From: "Chad Leigh -- Shire.Net LLC" (chad@shire.net)
Date: Tue, 9 May 2006 10:55:09 -0600
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?
In-Reply-To: <62b856460605090453o24f7de34ka71fffa392bfdedb@mail.gmail.com>
List-Id: freebsd-questions (User questions)

On May 9, 2006, at 5:53 AM, Michael Grant wrote:

> When it comes time to upgrade, how does one upgrade 100 different
> jails? This will be a nightmare!

Actually, not. You only need one master jail and a bunch of nullfs read-only mounts, plus some exclusive space for each jail. I run 44 jails at the moment this way.
Upgrading is relatively easy, as I only have to upgrade one master jail (and, unfortunately, lots of jail etc if such happens, but a few scripts can automate much of that).

I basically set up /local/jails/master and install according to man jail into this place. I never start this jail.

I happen to use disk-backed md devices as the root for each jail. I mount each one on /local/jail/

Then I do

  /sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
  /sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
  /sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
  /sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
  /sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
  /sbin/mount -t procfs proc /local/jails/adcmw/proc
  devfs_domount /local/jails/adcmw/dev devfsrules_jail
  devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
  /sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own /usr/local/ that is writable.

All the jails run out of one installed jail, and they also have the side benefit of the main system directories being read-only, so exploits in one jail cannot affect all the running jails.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
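The shared-master layout in Chad's message, as an added example that is not part of the original thread or of FreeBSD's own rc scripts: a small sh script that generates the per-jail fstab(5) file (the file that rc.conf's jail_<name>_fstab, or mount.fstab in jail.conf on later releases, points at) from the same master/jail paths and shared-directory list the message uses, and that audits mount(8) output for any master directory that was null-mounted without -o ro. The directory list, the jail names and the sample mount(8) lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD itself.
# Assumptions: the /local/jails/master layout from the message, the shared
# directory list below, and that rc.conf's jail_<name>_fstab (or jail.conf's
# mount.fstab) points at the generated file.

MASTER=${MASTER:-/local/jails/master}   # the one installed, never-started jail
JAILROOT=${JAILROOT:-/local/jails}      # per-jail roots live under here
SHARED_DIRS="bin lib libexec sbin usr"  # assumed list, mirrors the message

# Print fstab(5) lines for one jail: every shared directory from the master
# is null-mounted read-only, plus a procfs. devfs is left to rc.d/jail, which
# applies the devfs ruleset (ruleset 4 is devfsrules_jail, as in the message).
jail_fstab() {
    name=$1
    for d in $SHARED_DIRS; do
        printf '%s\t%s\tnullfs\tro\t0\t0\n' "$MASTER/$d" "$JAILROOT/$name/$d"
    done
    printf 'proc\t%s\tprocfs\trw\t0\t0\n' "$JAILROOT/$name/proc"
}

# Audit: read mount(8) output on stdin and print the mount point of every
# mount whose source is inside the master tree but is not read-only. A
# writable null mount of a master directory would let one jail modify the
# binaries every other jail executes, which is exactly what the read-only
# mounts exist to prevent.
rw_shared_mounts() {
    while read -r src _on dst rest; do
        case $src in
            "$MASTER"/*) ;;
            *) continue ;;
        esac
        case $rest in
            *read-only*) ;;
            *) printf '%s\n' "$dst" ;;
        esac
    done
}

# Constructed sample of mount(8) output; the third nullfs line is the
# deliberate mistake (mounted without -o ro).
SAMPLE_MOUNTS='/dev/md0 on /local/jails/adcmw (ufs, local, soft-updates)
/local/jails/master/bin on /local/jails/adcmw/bin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/adcmw/usr (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/other/usr (nullfs, local)
procfs on /local/jails/adcmw/proc (procfs, local)'

# Usage:  jailfstab.sh fstab adcmw > /etc/fstab.adcmw
#         jailfstab.sh audit            (reads the live mount(8) output)
#         jailfstab.sh demo             (runs the audit on the sample above)
case ${1:-} in
    fstab) jail_fstab "$2" ;;
    audit) mount | rw_shared_mounts ;;
    demo)  printf '%s\n' "$SAMPLE_MOUNTS" | rw_shared_mounts ;;
esac
```

Run the audit after the jails are up (or from cron); an empty result means every master directory visible inside a jail is read-only. The generated fstab is per jail, so adding a jail is one new file plus its own md-backed root, and upgrading the master changes what all of them see on the next mount without touching any per-jail file.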