Date: Fri, 30 Oct 2015 08:17:59 +0000
Subject: Re: /etc/jail.conf documentation?
From: krad <kraduk@gmail.com>
To: Ricky G
Cc: Mark Felder, freebsd-questions@freebsd.org

Be careful with your vnet config: if you use it with more than one jail at once, shutting down one jail will break the networking on the other(s), as you create and destroy the bridge. This may be intended, but in most cases I suspect people bind a bridge to a physical NIC and the epairs for a flat network, with maybe a vlan or two thrown in. In these cases let cloned_interfaces build the bridge and just add and remove the NICs to the relevant bridge(s).

On 29 October 2015 at 15:04, Ricky G wrote:
> Saw this post and decided to share as well. When I started using jails I
> wanted the system to be easy and flexible. Reading the handbook, I liked
> this layout https://www.freebsd.org/doc/handbook/jails-application.html.
> I decided to make some scripts based on this layout and I also made some
> improvements based on problems I ran into using the layout.
> Basically the scripts create a readonly base and duplicate the base,
> setting it to readonly. Upgrading is simple because you just recreate the
> base, shut down, duplicate, start up, and the jails are updated. One side
> note I'd like to add is that my use of mergemaster is the safe way, which
> is a bit more work. (The scripts will do everything except create the base
> dataset.) I still have some more work to do on these scripts with possible
> errors, but they work well for what I need them for.
> As for my jail.conf
>
> host.hostname = "${name}";
> path = "/usr/jails/${name}";
> mount.fstab = "/etc/fstab.${name}";
> mount.devfs = "1";
> devfs_ruleset = "4";
> exec.consolelog = "/var/log/jail_${name}_console.log";
> interface = "ue0";
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> persist;
> allow.raw_sockets = "1";
> allow.set_hostname = "0";
>
> foo {
>     ip4.addr = "192.168.1.9/24";
> }
>
> ### For vnet ###
> bar {
>     $if = "0";
>     $ip_addr = "192.168.1.10/24";
>     $ip_route = "192.168.1.1";
>     interface = "bridge0";
>     vnet;
>     vnet.interface = "epair${if}b";
>     exec.prestart = "ifconfig bridge0 create";
>     exec.prestart += "ifconfig epair${if} create up";
>     exec.prestart += "ifconfig bridge0 addm epair${if}a";
>     exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
>     exec.start += "/sbin/ifconfig epair${if}b inet ${ip_addr} up";
>     exec.start += "/sbin/route add default ${ip_route}";
>     exec.start += "/bin/sh /etc/rc";
>     exec.stop = "/bin/sh /etc/rc.shutdown";
>     exec.poststop = "ifconfig bridge0 destroy";
>     exec.poststop += "ifconfig epair${if}a destroy";
>     exec.clean;
>     persist;
> }
>
>
> $ cat update
> #!/usr/bin/env bash
> TEMPLATE_ZFS_DIR="tank/jails/template"
> TEMPLATE_NAME="main"
> TEMPLATE_DIR="/usr/jails/template"
> TEMPLATE_SNAPSHOT_NAME="now"
> JAIL_DIR="/usr/jails"
> JAIL_ZFS_DIR="tank/jails"
> # Names (third jls column) of the running jails whose path lives under JAIL_DIR
> JAILS=( $(jls | grep "${JAIL_DIR}" | awk '{ print $3 }') )
> SRC="/usr/src"
>
> ZFS_TEMPLATE="${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"
> TEMPLATE_SNAPSHOT="${ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"
> TEMPLATE_OLD_SNAPSHOT="${ZFS_TEMPLATE}@old.$(openssl rand -hex 8)"
> TEMPLATE="${TEMPLATE_DIR}/${TEMPLATE_NAME}"
> SKEL="${TEMPLATE_DIR}/skel"
>
> ### Some error checking ###
> zfs list "${ZFS_TEMPLATE}" >& /dev/null
> if [ $? -ne 0 ]; then
>     echo "Template dataset ${ZFS_TEMPLATE} not found, or wrong Template name"
>     exit 1
> fi
> if [ "$(zfs get mountpoint "${ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1)" != "${TEMPLATE}" ]
> then
>     echo "Template dataset not mounted at ${TEMPLATE}"
>     exit 1
> fi
> if [ "$(zfs get mounted "${ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1)" != yes ]
> then
>     echo "Template dataset ${ZFS_TEMPLATE} not mounted"
>     exit 1
> fi
>
> ### Destroy old template ###
> zfs set readonly=off "${ZFS_TEMPLATE}"
> chflags -R 0 "${TEMPLATE}"
> rm -r "${TEMPLATE}"/*
> cd "${SKEL}"
> rm -R media root etc mnt tmp var
>
> ### Create new template ###
> cd "${SRC}"
> make installworld DESTDIR="${TEMPLATE}"
> if [ $? -ne 0 ]
> then
>     echo "${SRC} Needs to be compiled. Run make buildworld."
>     exit 1
> fi
> make distribution DESTDIR="${TEMPLATE}"
>
> ### Recreate skel ###
> cd "${TEMPLATE}"
> for skel in media root etc mnt tmp var
> do
>     mv "${TEMPLATE}"/"${skel}" "${SKEL}"/
> done
>
> if [ -f /etc/resolv.conf ]
> then
>     cp /etc/resolv.conf "${SKEL}"/etc/
> fi
> printf 'hostname=""\nsendmail_enable="NO"\nsendmail_submit_enable="NO"\nsendmail_outbound_enable="NO"\nsendmail_msp_queue_enable="NO"' > "${SKEL}"/etc/rc.conf
>
> ### Create links for new template ###
> # The read-only template points its writable directories at the per-jail "s" mount
> for link in etc home mnt media root tmp var
> do
>     ln -s s/${link} "${TEMPLATE}"/${link}
> done
> ln -s ../s/home "${TEMPLATE}"/usr/home
> ln -s ../s/usr-X11R6 "${TEMPLATE}"/usr/X11R6
> mkdir "${TEMPLATE}"/s
>
> ### Finish template by setting readonly=on ###
> zfs set readonly=on "${ZFS_TEMPLATE}"
>
> ### Move old template to a new name if it exists ###
> zfs list "${TEMPLATE_SNAPSHOT}" >& /dev/null
> if [ $? -eq 0 ]; then
>     zfs rename "${TEMPLATE_SNAPSHOT}" "${TEMPLATE_OLD_SNAPSHOT}"
> fi
>
> ### Create snapshot of the new template ###
> zfs snapshot "${TEMPLATE_SNAPSHOT}"
>
> ### Updating jails that are currently running ###
> for jail in ${JAILS[@]}
> do
>     if [ "$(jls | grep "${jail}" | awk '{ print $4 }')" == "${JAIL_DIR}"/"${jail}" ]
>     then
>         cd /usr/src
>         mergemaster -t "${JAIL_DIR}"/"${jail}"/var/tmp/temproot -D "${JAIL_DIR}"/"${jail}"/s -i -F
>         cd "${JAIL_DIR}"/"${jail}"/s
>         rm -r .cshrc .profile COPYRIGHT bin boot dev lib libexec proc rescue sbin sys usr
>         cd /usr/src
>         jail -r "${jail}"
>         zfs destroy -f "${JAIL_ZFS_DIR}"/"${jail}"
>         zfs clone -o readonly=on -o mountpoint="${JAIL_DIR}"/"${jail}" "${TEMPLATE_SNAPSHOT}" "${JAIL_ZFS_DIR}"/"${jail}"
>         jail -c "${jail}"
>     else
>         FAILED+="${jail} "
>     fi
> done
>
> ### Destroy old template ###
> zfs destroy "${TEMPLATE_OLD_SNAPSHOT}"
> if [ -n "${FAILED}" ]
> then
>     printf "The following jails failed to update due to incorrect mountpoint... ${FAILED}\n"
> fi
> echo "Update Finished"
>
>
> $ cat duplicate
> #!/usr/bin/env bash
> TEMPLATE_ZFS_DIR="tank/jails/template"
> TEMPLATE_NAME="main"
> TEMPLATE_DIR="/usr/jails/template"
> TEMPLATE_SNAPSHOT_NAME="now"
> JAIL_DIR="/usr/jails"
> JAIL_ZFS_DIR="tank/jails"
>
> ZFS_TEMPLATE="${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"
> TEMPLATE_SNAPSHOT="${ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"
> TEMPLATE="${TEMPLATE_DIR}/${TEMPLATE_NAME}"
> SKEL="${TEMPLATE_DIR}/skel"
>
> echo "What will the jail name be?"
> read -e JAIL_NAME
> echo "What will the ip4 address be? ie 192.168.1.1/24?"
> read -e IP4
> zfs list "${ZFS_TEMPLATE}" >& /dev/null
> if [ $? -ne 0 ]; then
>     echo "Incorrect template"
>     exit 1
> fi
> zfs list "${TEMPLATE_SNAPSHOT}" >& /dev/null
> if [ $? -ne 0 ]; then
>     echo "Snapshot not found"
>     exit 1
> fi
>
> JAIL="${JAIL_ZFS_DIR}/${JAIL_NAME}"
> JAIL_ZFS_DATA="${TEMPLATE_ZFS_DIR}/${JAIL_NAME}"
> JAIL_ZFS_DATA_LOCAL="${TEMPLATE_ZFS_DIR}/${JAIL_NAME}-local"
> JAIL_DATA="${TEMPLATE_DIR}/${JAIL_NAME}"
> JAIL_FSTAB="${JAIL_DIR}/${JAIL_NAME}"
>
> # Read-only root for the jail is a clone of the template snapshot
> zfs clone -o readonly=on -o mountpoint="${JAIL_FSTAB}" "${TEMPLATE_SNAPSHOT}" "${JAIL}"
> if [ $? -ne 0 ]; then
>     echo "clone failed"
>     exit 1
> fi
> echo "clone successful"
> # Writable per-jail datasets: one for the "s" tree seeded from skel, one for /usr/local
> zfs create -o recordsize=1M -o compression=lz4 -o mountpoint="${JAIL_DATA}" "${JAIL_ZFS_DATA}"
> zfs create -o recordsize=1M -o compression=lz4 -o canmount=noauto "${JAIL_ZFS_DATA_LOCAL}"
> cp -Ra "${SKEL}"/* "${JAIL_DATA}"/
> umount "${JAIL_DATA}"
> rmdir "${JAIL_DATA}"
> zfs set canmount=noauto "${JAIL_ZFS_DATA}"
> # Both datasets are mounted into the jail through mount.fstab rather than by ZFS
> printf "${JAIL_ZFS_DATA} ${JAIL_FSTAB}/s\tzfs\trw 0 0\n${JAIL_ZFS_DATA_LOCAL} ${JAIL_FSTAB}/usr/local\t zfs\trw 0 0" > /etc/fstab."${JAIL_NAME}"
> printf "\n${JAIL_NAME} {\n ip4.addr = \"${IP4}\";\n}" >> /etc/jail.conf
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"