Re: /etc/jail.conf documentation?

2015-10-28 Thread Michael B. Eichorn
On Wed, 2015-10-28 at 13:27 -0400, Ernie Luzar wrote:
> Valeri Galtsev wrote:
> > Dear All,
> > 
> > Can someone recommend something similar to FreeBSD handbook that
> > describes
> > building jails for newer systems meaning /etc/jail.conf as opposed to
> > /etc/rc.conf which handbook currently has in its jails chapter. I
> > still
> > have all jail configurations on 9.3 boxes in /etc/rc.conf, but it is
> > time
> > to build 10.x production boxes, and do things modern way (implying
> > /etc/jail.conf). I still intend to keep building jails "old fashion
> > way"
> > as described in handbook, as opposed to using tools "ezjail" or
> > similar.
> > 
> > Thanks for all your advises!
> > 
> > Valeri
> > 
> 
> Check out the jail-primer and qjail port.

(adding freebsd-jail list)

Ernie, I don't think that this is what Valeri was looking for. Those are
both jail-management utilities not really documentation on using jail(8)
via configuration using jail.conf(5).

I would indeed be interested in a modern best-practices guide for
using the base system jail management tools.



Re: /etc/jail.conf documentation?

2015-10-28 Thread Valeri Galtsev

On Wed, October 28, 2015 1:41 pm, Michael B. Eichorn wrote:
> On Wed, 2015-10-28 at 13:27 -0400, Ernie Luzar wrote:
>> Valeri Galtsev wrote:
>> > Dear All,
>> >
>> > Can someone recommend something similar to FreeBSD handbook that
>> > describes
>> > building jails for newer systems meaning /etc/jail.conf as opposed to
>> > /etc/rc.conf which handbook currently has in its jails chapter. I
>> > still
>> > have all jail configurations on 9.3 boxes in /etc/rc.conf, but it is
>> > time
>> > to build 10.x production boxes, and do things modern way (implying
>> > /etc/jail.conf). I still intend to keep building jails "old fashion
>> > way"
>> > as described in handbook, as opposed to using tools "ezjail" or
>> > similar.
>> >
>> > Thanks for all your advises!
>> >
>> > Valeri
>> >
>>
>> Check out the jail-primer and qjail port.
>
> (adding freebsd-jail list)
>
> Ernie, I don't think that this is what Valeri was looking for. Those are
> both jail-management utilities not really documentation on using jail(8)
> via configuration using jail.conf(5).
>
> I would indeed be interested in a modern best-practices guide for
> using the base system jail management tools.

Michael, thanks for your comment. You certainly are right.

Ernie, thanks for your pointers. They are not exactly a chapter on how to
do the whole jail manually new style - exactly as Michael says - similar
to what is found in FreeBSD handbook (alas, for old style). However,
thanks to your pointer, I've found http://jail-primer.sourceforge.net/
which at a first glance looks comprehensive and decent reading, and
combined with my experience of setting up jails "by the book" in the past,
is sufficient for me to do the same /etc/jail.conf way - I've got one
running already; it will need some careful walkover still, but I'm in
business.

Thanks again for your insights and help, Ernie and Michael!

Valeri


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247

___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: Ip not configured on local interface

2015-10-28 Thread James Lodge
>Hello,
>
>I'm running a FreeBSD 10.2 system and running jails created by ezjail.
>I'm getting an error on jail creation that the IP selected for the
>jail is not configured on any local interface, for example
>192.168.0.1.
>
>This machine has only a single NIC connected to the network and I'm
>cloning it repeatedly to a lo1 interface.
>
>After reading list traffic I'm wondering if my method, which I last
>used several years back in the 5.4 days, is no longer valid.
>Performance on my jails is sluggish, sometimes they have a hard time
>reaching the internet sometimes they don't work at all, for example I
>have a caching nameserver defined on the 192.168.x.x subnet and jails
>on that subnet can't reach it.
>
>Is there something better out there than ezjail? If so, how hard will
>it be to migrate configurations over? I've got two jails, the first
>the caching nameserver, the second a web server/test server with a
>great many packages.
>
>Thanks.
>Dave.

Hi Dave,

So you cloned lo1. Is the IP of the error-prone jail an alias address on the
lo1 interface, or does any interface reside on the subnet 192.168.0.0/24?

Here is my lo1 interface that my ezjails use. One alias for each jail.

lo1: flags=8049 metric 0 mtu 16384
options=63
inet 172.16.1.2 netmask 0x
inet 172.16.1.3 netmask 0x
inet 172.16.1.4 netmask 0x
inet 172.16.1.5 netmask 0x
inet 172.16.1.6 netmask 0x
inet 172.16.1.7 netmask 0x
inet 172.16.1.8 netmask 0x
inet 172.16.1.9 netmask 0x
inet 172.16.1.10 netmask 0x
nd6 options=29

Regards
James 


Ip not configured on local interface

2015-10-28 Thread David Mehler
Hello,

I'm running a FreeBSD 10.2 system and running jails created by ezjail.
I'm getting an error on jail creation that the IP selected for the
jail is not configured on any local interface, for example
192.168.0.1.

This machine has only a single NIC connected to the network and I'm
cloning it repeatedly to a lo1 interface.

After reading list traffic I'm wondering if my method, which I last
used several years back in the 5.4 days, is no longer valid.
Performance on my jails is sluggish, sometimes they have a hard time
reaching the internet sometimes they don't work at all, for example I
have a caching nameserver defined on the 192.168.x.x subnet and jails
on that subnet can't reach it.

Is there something better out there than ezjail? If so, how hard will
it be to migrate configurations over? I've got two jails, the first
the caching nameserver, the second a web server/test server with a
great many packages.

Thanks.
Dave.


Re: /etc/jail.conf documentation?

2015-10-28 Thread Philip Jocks

> On 28.10.2015 at 22:05, Miroslav Lachman <000.f...@quip.cz> wrote:
> 
> Valeri Galtsev wrote on 10/28/2015 21:25:
>> 
>> On Wed, October 28, 2015 1:41 pm, Michael B. Eichorn wrote:
>>> On Wed, 2015-10-28 at 13:27 -0400, Ernie Luzar wrote:
>>>> Valeri Galtsev wrote:
>>>>> Dear All,
>>>>> 
>>>>> Can someone recommend something similar to FreeBSD handbook that
>>>>> describes
>>>>> building jails for newer systems meaning /etc/jail.conf as opposed to
>>>>> /etc/rc.conf which handbook currently has in its jails chapter. I
>>>>> still
>>>>> have all jail configurations on 9.3 boxes in /etc/rc.conf, but it is
>>>>> time
>>>>> to build 10.x production boxes, and do things modern way (implying
>>>>> /etc/jail.conf). I still intend to keep building jails "old fashion
>>>>> way"
>>>>> as described in handbook, as opposed to using tools "ezjail" or
>>>>> similar.
>>>>> 
>>>>> Thanks for all your advises!
>>>>> 
>>>>> Valeri
>>>>> 
>>>> 
>>>> Check out the jail-primer and qjail port.
>>> 
>>> (adding freebsd-jail list)
>>> 
>>> Ernie, I don't think that this is what Valeri was looking for. Those are
>>> both jail-management utilities not really documentation on using jail(8)
>>> via configuration using jail.conf(5).
>>> 
>>> I would indeed be interested in a modern best-practices guide for
>>> using the base system jail management tools.
>> 
>> Michael, thanks for your comment. You certainly are right.
>> 
>> Ernie, thanks for your pointers. They are not exactly a chapter on how to
>> do the whole jail manually new style - exactly as Michael says - similar
>> to what is found in FreeBSD handbook (alas, for old style). However,
>> thanks to your pointer, I've found http://jail-primer.sourceforge.net/
>> which at a first glance looks comprehensive and decent reading, and
>> combined with my experience of setting up jails "by the book" in the past,
>> is sufficient for me to do the same /etc/jail.conf way - I've got one
>> running already; it will need some careful walkover still, but I'm in
>> business.
> 
> You can do your work with jails the same way (creation, updating, 
> upgrading...). You just need to convert your rc.conf configuration in to 
> jail.conf, which is more flexible.
> Automatic conversion (by rc.d/jail from FreeBSD 10.x) didn't work for me. 
> Manual creation of jail.conf was easy.

we currently use ezjail and on other boxes we roughly do it like this:

http://savagedlight.me/2014/03/14/freebsd-jail-server-with-zfs-clone-and-jail-conf/

at least, that’s pretty close to how we do it. On UFS based systems we use 
cpdup instead of the ZFS cloning.

For upgrades, we use Matt Simerson’s very nice `jailmanage` script:

https://www.tnpi.net/computing/freebsd/jail_manage.txt

which is pretty straight forward and just helps you with things (running 
freebsd-update etc) and doesn’t lock you in. Our jail.conf looks like this:

--
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";

jailname {
  host.hostname = 'jailname';
  ip4.addr = x.x.x.x;
}
--

and then we just repeat the jailname-blocks. `jailmanage` expects each block to 
start like this.

HTH,

Philip
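
The rc.conf to jail.conf conversion that Miroslav describes doing by hand, as an added example (not part of any poster's message and not the rc.d/jail converter): it maps the legacy jail_<name>_rootdir, _hostname, _ip, _interface and _devfs_enable variables to path, host.hostname, ip4.addr, interface and mount.devfs. The sample rc.conf content and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: map legacy rc.conf jail_* variables to jail.conf(5) blocks.
# Constructed sample input; jail names, paths and addresses are placeholders.
SAMPLE_RC_CONF='jail_enable="YES"
jail_list="dns www"
jail_dns_rootdir="/usr/jails/dns"
jail_dns_hostname="dns.example.org"
jail_dns_ip="192.0.2.10"
jail_dns_devfs_enable="YES"
jail_www_rootdir="/usr/jails/www"
jail_www_hostname="www.example.org"
jail_www_ip="192.0.2.11"
jail_www_interface="lo1"'

# rc_get TEXT VAR: print the value of the last VAR="value" line (empty if unset)
rc_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" | tail -n 1
}

# rcconf_to_jailconf TEXT: print global defaults plus one block per jail_list entry
rcconf_to_jailconf() {
    rc=$1
    printf 'exec.start = "/bin/sh /etc/rc";\n'
    printf 'exec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf 'exec.clean;\n'
    for j in $(rc_get "$rc" jail_list); do
        path=$(rc_get "$rc" "jail_${j}_rootdir")
        host=$(rc_get "$rc" "jail_${j}_hostname")
        ip=$(rc_get "$rc" "jail_${j}_ip")
        ifc=$(rc_get "$rc" "jail_${j}_interface")
        devfs=$(rc_get "$rc" "jail_${j}_devfs_enable")
        if [ -z "$path" ] || [ -z "$host" ] || [ -z "$ip" ]; then
            echo "jail $j: rootdir, hostname and ip must all be set" >&2
            return 1
        fi
        printf '\n%s {\n' "$j"
        printf '  path = "%s";\n' "$path"
        printf '  host.hostname = "%s";\n' "$host"
        printf '  ip4.addr = "%s";\n' "$ip"
        if [ -n "$ifc" ]; then printf '  interface = "%s";\n' "$ifc"; fi
        case $devfs in
            [Yy][Ee][Ss]) printf '  mount.devfs;\n' ;;
        esac
        printf '}\n'
    done
}

# Stand-alone run: print the converted sample.
rcconf_to_jailconf "$SAMPLE_RC_CONF"
```

A jail whose rc.conf entry lacks rootdir, hostname or ip makes the function stop with a non-zero status instead of emitting a partial block.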

Re: Ip not configured on local interface

2015-10-28 Thread Allan Jude
On 2015-10-28 17:04, David Mehler wrote:
> Hello,
> 
> I'm running a FreeBSD 10.2 system and running jails created by ezjail.
> I'm getting an error on jail creation that the IP selected for the
> jail is not configured on any local interface, for example
> 192.168.0.1.
> 
> This machine has only a single NIC connected to the network and I'm
> cloning it repeatedly to a lo1 interface.
> 
> After reading list traffic I'm wondering if my method, which I last
> used several years back in the 5.4 days, is no longer valid.
> Performance on my jails is sluggish, sometimes they have a hard time
> reaching the internet sometimes they don't work at all, for example I
> have a caching nameserver defined on the 192.168.x.x subnet and jails
> on that subnet can't reach it.
> 
> Is there something better out there than ezjail? If so, how hard will
> it be to migrate configurations over? I've got two jails, the first
> the caching nameserver, the second a web server/test server with a
> great many packages.
> 
> Thanks.
> Dave.
> 

In ezjail, if you just define the IP address as lo1|192.168.0.1
the jail system will automatically create the alias on that interface
when the jail starts, and remove it when the jail stops. It is much
easier than manually managing the interfaces.

-- 
Allan Jude
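
A check for the condition behind David's error, as an added example that is not from ezjail or from any poster: a bare address has to be configured on a local interface already, while the interface|address form Allan describes has its alias added when the jail starts. The ifconfig sample, the jail names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify jail addresses against the host's configured addresses.
# Constructed sample of `ifconfig lo1` output; addresses are placeholders.
SAMPLE_IFCONFIG='lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 172.16.1.2 netmask 0xffffffff
        inet 172.16.1.3 netmask 0xffffffff
        inet 172.16.1.10 netmask 0xffffffff'

# local_inet_addrs IFCONFIG_TEXT: print one configured IPv4 address per line
local_inet_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# classify_jail_ip SPEC IFCONFIG_TEXT
#   SPEC is an address setting: "addr", "addr/prefix" or "iface|addr"
#   prints auto    - iface|addr form, alias is added when the jail starts
#          present - addr is already configured on a local interface
#          missing - addr is not configured on any local interface
classify_jail_ip() {
    spec=$1
    case $spec in
        *'|'*) echo auto; return 0 ;;
    esac
    addr=${spec%%/*}    # drop an optional /prefix before comparing
    # -x and -F: whole-line literal match, so 172.16.1.1 does not match 172.16.1.10
    if local_inet_addrs "$2" | grep -qxF "$addr"; then
        echo present
    else
        echo missing
    fi
}

# audit_jails IFCONFIG_TEXT: read "name spec" lines on stdin, print "name spec status"
audit_jails() {
    while read -r name spec; do
        [ -n "$name" ] || continue
        printf '%s %s %s\n' "$name" "$spec" "$(classify_jail_ip "$spec" "$1")"
    done
}

# Stand-alone run over three constructed jails.
audit_jails "$SAMPLE_IFCONFIG" <<'EOF'
dns 172.16.1.2
web 192.168.0.1
test lo1|192.168.0.1
EOF
```

On a live host the second argument would be the output of ifconfig rather than the embedded sample.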


