Date: Tue, 19 Mar 2002 21:23:52 +1100
From: BSD Freak <bsd-freak@mbox.com.au>
To: Scott Bolte <listS+freebsd-questions@niss.com>, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: File system layout with multiple jails
Message-ID: <22e12ff22dffe6.22dffe622e12ff@mbox.com.au>

Very clever! Would you mind posting the contents of scripts on this
list or perhaps somewhere on the web? It would be very helpful to
many I think...

----- Original Message -----
From: Scott Bolte <listS+freebsd-questions@niss.com>
Date: Thursday, February 14, 2002 11:59 pm
Subject: Re: File system layout with multiple jails

> On Thu, 14 Feb 2002 17:44:14 +1100, BSD Freak wrote:
> > Hi everyone,
> >
> > Does anyone have any bright ideas for good file system layouts when
> > running multiple jails?
>
> I won't say they are bright, but the ideas reflected in
> this layout are working well for me:
>
> /jails/
>     Home for most jail related material. Note I do not
>     back up /jails every night as I do other partitions.
>     (I do back up /data every night and you'll see below
>     how I make use of that in a jail.)
>
>     /jails is its own partition so if it fills, it will
>     not cause problems for the host system.
>
> /jails/{jail_X}/
>     The root for one specific jail. Of course if you
>     have sets of jails, then /jails/jail_A/{cell_1,cell_2}
>     and /jails/jail_B/{cell_10,cell_11} where cell_#
>     is actually the root directory works well for
>     keeping them well organized.
>
> /jails/etc/rc.d/
>     Startup scripts (e.g. jail_X.sh) for all jails.
>
>     If you augment $local_startup in /etc/rc.conf to
>     include /jails/etc/rc.d then all the jails will be
>     started automatically.
>
> /jails/bin/
>     Jail management scripts.
>
>     .../bin/JAIL_CTL.sh   A generic start, stop, enter, trace,
>                           ps script. Each jail's startup
>                           script sets a bunch of environment
>                           variables and then calls JAIL_CTL.
>
>     .../bin/jail_clone    duplicates a jail.
>
>     .../bin/jail_ps       runs ps for all the processes in
>                           a specific jail.
>
> /jails/var/trace/
>     Home for kdump traces of jail execution.
>
> /jails/template/
>     A reference jail that I can clone in a few minutes
>     time. Much easier than running (make world) every
>     time I need a new jail.
>
> /data/jails/{jail_X}/
>     If there is a /data/jails/{jail_X} present, then
>     it is automatically mounted as /jails/{jail_X}/data
>     when the jail is started. That way the /data
>     directory in a jail can be treated separately
>     from the rest of the jail.
>
>     One caveat if you do this. Multiple jails, each
>     with their own uid space, will rapidly overlap in
>     the host's uid space. To avoid this, my jail creation
>     script hashes the jail's IP address to create a
>     (relatively) unique starting point for that jail's
>     uids. That starting uid is placed in the jail's
>     /et chances that uids will collide.
>
> /data/jails/{jail_X}/home/
>     Symlink to /data/home (in the jail of course). If
>     /data/jails/{jail_X} is mounted on the jail's /data,
>     then the home partition in the jail is actually
>     coming from /data of the host and therefore will
>     be backed up on a regular basis.
>
> /data/jails/{jail_X}/proc/
>     If it is present, then /proc is mounted on this
>     directory when a jail is started and unmounted when
>     it is stopped.
>
> > How do I stop /var/log in one of the jails from filling up the whole drive
> > and affecting the rest without giving each jail its own partition?
> >
> > Is it possible to somehow set a quota on how large a particular
> > directory can get?
>
> About all I can think of is to make a directory, and all its
> subordinate directories, owned by a specific user. You can
> then have per user quotas.
>
> For the specific example of /var/log, you'd have to set the
> user to be root_X. If you then set the user-ID-on-execution
> bit (see chmod(1) or chmod(2)) for /var/log so all new files
> and directories created under it would also be owned by root_X.
>
> I suspect you'd have to pre-populate your /var/log directory
> and chown everything to root_X. If you then change everything
> there to have world write permissions then root in the jail
> can update the files. Having world write access is a bad
> idea, but it's your trade-off to consider.
>
>     Scott
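
Added example, not Scott's script and not part of the original thread: one way to derive a per-jail starting uid from the jail's IPv4 address, as the quoted reply describes, and to check a set of jails for overlapping uid blocks on the host. A plain modulo mapping stands in for the hash, which the message does not specify; UID_MIN, UID_BLOCK, UID_SLOTS and all function names are assumptions.

```shell
#!/bin/sh
# Added example; all names and constants below are assumptions, not from the thread.
UID_MIN=10000    # first uid given to any jail
UID_BLOCK=1000   # uids reserved per jail
UID_SLOTS=4000   # number of distinct blocks available

# ip_to_int A.B.C.D: print the address as an integer; return 1 if malformed.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros (octal), max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# jail_uid_base IP: print the first uid of the block assigned to that jail.
jail_uid_base() {
    n=$(ip_to_int "$1") || return 1
    echo $(( UID_MIN + (n % UID_SLOTS) * UID_BLOCK ))
}

# find_uid_collisions IP...: print "ipA ipB base" for every pair of jails that
# map to the same block. Returns 1 if any clash, 2 on a bad address.
find_uid_collisions() {
    seen=""; rc=0
    for ip in "$@"; do
        base=$(jail_uid_base "$ip") || { echo "bad address: $ip" >&2; return 2; }
        for entry in $seen; do
            if [ "${entry%%=*}" = "$base" ]; then
                echo "${entry#*=} $ip $base"; rc=1
            fi
        done
        seen="$seen $base=$ip"
    done
    return $rc
}

# Constructed sample addresses: the first and third differ by exactly UID_SLOTS.
find_uid_collisions 10.0.0.1 10.0.0.2 10.0.15.161 || echo "uid blocks overlap" >&2
```

Running the collision check over every existing jail address before creating a new jail shows whether the new jail's files on a host-mounted /data would be owned by uids that another jail also uses.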