From: Steven Hartland
Date: Mon, 22 Feb 2016 01:38:13 +0000
To: freebsd-jail@freebsd.org
Subject: Re: Jail management
Message-ID: <56CA6685.4030705@multiplay.co.uk>

Check out qjail; from your description I think it will do what you want.

On 22/02/2016 01:13, Aristedes Maniatis wrote:
> I've been using FreeBSD jails (with ezjail) for many years and they work very well. However I'm now reaching a critical mass (30+ jails) where I want to be able to manage them in bulk more easily.
>
> In this environment, each jail runs just a single application, installed from a package built using poudriere from a custom port. That package depends on Java, so lots of other packages also get pulled in. That application gets new versions roughly once every 4 weeks.
> The problems I have right now are:
>
> * FreeBSD's packaging system doesn't understand the concept of installing a particular package version, so all my scripts will by default upgrade the application to the current version even if I don't want to. I can't easily install a new jail at an old version.
>
> * It is hard to reproduce the environment exactly, matching the application to the same version of Java that was available at the time of deployment. Again I'm fighting against the pkg system which always wants the latest version.
>
> * For failover I want each jail reproduced exactly on another host, or at least a snapshot which could be sent to another host within a few seconds. The jails are quite small (< 500Mb). Most of that is just the openjdk pkg.
>
> As I understand, ezjail doesn't support multiple base jails. If it did, then I could simply install the application (and packages) to the base jail and have versions of the base. Then by shutting down a jail, switching the base to the new version and starting up, everything would upgrade easily. Even better would be some concept of hierarchy with customer_jail sitting on top of base_version_1.0 which in turn sits on top of base_jail.
>
> Would I need to abandon ezjail and be able to build all the above myself with a combination of nullfs (basejail) and unionfs (intermediate versioned jail)? Does unionfs now work with ZFS?
>
> Alternatively I could simply use zfs clones to deploy a new version of the application by destroying the whole jail and replacing it with a new one. I'd need to then script (I use saltstack) deploying the 2-3 config files which are different in each jail.
>
> Thoughts? What seems like a more robust long term approach to jail management?
>
> Thanks
> Ari