Configuration differences for jails

Jeremie Le Hen jeremie at le-hen.org
Wed Apr 20 06:50:57 PDT 2005


Hi,

> I am now trying to use jail in FreeBSD. I have read the jail(8) man page
> and some other documents for setting up jails. But I'm a little confused
> about the procedure and configurations for setting up jails.
> As known to all, jail can be used for two purposes, i.e. jailing a single
> application or acting as a virtual host. What I want to know is the
> concrete configuration (procedure) difference between the two types of
> use of jails. Is there a SMALLEST set
> of configuration necessary for setting up a jail? If so, what is it?
> Another question,
> is there any way to detect the share of files between multiple jails
> automatically?

The following is based on my own experience and therefore may not be
what other people feel.

I run two main services on a box, Bind and Postfix, and I wanted to
separate each of them from the base system for security reasons.  I thought
it was quite heavy to boot two virtual hosts as described in the jail(8)
manpage for two daemons only, so I decided to just jail each application.
In all cases, I strongly wanted the chosen setup to create very little
overhead compared to what it would be without jail.

In the per-application case, you will have to be very careful about the
things that will be needed by the daemon (dynamic libraries and
configuration files as well as spool queues, mailboxes or maildirs, and
other filesystem objects such as Unix domain sockets, named pipes, ...).
Since I wanted this setup to be as transparent as possible, I decided
to null mount all needed directories from host to jail root, in order
to be able to execute administrative commands (postconf(8), mailq(8), ...)
from host itself.  One exception is /etc: you don't want to null mount
it into the jail as it contains very sensitive information like password
hashes; you will have to manually synchronize resolv.conf, localtime,
aliases, ...

Now with some distance, I must admit that all these gymnastics are quite
boring.  I have now decided to run two virtual hosts as they are managed in
a very natural way.  These two hosts are just like two real boxes, one
running Bind and the other one running Postfix.  When I need to update
something in the configuration, I log in to the box with ssh(1).  This
takes some more memory and in principle no CPU as all processes are
sleeping most of the time.

> BTW, what is the meaning of "IMHO"? :) 
> It appears very frequently in the mail list. 

The port games/wtf will translate acronyms for you.

%%%
  obiwan:ports$ wtf IMHO
  IMHO: in my humble opinion
%%%

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
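
The per-application layout described in the message above (null mounts for everything the daemon needs, /etc excluded and a few of its files copied by hand), sketched as an added example that is not part of the original post. The helper names plan_nullfs_mounts and sync_etc_files are hypothetical, and the jail root /jails/postfix and the directory list are constructed values.

```shell
#!/bin/sh
# Added example; /jails/postfix and the directory list are constructed values.

# /etc files holding password hashes on FreeBSD: never copied into a jail.
SECRET_ETC_FILES="master.passwd spwd.db"

# Print one mount_nullfs(8) command per host directory the daemon needs.
# /etc and non-canonical paths are refused before anything is printed.
plan_nullfs_mounts() {
    jailroot=$1; shift
    plan=""
    for dir in "$@"; do
        case "$dir" in
            *//*|*/../*|*/..) echo "non-canonical path: $dir" >&2; return 1 ;;
            /etc|/etc/*) echo "refusing to null mount $dir" >&2; return 1 ;;
            /*) plan="${plan}mount_nullfs $dir $jailroot$dir
" ;;
            *) echo "not an absolute path: $dir" >&2; return 1 ;;
        esac
    done
    printf '%s' "$plan"
}

# Copy only the named files from the host's etc directory into the jail's
# etc, rejecting the hash databases and any name containing a slash.
sync_etc_files() {
    src=$1; jailroot=$2; shift 2
    mkdir -p "$jailroot/etc" || return 1
    for name in "$@"; do
        case "$name" in
            */*|.|..) echo "bad file name: $name" >&2; return 1 ;;
        esac
        for secret in $SECRET_ETC_FILES; do
            if [ "$name" = "$secret" ]; then
                echo "refusing to copy $name" >&2; return 1
            fi
        done
        cp -p "$src/$name" "$jailroot/etc/$name" || return 1
    done
}

# Dry run: show the mounts for a Postfix jail (paths are constructed).
plan_nullfs_mounts /jails/postfix /usr/lib /usr/local/etc/postfix /var/spool/postfix
```

The printed commands are meant to be reviewed and then run as root on the host; sync_etc_files would be re-run whenever resolv.conf, localtime or aliases change there.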


More information about the freebsd-hackers mailing list