the jail. One caveat if you do this. Multiple jails, each with their own uid space, will rapidly overlap in the host's uid space. To avoid this, my jail creation script hashes the jail's IP address to create a (relatively) unique starting point for that jail's uids. That starting uid is placed in the jail's /etc/adduser.conf as $uid_start. This minimizes the chances that uids will collide. /data/jails/{jail_X}/home/ Symlink to /data/home (in the jail of course). If /data/jails/{jail_X} is mounted on the jail's /data, then the home partition in the jail is actually coming from /data of the host and therefore will be backed up on a regular basis. /data/jails/{jail_X}/proc/ If it is present, then /proc is mounted on this directory when a jail is started and unmounted when it is stopped. > How do I stop /var/log in one the jails from filling up the whole drive > and affecting the rest without giving each jail it's own partition? > > Is it possible to some how set a quota on how large a particular > directory can get? About all I can think of is to make a directory, and all its subordinate directories, owned by a specific user. You can then have per user quotas. For the specific example of /var/log, you'd have to set the user to be root_X. If you then set the user-ID-on-execution bit (see chmod(1) or chmod(2)) for /var/log so all new files and directories created under it would also be owned by root_X. I suspect you'd have to pre-populate your /var/log directory and chown everything to root_X. If you then change everything there to have world write permissions then root in the jail can update the files. Having world write access is a bad idea, but it's your trade-off to consider. Scott To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message