ezjail

[Mark Shroyer]

On 3/21/2010 1:10 AM, Aiza wrote:
> I don't have sources installed on my system. Just use the binary
> Freebsd-update function. At new releases I do a clean install.
> I only have a single public IP address.
> 
> Now I would like to play with jails. One for postfix, apache, and ftp.
> My reading of EZJAIL and the jails section of the handbook lead me to
> believe I need a unique IP address for each jail. Is that correct?

Yes.  But if you have only one public IP address, you can give the jail
a loopback interface with an address in 127.0.0/24 or one of the RFC
1918 private blocks (there's some debate as to which is the more
"correct" type of address to use, but either will work), then use NAT if
you need your jail to be able to access the Internet.

If it helps you to reason about this, keep in mind that your jail does
*not* have its own virtualized network stack, like with Solaris Zones
for instance.  The best way to think about your jails is as a group of
processes running on the same operating system as the host, just with
the restriction that (among other things) they can only communicate with
the outside world using a limited subset of the IP addresses available
to non-jailed processes.

> I have no need to build world or install world because it does this from
> /usr/src which i don't install. Is there some EZJAIL option to just copy
> over the running system binaries instead of the sources?

Until recently, the method for creating ezjail's "basejail" was to issue
the "ezjail-admin update" command, which compiles the basejail from
/usr/src.  Just recently an "ezjail-admin install" command was added,
which downloads binaries from a FreeBSD FTP server instead.  So you
shouldn't need sources to get started, however I'm not sure what the
update mechanism is if you use the install command.

> The handbook "15.4 Creating and Controlling Jails" talks about
> “complete” jails, which resemble a real FreeBSD system, and “service”
> jails, dedicated to one application or service. Section 15.4 is the
> procedure for building a "complete jail" using the jail command.
> 
> The 15.6 Application of Jails (service jails) talks about creating a
> root skeleton containing the host running files which are shared with
> all the guest jails in read only mode. This eliminates the massive
> duplication of running system files in each jail as in the complete jail
> system talked about in handbook section "15.4 Creating and Controlling
> Jails".
> 
> Now reading the ezjail man pages I see that ezjail also creates a base
> template that is shared between all jails. Is this the same method
> talked about in the handbook section 15.6 Application of Jails (service
> jail)?

It's essentially the same approach.  (With ezjail you'll still be
duplicating binaries between the host system and the basejail, but I
wouldn't loose sleep over it.)

-- 
Mark Shroyer
http://markshroyer.com/contact/