jails Docs - Chapter 17 - Jails - NullFS jail


I might be missing something - but if I follow this guide and I get to the point where I think I'm supposed to make these symbolic links - since we just moved the directories (usr, var etc) from the "base" to the "skeleton" in the steps before - and now I'm changed into the root for the 14.2-RELEASE-base, won't this create links to nothing?

Given the docs just said to do this, wouldn't the base directories now no longer be under base?
# mkdir -p /usr/local/jails/templates/14.2-RELEASE-skeleton/home
# mkdir -p /usr/local/jails/templates/14.2-RELEASE-skeleton/usr
# mv /usr/local/jails/templates/14.2-RELEASE-base/etc /usr/local/jails/templates/14.2-RELEASE-skeleton/etc
# mv /usr/local/jails/templates/14.2-RELEASE-base/usr/local /usr/local/jails/templates/14.2-RELEASE-skeleton/usr/local
# mv /usr/local/jails/templates/14.2-RELEASE-base/tmp /usr/local/jails/templates/14.2-RELEASE-skeleton/tmp
# mv /usr/local/jails/templates/14.2-RELEASE-base/var /usr/local/jails/templates/14.2-RELEASE-skeleton/var
# mv /usr/local/jails/templates/14.2-RELEASE-base/root /usr/local/jails/templates/14.2-RELEASE-skeleton/root

And then, in the next section of the docs, are we trying to "link" the skeleton versions of those files back into the base? Because it seems the next section has you change into the base directory, then try to create a symbolic link to the directories you just moved out to the skeleton?

In short - should it be something like this?
ln -s /usr/local/jails/templates/14.2-RELEASE-skeleton/etc etc

instead of the below?
# cd /usr/local/jails/templates/14.2-RELEASE-base/
# mkdir skeleton
# ln -s skeleton/etc etc
# ln -s skeleton/home home
# ln -s skeleton/root root
# ln -s ../skeleton/usr/local usr/local
# ln -s skeleton/tmp tmp
# ln -s skeleton/var var
 
I remember noticing that something was off in that section when I read it a year or two ago.

With ZFS and its intuitive snapshot/clone mechanism, creating thin jails is a piece of cake. And even with ZFS, thin jails are a bit special in some regards. But definitely manageable.

So in the end, I decided to simply not do thin jails on my UFS machine.

However, I do mount shared data with nullfs into my jails. Nullfs works splendidly for that.

For example, I have my FLAC files and my movies in my nextcloud jail, as well as in my emby jail. Works like a charm if one takes file ownership/permissions and user ids into account.
 
Never mind - I think I figured this part out. The actual jail is going to be a new directory in the jails directory. The container is just the filesystem clone I guess, and then we are going to mount that filesystem to the actual jail in the jails directory? Also, those symbolic links above? Maybe when I nullfs mount the directories from the skeleton into the actual jail in the jails directory - this will all auto-magically link.

For now - I'm going to strike out my question below and see if I can just work this out.

There is more funkiness in this section of the docs (I think - I am not a systems admin or anything - I just am trying to build this for a minecraft server for my grandkids).

But when you zfs clone the base into the directory structure that the guide is using (e.g., a containers directory for your jails)


# zfs snapshot zroot/jails/templates/14.2-RELEASE-skeleton@base
# zfs clone zroot/jails/templates/14.2-RELEASE-skeleton@base zroot/jails/containers/thinjail

The next step says this:

Then create the directory in which the base template and the skeleton will be mounted:

# mkdir -p /usr/local/jails/thinjail-nullfs-base

Is that right? What is this nullfs base jail in the "jails" directory, and how does it relate to the zfs cloned filesystem now in the containers directory?

Then the jails.conf entry has this, which doesn't reference the "containers" directory - it seems to point to the above thinjail-nullfs-base directory.


# HOSTNAME/PATH
host.hostname = "${name}";
path = "/usr/local/jails/${name}-nullfs-base";

And then, the fstab entry has this, but I don't see how this gets used by the cloned jail in the containers directory?

Line #1
Field 1: Device or File System to be mounted: /usr/local/jails/templates/14.2-RELEASE-base
Field 2: Mountpoint: /usr/local/jails/thinjail-nullfs-base/
Field 3: File System Type: nullfs
Field 4: Options: ro
Field 5: dump: 0
Field 6: fsck-order: 0

Line #2
Field 1: Device or File System to be mounted: /usr/local/jails/containers/thinjail
Field 2: Mountpoint: /usr/local/jails/thinjail-nullfs-base/skeleton
Field 3: File System Type: nullfs
Field 4: Options: rw
Field 5: dump: 0
Field 6: fsck-order: 0

/usr/local/jails/templates/14.2-RELEASE-base /usr/local/jails/thinjail-nullfs-base/ nullfs ro 0 0
/usr/local/jails/containers/thinjail /usr/local/jails/thinjail-nullfs-base/skeleton nullfs rw 0 0

So I'm not sure I am understanding at all how the containers cloned ZFS jail is being used in this guide.
 
Also - as it relates to my first post - I just didn't understand what was going on here I think. In the end, when you mount the nullfs filesystems for the base and the skeleton all in the same "directory" for the new jail, these symbolic links I "think" will just work, so the doc may very well be correct.
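The behaviour discussed in the posts above (links that point at nothing until the skeleton is mounted), as an added example that is not part of the thread or the handbook. It rebuilds the layout in a scratch directory with constructed paths and treats the base template directory itself as the jail root; because nullfs needs root on FreeBSD, a symlink stands in for the second fstab line (the rw mount of the clone onto `skeleton`).

```shell
#!/bin/sh
# Added example: models the handbook's thin-jail layout in a scratch directory.
# All paths are constructed; a symlink stands in for the nullfs mount.

build_layout() {
    top=$(mktemp -d) || return 1
    base="$top/templates/base"          # shared base template (ro in the real fstab)
    clone="$top/containers/thinjail"    # per-jail clone of the skeleton
    mkdir -p "$base/usr" "$clone/etc" "$clone/usr/local" "$clone/var"
    # The same relative links the handbook creates inside the base template.
    ( cd "$base" || exit 1
      mkdir skeleton
      ln -s skeleton/etc etc
      ln -s skeleton/var var
      ln -s ../skeleton/usr/local usr/local )
    echo "$top"
}

# Print how many of the links under $1 currently resolve to a directory.
count_resolving() {
    n=0
    for l in etc var usr/local; do
        if [ -d "$1/$l" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-in for: mount -t nullfs -o rw <clone> <jail root>/skeleton
fake_mount_skeleton() {
    rmdir "$1/templates/base/skeleton" &&
    ln -s "$1/containers/thinjail" "$1/templates/base/skeleton"
}

demo() {
    top=$(build_layout) || return 1
    before=$(count_resolving "$top/templates/base")
    fake_mount_skeleton "$top" || return 1
    after=$(count_resolving "$top/templates/base")
    rm -rf "$top"
    echo "$before $after"
}

demo   # prints "0 3"
```

The `usr/local` link needs the leading `../` because a relative symlink target is resolved from the directory that holds the link (`usr/`), not from the jail root.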
 
You're not the first one complaining about this handbook section. I looked once and concluded it's all bugged or at least very unclear.

If you want to know how to create nullfs jails, look into the sysutils/ezjail script. This is what I did to make my own.
Code:
(...)

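# $Jaildir/root becomes the jail's "/"; stop if it is missing.
cd "$Jaildir/root" || exit 1

echo "Copy files from base. It may take a while..."
mkdir usr
# Paths each jail keeps as its own private, writable copy.
tocopy='dev etc media mnt net proc root tmp usr/local usr/obj usr/tests var COPYRIGHT'
for d in $tocopy; do
    cp -Rp "$Jdir/base/$d" "$d"
done

echo "Create dir $Jaildir/root/base"
# Mountpoint for the read-only nullfs mount of the shared base.
mkdir base

echo 'Create links to base jail.'
# Absolute /base targets resolve inside the jail, where "/" is $Jaildir/root.
tolink='bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/src usr/share'
for dir in $tolink; do
    ln -s "/base/${dir}" "${dir}"
done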

(...)

Some explanations:
$Jaildir/root is the "/" of the jail.
$Jdir/base is the directory that contains the base.

In the fstab file of the jail, you need to mount the nullfs like this:
Code:
$Jdir/base $Jaildir/root/base nullfs ro 0 0
 