From owner-freebsd-hackers@FreeBSD.ORG Wed Apr 20 13:50:57 2005
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B13C16A4CE for ; Wed, 20 Apr 2005 13:50:57 +0000 (GMT)
Received: from postfix4-1.free.fr (postfix4-1.free.fr [213.228.0.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 62D7C43D45 for ; Wed, 20 Apr 2005 13:50:56 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix4-1.free.fr (Postfix) with ESMTP id 003BF3177E3; Wed, 20 Apr 2005 15:50:54 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 56820405A; Wed, 20 Apr 2005 15:50:13 +0200 (CEST)
Date: Wed, 20 Apr 2005 15:50:13 +0200
From: Jeremie Le Hen
Message-ID: <20050420135013.GE91329@obiwan.tataz.chchile.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
cc: freebsd-hackers@freebsd.org
Subject: Re: Configuration differences for jails
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Wed, 20 Apr 2005 13:50:57 -0000

Hi,

> I am now trying to use jail in FreeBSD. I have read the jail(8) man page
> and some other documents for setting up jails. But I'm a little confused
> about the procedure and configurations for setting up jails.
> As known to all, jail can be used for two purposes, i.e. jailing a single
> application or acting as a virtual host. What I want to know is the
> concrete configuration (procedure) difference between the two types of
> use of jails. Is there a SMALLEST set of configuration necessary for
> setting up a jail? If so, what is it?
> Another question, is there any way to detect the share of files between
> multiple jails automatically?

The following is based on my own experience and therefore may not be what
other people feel.

I run two main services on a box, Bind and Postfix, and I wanted to
separate each of them from the base system for security reasons. I
thought it was quite heavy to boot two virtual hosts as described in the
jail(8) manpage for two daemons only, so I decided to just jail each
application. In all cases, I strongly wanted the chosen setup to create
very little overhead compared to what it would be without jail.

In the per-application case, you will have to be very careful about the
things that will be needed by the daemon (dynamic libraries and
configuration files as well as spool queues, mailboxes or maildirs, and
other filesystem objects such as Unix domain sockets, named pipes, ...).
Since I wanted this setup to be as transparent as possible, I decided to
null mount all needed directories from host to jail root, in order to be
able to execute administrative commands (postconf(8), mailq(8), ...) from
the host itself. One exception is /etc: you don't want to null mount it
into the jail as it contains very sensitive information like password
hashes; you will have to manually synchronize resolv.conf, localtime,
aliases, ...

Now with some distance, I must admit that all these gymnastics are quite
boring. I have now decided to run two virtual hosts as they are managed
in a very natural way. These two hosts are just like two real boxes, one
running Bind and the other one running Postfix. When I need to update
something in the configuration, I log in to the box with ssh(1). This
takes some more memory and in principle no CPU as all processes are
sleeping most of the time.

> BTW, what is the meaning of "IMHO"? :)
> It appears very frequently in the mail list.

The port games/wtf will translate acronyms for you.

%%%
obiwan:ports$ wtf IMHO
IMHO: in my humble opinion
%%%

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
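A small sh helper in the spirit of the per-application setup described in the mail above (an added example, not code from the original post or from the FreeBSD project): it emits fstab(5)-style nullfs entries for the host directories a jailed daemon needs, mounts everything except spool and mailbox directories read-only, refuses /etc and anything under it because the host's /etc holds password hashes, and lists the files to copy by hand instead. The jail root /jails/postfix and the directory list are constructed values.

```shell
#!/bin/sh
# Added example (not from the original mail): emit fstab(5)-style nullfs
# entries for a per-application jail, refusing /etc and anything under it
# because the host's /etc carries password hashes. The jail root and the
# directory list passed to the functions below are constructed values.

# jail_nullfs_fstab JAIL_ROOT DIR... -> one fstab line per DIR on stdout.
# Binaries and libraries are exposed read-only; spool and mailbox
# directories, which the daemon must write to, are mounted read-write.
# Stops at the first forbidden or relative path and returns 1.
jail_nullfs_fstab() {
    jail_root=$1
    shift
    for dir in "$@"; do
        case "$dir" in
            /etc|/etc/*)
                printf 'refusing %s: host /etc holds password hashes\n' "$dir" >&2
                return 1 ;;
            /*) ;;
            *)
                printf 'not an absolute path: %s\n' "$dir" >&2
                return 1 ;;
        esac
        case "$dir" in
            /var/spool/*|/var/mail) opts=rw ;;
            *)                      opts=ro ;;
        esac
        # <host dir> <mount point inside jail> nullfs <options> <dump> <pass>
        printf '%s\t%s%s\tnullfs\t%s\t0\t0\n' "$dir" "$jail_root" "$dir" "$opts"
    done
}

# jail_sync_etc JAIL_ROOT -> cp commands for the /etc files the mail says
# must be copied by hand instead of mounted.
jail_sync_etc() {
    for f in resolv.conf localtime aliases; do
        printf 'cp -p /etc/%s %s/etc/%s\n' "$f" "$1" "$f"
    done
}

# Stand-alone demonstration on constructed inputs: run as `sh script.sh demo`.
if [ "${1:-}" = "demo" ]; then
    jail_nullfs_fstab /jails/postfix /usr/lib /usr/local/sbin /var/spool/postfix
    jail_sync_etc /jails/postfix
fi
```

The emitted lines can be saved to a per-jail fstab and applied from the host with mount(8)'s -F option, so the jail itself never needs mount privileges.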