FBSD jail versus VMWare? What services do YOU run in a jail?

Michael Ross gmx at ross.cx
Fri Apr 25 17:47:21 UTC 2014

On Fri, 25 Apr 2014 18:46:12 +0200, Fbsd8 <fbsd8 at a1poweruser.com> wrote:

> Victor Sudakov wrote:
>> Fbsd8 wrote:
>>> As the number of running jails increases, the difficulty of managing  
>>> them also increases. ezjail has no provisions
>>> to address this problem. qjail on the other hand is designed from the  
>>> ground floor to simplify the administration of large scale jail  
>>> environments [1 to 2000+ jails].
>>  Where can I read more about the unique and advanced features of qjail
>> missing in ezjail?
> I have never come across a feature comparison between the two. But qjail  
> is a fork of an old ezjail-3.1 version so much of the feel is the same.
> http://svnweb.freebsd.org/ports/head/sysutils/qjail/pkg-descr?revision=HEAD
> This link is a good place to start, then pkg install qjail & ezjail and  
> read their man pages for the details you're looking for.
> For a more general background on jails  
> http://svnweb.freebsd.org/ports/head/sysutils/jail-primer/pkg-descr?revision=HEAD
> will bring you up to the current status as of release 9.2.
>>  I am especially interested in features which help update and upgrade
>> multiple jails and software therein.
>>  I must admit it's a bit of PITA in ezjail when it comes to upgrading
>> third party software. I have set up a pkg repository for that purpose,
>> but still I have to visit each jail individually and run "pkg upgrade"
>> from inside.

(ezjail user here)

Couldn't you create one "master" jail,
and nullfs-mount /usr/local/(s)bin from there to the other jails?

Or, two master jails, and a nullfs mount chain
master1-local-sbin mounted to <mountpoint> and mount /usr/local/sbin  
inside the jails there

update software in master2-local-sbin
change <mountpoint> mount from master1 to master2
restart ezjail

ls /usr/jails/myjail* | xargs -I% ezjail-admin console % -e pkg upgrade
(?, never tried)

> Jail updates are really 2 different arenas. You have the update of the  
> host system binaries and the update of ports.
> ezjail relies on the old "make buildworld" method.

Not necessarily:
ezjail-admin update -u
ezjail-admin update -U

Also note that qjail has a restrictive license - not allowed to fork  
without author's permission.


> qjail has function to refresh the sharedfs from the running host.
> You can use what ever method you want to update your host running system  
> and just copy the host running system to qjail. For maximum security and  
> reliability the host and the jails MUST be running the same release  
> level.
> The second arena is updating your installed ports. Before 10.0 and pkgng  
> this was always a time consuming task. Ports running in jails are bound  
> by the same requirements as running ports on the host. FreeBSD only  
> guarantees ports to function across minor releases, such as moving from  
> 9.0 to 9.1, but when moving across major releases such as moving from  
> 8.2 to 9.0 your inventory of installed ports has to be updated by  
> re-compiling using a current ports filesystem. This is also true for  
> jails. Basing your ports major release update plans on pkgng instead of  
> compiling the port and all its dependents is a great time saver. The  
> only reason to visit each jail individually is if each jail has  
> a different mix of installed ports. In large scale jail environments the  
> same port mix is often used in many jails and this is easy for qjail to  
> duplicate.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to  
> "freebsd-questions-unsubscribe at freebsd.org"
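
An added example, not part of the original message and not ezjail's or qjail's own code: one way to avoid visiting each jail by hand is to drive pkg(8) from the host with its -j option, skipping jails whose userland major release differs from the host's. It assumes pkg on the host, running jails visible by name in jls(8), and freebsd-version(1) inside each jail; the function names and DRY_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example: upgrade packages in every running jail from the host.
# Assumptions: pkg(8) is installed on the host, jls(8) reports jails by
# name, and freebsd-version(1) exists inside each jail.

# Major release number of a version string, e.g. "10.0-RELEASE-p1" -> "10".
release_major() {
    printf '%s\n' "${1%%.*}"
}

# Prints one "<jail> <result>" line per running jail and returns non-zero
# if any jail was skipped or failed. Set DRY_RUN=1 to only report.
upgrade_all_jails() {
    host_major=$(release_major "$(uname -r)")
    rc=0
    for jail in $(jls name); do
        # Userland version as seen inside the jail.
        if ! jail_ver=$(jexec "$jail" freebsd-version -u); then
            echo "$jail error"
            rc=1
            continue
        fi
        # Packages are built per major release, so a jail on a different
        # major release than the host is left alone for manual handling.
        if [ "$(release_major "$jail_ver")" != "$host_major" ]; then
            echo "$jail skipped"
            rc=1
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$jail would-upgrade"
        elif pkg -j "$jail" upgrade -y >/dev/null; then
            echo "$jail upgraded"
        else
            echo "$jail failed"
            rc=1
        fi
    done
    return $rc
}
```

Run `upgrade_all_jails` as root on the host; `DRY_RUN=1 upgrade_all_jails` reports the per-jail decision without calling pkg.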
