Re: started playing with jails
--On Wednesday, March 21, 2007 15:58:42 -0500 Jonathan Horne [EMAIL PROTECTED] wrote:

> Ah, now that you mention it I do recall discussions of multiple instances peeing in each others pools so to speak. I also thought there was discussion of how to fix it, but have no idea where that went if anywhere... A single instance inside a jail does work quite happily if the knob above is set.

To deal with this, all you need to do is make sure that the UID of the postgresql process in each jail is different ...

- 
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]                              MSN . [EMAIL PROTECTED]
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: started playing with jails
another quick jails question: in my VMware environment, it's quite common to create a VM on one machine, and then take the VM's files and move them to another machine. how well would this work with a jail? say, so tar the entire root directory of the jail, and move/untar on to another server?

thanks,
jonathan
Re: started playing with jails
In response to Jonathan Horne [EMAIL PROTECTED]:

> another quick jails question: in my VMware environment, it's quite common to create a VM on one machine, and then take the VM's files and move them to another machine. how well would this work with a jail? say, so tar the entire root directory of the jail, and move/untar on to another server?

In theory, it should work fine. I've never tried it. I expect you'll need to have _exactly_ the same versions of FreeBSD on each machine.

-- 
Bill Moran
http://www.potentialtech.com
started playing with jails
i started playing with jails today, and after following and re-following the man page and the freebsddiary article a few times, i finally got it to work! i have one jail that starts on startup, and actually the hump i was getting over was getting the jail to actually kick off the sshd daemon. all that is working, and i can reboot my host, and then log into the jail that auto-starts via ssh.

a couple of general questions that i cannot find the answers to:

1) if i want more than one jail, what is the proper syntax in the host's /etc/rc.conf file for the jail_list=jailed statement? multiple jail_list lines, or a single line that specifies more than one jail?

2) what happens to a jail when i 'shutdown -p now' on the host? what caveats do i need to watch for when rebooting or shutting down the host?

3) i would like to build some ports in my jailed process, but for my environment, this requires mounting the export from my main box on my network. so far, i am not able to mount a NFS share to /usr/ports (mount_nfs: /usr/ports: Operation not permitted).

so far so good, and I'm hoping i can find some interesting uses for jails on my network!

thanks,
jonathan
Re: started playing with jails
In response to Jonathan Horne [EMAIL PROTECTED]:

> i started playing with jails today, and after following and re-following the man page and the freebsddiary article a few times, i finally got it to work! i have one jail that starts on startup, and actually the hump i was getting over was getting the jail to actually kick off the sshd daemon. all that is working, and i can reboot my host, and then log into the jail that auto-starts via ssh.
>
> a couple of general questions that i cannot find the answers to:
>
> 1) if i want more than one jail, what is the proper syntax in the host's /etc/rc.conf file for the jail_list=jailed statement? multiple jail_list lines, or a single line that specifies more than one jail?
>
> 2) what happens to a jail when i 'shutdown -p now' on the host? what caveats do i need to watch for when rebooting or shutting down the host?
>
> 3) i would like to build some ports in my jailed process, but for my environment, this requires mounting the export from my main box on my network. so far, i am not able to mount a NFS share to /usr/ports (mount_nfs: /usr/ports: Operation not permitted).

If you're shooting purely for usability, I recommend the ezjail port, which adds some additional admin scripts on top of the stock jail system that (in my opinion) make things a lot easier.

-- 
Bill Moran
http://www.potentialtech.com
Re: started playing with jails
Jonathan Horne wrote:
> i started playing with jails today, and after following and re-following the man page and the freebsddiary article a few times, i finally got it to work! i have one jail that starts on startup, and actually the hump i was getting over was getting the jail to actually kick off the sshd daemon. all that is working, and i can reboot my host, and then log into the jail that auto-starts via ssh.
>
> a couple of general questions that i cannot find the answers to:

First let me say that you may be interested in sysutils/ezjail which takes care of creating and managing of multiple jails. Have a look at http://erdgeist.org/arts/software/ezjail/

> 1) if i want more than one jail, what is the proper syntax in the host's /etc/rc.conf file for the jail_list=jailed statement? multiple jail_list lines, or a single line that specifies more than one jail?

$ grep jail_list= /etc/defaults/rc.conf
jail_list=""                    # Space separated list of names of jails

> 2) what happens to a jail when i 'shutdown -p now' on the host? what caveats do i need to watch for when rebooting or shutting down the host?

I use multiple jails (max 3 per host) and never had any problems with that. I use ezjail, so jails are started/stopped by rc.d script. You may wait for more technical answer for that, though.

> 3) i would like to build some ports in my jailed process, but for my environment, this requires mounting the export from my main box on my network. so far, i am not able to mount a NFS share to /usr/ports (mount_nfs: /usr/ports: Operation not permitted).

I'm not really experienced with NFS but how about mounting NFS share in /usr/ports on host system and then using mount_nullfs to mount that into jails? Just like ezjail uses mount_nullfs to mount host's /usr/ports into jails.

HTH,
Karol

-- 
Karol Kwiatkowski     karol.kwiat at gmail dot com
OpenPGP 0x06E09309
Re: started playing with jails
> Jonathan Horne wrote:
>> i started playing with jails today, and after following and re-following the man page and the freebsddiary article a few times, i finally got it to work! i have one jail that starts on startup, and actually the hump i was getting over was getting the jail to actually kick off the sshd daemon. all that is working, and i can reboot my host, and then log into the jail that auto-starts via ssh.
>>
>> a couple of general questions that i cannot find the answers to:
>
> First let me say that you may be interested in sysutils/ezjail which takes care of creating and managing of multiple jails. Have a look at http://erdgeist.org/arts/software/ezjail/
>
>> 1) if i want more than one jail, what is the proper syntax in the host's /etc/rc.conf file for the jail_list=jailed statement? multiple jail_list lines, or a single line that specifies more than one jail?
>
> $ grep jail_list= /etc/defaults/rc.conf
> jail_list=""                    # Space separated list of names of jails
>
>> 2) what happens to a jail when i 'shutdown -p now' on the host? what caveats do i need to watch for when rebooting or shutting down the host?
>
> I use multiple jails (max 3 per host) and never had any problems with that. I use ezjail, so jails are started/stopped by rc.d script. You may wait for more technical answer for that, though.
>
>> 3) i would like to build some ports in my jailed process, but for my environment, this requires mounting the export from my main box on my network. so far, i am not able to mount a NFS share to /usr/ports (mount_nfs: /usr/ports: Operation not permitted).
>
> I'm not really experienced with NFS but how about mounting NFS share in /usr/ports on host system and then using mount_nullfs to mount that into jails? Just like ezjail uses mount_nullfs to mount host's /usr/ports into jails.
>
> HTH,
> Karol
>
> -- 
> Karol Kwiatkowski     karol.kwiat at gmail dot com
> OpenPGP 0x06E09309

ah thank you bill and karol. the mount_nullfs did work for mounting my ports, and away it goes!

I'll take a look at ezjail too, that sounds like a neat tool. ok, here are a couple other questions:

4) what about kernel and system updates? i would assume that i would have to manually update these jails when i buildworld and kernel for other systems as well (ie, that updating the host would not also update the jails)?

5) how about memory? is it basically one giant shared pool of physical memory between the host and guests? is there any sort of memory target that i should try to meet in order to have my jails run the best they can (or a ratio of memory to host/jails)?

finally, i suppose the best configuration might be to have my host just a minimal install (avoiding anything that i don't need to function), and have my jails set up as my service-providing hosts? and are there any services that just don't work well in a jail (i think i can see NFS being one).

thanks all,
jonathan
Re: started playing with jails
In response to Jonathan Horne [EMAIL PROTECTED]:

> 4) what about kernel and system updates? i would assume that i would have to manually update these jails when i buildworld and kernel for other systems as well (ie, that updating the host would not also update the jails)?

Yes, except this is another place where the ezjail port makes life a breeze. ezjail pretty much automates upgrading all your jails at once (except ports).

> 5) how about memory? is it basically one giant shared pool of physical memory between the host and guests? is there any sort of memory target that i should try to meet in order to have my jails run the best they can (or a ratio of memory to host/jails)?

There's no hard and fast rule that I know of. The more stuff you run in each jail, the more each of those will require. If you run relatively lightweight jails, you don't need as much.

I've documented some of the stuff I learned here: http://people.collaborativefusion.com/~wmoran/howtos/sshdinjail.html

It only describes creating a lightweight jail for sshd, but you can follow a similar process for httpd, or an email server, or whatever. Saves a LOT of memory and process space.

Also, ezjail saves a LOT of disk space as you create more and more jails as it uses nullfs mounts to duplicate the base install instead of copying it.

> finally, i suppose the best configuration might be to have my host just a minimal install (avoiding anything that i don't need to function), and have my jails set up as my service-providing hosts? and are there any services that just don't work well in a jail (i think i can see NFS being one).

Mostly. We run hardware-related stuff on the host system (i.e. snmpd) as well as some universal services (A DNS cache, sendmail).

I've had trouble getting programs that use shared memory (such as Postgres) to run inside a jail, but it's been a while since I've tried.

-- 
Bill Moran
http://www.potentialtech.com
Re: started playing with jails
Bill Moran wrote:
> I've had trouble getting programs that use shared memory (such as Postgres) to run inside a jail, but it's been a while since I've tried.

Postgres needs this in the host rc.conf:

jail_sysvipc_allow=YES

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
gregb at scls.lib.wi.us, (608) 266-6348
Re: started playing with jails
In response to Greg Barniskis [EMAIL PROTECTED]:

> Bill Moran wrote:
>> I've had trouble getting programs that use shared memory (such as Postgres) to run inside a jail, but it's been a while since I've tried.
>
> Postgres needs this in the host rc.conf:
>
> jail_sysvipc_allow=YES

My experiments with Postgres in jail predate the existence of that setting. When I was working with it, you had to frob a sysctl via /etc/sysctl.conf. But even then, I couldn't seem to get it to work -- the Postgres in the jail would corrupt the shared memory of the postgres outside the jail. It was ugly. Imagine big, wet tears rolling down my cheeks.

I haven't had the need to try it in a while, so it might work OK now, I just don't know.

-- 
Bill Moran
http://www.potentialtech.com
Re: started playing with jails
Bill Moran wrote:
> In response to Greg Barniskis [EMAIL PROTECTED]:
>
>> Bill Moran wrote:
>>> I've had trouble getting programs that use shared memory (such as Postgres) to run inside a jail, but it's been a while since I've tried.
>>
>> Postgres needs this in the host rc.conf:
>>
>> jail_sysvipc_allow=YES
>
> My experiments with Postgres in jail predate the existence of that setting. When I was working with it, you had to frob a sysctl via /etc/sysctl.conf. But even then, I couldn't seem to get it to work -- the Postgres in the jail would corrupt the shared memory of the postgres outside the jail. It was ugly. Imagine big, wet tears rolling down my cheeks.
>
> I haven't had the need to try it in a while, so it might work OK now, I just don't know.

Ah, now that you mention it I do recall discussions of multiple instances peeing in each others pools so to speak. I also thought there was discussion of how to fix it, but have no idea where that went if anywhere... A single instance inside a jail does work quite happily if the knob above is set.

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
gregb at scls.lib.wi.us, (608) 266-6348
Re: started playing with jails
> Bill Moran wrote:
>> In response to Greg Barniskis [EMAIL PROTECTED]:
>>
>>> Bill Moran wrote:
>>>> I've had trouble getting programs that use shared memory (such as Postgres) to run inside a jail, but it's been a while since I've tried.
>>>
>>> Postgres needs this in the host rc.conf:
>>>
>>> jail_sysvipc_allow=YES
>>
>> My experiments with Postgres in jail predate the existence of that setting. When I was working with it, you had to frob a sysctl via /etc/sysctl.conf. But even then, I couldn't seem to get it to work -- the Postgres in the jail would corrupt the shared memory of the postgres outside the jail. It was ugly. Imagine big, wet tears rolling down my cheeks.
>>
>> I haven't had the need to try it in a while, so it might work OK now, I just don't know.
>
> Ah, now that you mention it I do recall discussions of multiple instances peeing in each others pools so to speak. I also thought there was discussion of how to fix it, but have no idea where that went if anywhere... A single instance inside a jail does work quite happily if the knob above is set.
>
> -- 
> Greg Barniskis, Computer Systems Integrator
> South Central Library System (SCLS)
> Library Interchange Network (LINK)
> gregb at scls.lib.wi.us, (608) 266-6348

what is the best method for backup? just back up the whole thing as if it were files on my host?

thanks,
jonathan
Re: started playing with jails
On 22/03/2007 3:50 AM, Greg Barniskis wrote:
> Bill Moran wrote:
>> My experiments with Postgres in jail predate the existence of that setting. When I was working with it, you had to frob a sysctl via /etc/sysctl.conf. But even then, I couldn't seem to get it to work -- the Postgres in the jail would corrupt the shared memory of the postgres outside the jail. It was ugly. Imagine big, wet tears rolling down my cheeks.
>>
>> I haven't had the need to try it in a while, so it might work OK now, I just don't know.
>
> Ah, now that you mention it I do recall discussions of multiple instances peeing in each others pools so to speak. I also thought there was discussion of how to fix it, but have no idea where that went if anywhere... A single instance inside a jail does work quite happily if the knob above is set.

From memory, I think the discussion went something like Postgres uses the TCP port number it binds to as its SYSV IPC ID... so if you want to run multiple instances in jails/etc without conflict, run them on different port numbers (and consequentially they will get separate SYSV IPC IDs).

--Antony
Re: started playing with jails
Jonathan Horne wrote:
> what is the best method for backup? just back up the whole thing as if it were files on my host?

Files in a jail are in fact just files on the host, so you could certainly do that. But as in many things (and especially when talking about backups), best is framed by local conditions, practices and requirements. There's nothing much special about backing up jail files though, so do what you normally do.

There are by default some constraints on jailed processes using devices. This may or may not affect trying to run backup processes from inside the jail. Backups running in the host environment have no such constraints.

Personally, I like to configure all jails on a standalone /jails partition so that I can easily take a snapshot from the host and run a backup against that.

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
gregb at scls.lib.wi.us, (608) 266-6348
Re: started playing with jails
In response to Antony Mawer [EMAIL PROTECTED]:

> On 22/03/2007 3:50 AM, Greg Barniskis wrote:
>> Bill Moran wrote:
>>> My experiments with Postgres in jail predate the existence of that setting. When I was working with it, you had to frob a sysctl via /etc/sysctl.conf. But even then, I couldn't seem to get it to work -- the Postgres in the jail would corrupt the shared memory of the postgres outside the jail. It was ugly. Imagine big, wet tears rolling down my cheeks.
>>>
>>> I haven't had the need to try it in a while, so it might work OK now, I just don't know.
>>
>> Ah, now that you mention it I do recall discussions of multiple instances peeing in each others pools so to speak. I also thought there was discussion of how to fix it, but have no idea where that went if anywhere... A single instance inside a jail does work quite happily if the knob above is set.
>
> From memory, I think the discussion went something like Postgres uses the TCP port number it binds to as its SYSV IPC ID... so if you want to run multiple instances in jails/etc without conflict, run them on different port numbers (and consequentially they will get separate SYSV IPC IDs).

That's how I remember it as well. I don't remember being able to get it working with a different port # either, but it's been a while -- back when 7.4 was the latest.

-- 
Bill Moran
http://www.potentialtech.com
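The port-derived key that Antony and Bill recall, and Marc's per-jail UID advice, as an added example (not code from the thread, from PostgreSQL or from FreeBSD): a small C model of what happens when two instances sharing the host's System V IPC namespace compute the same shm key. The port * 1000 key derivation, the segment size and the port numbers are constructed stand-ins; the block uses only the portable SysV shm calls, so it runs on FreeBSD or Linux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Constructed model of the clash in the thread: with jail_sysvipc_allow=YES
 * jailed processes share the host's single System V IPC namespace, so two
 * PostgreSQL instances that derive the same shm key attach to the same
 * segment. port * 1000 is a simplified stand-in for the old PostgreSQL key
 * derivation; the point is only that the key is a function of the port. */
static key_t pg_shmem_key(int port)
{
    return (key_t)port * 1000;
}

/* Create-or-attach a segment as a server does at startup. Mode 0600 means
 * only the creating UID may use it: a second instance under a different UID
 * gets EACCES even for the same key, which is why a distinct UID per jailed
 * postgres (Marc's advice) also avoids the clash. Returns -1 on error. */
int server_startup(int port, size_t size)
{
    return shmget(pg_shmem_key(port), size, IPC_CREAT | 0600);
}

/* Remove a segment; a no-op for an invalid id. */
void server_shutdown(int shmid)
{
    if (shmid >= 0)
        shmctl(shmid, IPC_RMID, NULL);
}

/* Start two "instances" (one on the host, one in a jail) as the same UID.
 * Returns 1 if they share a segment, 0 if separate, -1 on error. */
int instances_collide(int port_a, int port_b)
{
    int a = server_startup(port_a, 4096);
    int b = server_startup(port_b, 4096);
    int result = -1;

    if (a < 0 || b < 0)
        fprintf(stderr, "shmget: %s\n", strerror(errno));
    else
        result = (a == b);
    server_shutdown(a);
    if (b != a)
        server_shutdown(b);
    return result;
}

int main(void)
{
    /* Constructed high ports so no real server's segment is touched. */
    printf("same port:       %s\n",
           instances_collide(65432, 65432) == 1 ? "COLLIDE" : "separate");
    printf("different ports: %s\n",
           instances_collide(65432, 65433) == 1 ? "COLLIDE" : "separate");
    return 0;
}
```

On the host, `ipcs -m` lists every segment with its key and owner UID, which is the quick check for whether two jails have converged on the same one.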
Re: started playing with jails
In response to Jonathan Horne [EMAIL PROTECTED]:

[snip]

> [RE: jails] what is the best method for backup? just back up the whole thing as if it were files on my host?

With 6.x, your best bet is to do a filesystem snapshot and back up the snapshot. Depending on your precise backup needs, however, this may be overkill. You can just backup individual files/directories.

If you use ezjail be careful not to follow mount points or you'll end up backing up the same stuff over and over for each separate jail you have.

-- 
Bill Moran
http://www.potentialtech.com