Aiza aiza21 at comclark.com
Mon Mar 22 00:21:41 UTC 2010

Mark Shroyer wrote:
> On 3/21/2010 1:10 AM, Aiza wrote:
>> I don't have sources installed on my system. Just use the binary
>> Freebsd-update function. At new releases I do a clean install.
>> I only have a single public IP address.
>> Now I would like to play with jails. One for postfix, apache, and ftp.
>> My reading of EZJAIL and the jails section of the handbook lead me to
>> believe I need a unique IP address for each jail. Is that correct?
> Yes.  But if you have only one public IP address, you can give the jail
> a loopback interface with an address in 127.0.0/24 or one of the RFC
> 1918 private blocks (there's some debate as to which is the more
> "correct" type of address to use, but either will work), then use NAT if
> you need your jail to be able to access the Internet.
> If it helps you to reason about this, keep in mind that your jail does
> *not* have its own virtualized network stack, like with Solaris Zones
> for instance.  The best way to think about your jails is as a group of
> processes running on the same operating system as the host, just with
> the restriction that (among other things) they can only communicate with
> the outside world using a limited subset of the IP addresses available
> to non-jailed processes.
Does the IP address notation for the jail include the port number?
NAT port forwarding seems like the long way around just to get
the correct port number to the jail IP address.

>> I have no need to build world or install world because it does this from
>> /usr/src which i don't install. Is there some EZJAIL option to just copy
>> over the running system binaries instead of the sources?
> Until recently, the method for creating ezjail's "basejail" was to issue
> the "ezjail-admin update" command, which compiles the basejail from
> /usr/src.  Just recently an "ezjail-admin install" command was added,
> which downloads binaries from a FreeBSD FTP server instead.  So you
> shouldn't need sources to get started, however I'm not sure what the
> update mechanism is if you use the install command.

I found that the ezjail-admin man page has this format:
ezjail-admin install -h file://   where -h file:// means get the
binaries from the host system the jails are running on.  Am I correct?

>> The handbook "15.4 Creating and Controlling Jails" talks about
>> “complete” jails, which resemble a real FreeBSD system, and “service”
>> jails, dedicated to one application or service. Section 15.4 is the
>> procedure for building a "complete jail" using the jail command.
>> The 15.6 Application of Jails (service jails) talks about creating a
>> root skeleton containing the host running files which are shared with
>> all the guest jails in read only mode. This eliminates the massive
>> duplication of running system files in each jail as in the complete jail
>> system talked about in handbook section "15.4 Creating and Controlling
>> Jails".
>> Now reading the ezjail man pages I see that ezjail also creates a base
>> template that is shared between all jails. Is this the same method
>> talked about in the handbook section 15.6 Application of Jails (service
>> jail)?
> It's essentially the same approach.  (With ezjail you'll still be
> duplicating binaries between the host system and the basejail, but I
> wouldn't lose sleep over it.)

My understanding of handbook section 15.6 Application of Jails
(service jails) is that a copy of the host binaries is populated into the
basejail and all the other jails have read only access to it. Each guest
jail also has a read/write space for installing ports/packages unique to
that jail, including /var /usr /etc.  Am I correct? Is this how ezjail is
configured now?

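The loopback-plus-NAT arrangement discussed in this thread, as an added example that is not part of the original post or of ezjail: the jail's address is only an address (it carries no port), so a single public IP is shared by giving the jail an RFC 1918 or 127/8 alias and letting pf(4) rdr rules decide which public ports land on it. The script below checks that a proposed jail address is non-routable and emits the matching pf nat/rdr/pass rules. The interface name em0 and the address 10.0.0.2 are constructed placeholders; the host still needs the alias itself (for example lo1 via cloned_interfaces in rc.conf) and pf enabled.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a jail address and
# emit the pf(4) rules that route selected ports of one public IP to it.
# Assumes pf as the host firewall; interface names and addresses are placeholders.

# Return 0 if ADDR is loopback (127/8) or RFC 1918 (10/8, 172.16/12,
# 192.168/16), the two address kinds the reply above recommends for a jail.
is_jail_local_addr() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac   # non-numeric octet
        [ "$o" -le 255 ] || return 1
    done
    if [ "$1" -eq 127 ] || [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Print pf.conf rules for one jail: outbound NAT plus one rdr per TCP port.
# Usage: pf_rules_for_jail <ext_if> <jail_ip> <port> [port ...]
pf_rules_for_jail() {
    ext_if=$1; jail_ip=$2; shift 2
    if ! is_jail_local_addr "$jail_ip"; then
        echo "refusing $jail_ip: jail address should be loopback or RFC 1918" >&2
        return 1
    fi
    # Outbound: hide the jail behind the host's public address.
    echo "nat on $ext_if from $jail_ip to any -> ($ext_if)"
    for port in "$@"; do
        # Inbound: rdr rewrites the destination before filtering, so the
        # pass rule that follows is written against the jail address.
        echo "rdr on $ext_if proto tcp from any to ($ext_if) port $port -> $jail_ip port $port"
        echo "pass in on $ext_if proto tcp from any to $jail_ip port $port"
    done
}

# Constructed demo: em0 is the host's public interface, 10.0.0.2 the alias
# placed on lo1 for a postfix jail (both placeholders, not real values).
pf_rules_for_jail em0 10.0.0.2 25
```

The printed lines belong in /etc/pf.conf (nat and rdr rules before the filter rules); the jail itself is created against the same address, e.g. ezjail-admin create with 10.0.0.2, and only the rdr lines decide which ports reach it. A public address is refused on purpose: a jail bound directly to the host's only public IP would compete with host daemons for the same ports.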