Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 30 Oct 2015 08:26:53 -0400
From:      Ricky G <ricky1252@hotmail.com>
To:        krad <kraduk@gmail.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   RE: /etc/jail.conf documentation?
Message-ID:  <SNT146-W92BDA6F54F1DCDEA18EE72A12F0@phx.gbl>
In-Reply-To: <CALfReyeNxbgNCbBSg71RaMOLrWM9BbB2tejp5-nvbBTOcWrZ0g@mail.gmail.com>
References:  <49230.128.135.52.6.1446047977.squirrel@cosmo.uchicago.edu>, <1446064085.1148620.422968569.0E47599D@webmail.messagingengine.com>, <20953.128.135.52.6.1446065026.squirrel@cosmo.uchicago.edu>, <CALfReycwGJfBsx1JB_HOpwRXj2BPt9JTDAFPZHHC4HA=-fiisw@mail.gmail.com>, <1446126519.3886654.423612921.572AA6CD@webmail.messagingengine.com>, <SNT146-W3153B1A15ED9D1429DC69AA1200@phx.gbl>, <CALfReyeNxbgNCbBSg71RaMOLrWM9BbB2tejp5-nvbBTOcWrZ0g@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
 This is intended. I'm not sure if its fixed=2C however I found an odd bug =
awhile back where reusing a bridge for a vnet jail causes a high number of =
dropped packets. The more it is reused the more the dropped packets. After =
around 4 jail restarts there was about 60% packet loss. To resolve it=2C I =
found recreating the bridge fixed the issue. I also only use one vnet so th=
is isn't a problem for me=2C of course you are correct that multiple vnets =
with this configuration will not work. Sorry for not making that clear befo=
re I posted.

Really need to stop using outlook. I hate how \n is not read correctly. =3D=
/






Date: Fri=2C 30 Oct 2015 08:17:59 +0000
Subject: Re: /etc/jail.conf documentation?
From: kraduk@gmail.com
To: ricky1252@hotmail.com
CC: feld@freebsd.org=3B freebsd-questions@freebsd.org

Be careful with your vnet config as if you use it with more than one jail a=
t once shutting down one jail will break the networking on the other(s) as =
you create and destroy the bridge. This may be intended but in most cases I=
 suspect people bind a bridge to a physical NIC and the epairs for a flat n=
etwork=2C with maybe a vlan or two thrown in. In these cases let cloned_int=
erfaces build the bridge and just add and remove the nics to the relevant b=
ridge(s).


On 29 October 2015 at 15:04=2C Ricky G <ricky1252@hotmail.com> wrote:
Saw this post and decided to share as well. When I started using jails I wa=
nted the system to be easy and flexible. Reading the handbook=2C I liked th=
is layout https://www.freebsd.org/doc/handbook/jails-application.html. I de=
cided to make some scripts based on this layout and I also made some improv=
ements based on problems I ran into using the layout.
=0A=
Basically the scripts create a readonly base and duplicates the base settin=
g to readonly. Upgrading is simple because you just recreate the base shutd=
own duplicate startup and the jails are updated. One side note that Id like=
 to add is my use of mergemaster is the safe way which is a bit more work. =
(The scripts will do everything except create the base dataset). I still ha=
ve some more work to do on these scripts with possible errors=2C but they w=
ork well for what I need them for. As for my jail.conf
=0A=

=0A=
host.hostname =3D "${name}"=3Bpath =3D "/usr/jails/${name}"=3Bmount.fstab =
=3D "/etc/fstab.${name}"=3Bmount.devfs =3D "1"=3Bdevfs_ruleset =3D "4"=3Bex=
ec.consolelog =3D "/var/log/jail_${name}_console.log"=3Binterface  =3D "ue0=
"=3Bexec.start  =3D "/bin/sh /etc/rc"=3Bexec.stop  =3D "/bin/sh /etc/rc.shu=
tdown"=3Bexec.clean=3Bpersist=3B
=0A=
allow.raw_sockets =3D "1"=3Ballow.set_hostname =3D "0"=3B
=0A=
foo { ip4.addr  =3D "192.168.1.9/24"=3B}
=0A=
### For vnet ###bar { $if =3D "0"=3B $ip_addr  =3D "192.168.1.10/24"=3B $ip=
_route  =3D "192.168.1.1"=3B interface  =3D "bridge0"=3B vnet=3B vnet.inter=
face =3D "epair${if}b"=3B exec.prestart  =3D "ifconfig bridge0 create"=3B e=
xec.prestart  +=3D "ifconfig epair${if} create up"=3B exec.prestart  +=3D "=
ifconfig bridge0 addm epair${if}a"=3B exec.start  =3D "/sbin/ifconfig lo0 1=
27.0.0.1 up"=3B exec.start  +=3D "/sbin/ifconfig epair${if}b inet ${ip_addr=
} up"=3B exec.start  +=3D "/sbin/route add default ${ip_route}"=3B exec.sta=
rt  +=3D "/bin/sh /etc/rc"=3B exec.stop  =3D "/bin/sh /etc/rc.shutdown"=3B =
exec.poststop  =3D "ifconfig bridge0 destroy"=3B exec.poststop  +=3D "ifcon=
fig epair${if}a destroy"=3B exec.clean=3B persist=3B}
=0A=

=0A=

=0A=

=0A=
$ cat update #!/usr/bin/env bashTEMPLATE_ZFS_DIR=3D"tank/jails/template"TEM=
PLATE_NAME=3D"main"TEMPLATE_DIR=3D"/usr/jails/template"TEMPLATE_SNAPSHOT_NA=
ME=3D"now"JAIL_DIR=3D"/usr/jails"JAIL_ZFS_DIR=3D"tank/jails"JAILS=3D( $(jls=
 | grep ${JAIL_DIR} | awk '{ print $3 }') )SRC=3D"/usr/src"
=0A=
ZFS_TEMPLATE=3D"${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"TEMPLATE_SNAPSHOT=3D"$=
{ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"TEMPLATE_OLD_SNAPSHOT=3D"${ZFS_TEM=
PLATE}@old.$(openssl rand -hex 8)"TEMPLATE=3D"${TEMPLATE_DIR}/${TEMPLATE_NA=
ME}"SKEL=3D"${TEMPLATE_DIR}/skel"
=0A=
### Some error checking ###zfs list "${ZFS_TEMPLATE}" >& /dev/nullif [ $? -=
eq 1 ]=3Bthen  echo "Template dataset ${ZFS_TEMPLATE} not found=2C or wrong=
 Template name"       exit 1fiif [ $(zfs get mountpoint "${ZFS_TEMPLATE}" |=
 awk '{ print $3 }' | tail -n 1) !=3D "${TEMPLATE}" ]then    echo "Template=
 dataset not mounted at ${TEMPLATE}"      exit 1fiif [ $(zfs get mounted "$=
{ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1) !=3D yes ]then echo "Temp=
late dataset ${ZFS_TEMPLATE} not mounted"     exit 1fi### Destroy old templ=
ate ###zfs set readonly=3Doff "${ZFS_TEMPLATE}"chflags -R 0 "${TEMPLATE}"rm=
 -r "${TEMPLATE}"/*cd "${SKEL}"rm -R media root etc mnt tmp var
=0A=
### Create new template ###cd ${SRC}make installworld DESTDIR=3D"${TEMPLATE=
}"if [ $? -eq 1 ]then  echo "${SRC} Needs to be compiled. Run make buildwor=
ld."        exit 1fimake distribution DESTDIR=3D"${TEMPLATE}"
=0A=
### Recreate skel ###cd "${TEMPLATE}"for skel in media root etc mnt tmp var=
do   mv "${TEMPLATE}"/"${skel}" "${SKEL}"/done
=0A=
if [ -f /etc/resolv.conf ]then  cp /etc/resolv.conf "${SKEL}"/etc/fiprintf =
'hostname=3D""\nsendmail_enable=3D"NO"\nsendmail_submit_enable=3D"NO"\nsend=
mail_outbound_enable=3D"NO"\nsendmail_msp_queue_enable=3D"NO"' > "${SKEL}"/=
etc/rc.conf### Create links for new template ###for link in etc home mnt me=
dia root tmp vardo    ln -s s/${link} "${TEMPLATE}"/${link}doneln -s ../s/h=
ome "${TEMPLATE}"/usr/homeln -s ../s/usr-X11R6 "${TEMPLATE}"/usr/X11R6mkdir=
 "${TEMPLATE}"/s
=0A=
### Finish template by setting readonly=3Don ###zfs set readonly=3Don "${ZF=
S_TEMPLATE}"
=0A=
### Move old template to a new name if it exists ###zfs list "${TEMPLATE_SN=
APSHOT}" >& /dev/nullif [ $? -eq 0 ]=3Bthen    zfs rename "${TEMPLATE_SNAPS=
HOT}" "${TEMPLATE_OLD_SNAPSHOT}"fi
=0A=
### Create snapshot of the new template ###zfs snapshot "${TEMPLATE_SNAPSHO=
T}"### Updating jails that are currently running ###for jail in ${JAILS[@]}=
=3Bdo       if [ $(jls | grep ${jail} | awk '{ print $4 }') =3D=3D "${JAIL_=
DIR}"/"${jail}" ]    then            cd /usr/src             mergemaster -t=
 "${JAIL_DIR}"/"${jail}"/var/tmp/temproot -D "${JAIL_DIR}"/"${jail}"/s -i -=
F              cd "${JAIL_DIR}"/"${jail}"/s            rm -r .cshrc .profil=
e COPYRIGHT bin boot dev lib libexec proc rescue sbin sys usr              =
 cd /usr/src             jail -r "${jail}"               zfs destroy -f "${=
JAIL_ZFS_DIR}"/"${jail}"              zfs clone -o readonly=3Don -o mountpo=
int=3D"${JAIL_DIR}"/"${jail}" "${TEMPLATE_SNAPSHOT}" "${JAIL_ZFS_DIR}"/"${j=
ail}"               jail -c "${jail}"       else            FAILED+=3D"${ja=
il} "      fidone
=0A=
### Destroy old template ###zfs destroy "${TEMPLATE_OLD_SNAPSHOT}"if [ -n "=
${FAILED}" ]then     printf "The following jails failed to update due to in=
correct mountpoint... ${FAILED}\n"fiecho "Update Finished"
=0A=

=0A=

=0A=

=0A=
$ cat duplicate #!/usr/bin/env bashTEMPLATE_ZFS_DIR=3D"tank/jails/template"=
TEMPLATE_NAME=3D"main"TEMPLATE_DIR=3D"/usr/jails/template"TEMPLATE_SNAPSHOT=
_NAME=3D"now"JAIL_DIR=3D"/usr/jails"JAIL_ZFS_DIR=3D"tank/jails"
=0A=
ZFS_TEMPLATE=3D"${TEMPLATE_ZFS_DIR}/${TEMPLATE_NAME}"TEMPLATE_SNAPSHOT=3D"$=
{ZFS_TEMPLATE}@${TEMPLATE_SNAPSHOT_NAME}"TEMPLATE=3D"${TEMPLATE_DIR}/${TEMP=
LATE_NAME}"SKEL=3D"${TEMPLATE_DIR}/skel"
=0A=
echo What will the jail name be?read -e JAIL_NAMEecho What will the ip4 add=
ress be? ie 192.168.1.1/24?read -e IP4zfs list "${ZFS_TEMPLATE}" >& /dev/nu=
llif [ $? -eq 1 ]=3Bthen    echo "Incorrect template"       exit 1fizfs lis=
t "${TEMPLATE_SNAPSHOT}" >& /dev/nullif [ $? -eq 1 ]=3Bthen        echo "Sn=
apshot not found"       exit 1fi
=0A=
JAIL=3D"${JAIL_ZFS_DIR}/${JAIL_NAME}"JAIL_ZFS_DATA=3D"${TEMPLATE_ZFS_DIR}/$=
{JAIL_NAME}"JAIL_ZFS_DATA_LOCAL=3D"${TEMPLATE_ZFS_DIR}/${JAIL_NAME}-local"J=
AIL_DATA=3D"${TEMPLATE_DIR}/${JAIL_NAME}"JAIL_FSTAB=3D"${JAIL_DIR}/${JAIL_N=
AME}"
=0A=
zfs clone -o readonly=3Don -o mountpoint=3D"${JAIL_FSTAB}" "${TEMPLATE_SNAP=
SHOT}" "${JAIL}"if [ $? -eq 1 ]=3Bthen     echo "clone failed"     exit 1fi=
echo "clone successful"zfs create -o recordsize=3D1M -o compression=3Dlz4 -=
o mountpoint=3D"${JAIL_DATA}" "${JAIL_ZFS_DATA}"zfs create -o recordsize=3D=
1M -o compression=3Dlz4 -o canmount=3Dnoauto "${JAIL_ZFS_DATA_LOCAL}"cp -Ra=
 "${SKEL}"/* "${JAIL_DATA}"/umount "${JAIL_DATA}"rmdir "${JAIL_DATA}"zfs se=
t canmount=3Dnoauto "${JAIL_ZFS_DATA}"printf "${JAIL_ZFS_DATA} ${JAIL_FSTAB=
}/s\tzfs\trw 0 0\n${JAIL_ZFS_DATA_LOCAL} ${JAIL_FSTAB}/usr/local\t zfs\trw =
0 0" > /etc/fstab."${JAIL_NAME}"printf "\n${JAIL_NAME} {\n ip4.addr =3D \"$=
{IP4}\"=3B\n}" >> /etc/jail.conf
=0A=

=0A=
_______________________________________________
=0A=
freebsd-questions@freebsd.org mailing list
=0A=
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
=0A=
To unsubscribe=2C send any mail to "freebsd-questions-unsubscribe@freebsd.o=
rg"
=0A=

 		 	   		  =



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?SNT146-W92BDA6F54F1DCDEA18EE72A12F0>