jails or chroot?

Chad Leigh -- Shire.Net LLC chad at shire.net
Wed May 10 16:50:34 UTC 2006


On May 10, 2006, at 2:33 AM, Iantcho Vassilev wrote:

> On 5/9/06, Chad Leigh -- Shire.Net LLC <chad at shire.net> wrote:
>>
>>
>> On May 9, 2006, at 5:53 AM, Michael Grant wrote:
>>
>> >
>> > When it comes time to upgrade, how does one upgrade 100 different
>> > jails?  This will be a nightmare!
>>
>> Actually, not.  You only need 1 master jail and a bunch of nullfs
>> read only mounts plus some exclusive space for each jail.    I run 44
>> jails at the moment this way.  Upgrading is relatively easy as I only
>> have to upgrade one master jail (and unfortunately lots of jail etc
>> if such happens but a few scripts can automate much of that).
>>
>> <snipppage>

>> All the jails run out of one installed jail and they also have the
>> side benefit of the main system directories being read only so
>> exploits in one jail cannot affect all the running jails.
>
> Wow,
> I really like the setup you have make..
>
> One question. How do you update the system (and the jail)?

I shut all the jails down, and update the system.  Then I boot
without starting the jails and rebuild the master jail according to
"man jail".  Then I start a special main jail that was used to
install ports used, if any, into a common area and do any updates
necessary -- this last one from 5.4 to 6.0 I just made sure I had the
5x compatibility stuff installed and all was fine for now so I have
more time to redo individual ports or SW built from scratch.  When
that is done I restart all the jails.

I had about 40 jails active when I went from 5.4 to 6.0 on this
particular machine (some earlier ones I did from 5.4 to 6.0 had maybe
1 or 2 jails so they were not the definitive test case).  Had no
problems once I made sure all the jails were accessing the compat 5x
stuff (which I did by editing in each jail /etc -- you could use a
script but I am lousy at writing more than simple scripts -- the
rc.conf and making sure that "ldconfig_paths=" was set appropriately
to the master jail wide compat5x library location...

Done, finis

Chad


---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
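The layout Chad describes (one master jail, nullfs read-only mounts of its system directories into each jail, a private writable /etc, /var and so on per jail, and an ldconfig_paths= edit in every jail's rc.conf after the 5.4 -> 6.0 move) is straightforward to script. The script below is an added example, not Chad's own setup or anything posted in the thread: the paths /jails/master, /jails/<name> and the compat5x library directory /usr/local/lib/compat are assumptions for illustration, and the set of shared and private directories is one reasonable choice, not the only one. It only writes fstab(5) entries and rc.conf lines into directories you point it at; the actual mount(8) and jail(8) steps from "man jail" are left to you, so you can run it as an unprivileged user to see what it would produce.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the skeleton of a jail
# that shares the master jail's system tree read-only via nullfs(5), emits
# the matching fstab(5) lines, and sets ldconfig_paths= in each jail's
# rc.conf so 6.x jails find the compat5x libraries.
# Assumed paths: /jails/master, /jails/<name>, /usr/local/lib/compat.

set -u

# Directories every jail mounts read-only from the master jail.
SHARED_DIRS="bin sbin lib libexec usr"
# Directories each jail gets as its own writable copy (seeded from master).
PRIVATE_DIRS="etc var tmp root home"

# Create the mount points for the read-only shares and the per-jail
# writable directories, copying the private ones from the master tree.
# Usage: jail_skeleton MASTER JAILROOT
jail_skeleton() {
    master=$1; root=$2
    mkdir -p "$root"
    for d in $SHARED_DIRS; do
        mkdir -p "$root/$d"
    done
    for d in $PRIVATE_DIRS; do
        if [ -d "$master/$d" ] && [ ! -e "$root/$d" ]; then
            cp -Rp "$master/$d" "$root/$d"
        else
            mkdir -p "$root/$d"
        fi
    done
}

# Print fstab(5) entries mounting the master's shared directories read-only
# into a jail root. The "ro" is enforced by the host kernel, so root inside
# the jail cannot modify /bin, /usr and friends for itself or for its
# neighbours; the same files are still writable from the host.
# Usage: jail_fstab MASTER JAILROOT
jail_fstab() {
    master=$1; root=$2
    for d in $SHARED_DIRS; do
        printf '%s/%s\t%s/%s\tnullfs\tro\t0\t0\n' "$master" "$d" "$root" "$d"
    done
}

# Set (or replace) the ldconfig_paths="..." line in an rc.conf, keeping
# every other line and never leaving two assignments behind.
# Usage: set_ldconfig_paths RCCONF "PATH ..."
set_ldconfig_paths() {
    rcconf=$1; paths=$2
    touch "$rcconf"
    # grep -v exits 1 when it selects nothing (empty file); that is not an error here.
    grep -v '^ldconfig_paths=' "$rcconf" > "$rcconf.tmp" || true
    printf 'ldconfig_paths="%s"\n' "$paths" >> "$rcconf.tmp"
    mv "$rcconf.tmp" "$rcconf"
}

# Read the current ldconfig_paths value from an rc.conf (empty if unset).
get_ldconfig_paths() {
    sed -n 's/^ldconfig_paths="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Point every jail under JAILS_DIR (except the master) at the compat5x
# library directory. An rc.conf value replaces the one in
# /etc/defaults/rc.conf rather than extending it, so the usual paths are
# listed again in front of it. Prints the number of jails touched.
# Usage: fix_all_jails JAILS_DIR COMPAT_LIBDIR
fix_all_jails() {
    jails=$1; libdir=$2; n=0
    for root in "$jails"/*/; do
        root=${root%/}
        [ "$(basename "$root")" = master ] && continue
        [ -d "$root/etc" ] || continue
        set_ldconfig_paths "$root/etc/rc.conf" "/usr/lib/compat /usr/local/lib $libdir"
        n=$((n + 1))
    done
    echo "$n"
}

# Demo on a throwaway tree: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    base=$(mktemp -d)
    mkdir -p "$base/master/etc" "$base/master/usr/lib"
    echo 'hostname="master"' > "$base/master/etc/rc.conf"
    for j in www1 www2; do
        jail_skeleton "$base/master" "$base/$j"
        jail_fstab "$base/master" "$base/$j" > "$base/$j.fstab"
    done
    echo "jails updated: $(fix_all_jails "$base" /usr/local/lib/compat)"
    cat "$base/www1.fstab" "$base/www1/etc/rc.conf"
fi
```

On a real host the fstab output would go into the per-jail fstab referenced from rc.conf (or be mounted by hand before jail(8) starts each jail), and the master tree itself is rebuilt with the installworld/distribution steps from "man jail" while the jails are stopped. After starting the jails it is worth checking `mount | grep nullfs` to confirm every shared directory really came up `read-only`: a share that is accidentally mounted read-write gives a compromised jail a path to every other jail's system binaries, which is exactly what the read-only layout is meant to rule out.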





More information about the freebsd-questions mailing list