Jails, zfs quotas, and nullfs

Has anyone figured a good method for using jails following the method in section 15.6 of the Handbook while using zfs with quotas?

Right now each jailspace has its own zpool with a quota in /z/jail/${jail}. The mroot is just in the general pool without a quota also in /z/jail. I nullfs RO mount the mroot to /z/jail/mount/${jail} but the problem is the free disk space reported within the jail is that of mroot (which makes sense) and not that of the RW mount of the jail's jail space.

One seemingly unavoidable, unappealing alternative is to have the mroot physically be in /z/jail/${jail} along with the jailspace and the jail's actual mount point. Doing a nullfs mount all within the same zfs pool should correctly report the available disk as expected; however, this makes updating less appealing.

Am I over engineering this? Did I even articulate my problem well enough that anyone has an idea what I'm trying to do?
 
Why not just use ezjails, and before you create the jail make a zfs filesystem for it.

For example, if your jail dir is /usr/jails
Code:
# create the parent dataset (no trailing slash: zfs rejects it as a dataset name)
zfs create tank/jails
zfs set mountpoint=/usr/jails tank/jails
# one dataset per jail, created before ezjail populates the directory
zfs create tank/jails/newjail
ezjail-admin create newjail 10.0.0.1
 
Yes, I read the handbook. Did you read about ezjails?

ezjail does exactly that.


Overview (from http://erdgeist.org/arts/software/ezjail/ )

A Jail in FreeBSD-speak is one or more tasks with the same kernel Jail-ID, bound on a single IP address, having the same chroot-environment. One use case of the FreeBSD Jail Subsystem is to provide virtual FreeBSD-systems within a Host-system. ezjail is about making this as easy as possible, aiming for minimum system resource usage. All further references to the term Jail are to a virtual FreeBSD-system consisting of a host name, an IP-address and a Jail root.

The jail(8) man page outlines the way to create Jails; however, when you need several Jails, complete Jail Directory Trees quickly use much of your valuable hard disc space. ezjail avoids this by using FreeBSD's nullfs feature. Most of the base system (/bin, /boot, /sbin, /lib, /libexec, /rescue, /usr/{bin, include, lib, libexec, ports, sbin, share, src}) only exists in one copy in the Host-system and is mounted read only into all Jails via nullfs. Those Jails are quite slim (around 2mb each) and only consist of some soft links into the basejail mount point and non-shared directories like /etc, /usr/local, etc.

The ezjail approach offers lots of advantages:

* You save disc space, inodes and even memory since the system only needs to hold one copy of base system binaries for all Jails
* You can update all Jails on a single base directory, since it is so eazy, you might actually do it
* Intruders compromising Jails are unable to install standard rootkits (as the base system is mounted read only)
* Since ezjail is written entirely in sh, there is no need to install other script languages into the Host-system
* As the base system is provided via soft links, the enjailed users can choose not to use the mounted world
* An often underestimated fact: less complexity means more security.

It builds a basejail and mounts it ro using a bunch of symbolic links.

The basejail is in /usr/jails/basejail, which it mounts using the /etc/fstab.jailname file on /usr/jails/jailname/basejail.

Then it uses symbolic links to point to stuff in /usr/jails/jailname/basejail.

I also tend to use the /etc/fstab.jailname file to mount the base system /usr/src and /usr/ports (some of the ports need /usr/src, I don't think it's many) and I mount them ro just like the basejail.

By default, ezjail builds all ports in $JAIL/var/ports/ so mounting it ro is fine.

But even without using ezjails, you should be able to do what you're saying. Make a zfs filesystem, then make a dir inside of that to mount your basejail on ro, set up your links pointing to your stuff in the basejail and it will do basically the same thing as what I said in the first post.

Unless I am misunderstanding what you want to do.
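An added example, not from this thread or from ezjail itself: it writes the /etc/fstab.jailname entries described above (basejail, /usr/src and /usr/ports, all nullfs and ro) and audits such a file so that no nullfs mount has silently been left writable. It assumes /usr/jails as the jail root and a tank/jails parent dataset.

```shell
#!/bin/sh
# Added example (not ezjail's own code). Assumed layout: jails live under
# /usr/jails, one ZFS dataset per jail under tank/jails, basejail at
# /usr/jails/basejail.

JAILROOT=/usr/jails

# Create the per-jail dataset with a quota so df inside the jail reports
# the jail's own space. Only meaningful on a FreeBSD host with ZFS.
create_jail_dataset() {
    jail=$1
    quota=$2
    zfs create -o quota="$quota" "tank/jails/$jail"
}

# Print the /etc/fstab.<jail> lines: the shared base system and the
# host's /usr/src and /usr/ports, every one of them nullfs and read-only.
gen_jail_fstab() {
    jail=$1
    printf '%s/basejail %s/%s/basejail nullfs ro 0 0\n' \
        "$JAILROOT" "$JAILROOT" "$jail"
    printf '/usr/src %s/%s/usr/src nullfs ro 0 0\n' "$JAILROOT" "$jail"
    printf '/usr/ports %s/%s/usr/ports nullfs ro 0 0\n' "$JAILROOT" "$jail"
}

# Audit an fstab file: report every nullfs entry whose option list lacks
# "ro". Exit status 0 when all nullfs mounts are read-only, 1 otherwise.
audit_jail_fstab() {
    awk '
        $3 == "nullfs" {
            n = split($4, opts, ",")
            readonly = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") readonly = 1
            if (!readonly) { print "writable nullfs mount: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Usage on the host: gen_jail_fstab newjail > /etc/fstab.newjail, then audit_jail_fstab /etc/fstab.newjail before starting the jail.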
 
I skimmed the page far too quickly and completely missed the Overview. It appears to do what I need so I'll give it a go and see how it works.

Thanks for helping me to read.
 