Date:      Fri, 30 Oct 2015 08:26:53 -0400
From:      Ricky G <>
To:        krad <>
Cc:        "" <>
Subject:   RE: /etc/jail.conf documentation?
Message-ID:  <SNT146-W92BDA6F54F1DCDEA18EE72A12F0@phx.gbl>
In-Reply-To: <>
References:  <>, <>, <>, <>, <>, <SNT146-W3153B1A15ED9D1429DC69AA1200@phx.gbl>, <>

This is intended. I'm not sure if it's fixed, however I found an odd bug a while back where reusing a bridge for a vnet jail causes a high number of dropped packets. The more it is reused, the more the dropped packets. After around 4 jail restarts there was about 60% packet loss. To resolve it, I found recreating the bridge fixed the issue. I also only use one vnet so this isn't a problem for me; of course you are correct that multiple vnets with this configuration will not work. Sorry for not making that clear before I posted.

Really need to stop using outlook. I hate how \n is not read correctly.

Date: Fri, 30 Oct 2015 08:17:59 +0000
Subject: Re: /etc/jail.conf documentation?

Be careful with your vnet config, as if you use it with more than one jail at once, shutting down one jail will break the networking on the other(s) as you create and destroy the bridge. This may be intended, but in most cases I suspect people bind a bridge to a physical NIC and the epairs for a flat network, with maybe a vlan or two thrown in. In these cases let cloned_interfaces build the bridge and just add and remove the nics to the relevant b
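
The layout krad describes above, as an added example written for this edit (it is not from krad's or Ricky G's messages): rc(8) creates the bridge once at boot via cloned_interfaces, and each jail only creates and destroys its own epair, so stopping one vnet jail leaves the others attached. The physical NIC name em0, the addresses, the jail names and the $if/$bridge variable names are assumptions of this example.

```conf
# /etc/rc.conf on the host: the bridge is created once at boot by rc.d/netif
# (the thread's config instead runs "ifconfig bridge0 create" in exec.prestart
# and "ifconfig bridge0 destroy" in exec.poststop of every jail)
#
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 up"      # em0: assumed physical NIC

# /etc/jail.conf: the bridge is never created or destroyed per jail
$bridge = "bridge0";

host.hostname = "${name}";
path = "/usr/jails/${name}";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
exec.clean;

# Each jail creates its own epair, attaches the "a" end to the shared
# bridge and moves the "b" end inside with vnet.interface.
vnet;
vnet.interface = "epair${if}b";
exec.prestart  = "ifconfig epair${if} create up";
exec.prestart += "ifconfig ${bridge} addm epair${if}a";
exec.start     = "/sbin/ifconfig lo0 127.0.0.1 up";
exec.start    += "/sbin/ifconfig epair${if}b inet ${ip_addr} up";
exec.start    += "/sbin/route add default ${ip_route}";
exec.start    += "/bin/sh /etc/rc";
exec.stop      = "/bin/sh /etc/rc.shutdown";
# Destroying the epair detaches it from the bridge; the bridge itself
# and the other jails' epairs stay up.
exec.poststop  = "ifconfig epair${if}a destroy";

# Two vnet jails can now start, stop and restart independently;
# $if must be unique per jail (assumed addresses below).
bar { $if = "0"; $ip_addr = "10.0.0.11/24"; $ip_route = "10.0.0.1"; }
baz { $if = "1"; $ip_addr = "10.0.0.12/24"; $ip_route = "10.0.0.1"; }
```

jail(8) expands variables when it processes each jail definition, so the shared exec lines pick up that jail's own $if. `ifconfig epairNa destroy` removes both ends of the pair, including the b end that was moved into the jail, and a destroyed member is dropped from the bridge automatically.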

On 29 October 2015 at 15:04, Ricky G <> wrote:
Saw this post and decided to share as well. When I started using jails I wanted the system to be easy and flexible. Reading the handbook, I liked this layout. I decided to make some scripts based on this layout and I also made some improvements based on problems I ran into using the layout.
Basically the scripts create a readonly base and duplicate the base, setting it to readonly. Upgrading is simple because you just recreate the base, shutdown duplicate, startup, and the jails are updated. One side note that I'd like to add is my use of mergemaster is the safe way, which is a bit more work. (The scripts will do everything except create the base dataset.) I still have some more work to do on these scripts with possible errors, but they work well for what I need them for. As for my jail.conf:

host.hostname = "${name}";
path = "/usr/jails/${name}";
mount.fstab = "/etc/fstab.${name}";
mount.devfs = "1";
devfs_ruleset = "4";
exec.consolelog = "/var/log/jail_${name}_console.log";
interface = "ue0";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shu
allow.raw_sockets = "1";
allow.set_hostname = "0";

foo { ip4.addr = ""; }

### For vnet ###
bar {
  $if = "0";
  $ip_addr = "";
  $ip_route = "";
  interface = "bridge0";
  vnet;
  vnet.interface = "epair${if}b";
  exec.prestart = "ifconfig bridge0 create";
  exec.prestart += "ifconfig epair${if} create up";
  exec.prestart += "ifconfig bridge0 addm epair${if}a";
  exec.start = "/sbin/ifconfig lo0 1 up";
  exec.start += "/sbin/ifconfig epair${if}b inet ${ip_addr} up";
  exec.start += "/sbin/route add default ${ip_route}";
  exec.start += "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.poststop = "ifconfig bridge0 destroy";
  exec.poststop += "ifconfig epair${if}a destroy";
  exec.clean;
  persist;
}



$ cat update
#!/usr/bin/env bash
TEMPLATE_ZFS_DIR="tank/jails/template"
TEM
# [line missing from the archived message]
ME="now"
JAIL_DIR="/usr/jails"
JAIL_ZFS_DIR="tank/jails"
JAILS=( $(jls | grep ${JAIL_DIR} | awk '{ print $3 }') )
SRC="/usr/src"
# [line missing from the archived message]
PLATE}@old.$(openssl rand -hex 8)"
TEMPLATE="${TEMPLATE_DIR}/${TEMPLATE_NA
# [line missing from the archived message]

### Some error checking ###
zfs list "${ZFS_TEMPLATE}" >& /dev/null
if [ $? -ne 0 ]; then
  echo "Template dataset ${ZFS_TEMPLATE} not found, or wrong Template name"
  exit 1
fi
if [ "$(zfs get mountpoint "${ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1)" != "${TEMPLATE}" ]; then
  echo "Template dataset not mounted at ${TEMPLATE}"
  exit 1
fi
if [ "$(zfs get mounted "${ZFS_TEMPLATE}" | awk '{ print $3 }' | tail -n 1)" != yes ]; then
  echo "Template dataset ${ZFS_TEMPLATE} not mounted"
  exit 1
fi

### Destroy old template ###
zfs set readonly=off "${ZFS_TEMPLATE}"
chflags -R 0 "${TEMPLATE}"
rm -r "${TEMPLATE}"/*
# never run the recursive rm below in the wrong directory if cd fails
cd "${SKEL}" || exit 1
rm -R media root etc mnt tmp var

### Create new template ###
cd "${SRC}" || exit 1
make installworld DESTDIR="${TEMPLATE}"
if [ $? -ne 0 ]; then
  echo "${SRC} Needs to be compiled. Run make buildworld."
  exit 1
fi
make distribution DESTDIR="${TEMPLATE}"

### Recreate skel ###
cd "${TEMPLATE}" || exit 1
for skel in media root etc mnt tmp var; do
  mv "${TEMPLATE}"/"${skel}" "${SKEL}"/
done
if [ -f /etc/resolv.conf ]; then
  cp /etc/resolv.conf "${SKEL}"/etc/
fi
printf
# [line missing from the archived message]
mail_outbound_enable="NO"\nsendmail_msp_queue_enable="NO"' > "${SKEL}"/etc/rc.conf

### Create links for new template ###
for link in etc home mnt media root tmp var; do
  ln -s s/${link} "${TEMPLATE}"/${link}
done
ln -s ../s/home "${TEMPLATE}"/usr/home
ln -s ../s/usr-X11R6 "${TEMPLATE}"/usr/X11R6
mkdir
# [line missing from the archived message]

### Finish template by setting readonly=on ###
zfs set readonly=on "${ZF
# [line missing from the archived message]

### Move old template to a new name if it exists ###
zfs list "${TEMPLATE_SNAPSHOT}" >& /dev/null
if [ $? -eq 0 ]; then
  zfs rename "${TEMPLATE_SNAPS
# [line missing from the archived message]

### Create snapshot of the new template ###
zfs snapshot "${TEMPLATE_SNAPSHOT}"

### Updating jails that are currently running ###
for jail in ${JAILS[@]}; do
  if [ "$(jls | grep ${jail} | awk '{ print $4 }')" == "${JAIL_DIR}"/"${jail}" ]; then
    cd /usr/src || exit 1
    mergemaster -t "${JAIL_DIR}"/"${jail}"/var/tmp/temproot -D "${JAIL_DIR}"/"${jail}"/s -i -F
    # the rm -r below must only ever run inside the jail's writable "s" dataset
    cd "${JAIL_DIR}"/"${jail}"/s || exit 1
    rm -r .cshrc .profile COPYRIGHT bin boot dev lib libexec proc rescue sbin sys usr
    cd /usr/src || exit 1
    jail -r "${jail}"
    zfs destroy -f "${JAIL_ZFS_DIR}"/"${jail}"
    zfs clone -o readonly=on -o mountpoint="${JAIL_DIR}"/"${jail}" "${TEMPLATE_SNAPSHOT}" "${JAIL_ZFS_DIR}"/"${jail}"
    jail -c "${jail}"
  else
    FAILED+="${jail} "
  fi
done

### Destroy old template ###
zfs destroy "${TEMPLATE_OLD_SNAPSHOT}"
if [ -n "${FAILED}" ]; then
  printf "The following jails failed to update due to incorrect mountpoint... ${FAILED}\n"
fi
echo "Update Finished"



$ cat duplicate
#!/usr/bin/env bash
TEMPLATE_ZFS_DIR="tank/jails/template"
# [line missing from the archived message]
echo "What will the jail name be?"
read -e JAIL_NAME
echo "What will the ip4 address be? ie"
read -e IP4
zfs list "${ZFS_TEMPLATE}" >& /dev/null
if [ $? -ne 0 ]; then
  echo "Incorrect template"
  exit 1
fi
zfs list "${TEMPLATE_SNAPSHOT}" >& /dev/null
if [ $? -ne 0 ]; then
  echo "Snapshot not found"
  exit 1
fi
zfs clone -o readonly=on -o mountpoint="${JAIL_FSTAB}" "${TEMPLATE_SNAPSHOT}" "${JAIL}"
if [ $? -ne 0 ]; then
  echo "clone failed"
  exit 1
fi
echo "clone successful"
zfs create -o recordsize=1M -o compression=lz4 -o mountpoint="${JAIL_DATA}" "${JAIL_ZFS_DATA}"
zfs create -o recordsize=1M -o compression=lz4 -o canmount=noauto "${JAIL_ZFS_DATA_LOCAL}"
cp -Ra "${SKEL}"/* "${JAIL_DATA}"/
umount "${JAIL_DATA}"
rmdir "${JAIL_DATA}"
zfs set canmount=noauto "${JAIL_ZFS_DATA}"
printf "${JAIL_ZFS_DATA} ${JAIL_FSTAB}/s\tzfs\trw 0 0\n${JAIL_ZFS_DATA_LOCAL} ${JAIL_FSTAB}/usr/local\t zfs\trw 0 0" > /etc/fstab."${JAIL_NAME}"
printf "\n${JAIL_NAME} {\n ip4.addr = \"${IP4}\";\n}" >> /etc/jail.conf
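
The duplicate script above writes whatever `read` returned straight into `/etc/fstab.<name>` and a new jail.conf block, and the update script finds jails with `jls | grep ${jail}`, which is a substring match. As an added example (written for this edit, not code from Ricky G's scripts), here is a POSIX sh fragment that validates the jail name and address before rendering the jail.conf stanza, and resolves a jail's path by exact name over the output of `jls name path`, fed here from a constructed listing. The function names and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: validate the two values the
# "duplicate" script reads interactively before they reach /etc/fstab.<name>
# and /etc/jail.conf, and look a jail up by exact name instead of
# "jls | grep ${jail}". All function names are assumptions of this example.

# The jail name becomes a path component (/usr/jails/<name>, /etc/fstab.<name>)
# and the label of a jail.conf block, so anything outside [A-Za-z0-9_-] is
# rejected: no "/", no whitespace, none of "{;}".
valid_jail_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Dotted quad with four decimal octets in 0..255 (no CIDR suffix, matching
# the plain ip4.addr value the script writes).
valid_ip4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Same stanza the script appends, but only after validation and built with
# %s so that a "%" in the input is never interpreted by printf.
render_jail_stanza() {
    valid_jail_name "$1" || { echo "rejected jail name: $1" >&2; return 1; }
    valid_ip4 "$2"       || { echo "rejected ip4 address: $2" >&2; return 1; }
    printf '\n%s {\n ip4.addr = "%s";\n}\n' "$1" "$2"
}

# Resolve a running jail's path from "jls name path" output read on stdin,
# by exact match on the name column. A grep for "foo" would also hit "foobar".
jail_path_from_listing() {
    awk -v want="$1" '$1 == want { print $2; exit }'
}

# Constructed listing in the shape of "jls name path" output; no real jails
# are queried in this example.
SAMPLE_JLS='foo /usr/jails/foo
foobar /usr/jails/foobar
bar /usr/jails/bar'

# Demo on constructed inputs.
render_jail_stanza foo 10.0.0.11
render_jail_stanza 'foo bar' 10.0.0.12 || echo "(rejected as expected)"
printf '%s\n' "$SAMPLE_JLS" | jail_path_from_listing foo
```

On a FreeBSD host the listing would come from `jls name path` itself (`jls` accepts parameter names to print), and the rendered stanza would be appended to /etc/jail.conf only when `render_jail_stanza` succeeds.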

