ZFS importance of different ZFS datasets in jails

I installed my base FreeBSD using the bsdinstall cmd which by default provides a bunch of datasets; however, whenever I set up my jails, I have been doing a single dataset except for my media or projects dataset.

My concern or question is, would it not be a good idea or best practice to have a similar structure as the host / base OS install? This is what is created by default:

/$ZFSBOOT_BEROOT_NAME mountpoint=none
/$ZFSBOOT_BEROOT_NAME/$ZFSBOOT_BOOTFS_NAME mountpoint=/

# Home directories separated so they are common to all BEs
/home mountpoint=/home

# Compress /tmp, allow exec but not setuid
/tmp mountpoint=/tmp,exec=on,setuid=off

# Don't mount /usr so that 'base' files go to the BEROOT
/usr mountpoint=/usr,canmount=off

# Ports tree
/usr/ports setuid=off

# Source tree (compressed)
/usr/src

# Create /var and friends
/var mountpoint=/var,canmount=off
/var/audit exec=off,setuid=off
/var/crash exec=off,setuid=off
/var/log exec=off,setuid=off
/var/mail atime=on
/var/tmp setuid=off
 
Depends on what you need. The value of having separate datasets is that you can manage them separately. i.e. if you have /home on a different dataset, you can create a fresh jail at /.

I don't personally feel the need to have as much slicing and dicing in the jails, but I do have /home and /var/db/* on different datasets.
 
> Depends on what you need. The value of having separate datasets is that you can manage them separately. i.e. if you have /home on a different dataset, you can create a fresh jail at /.
>
> I don't personally feel the need to have as much slicing and dicing in the jails, but I do have /home and /var/db/* on different datasets.

For me, a lot would have to do with "what is the purpose of the jail". Is it just a DNS server, just a Web server, do users log into it?
If users don't log into the jail, why have home at all?

> I don't personally feel the need to have as much slicing and dicing in the jails, but I do have /home and /var/db/* on different datasets.

Basically, this aligns with what I think.
 
I have 2 jails right now, my workstation, and my router which handles all of the networking responsibilities. The reason I asked this question was that there is some marginal benefit by having those separate data sets as illustrated above, but also, setuid is disabled for cache, audit, and log.

I suppose my main question is about setuid, can't that be a big security hole?

Secondly, back to my jails, I have 2 jails so that my 'host' system remains as small as can be and generally does not need to be patched. I leverage Boot Environments and every time there is any sort of update, I create a Boot Environment prior to applying the update so I can always roll back. With a small host system, I seldom need to reboot.
 