jails or chroot?
Chad Leigh -- Shire.Net LLC
chad at shire.net
Tue May 9 16:55:19 UTC 2006
On May 9, 2006, at 5:53 AM, Michael Grant wrote:
>
> When it comes time to upgrade, how does one upgrade 100 different
> jails? This will be a nightmare!
Actually, not. You only need one master jail and a bunch of nullfs
read-only mounts plus some exclusive space for each jail. I run 44
jails at the moment this way. Upgrading is relatively easy as I only
have to upgrade one master jail (and unfortunately lots of per-jail etc
directories if that is needed, but a few scripts can automate much of that).
I basically set up /local/jails/master and install according to man jail
into this place. I never start this jail.
I happen to use disk backed md devices as the root for each jail. I
mount each one on /local/jail/<jailname>
Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset
In my master jail I have some symlinks so that each jail has its own
/usr/local/ that is writable.
All the jails run out of one installed jail, and they also have the
side benefit of the main system directories being read-only, so
exploits in one jail cannot affect all the running jails.
Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
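The layout Chad describes, scripted as an added example (this is not Chad's script or anything from the FreeBSD tree): one never-started master jail whose bin, lib, libexec, sbin and usr are nullfs mounted read-only into each per-jail root, a dry-run so the commands can be reviewed before they are run as root, and a check that parses mount(8) output and flags any shared directory that was mounted without ro, which is the mistake that would quietly let one jail write into the tree every other jail runs from. The paths are the ones in the post; the function names (jail_mounts, check_ro), the DO=1 switch, and the sample mount output are this example's own assumptions. The devfs step uses plain mount(8) plus ruleset 4, which is what /etc/defaults/devfs.rules names devfsrules_jail, in place of the rc.subr helpers devfs_domount/devfs_set_ruleset used in the post.

```shell
#!/bin/sh
# Added example, not the poster's script. Automates the master-jail layout
# from the post and checks that every shared directory is really read-only.
# Paths come from the post; function names, DO=1 and the sample mount(8)
# output below are assumptions made for this example.

MASTER=${MASTER:-/local/jails/master}   # installed once per man jail, never started
JAILS=${JAILS:-/local/jails}            # per-jail roots live at $JAILS/<name>
SHARED="bin lib libexec sbin usr"       # shared read-only from the master

# Print the commands that wire one jail root to the master. With DO=1 in the
# environment the commands are executed instead (needs root on FreeBSD).
# The devfs step is mount(8) plus ruleset 4 (devfsrules_jail in
# /etc/defaults/devfs.rules), the plain-command form of devfs_domount and
# devfs_set_ruleset from rc.subr.
jail_mounts() {
    name=$1
    root=$JAILS/$name
    {
        for d in $SHARED; do
            echo "/sbin/mount_nullfs -o ro $MASTER/$d $root/$d"
        done
        echo "/sbin/mount -t procfs proc $root/proc"
        echo "/sbin/mount -t devfs devfs $root/dev"
        echo "/sbin/devfs -m $root/dev rule -s 4 applyset"
    } | while IFS= read -r cmd; do
        if [ "${DO:-0}" = 1 ]; then
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

# Read mount(8) output on stdin and report every nullfs mount of a master
# directory into $JAILS/<name> that is NOT read-only. A nullfs mount made
# without "-o ro" lets that jail modify the tree all the other jails run
# from, so run this after mounting (and from whatever script remounts at
# boot). Returns 0 when every shared directory is read-only, 1 otherwise.
check_ro() {
    name=$1
    root=$JAILS/$name
    bad=0
    while IFS= read -r line; do
        case $line in
            "$MASTER/"*" on $root/"*" (nullfs"*)
                case $line in
                    *read-only*) ;;
                    *) echo "WRITABLE shared dir: $line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Constructed mount(8) output (not captured from a real host) for a jail
# whose /usr was mounted without -o ro.
SAMPLE_MOUNT='/dev/md0 on /local/jails/adcmw (ufs, local)
/local/jails/master/bin on /local/jails/adcmw/bin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/adcmw/usr (nullfs, local)
devfs on /local/jails/adcmw/dev (devfs, local)'

# Usage:
#   jail_mounts adcmw                          # dry run, print the commands
#   DO=1 jail_mounts adcmw                     # actually mount (root, FreeBSD)
#   mount | check_ro adcmw                     # verify a live jail
#   printf '%s\n' "$SAMPLE_MOUNT" | check_ro adcmw   # flags the writable /usr
```

Running check_ro on the constructed sample prints the writable /usr line and exits 1; on a jail mounted by jail_mounts it stays silent and exits 0. Mounts belonging to other jails under $JAILS are ignored, so the check can be run per jail from the same loop that mounts them.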
More information about the freebsd-questions mailing list