From: Norman Gray
To: FreeBSD Questions
Subject: Re: Jail, and specifically iocage, best practices -- summary
Date: Thu, 10 Feb 2022 10:54:05 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hello, all.

On 6 Feb 2022, at 12:58, Norman Gray wrote:

> Greetings.
>
> On the freebsd-questions list recently, there was a useful thread about freebsd-update and jails. This prompts a related question of mine.
>
> Is there anywhere a collection of recommended practices with respect to jails?

Thanks, everyone, for very useful comments on this.

I don't want to repeat everyone's suggestions, though I encourage people to look at the thread [1]. But the things that particularly stood out for me are:

* Several people mentioned that Lucas's Jails book [2] does cover iocage! We have a copy of this book on the shelf, and now that I can get my hands on it again, physically, I see 'iocage' all over the ToC, whereas I'd previously convinced myself it was jail(8)-only. I feel rather foolish about that...

* Peter Boosten said 'use a mix', suggesting that it's reasonable to use a script to set up a jail, and then unscripted tools to manage it thereafter. That is, a script isn't (necessarily) locking you into a particular way of managing these, and it's reassuring to be reminded, in particular, that ezjail/iocage/... aren't adding any particular secret sauce to the jail.

There was also a mention of iocell [3], as a fork of iocage. I'm always a bit nervous of forks, and note that the iocell documentation doesn't mention the circumstances of the fork (and I remember the ezjail/qjail unpleasantness of a few years ago). Is there a story here?

It sounds as if a one-line summary of the thread (acknowledging that there isn't a universal consensus here) is:

You won't go far wrong with iocage; buy Lucas's Jails book.

Thanks again, everyone.

Best wishes,

Norman

[1] https://lists.freebsd.org/archives/freebsd-questions/2022-February/000622.html
[2] FreeBSD Mastery: Jails, https://mwl.io/nonfiction/os#fmjail
[3] https://iocell.readthedocs.io/en/latest/

-- 
Norman Gray : https://nxg.me.uk