Jails and filesystems

Björn König bkoenig at cs.tu-berlin.de
Sat Jun 11 12:57:36 GMT 2005

Rob wrote:

> I'm trying to figure out the best layout for multiple jails.
> I'd like to share binaries across jails - patches and packages only need 
> to be installed once, and it saves a lot of space. So these directories 
> would be shared and read-only: [...]

You can also use mount_unionfs with option -b. For instance you have a 
template jail, let's say in /usr/jail/template, and a jail in 
/usr/jail/myjail. You can now mount the template to the jail directory:

   mount_unionfs -b /usr/jail/template /usr/jail/myjail

It's not read-only. Now you have all files of the template in myjail and 
you can even overwrite or delete them if you like, the template remains 

unionfs treats the mounted directory and the mount point as two layers: 
an upper layer where all changes are stored and a lower layer which is 
not writable through the upper layer. The option -b inverts the position 
of these layers.

I'll give some practical examples:

If you access the myjail directory then you can imagine that you look 
from top onto the upper layer and in some cases you look through the 
upper layer to the lower layer.

          (1)        (2)            (3)
           |          |              |
   | upper layer: /usr/jail/myjail   |        |
   |       |          |              |        |
   |       |          V              X        |
   |       |     /etc/rc.conf                 |
   | lower layer: /usr/jail/template          |
   |       |                                  |
   |       V                                  |
   |   /bin/sh   /etc/rc.conf   /usr/bin/gcc  |

(1) /bin/sh exists in the template, but not in myjail. You'll access the 
file of the lower layer.

(2) At first /etc/rc.conf exists in the template only. Then you decide 
that you want to make some changes to the file and you save it. It's 
stored in the upper layer and from now on you access your changed file 
only. The file exists in two different versions in both layers.

(3) You don't need /usr/bin/gcc in your jail? Just delete it. The 
template remains untouched, but you can't access it anymore, not 
even if you remount your unionfs.

Please test the use of unionfs copiously. Read the manpage 
mount_unionfs(8), especially the BUGS section. I know some users who 
never had problems with unionfs and jails, but you should be careful 
with it nevertheless.
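
The three cases in the diagram above, as an added example that is not part of the original post and not FreeBSD's unionfs code: a simplified in-memory Python model of the layer lookup, with hypothetical names (`UnionView`, `source`, `diverged`) and constructed file contents. `diverged()` lists the paths where a jail no longer matches its template, which is the check to run when auditing jails built this way.

```python
# Simplified model of the two-layer behaviour described in the post.
# Illustrative only: names and file contents are constructed.

class UnionView:
    """A jail directory seen as a writable upper layer over a template."""

    def __init__(self, template):
        self.lower = template      # template files; never modified here
        self.upper = {}            # files written inside the jail
        self.whiteouts = set()     # deletion markers kept in the upper layer

    def source(self, path):
        """Return which layer serves `path`: 'upper', 'lower' or None."""
        if path in self.whiteouts:
            return None            # deleted in the jail: lower copy is hidden
        if path in self.upper:
            return "upper"
        return "lower" if path in self.lower else None

    def read(self, path):
        layer = self.source(path)
        if layer is None:
            raise FileNotFoundError(path)
        return (self.upper if layer == "upper" else self.lower)[path]

    def write(self, path, data):
        """All changes land in the upper layer; the template is untouched."""
        self.whiteouts.discard(path)
        self.upper[path] = data

    def delete(self, path):
        if self.source(path) is None:
            raise FileNotFoundError(path)
        self.upper.pop(path, None)
        if path in self.lower:
            self.whiteouts.add(path)   # mask the template's copy

    def diverged(self):
        """Paths where the jail no longer matches the template."""
        changed = {p for p, d in self.upper.items() if self.lower.get(p) != d}
        return sorted(changed | self.whiteouts)


def demo():
    # Constructed contents for the three files in the diagram.
    template = {"/bin/sh": b"sh", "/etc/rc.conf": b"", "/usr/bin/gcc": b"gcc"}
    jail = UnionView(template)
    jail.write("/etc/rc.conf", b'sshd_enable="YES"\n')   # case (2)
    jail.delete("/usr/bin/gcc")                          # case (3)
    return template, jail
```

Because the deletion marker lives in the upper layer, it survives a remount, which matches case (3).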

