Share MySQL socket across ezjails on ZFS root

So I have a web devel server in-house that also runs a groupware service, and for network topography reasons I needed each service to be in its own subnet / jail and to communicate with the jailed MySQL server via socket, not TCP.

This is actually very easy to do if you know a little about mounting filesystems but where it gets tricky for the uninformed is when ZFS is your base filesystem and the filesystem of your jails.

To the point, ZFS is not a clustering filesystem meaning it does not natively support moving data across different datasets. To share data across datasets you have to use nullfs() which is declared in the jail's fstab()

Thanks to Scott Alan Miller who I talked to through spiceworks.com for the ZFS backstory
http://www.smbitjournal.com/2014/05/the-cult-of-zfs/

Ezjail() makes setup and administration of jails very easy, and an added bonus is that it automagically creates an etc/fstab.jailname for every jail you create. Simply add your nullfs() mount(s) in the fstab and they get mounted when the jail starts.

Some points to remember:
  • nullfs acts as a virtual bridge that sits on top of the physical filesystem. The root mount is the parent and the share mount is the child, resulting in a flow of information from parent to child. This is important to know because if the mount is read only (ro) the only files the root will be able to see are the ones in the root directory. The child is not able to write to the parent unless you declare read / write (rw), so files on the child's end don't get passed back to the parent.
  • allowing jails to write information to the host is a security risk that pretty much negates the primary purpose of jailing. I do not recommend this practice in a public production environment if you value what's on your server.
  • if you need to delete a shared file, make sure you umount first, otherwise you'll get stuck in a loop where the file keeps reappearing (in rw nullfs mounts).

In my setup I have 3 jails: MySQL, Apache and egroupware.

I created a parent directory in the ezjail base directory and set ownership if needed:
/usr/jails/_jailshare (in my scenario I chmod() the directory to user "www")

and one child directory in each jail:
/usr/jails/mysql-db/tmp/_HostMnt
/usr/jails/www-devel/tmp/_HostMnt
/usr/jails/groupware/tmp/_HostMnt

and add a line in each jail's fstab:
Code:
/usr/jails/_jailshare /usr/jails/(jail name here)/tmp/_HostMnt nullfs rw 0 0

That's it... pretty simple
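
The fstab step above, written as a script. This is an added example and not part of the original post. The function names `add_nullfs_mount` and `list_rw_nullfs` are hypothetical helpers, not ezjail commands, and the fstab path is passed in by the caller. Because of the point above about writable mounts, the helper defaults to `ro`, so `rw` has to be requested explicitly, and the second function lists every `rw` nullfs entry for review.

```shell
#!/bin/sh
# Added example: both helpers are hypothetical, not part of ezjail.

# add_nullfs_mount FSTAB SRC DST [ro|rw]
# Create the mountpoint and append a nullfs entry to the jail's fstab,
# unless an entry for the same SRC and DST is already there.
add_nullfs_mount() {
    fstab=$1 src=$2 dst=$3 opts=${4:-ro}
    case $opts in
        ro|rw) ;;
        *) echo "unsupported options: $opts" >&2; return 2 ;;
    esac
    mkdir -p "$dst" || return 1
    # Already listed (with any options)? Leave the file untouched.
    if [ -f "$fstab" ] && awk -v s="$src" -v d="$dst" \
        '$1 == s && $2 == d && $3 == "nullfs" { found = 1 }
         END { exit !found }' "$fstab"
    then
        return 0
    fi
    printf '%s %s nullfs %s 0 0\n' "$src" "$dst" "$opts" >> "$fstab"
}

# list_rw_nullfs FSTAB...
# Print "file: source -> mountpoint" for every nullfs entry mounted rw,
# i.e. every place where a jail can write into the shared directory.
list_rw_nullfs() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            $1 ~ /^#/ { next }            # skip comment lines
            $3 == "nullfs" {
                n = split($4, o, ",")     # options are comma separated
                for (i = 1; i <= n; i++)
                    if (o[i] == "rw") { print f ": " $1 " -> " $2; break }
            }' "$f"
    done
}
```

Call `add_nullfs_mount` once per jail with that jail's fstab file and its tmp/_HostMnt directory, then run `list_rw_nullfs` over all the jail fstab files to see which jails can write to the share.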
 