Information on Setting up a Jailed Webserver

APseudoUtopia apseudoutopia at gmail.com
Thu Aug 27 16:28:48 UTC 2009


On Thu, Aug 27, 2009 at 11:03 AM, Adam Vande More <amvandemore at gmail.com> wrote:
> On Thu, Aug 27, 2009 at 9:13 AM, APseudoUtopia <apseudoutopia at gmail.com>
> wrote:
>>
>> On Wed, Aug 26, 2009 at 11:35 PM, Erich Dollansky <erich at apsara.com.sg>
>> wrote:
>> > Hi,
>> >
>> > On 27 August 2009 am 11:10:37 Adam Vande More wrote:
>> >> On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia
>> > <apseudoutopia at gmail.com> wrote:
>> >> >
>> >> > Also, how memory-intensive is a jail?
>> >>
>> >> Very light when compared to other virtualization methods.
>> >
>> > Jails share the kernel but not the world.
>> >
>> > So, there will be only one kernel loaded but all libraries in use
>> > will be loaded individually by each jail when needed.
>> >
>> > Jails need some more disk space, as the world, all libraries needed
>> > and all applications needed are installed individually in each
>> > jail.
>> >
>> > This can be minimised with proper planning of what runs in what
>> > jail.
>> >
>> > Erich
>> >
>>
>> Thanks for the helpful replies. I have a couple of questions:
>>
>> When a jail is compromised, the only thing I have to do to recover the
>> system is delete the jail and create a new one, correct? The host
>> system is untouched even if a jail is compromised?
>
> Really depends on how you're using the jail, but under standard usage yes.
>>
>>
>> And how does the upgrade process work? I know the userland must be the
>> same for the host system and the jail. If I want to upgrade to, say,
>> FreeBSD 8 when released, what is the process? I'd imagine it goes
>> something like this, but I'm not sure:
>> -Shut down jail
>> -Upgrade host system
>> -Install host binaries
>> -Install jail binaries
>> -Restart jail
>>
>> Or is there more to the process than what it seems?
>
> That's the basic process, however as mentioned before check out ezjail.  It
> makes administering multiple jails much easier and can save you disk space.
>>
>>
>> Thanks again.

Ok, thanks.

Two more questions then I should be ready to go with my jail(s).

In order to minimize the HDD space of the jail, can I add things in my
src.conf such as
WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF?
I do use pf on the host system, but it isn't needed inside the jail as
well, correct?

Also, is it possible to compile a port (specifically nginx) inside the
host, then simply cp it into the jail and run it? I'd like to do this
to avoid installing a compiler into the jail itself.

Thanks again for the help.