You should search this list's archives for answers first.
In the list archives I found this.

http://subwiki.honeypot.net/cgi-bin/view/Freebsd/JailAdmin


http://jailnotes.cg.nu/

> Does anyone have any bright ideas for good file system layouts when
> running multiple jails?

        I won't say they are bright, but the ideas reflected in
        this layout are working well for me:

        /jails/ Home for most jail related material. Note I do not
                backup /jails every night as I do other partitions.
                (I do backup /data every night and you'll see below
                how I make use of that in a jail.)

                /jails is its own partition so if it fills, it will
                not cause problems for the host system.

        /jails/{jail_X}/
                The root for one specific jail. Of course if you
                have sets of jails, then /jails/jail_A/{cell_1,cell_2}
                and /jails/jail_B/{cell_10,cell_11} where cell_#
                is actually the root directory works well for
                keeping them well organized.

        /jails/etc/rc.d/
                Startup scripts (e.g. jail_X.sh) for all jails.

                If you augment $local_startup in /etc/rc.conf to
                include /jails/etc/rc.d then all the jails will be
                started automatically.

        /jails/bin/
                Jail management scripts.

           .../bin/JAIL_CTL.sh  A generic start, stop, enter, trace,
                                ps script.  Each jail's startup
                                script sets a bunch of environment
                                variables and then calls JAIL_CTL.

           .../bin/jail_clone   duplicates a jail.

           .../bin/jail_ps      runs ps for all the processes in
                                a specific jail.

        /jails/var/trace/
                Home for kdump traces of jail execution.

        /jails/template/
                A reference jail that I can clone in a few minutes'
                time. Much easier than running (make world) every
                time I need a new jail.

        /data/jails/{jail_X}/
                If there is a /data/jails/{jail_X} present, then
                it is automatically mounted as /jails/{jail_X}/data
                when the jail is started. That way the /data
                directory in a jail can be treated separately
                from the rest of the jail.

                One caveat if you do this. Multiple jails, each
                with their own uid space, will rapidly overlap in
                the host's uid space. To avoid this, my jail creation
                script hashes the jail's IP address to create a
                (relatively) unique starting point for that jail's
                uids. That starting uid is placed in the jail's
                /etc/adduser.conf as $uid_start. This minimizes the
                chances that uids will collide.

        /data/jails/{jail_X}/home/
                Symlink to /data/home (in the jail of course). If
                /data/jails/{jail_X} is mounted on the jail's /data,
                then the home partition in the jail is actually
                coming from /data of the host and therefore will
                be backed up on a regular basis.

        /data/jails/{jail_X}/proc/
                If it is present, then /proc is mounted on this
                directory when a jail is started and unmounted when
                it is stopped.


> How do I stop /var/log in one of the jails from filling up the whole
> drive and affecting the rest without giving each jail its own
> partition?
>
> Is it possible to somehow set a quota on how large a particular
> directory can get?

        About all I can think of is to make a directory, and all its
        subordinate directories, owned by a specific user. You can
        then have per user quotas.

        For the specific example of /var/log, you'd have to set the
        user to be root_X and then set the user-ID-on-execution bit
        (see chmod(1) or chmod(2)) on /var/log so that all new files
        and directories created under it would also be owned by root_X.

        I suspect you'd have to pre-populate your /var/log directory
        and chown everything to root_X. If you then change everything
        there to have world write permissions then root in the jail
        can update the files. Having world write access is a bad
        idea, but it's your trade-off to consider.
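The uid_start idea from the layout above, written out as an added POSIX sh example (not code from the thread or from the poster's own jail scripts): it maps a jail's IPv4 address into one of 50 blocks of 1000 uids starting at 10000, records the result in that jail's /etc/adduser.conf, and warns when another jail under the same root already claims the block. The /jails-style root, the 10000-59999 window and the block size are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread: derive uid_start
# from a jail's IP address, record it in the jail's /etc/adduser.conf,
# and flag jails whose uid blocks would overlap. The 10000-59999
# window and 1000-uid blocks are assumptions.

# Map a dotted-quad IPv4 address to the start of a 1000-uid block.
# Only the block index is kept, so two addresses can land in the
# same block: "relatively" unique, as the layout above puts it.
uid_start_for_ip() {
    ip=$1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    ipnum=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    echo $(( 10000 + (ipnum % 50) * 1000 ))
}

# Return 1 if another jail under $1 already records uid_start $3.
check_uid_collision() {
    jails_root=$1; this_jail=$2; start=$3; rc=0
    for conf in "$jails_root"/*/etc/adduser.conf; do
        [ -f "$conf" ] || continue
        case $conf in "$jails_root/$this_jail/"*) continue ;; esac
        if grep -qx "uid_start=$start" "$conf"; then
            echo "uid_start $start for $this_jail collides with $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# Write uid_start for jail $2 (address $3) under $1/$2/etc, then
# check it against every other jail's adduser.conf.
set_jail_uid_start() {
    jails_root=$1; jail=$2
    start=$(uid_start_for_ip "$3") || return 1
    conf="$jails_root/$jail/etc/adduser.conf"
    mkdir -p "$jails_root/$jail/etc"
    if [ -f "$conf" ]; then   # replace any earlier uid_start line
        grep -v '^uid_start=' "$conf" > "$conf.tmp" || true
        mv "$conf.tmp" "$conf"
    fi
    echo "uid_start=$start" >> "$conf"
    check_uid_collision "$jails_root" "$jail" "$start"
}
```

A non-zero exit from set_jail_uid_start means the block is already in use, which is the moment to pick a different address or hand-assign uid_start rather than let the two jails' uids overlap on the host.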

Managing passwd in a jailed env.
Well, I have the answer. I just ran across the pw
command and looked it up. Guess what I found.

pw -V etcdir

daoh!

pw -V /usr/jail1/etc adduser bubba

daoh, daoh!!

pw -V /usr/jail1/etc usermod bubba -h 0
New password for user bubba:

dd if=/dev/daoh of=/dev/stdout bs=1048576 count=1

So, to sum up, pw does everything I need to manage
users in a jail from outside of the jail.

I knew there was something out there to do this with.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Ding
Sent: Sunday, April 03, 2005 7:23 PM
To: [email protected]
Subject: looking for jail tutorial

Hello,

Running 5.3-p6 on a box with two NICs.

I'm new to the list and FreeBSD in general. I'm trying
to find more documentation on jail(8) than is offered
in the man page. (I checked the Handbook but couldn't
find anything about jails. Did I miss it?) For
instance, the man page says:

NOTE: It is important that only appropriate device nodes in devfs be
exposed to a jail; access to disk devices in the jail may permit
processes in the jail to bypass the jail sandboxing by modifying files
outside of the jail.

How do I know what the "appropriate device nodes" are
for a given jail? I want to run four jails: two
webservers, DNS, mail. After testing, the DNS and
email jails will be shut down and the services moved to
separate machines.

Also, do I configure identical hosts files on each?
Should the jails be on different subnets for added
security, or can they all be on the same subnet as the
host machine?

Any help you can give would be appreciated!

Thanx,

Bill

The word 'politics' describes the situation so well:
'poli' meaning 'many' and 'tics' meaning 'bloodsucking
creatures'.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"
