From owner-freebsd-questions@FreeBSD.ORG Thu Aug 27 16:28:47 2009
From: APseudoUtopia
Date: Thu, 27 Aug 2009 12:28:26 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Information on Setting up a Jailed Webserver
Message-ID: <27ade5280908270928s256bed30s2cc75587b22577b1@mail.gmail.com>
In-Reply-To: <6201873e0908270803k639b4742w1211d686607f7e9@mail.gmail.com>
References: <27ade5280908261959q39aeab15ta300048b861a50f7@mail.gmail.com> <6201873e0908262010n1f554fa6p88895ee4641a5620@mail.gmail.com> <200908271135.13045.erich@apsara.com.sg> <27ade5280908270713g5710797xadb07b5055158808@mail.gmail.com> <6201873e0908270803k639b4742w1211d686607f7e9@mail.gmail.com>

On Thu, Aug 27, 2009 at 11:03 AM, Adam Vande More wrote:
> On Thu, Aug 27, 2009 at 9:13 AM, APseudoUtopia wrote:
>>
>> On Wed, Aug 26, 2009 at 11:35 PM, Erich Dollansky wrote:
>> > Hi,
>> >
>> > On 27 August 2009 am 11:10:37 Adam Vande More wrote:
>> >> On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia wrote:
>> >> >
>> >> > Also, how memory-intensive is a jail?
>> >>
>> >> Very light when compared to other virtualization methods.
>> >
>> > jails share the kernel but not the world.
>> >
>> > So, there will be only one kernel loaded but all libraries in use
>> > will be loaded individually by each jail when needed.
>> >
>> > Jails need some more disk space as the world, all libraries needed
>> > and all applications needed are installed individually in each
>> > jail.
>> >
>> > This can be minimised with proper planning of what runs in what
>> > jail.
>> >
>> > Erich
>> >
>>
>> Thanks for the helpful replies. I have a couple of questions:
>>
>> When a jail is compromised, the only thing I have to do to recover the
>> system is delete the jail and create a new one, correct? The host
>> system is untouched even if a jail is compromised?
>
> Really depends on how you're using the jail, but under standard usage yes.
>>
>>
>> And how does the upgrade process work? I know the userland must be the
>> same for the host system and the jail. If I want to upgrade to, say,
>> FreeBSD 8 when released, what is the process? I'd imagine it goes
>> something like this, but I'm not sure:
>> -Shut down jail
>> -Upgrade host system
>> -Install host binaries
>> -Install jail binaries
>> -Restart jail
>>
>> Or is there more to the process than what it seems?
>
> That's the basic process, however as mentioned before check out ezjail. It
> makes administering multiple jails much easier and can save you disk space.
>>
>>
>> Thanks again.

OK, thanks. Two more questions, then I should be ready to go with my jail(s).

In order to minimize the HDD space of the jail, can I add things in my
src.conf such as WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF? I do use pf on
the host system, but it isn't needed inside the jail as well, correct?

Also, is it possible to compile a port (specifically nginx) inside the
host, then simply cp it into the jail and run it? I'd like to do this to
avoid installing a compiler into the jail itself.

Thanks again for the help.
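The source-based upgrade sequence sketched in the thread (stop the jail, upgrade the host, install the jail's binaries, restart the jail), as an added shell example that is not from the thread, from ezjail, or from FreeBSD's own scripts. It uses make installworld with DESTDIR and mergemaster -D, which are the base-system tools for installing a world into a directory other than /. The jail name "www", its root /usr/jails/www, the DRY_RUN switch and the "upgrade" argument are assumptions for illustration; it assumes /usr/src already holds the target release with buildworld and buildkernel done.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself.
# Source-based host + jail upgrade in the order the poster describes.
# Assumed for illustration: jail "www" rooted at /usr/jails/www,
# /usr/src checked out at the target release, buildworld/buildkernel done.
# DRY_RUN=1 prints each command instead of executing it.

JAIL_NAME="${JAIL_NAME:-www}"
JAIL_ROOT="${JAIL_ROOT:-/usr/jails/www}"
SRCDIR="${SRCDIR:-/usr/src}"
DRY_RUN="${DRY_RUN:-0}"

# Echo or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Refuse a DESTDIR that would point installworld at the host instead of
# the jail (empty, "/" or relative); in real runs also require it to exist.
check_jail_root() {
    case "$JAIL_ROOT" in
        ""|/|/.) echo "refusing: JAIL_ROOT '$JAIL_ROOT' is the host root" >&2; return 1 ;;
        /*) ;;
        *)  echo "refusing: JAIL_ROOT must be an absolute path" >&2; return 1 ;;
    esac
    if [ "$DRY_RUN" != "1" ] && [ ! -d "$JAIL_ROOT" ]; then
        echo "refusing: $JAIL_ROOT is not a directory" >&2
        return 1
    fi
    return 0
}

# Step 1: stop the jail so nothing inside keeps running on the old world.
stop_jail() { run /etc/rc.d/jail stop "$JAIL_NAME"; }

# Steps 2/3: install the new kernel and world on the host.  On a real major
# upgrade you reboot onto the new kernel between installkernel and installworld.
upgrade_host() {
    run make -C "$SRCDIR" installkernel
    run make -C "$SRCDIR" installworld
    run mergemaster -i
}

# Step 4: install the same world into the jail's root.  A jail shares the
# host kernel, so there is no installkernel here; mergemaster -D points the
# /etc merge at the jail instead of the host.
upgrade_jail() {
    check_jail_root || return 1
    run make -C "$SRCDIR" installworld DESTDIR="$JAIL_ROOT"
    run mergemaster -i -D "$JAIL_ROOT"
}

# Step 5: bring the jail back up on the new world.
start_jail() { run /etc/rc.d/jail start "$JAIL_NAME"; }

upgrade_all() {
    stop_jail && upgrade_host && upgrade_jail && start_jail
}

# Only act when invoked explicitly, e.g.:  DRY_RUN=1 sh upgrade-jail.sh upgrade
case "${1:-}" in
    upgrade) upgrade_all ;;
esac
```

The guard in check_jail_root exists because DESTDIR is the one value in this sequence where a typo silently does the wrong thing: an empty or "/" DESTDIR makes the jail step reinstall the host's world instead of the jail's. Run it first with DRY_RUN=1 to review the exact commands before letting it touch either world.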