Date: Tue, 9 May 2006 10:55:09 -0600
From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
To: Michael Grant <mg-fbsd3@grant.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?
Message-ID: <C60DD298-4A89-4B75-A3AF-88C612C47065@shire.net>
In-Reply-To: <62b856460605090453o24f7de34ka71fffa392bfdedb@mail.gmail.com>
References: <62b856460605090453o24f7de34ka71fffa392bfdedb@mail.gmail.com>

On May 9, 2006, at 5:53 AM, Michael Grant wrote:

>
> When it comes time to upgrade, how does one upgrade 100 different
> jails?  This will be a nightmare!

Actually, not.  You only need 1 master jail and a bunch of nullfs read
only mounts plus some exclusive space for each jail.  I run 44 jails at
the moment this way.  Upgrading is relatively easy as I only have to
upgrade one master jail (and unfortunately lots of jail etc if such
happens but a few scripts can automate much of that).

I basically set up /local/jails/master and install according to man
jail into this place.  I never start this jail.

I happen to use disk backed md devices as the root for each jail.  I
mount each one on /local/jail/<jailname>

Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own
/usr/local/ that is writable.

All the jails run out of one installed jail and they also have the side
benefit of the main system directories being read only so exploits in
one jail cannot affect all the running jails.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
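
The isolation described in the message above depends on every shared directory really being a read-only nullfs mount of the master jail. The following check is an added example, not part of the original message: it audits one jail against `mount` output read from stdin. The function name `check_jail_mounts` and the sample mount table are constructed for illustration, and the parsing assumes the usual FreeBSD mount(8) line format `source on mountpoint (fstype, options)`.

```shell
#!/bin/sh
# Added example (not from the original message): audit one jail's shared
# system directories against `mount` output read from stdin.

MASTER=/local/jails/master              # master jail path used in the message
SHARED_DIRS="bin lib libexec sbin usr"  # directories the message null-mounts

# check_jail_mounts JAILROOT < mount-output   (hypothetical helper name)
# Prints "<dir> <status>" per shared directory; returns 0 only if all are OK.
check_jail_mounts() {
    jailroot=$1
    table=$(cat)
    rc=0
    for d in $SHARED_DIRS; do
        # The last matching entry is the mount currently on top of the path.
        line=$(printf '%s\n' "$table" | grep -F " on $jailroot/$d (" | tail -n 1)
        case $line in
            "") status=MISSING ;;
            "$MASTER/$d on "*"(nullfs,"*"read-only"*) status=OK ;;
            "$MASTER/$d on "*) status=NOT-READ-ONLY ;;
            *) status=WRONG-SOURCE ;;
        esac
        [ "$status" = OK ] || rc=1
        printf '%s %s\n' "$d" "$status"
    done
    return $rc
}

# Constructed sample in mount(8) output format: libexec was mounted without
# -o ro, and usr is not mounted at all.
SAMPLE_MOUNTS='/dev/md3 on /local/jails/adcmw (ufs, local, soft-updates)
/local/jails/master/bin on /local/jails/adcmw/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/adcmw/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/adcmw/libexec (nullfs, local)
/local/jails/master/sbin on /local/jails/adcmw/sbin (nullfs, local, read-only)
proc on /local/jails/adcmw/proc (procfs, local)
devfs on /local/jails/adcmw/dev (devfs, local)'

printf '%s\n' "$SAMPLE_MOUNTS" | check_jail_mounts /local/jails/adcmw \
    || echo "adcmw: shared directories are not all read-only master mounts"
```

On the jail host, the same function can be fed live data with `mount | check_jail_mounts /local/jails/<jailname>`.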