Jail organization

Florian Weimer fw at deneb.enyo.de
Mon Apr 26 03:27:37 PDT 2004

I'd like to use jails to run different server software in different
jails, so that if one service is compromised, the others are not
affected (unless there are kernel bugs, of course).  All jails are in
the same administrative domain.

Three different ways of setting up the jails come to my mind.

  * No data sharing between any jails.

    Problem: Upgrades are more difficult then necessary (a libc update
    has to be applied to each jail individual, for example).

  * /usr is mounted read-only and shared, /usr/local is jail-specific.

    Problem: Installing ports is problematic because some of them want
    to write to /usr.

  * Both /usr and /usr/local are shared.

    Problem: All software is available in all jails.  Some hackery is
    necessary to prevent most of the daemons from starting, and
    setuid/setgid binaries might have issues.

So far, I've used the second and third variant, but I have little
experience with handling updates.  How do you solve these problems?
Is there a different approach I missed?

(As an administrator, I'm rather new to FreeBSD, so please bear with

Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net,
postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.

More information about the freebsd-questions mailing list