From: "Seamus.Venasse"
To: "'Albert Everett'" ,
Subject: RE: looking for long-term usage comments re jail
Date: Fri, 5 Oct 2001 17:19:10 -0700
Message-ID: <00c701c14dfc$85f1fad0$d27e7ed8@POLARIS.CA>

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> Albert Everett
> Sent: October 5, 2001 8:54 AM
> To: freebsd-questions@freebsd.org
> Subject: looking for long-term usage comments re jail
>
>
> I'm looking into using jail for dns, mail and web servers. I see from
> various documentation how to set it up, but not much about how things
> go over time.
>
> Have any of you out there found jails to be more trouble than
> they are worth?

I run a PII-433 with 128MB RAM on an IDE system. I've used several jails since about January of this year.
I have separate jails for the following services:

1) DNS
2) Apache+FP
3) Apache+PHP4+mod_perl, MySQL, ProFTPd
4) qmail, Apache-SSL, vpopmail, qmailadmin
5) Apache, Jakarta-Tomcat, jdk13
6) Apache, Zope

Usage is getting higher, so I am moving to a faster CPU and using SCSI-RAID5, but performance-wise, it works just fine.

> How does it go with tracking stable and installing ports inside the
> jail? Is it best to have /usr/src, /usr/obj and /usr/ports all set up
> inside the jail or can one update/install from host to jail for most
> everything?

I found the best way to install ports is to NFS mount the ports system into the jail (localhost). It makes installing common ports, such as bash2, a lot quicker. As for upgrading, there should not be any issues, but I've never had to bother with it.

I have written scripts which create the jails, then do an MD5 checksum of all files in the directory. When I install additional software and configurations, I can do another MD5 checksum, and just back up the files which are different. It makes moving jails from a development to production (production to backup) a lot smoother.

> I sense that things will be simpler and smaller to make fewer rather
> than many jails per machine, although it will be tempting to set up a
> jail for java users, one for zope users, one for php users, etc.

I have stripped out as much as possible from each of the jails, so when they were first created, they were all identical. I have saved over 25MB per jail using this install string:

    make installworld DESTDIR=$D NO_CVS=yes NO_BIND=yes NO_FORTRAN=yes NO_LPR=yes NO_MODULES=yes NO_SHAREDOCS=yes NO_X=yes NOGAMES=yes NOINFO=yes NOPROFILE=yes NOUUCP=yes

> Does ProFTPd work within a jail? I've had good luck with it in the
> past and haven't found anything yet that can give me equal access
> control. Wouldn't mind suggestions on this.

As I pointed out in my third jail, yes, it works.

> Any other issues that I should be aware of before I make the leap?

The only service I have running on the "real" system is SSH2. You have to modify the /etc/ssh/sshd_config to set your "ListenAddress" to the IP address for the "real" system. Otherwise, it will bind to all your alias interfaces and you won't be able to connect to the jails via SSH.

Hope this has been useful to you.

Seamus
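
The checksum-and-back-up-the-differences workflow described in the reply above, as an added example (not the poster's scripts, which are not shown on this page). It swaps MD5 for SHA-256 by default, since MD5 collisions are practical and the manifest doubles as a tamper baseline; the function names and the sample tree are hypothetical.

```python
import hashlib, os, shutil, tempfile

def manifest(root, algo="sha256"):
    """Return {relative path: digest} under root. Symlinks are hashed by
    their target text and never followed, so a link cannot lead outside."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.new(algo)
            if os.path.islink(full):
                h.update(b"symlink:" + os.fsencode(os.readlink(full)))
            elif os.path.isfile(full):
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
            else:
                continue  # real directories, devices, sockets, FIFOs
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def diff(before, after):  # -> (added, changed, removed), each sorted
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return added, changed, removed

def backup_delta(root, dest, paths):  # copy only listed paths, keep layout
    for rel in paths:
        src, dst = os.path.join(root, rel), os.path.join(dest, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst, follow_symlinks=False)

def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():  # constructed sample tree standing in for a jail root
    with tempfile.TemporaryDirectory() as tmp:
        jail, dest = os.path.join(tmp, "jail"), os.path.join(tmp, "delta")
        write(os.path.join(jail, "etc/rc.conf"), 'sshd_enable="NO"\n')
        write(os.path.join(jail, "etc/resolv.conf"), "nameserver 192.0.2.53\n")
        base = manifest(jail)  # baseline taken right after jail creation
        write(os.path.join(jail, "etc/rc.conf"), 'sshd_enable="YES"\n')
        write(os.path.join(jail, "usr/local/etc/httpd.conf"), "Listen 80\n")
        os.remove(os.path.join(jail, "etc/resolv.conf"))
        added, changed, removed = diff(base, manifest(jail))
        backup_delta(jail, dest, added + changed)
        return added, changed, removed, sorted(manifest(dest))
```

Keep the baseline manifest on the host rather than inside the jail, so that a process running in the jail cannot rewrite it.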