Safe to run Poudriere on machine with jails?

I would like to run Poudriere on a server which has some iocage managed jails. My understanding is that Poudriere creates its own jails and would expect there shouldn't be any issues, but wonder if anyone has done a similar setup and if they ran into any surprises.

I have seen a few pages with running Poudriere inside of an existing Jail, but the configuration seems complex and not sure what would be the benefit. To avoid the time it takes Poudriere to spin up its jail?
 
Strongly suggest to run Poudriere in the main area rather than Jails. You can hard link folders with read-only from Poudriere's folder to Web Jail's folder so your jails or servers can download the packages from Poudriere. No external access to the main area. This is how I do it and it's secured.
 
You can start out with running poudrière on Host OS. It's easier to get by that way. For improved overall performance, you may want to use a jail. Yes, it will require some additional configs more than a regular jail would have required.

When poudrière runs in jail, you can be sure that it is isolated from the host, think of capsicum, etc. You can limit how much resources it consumes from the host, if anything goes wrong - e.g. resource deadlock, you may do without the jail until you are ready to reboot, and many more.
 
Strongly suggest to run Poudriere in the main area rather than Jails.

Thanks, that is what I was thinking as long as there were no conflicts. I currently have a poudriere server, but looking to upgrade to better hardware. Figure if I could run some jails in the machine too that would be useful since only will run Poudriere several times per week. All other time the machine would be idle.

Using Nginx to serve Poudriere and that is working well. Even if get jails in same machine will still keep Nginx so all machines, including remote, can use a single Poudriere.
 
When poudrière runs in jail, you can be sure that it is isolated from the host, think of capsicum, etc. You can limit how much resources it consumes from the host

That is a good point. Had not thought of that.

Performance will not be an issue since only plan to run Poudriere several times per week and plan to be moving to better hardware. Security is a good reason to later explore running from Jail. Resource management not so much a concern since the machine will be primarily for Poudriere. Whatever jails I put in there will be lightweight stuff (i.e. serving handful of web sites that hardly ever get any traffic).
 