From: Aristedes Maniatis
Date: Mon, 22 Feb 2016 21:00:00 +1100
Subject: Re: Jail management
To: Tom Lazar
Cc: markham breitbach, freebsd-jail
Message-ID: <20af917f-78c1-5a38-df36-6d8749377cc3@ish.com.au>
In-Reply-To: <13A9C47A-86FE-4E44-83D6-4736488FB9CC@tomster.org>

On 22/02/2016 8:28pm, Tom Lazar wrote:
>
>> On 22 Feb 2016, at 09:17, Aristedes Maniatis wrote:
>>
>> Markham wrote:
>>
>> I also discovered iocage which looks quite different and interesting. I'm still reading about it, but it seems to:
>
> another thing you might want to take a look at - given your requirements and current setup - is jetpack[1]
>
> it basically implements the docker approach using zfs and jails as underlying technology and pretty much replaces (the unstable) solution of unionfs with its layers based on zfs snapshots.
>
> while it seems to be the least mature option discussed in this thread so far, i think its container approach fills a niche that might fit your use case very well.

Very interesting indeed. Thanks for that pointer. However, I think I'm still on the fence about docker (and friends). It looks like a complex solution to independent problems (bundling, jails, snapshots, configuration management).

> having said that, i'd like to point out, that florian and myself (the authors of bsdploy) are very open to using saltstack - bsdploy is designed to be modular and we already have experimental support for it [2] and the GPL licence of ansible is turning into a bigger annoyance than expected[3] so we are motivated to continue along that path.

Great, I think you'll like salt although it has a very steep initial learning curve.
I'm happy with my choice of saltstack and it appears to have a couple of people contributing FreeBSD improvements reasonably regularly. pkg support is pretty good now and it has limited jail support. The biggest issue I've found with salt is that there is no recommended best-practices way of using it. It's like being given a shed full of wonderful tools and being told to build a house.

But at this point I think my problem looks like a thin layer on top of jails rather than something bigger. I still need to try more things and I just found this which looks like a nice way to easily control iocage:

https://github.com/bougie/salt-iocage-formula

Maybe my workflow is:

* destroy jail
* create new jail from new template (with new version of app)
* use salt to inject the little config files
* start jail

That means I lose all logs and other things at each upgrade, but with logstash that's less of a problem than it was.

On top of that I need a mechanism to create the jail templates, but something manual with FreeBSD pkg might be enough there.

If I avoid the iocage 'packaging' thing then it looks like I avoid the unionfs which several people have warned about not being stable.

Ari

> just my two cents,
>
> cheers,
>
> tom
>
> [1] https://github.com/3ofcoins/jetpack
> [2] https://github.com/ployground/ploy_salt
> [3] https://github.com/ployground/bsdploy/issues/75

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A