ezjail - setup questions

Using ezjail for some testing of jails which sets up the basejail and a lightjail by default. It seems these jails are never started but mounted with null to any new jail that is created. I want to:

1. Add some ports to the basejail (sudo for ex) so that it will propagate to all child jails. If I just chroot to the basejail folder and do some pkg_add, will all child folders be populated with the added ports? I think I need to chroot to the lightjail folder because the basejail does not have a /var folder, but then the links to /usr will not work. What is the best way to add ports to basejail?
2. Mount my ports folder into basejail using nullfs for purpose of Q1. I do not see the purpose of downloading a separate ports tree for jail as told in the documentation - but which jail's fstab (light or base) should I modify? This question is related to Q1 since I do not yet understand how base and light interact / call each others folders.
3. If I create a pxeboot jail for diskless clients, where (base, light, pxeboot) and how (cp ok?) should I place /boot/kernel?
 
1. Put your packages into /usr/jails/flavours/example/pkg/ and files into flavours/example/ and edit /usr/local/etc/ezjail.conf to include this flavour by default:
Code:
ezjail_default_flavour example
Or specify it for each creation: # ezjail-admin create -f example hostname IP
These packages are installed for every jail on create and files are copied to /usr/jails/hostname/.
Packages can be easily updated with your preferred method.
/usr/jails/basejail is mounted on hostname/basejail.
/usr/jails/newjail/ is copied over to hostname/ on creation.
flavours/example/etc/rc.d/ezjail.flavour.example is run on first start.

Modifying basejail by hand is also possible, but more cumbersome.
What is this lightjail all about?

2. Put your nullfs mounts for every jail inside /etc/fstab.hostname.
Code:
/usr/ports/distfiles /usr/jails/hostname/var/ports/distfiles nullfs rw 0 0
/usr/ports/packages /usr/jails/hostname/var/ports/packages nullfs rw 0 0
These mounts come in handy.
A separate ports tree is useful, if you are trying to fix Makefiles in your basejail portstree without harming your jailhost portstree.
portsnap(8) is used to populate the portstree in basejail, so fetching is only done once for /usr/ports and /usr/jails/basejail/usr/ports.

3. Unlink /usr/jails/hostname/boot and copy your boot to /usr/jails/hostname/
 
/usr/jails/basejail is mounted on hostname/basejail.
That cleared up a lot of things. I suspected the setup worked as such but wanted confirmation before I went ahead and botched things up. I was initially trying to figure out how to add packages directly to basejail, so that all such packages would be included in every flavour, and so that there would be no need for installs + updates of all separate jails. I see that such an idea is impossible because basejail and newjail have separate /usr folders. Any standard include port will have to go into newjail.

I looked through ezjail.conf, the flavours concept and "nullfs mounting for jails" before posting so I have a pretty good grasp on that stuff. ezjail fails to start if the ezjail_jaildir is changed to something else, btw.

What is this lightjail all about?
lightjail is the terminology used in FreeBSD jail(8); it is exactly the same thing as newjail or subsequent hostjails.

A separate ports tree is useful, if you are trying to fix Makefiles in your basejail portstree without harming your jailhost portstree.
No, I'm not. Plus, I really don't want a separate ports tree on my system. I also cannot portsnap since I have disabled the build in /etc/src.conf and the jailed world does not have it. I'll go with mount_nullfs -o ro of my existing tree. My builds take place outside of the jail and all builds are packaged into the pkg/All repository - so I have all the packages I need to install into the jails.

where and how should I place /boot/kernel
Once I understood that basejail is mounted into newjail, this also became clear since basejail has a full boot/kernel folder.

** This part is not really understood - you are saying I can install packages into the jail without chrooting to it but how exactly?
Put your packages into /usr/jails/flavours/example/pkg/
 
beeblebrox said:
ezjail fails to start if the ezjail_jaildir is changed to something else, btw.

http://www.freebsd.org/doc/en_us.iso8859-1/books/handbook/jails-application.html
Code:
Warning: The reason why the jail_name_rootdir variable is set to /usr/home instead of /home is that the physical path of the /home directory on a default FreeBSD installation is /usr/home. The jail_name_rootdir variable must not be set to a path which includes a symbolic link, otherwise the jails will refuse to start. Use the realpath(1) utility to determine a value which should be set to this variable. Please see the FreeBSD-SA-07:01.jail Security Advisory for more information.
If this is not the case, can you report this finding to the ezjail mailing list: mail to ezjail@erdgeist.org after subscribing to ezjail-subscribe@erdgeist.org

beeblebrox said:
lightjail is the terminology used in FreeBSD jail(8); it is exactly the same thing as newjail or subsequent hostjails.

I don't remember this terminology appearing to me while I was reading jail(8) related stuff.

beeblebrox said:
** This part is not really understood - you are saying I can install packages into the jail without chrooting to it but how exactly?

Not exactly, you can install packages only on first startup after creation of a jail with this method (put packages into flavours/example/pkg/).
But this might not work on 9.0-RELEASE yet.

If you're going to deploy more than a handful of jails something like sysutils/salt might be considered.

Regarding ports tree. Make sure that it is not mounted on /usr/jails/basejail/usr/ports.
Rather mount it inside each jail's PORTSDIR using /etc/fstab.hostname.
(and create this directory, if not existent; PORTSDIR is specified inside the jail's /etc/make.conf)
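As an added example (not code from the thread, from ezjail or from the handbook), this POSIX sh script writes the /etc/fstab.hostname described in point 2 of the first answer and at the end of this post, mounting the host package repository read-only the way beeblebrox wants, creating the mountpoints inside the jail, and applying the handbook's realpath(1) check so a jail base directory that passes through a symlink is refused before the jail itself refuses to start. The jail base, hostname, repository path and output directory are parameters; the function names nullfs_line, path_has_no_symlink and write_jail_fstab are my own, not ezjail's.

```shell
#!/bin/sh
# Added example, not ezjail's own code: generate /etc/fstab.<hostname> for one
# ezjail jail and refuse jail roots whose path goes through a symlink.

# Print one nullfs line.  $1 = jail root, $2 = host directory,
# $3 = mountpoint inside the jail, $4 = mount options (ro or rw).
nullfs_line() {
    printf '%s %s%s nullfs %s 0 0\n' "$2" "$1" "$3" "$4"
}

# Succeed only when $1 is already its own realpath(1), i.e. no component is a
# symlink.  A jail root containing a symlink refuses to start (handbook
# warning referring to FreeBSD-SA-07:01.jail).
path_has_no_symlink() {
    real=$(realpath "$1" 2>/dev/null) || return 1
    [ "$real" = "$1" ]
}

# Write the fstab for one jail and create its mountpoints.
# $1 = jail base directory (ezjail_jaildir, normally /usr/jails)
# $2 = jail hostname
# $3 = host package repository (e.g. /usr/ports/packages), mounted read-only
# $4 = directory receiving fstab.<hostname> (normally /etc)
# Prints the path of the file written; returns 1 on a symlinked jail base.
write_jail_fstab() {
    jailroot="$1/$2"
    out="$4/fstab.$2"
    if ! path_has_no_symlink "$1"; then
        echo "refusing $1: path contains a symlink, use realpath(1)" >&2
        return 1
    fi
    # Mountpoints must exist inside the jail before mount_nullfs can succeed.
    mkdir -p "$jailroot/var/ports/packages" "$jailroot/var/ports/distfiles"
    {
        # Host-built packages: read-only, the jail only needs pkg_add access.
        nullfs_line "$jailroot" "$3" /var/ports/packages ro
        # Shared distfiles as in the thread's example, writable.
        nullfs_line "$jailroot" /usr/ports/distfiles /var/ports/distfiles rw
    } > "$out"
    echo "$out"
}

# Typical call on the host (as root):
#   write_jail_fstab /usr/jails www /usr/ports/packages /etc
```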
 
The jail_name_rootdir variable must not be set to a path which includes a
symbolic link
Because symlinks are tricky, I always try to use the full, original path. I initially tried to put my jails into /usr/compat (not /compat) and the jails failed to start because they gave errors.

Regarding ports tree. Make sure that it is not mounted on /usr/jails/basejail/usr/ports.
Obvious, since both basejail/usr and newjail/usr exist separately and newjail/usr is not a link to basejail like the other folders. I am not giving port or source access to my jails, only access to the repository of host-compiled packages (normally under /usr/port/packages). The repository folder which is nullfs mounted into the jail is where pkg_add jobs look.
 