Date:      Sun, 6 Feb 2022 12:24:09 -0800
From:      David Christensen <dpchrist@holgerdanske.com>
To:        questions@freebsd.org
Subject:   Re: Jail, and specifically iocage, best practices
Message-ID:  <03d3126f-dd2a-312c-3dce-392fae2856b9@holgerdanske.com>
In-Reply-To: <DFC3D35A-BDC4-4769-8DE3-54FEDD85042C@nxg.name>
References:  <DFC3D35A-BDC4-4769-8DE3-54FEDD85042C@nxg.name>

On 2/6/22 04:58, Norman Gray wrote:
> 
> 
> Greetings.
> 
> On the freebsd-questions list recently, there was a useful thread about 
> freebsd-update and jails.  This prompts a related question of mine.
> 
> Is there anywhere a collection of recommended practices with respect to 
> jails?
> 
> The handbook [1] talks of jails in general, and mentions ezjail in 
> passing at the end.  I've used ezjail with success, but I get the 
> impression (is this correct?) that ezjail is now at least 
> semi-abandoned, and that iocage is the 'obvious' replacement tool for 
> those (such as me) who would rather do the 'obvious'/normal/usual/POLA 
> thing, rather than having any need, yet, to learn how to roll their own.
> 
> The Lucas 'Absolute FreeBSD' chapter on jails is also good, but also 
> focuses on roll-your-own solutions [3].
> 
> The iocage documentation [2] is good (I've used it to get a few jails 
> going), and terse (which is a virtue), but sometimes leaves questions 
> unanswered.  For example, what should I worry about when picking a 
> suitable private address range for the jail?  Is it a good idea to clone 
> lo0 when setting up jail networking, or a good idea not to?  What are 
> the important differences between the different jail types (clone and 
> basejail have distinct explanations, but I don't have a clear picture of 
> the difference, or of the respective tradeoffs)?  What _is_ the 
> recommended way to update a jail (see the other thread)?  And is an 
> iocage-created jail importantly different from a by-hand jail?
> 
> I've worked out answers to some of these questions, based on these 
> resources and forum posts, but I'm not particularly confident in my 
> answers, nor confident that there aren't other bear-traps that haven't 
> occurred to me.
> 
> So: am I missing something?  Is there anywhere an article or HOWTO which 
> describes the 'what everyone knows' about how to look after jails 
> _properly_?
> 
> Best wishes,
> 
> Norman
> 
> 
> [1] https://docs.freebsd.org/en/books/handbook/jails/
> [2] https://iocage.readthedocs.io/en/latest/basic-use.html
> [3] https://nostarch.com/absfreebsd3


Another resource is Lucas' book on jails:

https://mwl.io/nonfiction/os#fmjail


I have one 12.3-R server in my SOHO environment with two jails (Samba 
and SSH/CVS) that are always running and are relatively constant.  So, 
the base FreeBSD tools plus a few scripts inspired by Lucas are enough 
for me.


David


