Date: Sun, 21 Feb 2016 20:15:43 -0700
From: markham breitbach <markham@ssimicro.com>
To: freebsd-jail <freebsd-jail@freebsd.org>
Subject: Re: Jail management
Message-ID: <56CA7D5F.7060709@ssimicro.com>
In-Reply-To: <ff8307f6-1264-30ec-1ef8-ed3b0a18dd84@ish.com.au>
References: <ff8307f6-1264-30ec-1ef8-ed3b0a18dd84@ish.com.au>

One of the solutions I have found to the version issue is to build my own package repo. I build the packages the way I want, and then upload them to my own package repo (which is just another jail running thttpd). I also keep a jail running with the ports tree frozen at the versions I am using for production.

Add the following to /usr/local/etc/pkg.conf

    repos_dir: [
        "/usr/local/etc/pkg/repos",
        "/etc/pkg",
    ]

This tells pkg to look in your private repo first.

Then, create /usr/local/etc/pkg/repos/private.conf

    private: {
        url: "pkg+http://pkg.ssimicro.com/${ABI}/latest",
        enabled: true,
        signature_type: "PUBKEY",
        PUBKEY: "/usr/local/etc/pkg/repos/ssi.pub",
        mirror_type: "srv"
    }

Note: you also need to create a public/private key pair for this using openssl. I don't recall the specifics though, but it looks like a pretty standard self-signed key/cert pair. The private key is stored on the repo and used to sign the packages when you initialize the repo:

    pkg repo /home/pkg/repo/freebsd:10:x86:64/latest /home/pkg/repo.key

Best,
-Markham

On 2016-02-21 6:13 PM, Aristedes Maniatis wrote:
> I've been using FreeBSD jails (with ezjail) for many years and they work very well. However I'm now reaching a critical mass (30+ jails) where I want to be able to manage them in bulk more easily.
>
> In this environment, each jail runs just a single application, installed from a package built using poudriere from a custom port. That package depends on Java, so lots of other packages also get pulled in. That application gets new versions roughly once every 4 weeks. The problems I have right now are:
>
> * FreeBSD's packaging system doesn't understand the concept of installing a particular package version, so all my scripts will by default upgrade the application to the current version even if I don't want to. I can't easily install a new jail at an old version.
>
> * It is hard to reproduce the environment exactly, matching the application to the same version of Java that was available at the time of deployment. Again I'm fighting against the pkg system which always wants the latest version.
>
> * For failover I want each jail reproduced exactly on another host, or at least a snapshot which could be sent to another host within a few seconds. The jails are quite small (< 500Mb). Most of that is just the openjdk pkg.
>
>
> As I understand, ezjail doesn't support multiple base jails. If it did, then I could simply install the application (and packages) to the base jail and have versions of the base. Then by shutting down a jail, switching the base to the new version and starting up, everything would upgrade easily. Even better would be some concept of hierarchy with customer_jail sitting on top of base_version_1.0 which in turn sits on top of base_jail.
>
> Would I need to abandon ezjail and be able to build all the above myself with a combination of nullfs (basejail) and unionfs (intermediate versioned jail)? Does unionfs now work with ZFS?
>
>
> Alternatively I could simply use zfs clones to deploy a new version of the application by destroying the whole jail and replacing it with a new one. I'd need to then script (I use saltstack) deploying the 2-3 config files which are different in each jail.
>
>
>
> Thoughts? What seems like a more robust long term approach to jail management?
>
>
> Thanks
> Ari
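
The message above leaves the key-generation step open. As an added example (not part of the original message or of the pkg project's own tooling), this script creates the bare RSA key pair that pkg-repo(8) documents for signature_type PUBKEY and checks that a public key file really belongs to the signing key. The function names and the repo.key/repo.pub file names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original message. File names repo.key and
# repo.pub and all function names are assumptions.

# make_repo_keys DIR: create DIR/repo.key (mode 0400) and DIR/repo.pub.
make_repo_keys() {
    (
        umask 077                 # private key is never created group/world readable
        mkdir -p "$1" || exit 1
        if [ -e "$1/repo.key" ]; then
            echo "refusing to overwrite $1/repo.key" >&2
            exit 1
        fi
        openssl genrsa -out "$1/repo.key" 2048 2>/dev/null || exit 1
        chmod 0400 "$1/repo.key"
        openssl rsa -in "$1/repo.key" -pubout -out "$1/repo.pub" 2>/dev/null || exit 1
        chmod 0444 "$1/repo.pub"
    )
}

# pubkey_matches KEY PUB: succeed only if PUB is the public half of KEY.
pubkey_matches() {
    openssl rsa -in "$1" -pubout 2>/dev/null | cmp -s - "$2"
}

# pubkey_fingerprint PUB: print SHA-256 of the DER-encoded public key so the
# copy installed on a client can be compared with the repo host's.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Run as: sh repo-keys.sh /home/pkg
# then sign the catalogue with the command from the message:
#   pkg repo /home/pkg/repo/freebsd:10:x86:64/latest /home/pkg/repo.key
if [ "$#" -eq 1 ]; then
    make_repo_keys "$1" && pubkey_fingerprint "$1/repo.pub"
fi
```

Copy repo.pub to the path named in private.conf (/usr/local/etc/pkg/repos/ssi.pub in the message) and compare the fingerprint on both ends. The repo URL is plain http, so the signed catalogue is what authenticates the packages.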