Date: Sun, 06 Feb 2022 12:58:50 +0000
From: Norman Gray <gray@nxg.name>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Jail, and specifically iocage, best practices
Message-ID: <DFC3D35A-BDC4-4769-8DE3-54FEDD85042C@nxg.name>
Greetings.

On the freebsd-questions list recently, there was a useful thread about freebsd-update and jails. This prompts a related question of mine.

Is there anywhere a collection of recommended practices with respect to jails?

The handbook [1] talks of jails in general, and mentions ezjail in passing at the end. I've used ezjail with success, but I get the impression (is this correct?) that ezjail is now at least semi-abandoned, and that iocage is the 'obvious' replacement tool for those (such as me) who would rather do the 'obvious'/normal/usual/POLA thing, rather than having any need, yet, to learn how to roll their own. The Lucas 'Absolute FreeBSD' chapter on jails is also good, but also focuses on roll-your-own solutions [3].

The iocage documentation [2] is good (I've used it to get a few jails going), and terse (which is a virtue), but sometimes leaves questions unanswered. For example, what should I worry about when picking a suitable private address range for the jail? Is it a good idea to clone lo0 when setting up jail networking, or a good idea not to? What are the important differences between the different jail types (clone and basejail have distinct explanations, but I don't have a clear picture of the difference, or of the respective tradeoffs)? What _is_ the recommended way to update a jail (see the other thread)? And is an iocage-created jail importantly different from a by-hand jail?

I've worked out answers to some of these questions, based on these resources and forum posts, but I'm not particularly confident in my answers, nor confident that there aren't other bear-traps that haven't occurred to me.

So: am I missing something? Is there anywhere an article or HOWTO which describes the 'what everyone knows' about how to look after jails _properly_?
Best wishes,

Norman

[1] https://docs.freebsd.org/en/books/handbook/jails/
[2] https://iocage.readthedocs.io/en/latest/basic-use.html
[3] https://nostarch.com/absfreebsd3

--
Norman Gray : https://nxg.me.uk