Date: Fri, 30 Oct 2015 08:26:53 -0400 From: Ricky G <ricky1252@hotmail.com> To: krad <kraduk@gmail.com> Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: RE: /etc/jail.conf documentation? Message-ID: <SNT146-W92BDA6F54F1DCDEA18EE72A12F0@phx.gbl> In-Reply-To: <CALfReyeNxbgNCbBSg71RaMOLrWM9BbB2tejp5-nvbBTOcWrZ0g@mail.gmail.com> References: <49230.128.135.52.6.1446047977.squirrel@cosmo.uchicago.edu>, <1446064085.1148620.422968569.0E47599D@webmail.messagingengine.com>, <20953.128.135.52.6.1446065026.squirrel@cosmo.uchicago.edu>, <CALfReycwGJfBsx1JB_HOpwRXj2BPt9JTDAFPZHHC4HA=-fiisw@mail.gmail.com>, <1446126519.3886654.423612921.572AA6CD@webmail.messagingengine.com>, <SNT146-W3153B1A15ED9D1429DC69AA1200@phx.gbl>, <CALfReyeNxbgNCbBSg71RaMOLrWM9BbB2tejp5-nvbBTOcWrZ0g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is intended. I'm not sure if its fixed=2C however I found an odd bug = awhile back where reusing a bridge for a vnet jail causes a high number of = dropped packets. The more it is reused the more the dropped packets. After = around 4 jail restarts there was about 60% packet loss. To resolve it=2C I = found recreating the bridge fixed the issue. I also only use one vnet so th= is isn't a problem for me=2C of course you are correct that multiple vnets = with this configuration will not work. Sorry for not making that clear befo= re I posted. Really need to stop using outlook. I hate how \n is not read correctly. =3D= / Date: Fri=2C 30 Oct 2015 08:17:59 +0000 Subject: Re: /etc/jail.conf documentation? From: kraduk@gmail.com To: ricky1252@hotmail.com CC: feld@freebsd.org=3B freebsd-questions@freebsd.org Be careful with your vnet config as if you use it with more than one jail a= t once shutting down one jail will break the networking on the other(s) as = you create and destroy the bridge. This may be intended but in most cases I= suspect people bind a bridge to a physical NIC and the epairs for a flat n= etwork=2C with maybe a vlan or two thrown in. In these cases let cloned_int= erfaces build the bridge and just add and remove the nics to the relevant b= ridge(s). On 29 October 2015 at 15:04=2C Ricky G <ricky1252@hotmail.com> wrote: Saw this post and decided to share as well. When I started using jails I wa= nted the system to be easy and flexible. Reading the handbook=2C I liked th= is layout https://www.freebsd.org/doc/handbook/jails-application.html. I de= cided to make some scripts based on this layout and I also made some improv= ements based on problems I ran into using the layout. =0A= Basically the scripts create a readonly base and duplicates the base settin= g to readonly. Upgrading is simple because you just recreate the base shutd= own duplicate startup and the jails are updated. One side note that Id like= to add is my use of mergemaster is the safe way which is a bit more work. = (The scripts will do everything except create the base dataset). I still ha= ve some more work to do on these scripts with possible errors=2C but they w= ork well for what I need them for. As for my jail.conf =0A= =0A= host.hostname =3D "${name}"=3Bpath =3D "/usr/jails/${name}"=3Bmount.fstab = =3D "/etc/fstab.${name}"=3Bmount.devfs =3D "1"=3Bdevfs_ruleset =3D "4"=3Bex= ec.consolelog =3D "/var/log/jail_${name}_console.log"=3Binterface =3D "ue0= "=3Bexec.start =3D "/bin/sh /etc/rc"=3Bexec.stop =3D "/bin/sh /etc/rc.shu= tdown"=3Bexec.clean=3Bpersist=3B =0A= allow.raw_sockets =3D "1"=3Ballow.set_hostname =3D "0"=3B =0A= foo { ip4.addr =3D "192.168.1.9/24"=3B} =0A= ### For vnet ###bar { $if =3D "0"=3B $ip_addr =3D "192.168.1.10/24"=3B $ip= _route =3D "192.168.1.1"=3B interface =3D "bridge0"=3B vnet=3B vnet.inter= face =3D "epair${if}b"=3B exec.prestart =3D "ifconfig bridge0 create"=3B e= xec.prestart +=3D "ifconfig epair${if} create up"=3B exec.prestart +=3D "= ifconfig bridge0 addm epair${if}a"=3B exec.start =3D "/sbin/ifconfig lo0 1= 27.0.0.1 up"=3B exec.start +=3D "/sbin/ifconfig epair${if}b inet ${ip_addr= } up"=3B exec.start +=3D "/sbin/route add default ${ip_route}"=3B exec.sta= rt +=3D "/bin/sh /etc/rc"=3B exec.stop =3D "/bin/sh /etc/rc.shutdown"=3B = exec.poststop =3D "ifconfig bridge0 destroy"=3B exec.poststop +=3D "ifcon= fig epair${if}a destroy"=3B exec.clean=3B persist=3B} =0A= =0A= =0A= =0A= $ cat update #!/usr/bin/env bashTEMPLATE_ZFS_DIR=3D"tank/jails/template"TEM= PLATE_NAME=3D"main"TEMPLATE_DIR=3D"/usr/jails/template"TEMPLATE_SNAPSHOT_NA= ME=3D"now"JAIL_DIR=3D"/usr/jails"JAIL_ZFS_DIR=3D"tank/jails"JAILS=3D( $(jls= | grep ${JAIL_DIR} | awk '{ print $3 }') )SRC=3D"/usr/src" =0A= ZFS_TEMPLATE=3D"${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"TEMPLATE_SNAPSHOT=3D"$= {ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"TEMPLATE_OLD_SNAPSHOT=3D"${ZFS_TEM= PLATE}@old.$(openssl rand -hex 8)"TEMPLATE=3D"${TEMPLATE_DIR}/${TEMPLATE_NA= ME}"SKEL=3D"${TEMPLATE_DIR}/skel" =0A= ### Some error checking ###zfs list "${ZFS_TEMPLATE}" >& /dev/nullif [ $? -= eq 1 ]=3Bthen echo "Template dataset ${ZFS_TEMPLATE} not found=2C or wrong= Template name" exit 1fiif [ $(zfs get mountpoint "${ZFS_TEMPLATE}" |= awk '{ print $3 }' | tail -n 1) !=3D "${TEMPLATE}" ]then echo "Template= dataset not mounted at ${TEMPLATE}" exit 1fiif [ $(zfs get mounted "$= {ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1) !=3D yes ]then echo "Temp= late dataset ${ZFS_TEMPLATE} not mounted" exit 1fi### Destroy old templ= ate ###zfs set readonly=3Doff "${ZFS_TEMPLATE}"chflags -R 0 "${TEMPLATE}"rm= -r "${TEMPLATE}"/*cd "${SKEL}"rm -R media root etc mnt tmp var =0A= ### Create new template ###cd ${SRC}make installworld DESTDIR=3D"${TEMPLATE= }"if [ $? -eq 1 ]then echo "${SRC} Needs to be compiled. Run make buildwor= ld." exit 1fimake distribution DESTDIR=3D"${TEMPLATE}" =0A= ### Recreate skel ###cd "${TEMPLATE}"for skel in media root etc mnt tmp var= do mv "${TEMPLATE}"/"${skel}" "${SKEL}"/done =0A= if [ -f /etc/resolv.conf ]then cp /etc/resolv.conf "${SKEL}"/etc/fiprintf = 'hostname=3D""\nsendmail_enable=3D"NO"\nsendmail_submit_enable=3D"NO"\nsend= mail_outbound_enable=3D"NO"\nsendmail_msp_queue_enable=3D"NO"' > "${SKEL}"/= etc/rc.conf### Create links for new template ###for link in etc home mnt me= dia root tmp vardo ln -s s/${link} "${TEMPLATE}"/${link}doneln -s ../s/h= ome "${TEMPLATE}"/usr/homeln -s ../s/usr-X11R6 "${TEMPLATE}"/usr/X11R6mkdir= "${TEMPLATE}"/s =0A= ### Finish template by setting readonly=3Don ###zfs set readonly=3Don "${ZF= S_TEMPLATE}" =0A= ### Move old template to a new name if it exists ###zfs list "${TEMPLATE_SN= APSHOT}" >& /dev/nullif [ $? -eq 0 ]=3Bthen zfs rename "${TEMPLATE_SNAPS= HOT}" "${TEMPLATE_OLD_SNAPSHOT}"fi =0A= ### Create snapshot of the new template ###zfs snapshot "${TEMPLATE_SNAPSHO= T}"### Updating jails that are currently running ###for jail in ${JAILS[@]}= =3Bdo if [ $(jls | grep ${jail} | awk '{ print $4 }') =3D=3D "${JAIL_= DIR}"/"${jail}" ] then cd /usr/src mergemaster -t= "${JAIL_DIR}"/"${jail}"/var/tmp/temproot -D "${JAIL_DIR}"/"${jail}"/s -i -= F cd "${JAIL_DIR}"/"${jail}"/s rm -r .cshrc .profil= e COPYRIGHT bin boot dev lib libexec proc rescue sbin sys usr = cd /usr/src jail -r "${jail}" zfs destroy -f "${= JAIL_ZFS_DIR}"/"${jail}" zfs clone -o readonly=3Don -o mountpo= int=3D"${JAIL_DIR}"/"${jail}" "${TEMPLATE_SNAPSHOT}" "${JAIL_ZFS_DIR}"/"${j= ail}" jail -c "${jail}" else FAILED+=3D"${ja= il} " fidone =0A= ### Destroy old template ###zfs destroy "${TEMPLATE_OLD_SNAPSHOT}"if [ -n "= ${FAILED}" ]then printf "The following jails failed to update due to in= correct mountpoint... ${FAILED}\n"fiecho "Update Finished" =0A= =0A= =0A= =0A= $ cat duplicate #!/usr/bin/env bashTEMPLATE_ZFS_DIR=3D"tank/jails/template"= TEMPLATE_NAME=3D"main"TEMPLATE_DIR=3D"/usr/jails/template"TEMPLATE_SNAPSHOT= _NAME=3D"now"JAIL_DIR=3D"/usr/jails"JAIL_ZFS_DIR=3D"tank/jails" =0A= ZFS_TEMPLATE=3D"${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"TEMPLATE_SNAPSHOT=3D"$= {ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"TEMPLATE=3D"${TEMPLATE_DIR}/${TEMP= LATE_NAME}"SKEL=3D"${TEMPLATE_DIR}/skel" =0A= echo What will the jail name be?read -e JAIL_NAMEecho What will the ip4 add= ress be? ie 192.168.1.1/24?read -e IP4zfs list "${ZFS_TEMPLATE}" >& /dev/nu= llif [ $? -eq 1 ]=3Bthen echo "Incorrect template" exit 1fizfs lis= t "${TEMPLATE_SNAPSHOT}" >& /dev/nullif [ $? -eq 1 ]=3Bthen echo "Sn= apshot not found" exit 1fi =0A= JAIL=3D"${JAIL_ZFS_DIR}/${JAIL_NAME}"JAIL_ZFS_DATA=3D"${TEMPLATE_ZFS_DIR}/$= {JAIL_NAME}"JAIL_ZFS_DATA_LOCAL=3D"${TEMPLATE_ZFS_DIR}/${JAIL_NAME}-local"J= AIL_DATA=3D"${TEMPLATE_DIR}/${JAIL_NAME}"JAIL_FSTAB=3D"${JAIL_DIR}/${JAIL_N= AME}" =0A= zfs clone -o readonly=3Don -o mountpoint=3D"${JAIL_FSTAB}" "${TEMPLATE_SNAP= SHOT}" "${JAIL}"if [ $? -eq 1 ]=3Bthen echo "clone failed" exit 1fi= echo "clone successful"zfs create -o recordsize=3D1M -o compression=3Dlz4 -= o mountpoint=3D"${JAIL_DATA}" "${JAIL_ZFS_DATA}"zfs create -o recordsize=3D= 1M -o compression=3Dlz4 -o canmount=3Dnoauto "${JAIL_ZFS_DATA_LOCAL}"cp -Ra= "${SKEL}"/* "${JAIL_DATA}"/umount "${JAIL_DATA}"rmdir "${JAIL_DATA}"zfs se= t canmount=3Dnoauto "${JAIL_ZFS_DATA}"printf "${JAIL_ZFS_DATA} ${JAIL_FSTAB= }/s\tzfs\trw 0 0\n${JAIL_ZFS_DATA_LOCAL} ${JAIL_FSTAB}/usr/local\t zfs\trw = 0 0" > /etc/fstab."${JAIL_NAME}"printf "\n${JAIL_NAME} {\n ip4.addr =3D \"$= {IP4}\"=3B\n}" >> /etc/jail.conf =0A= =0A= _______________________________________________ =0A= freebsd-questions@freebsd.org mailing list =0A= https://lists.freebsd.org/mailman/listinfo/freebsd-questions =0A= To unsubscribe=2C send any mail to "freebsd-questions-unsubscribe@freebsd.o= rg" =0A= =
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?SNT146-W92BDA6F54F1DCDEA18EE72A12F0>