jails or chroot?

Iantcho Vassilev ianchov at gmail.com
Wed May 10 08:33:45 UTC 2006


On 5/9/06, Chad Leigh -- Shire.Net LLC <chad at shire.net> wrote:
>
>
> On May 9, 2006, at 5:53 AM, Michael Grant wrote:
>
> >
> > When it comes time to upgrade, how does one upgrade 100 different
> > jails?  This will be a nightmare!
>
> Actually, not.  You only need 1 master jail and a bunch of nullfs
> read only mounts plus some exclusive space for each jail.    I run 44
> jails at the moment this way.  Upgrading is relatively easy as I only
> have to upgrade one master jail (and unfortunately lots of jail etc
> if such happens but a few scripts can automate much of that).
>
> I basically set up
>
> /local/jails/master  and install according to man jail into this
> place.  I never start this jail.
>
> I happen to use disk backed md devices as the root for each jail.  I
> mount each one on /local/jail/<jailname>
>
> Then I do
>
> /sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
> /sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
> /sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
> /sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
> /sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
> /sbin/mount -t procfs proc /local/jails/adcmw/proc
> devfs_domount /local/jails/adcmw/dev devfsrules_jail
> devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
> /sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset
>
> In my master jail I have some symlinks so that each jail has its own
> /usr/local/ that is writable.
>
> All the jails run out of one installed jail and they also have the
> side benefit of the main system directories being read only so
> exploits in one jail cannot affect all the running jails.




Wow,
I really like the setup you have made.

One question. How do you update the system (and the jail)?
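The master-plus-nullfs layout Chad describes above, as an added example that is not code from either post: a small POSIX sh script that prints or runs the read-only mounts for one jail and audits mount(8) output to catch a shared directory that is missing or was left writable (the property that keeps an exploit in one jail from touching the others). The paths, the list of shared directories and the mount(8) line format are assumptions taken from the quoted setup; the sample mount output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (from the quoted
# post): master tree at /local/jails/master, each jail at /local/jails/<name>,
# and bin lib libexec sbin usr shared read-only via nullfs.
MASTER=/local/jails/master
JAILROOT=/local/jails
SHARED="bin lib libexec sbin usr"

# Print the mount_nullfs commands for one jail, one per line.
nullfs_mount_cmds() {
    for d in $SHARED; do
        printf '/sbin/mount_nullfs -o ro %s/%s %s/%s/%s\n' \
            "$MASTER" "$d" "$JAILROOT" "$1" "$d"
    done
}

# Execute them, stopping at the first failure (e.g. a missing mount point).
mount_jail_base() {
    nullfs_mount_cmds "$1" | sh -e
}

# Audit: read mount(8) output on stdin and report each shared directory of
# jail $1 that is not mounted, or is mounted but not as read-only nullfs.
# Prints nothing when the jail matches the intended layout.
audit_ro_mounts() {
    mounts=$(cat)
    for d in $SHARED; do
        target="$JAILROOT/$1/$d"
        line=$(printf '%s\n' "$mounts" | grep -F " on $target (" || true)
        case "$line" in
            "")                      echo "missing: $target" ;;
            *"(nullfs"*"read-only"*) ;;
            *)                       echo "not read-only nullfs: $target" ;;
        esac
    done
}

# Constructed mount(8) output for a jail whose libexec was mounted without
# -o ro and whose usr was never mounted at all.
SAMPLE_MOUNTS='/dev/md0 on /local/jails/adcmw (ufs, local)
/local/jails/master/bin on /local/jails/adcmw/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/adcmw/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/adcmw/libexec (nullfs, local)
/local/jails/master/sbin on /local/jails/adcmw/sbin (nullfs, local, read-only)'

# On a live host:  mount | audit_ro_mounts adcmw
# Self-check against the constructed sample (reports libexec and usr):
printf '%s\n' "$SAMPLE_MOUNTS" | audit_ro_mounts adcmw
```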


More information about the freebsd-questions mailing list