|
Lines 76-102
Jails can be considered as a type of operating system-level virtualization.
|
| 76 |
This chapter covers: |
76 |
This chapter covers: |
| 77 |
|
77 |
|
| 78 |
* What a jail is and what purpose it may serve in FreeBSD installations. |
78 |
* What a jail is and what purpose it may serve in FreeBSD installations. |
| 79 |
* The different type of jails. |
79 |
* The different types of jail. |
| 80 |
* The different way to configure the network for a jail. |
80 |
* The different ways to configure the network for a jail. |
| 81 |
* The jail configuration file. |
81 |
* The jail configuration file. |
| 82 |
* How to create the different types of jails. |
82 |
* How to create the different types of jail. |
| 83 |
* How to start, stop and restart a jail. |
83 |
* How to start, stop, and restart a jail. |
| 84 |
* The basics of jail administration, both from inside and outside the jail. |
84 |
* The basics of jail administration, both from inside and outside the jail. |
| 85 |
* How to upgrade the different types of jails. |
85 |
* How to upgrade the different types of jail. |
| 86 |
* A incomplete list of the different FreeBSD jail managers. |
86 |
* A incomplete list of the different FreeBSD jail managers. |
| 87 |
|
87 |
|
| 88 |
[[jail-types]] |
88 |
[[jail-types]] |
| 89 |
== Jail types |
89 |
== Jail Types |
| 90 |
|
90 |
|
| 91 |
Some administrators divide jails into different types, although the underlying technology is the same. |
91 |
Some administrators divide jails into different types, although the underlying technology is the same. |
| 92 |
Each administrator will have to assess what type of jail to create in each case depending on the problem they have to solve. |
92 |
Each administrator will have to assess what type of jail to create in each case depending on the problem they have to solve. |
| 93 |
|
93 |
|
| 94 |
Below can be found a list of the different types, their characteristics, etc. |
94 |
Below can be found a list of the different types, their characteristics, and considerations for use. |
| 95 |
|
95 |
|
| 96 |
[[thick-jails]] |
96 |
[[thick-jails]] |
| 97 |
=== Thick Jails |
97 |
=== Thick Jails |
| 98 |
|
98 |
|
| 99 |
A thick jail is a more traditional form of FreeBSD Jail. |
99 |
A thick jail is a traditional form of FreeBSD Jail. |
| 100 |
In a thick jail, a complete copy of the base system is replicated within the jail's environment. |
100 |
In a thick jail, a complete copy of the base system is replicated within the jail's environment. |
| 101 |
This means that the jail has its own separate instance of the FreeBSD base system, including libraries, executables, and configuration files. |
101 |
This means that the jail has its own separate instance of the FreeBSD base system, including libraries, executables, and configuration files. |
| 102 |
The jail can be thought of as an almost complete standalone FreeBSD installation, but running within the confines of the host system. |
102 |
The jail can be thought of as an almost complete standalone FreeBSD installation, but running within the confines of the host system. |
|
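Review bot: line 86 still reads "A incomplete list" in both columns; since this hunk already touches the neighbouring bullets, change it to "An incomplete list of the different FreeBSD jail managers." The "types of jail" wording is now consistent across lines 79, 82 and 85, which is good.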
Lines 110-116
Advantages of Thick Jails:
|
| 110 |
|
110 |
|
| 111 |
Disadvantages of Thick Jails: |
111 |
Disadvantages of Thick Jails: |
| 112 |
|
112 |
|
| 113 |
* Resource overhead: Because each jail maintains its own separate base system, it consumes more resources compared to thin jails. |
113 |
* Resource overhead: Because each jail maintains its own separate base system, thick jails consume more resources compared to thin jails. |
| 114 |
* Maintenance: Each jail requires its own maintenance and updates for its base system components. |
114 |
* Maintenance: Each jail requires its own maintenance and updates for its base system components. |
| 115 |
|
115 |
|
| 116 |
[[thin-jails]] |
116 |
[[thin-jails]] |
|
Lines 121-133
Only a minimal subset of base system is duplicated for each thin jail, resulting
|
| 121 |
However, this also means that thin jails have less isolation and independence compared to thick jails. |
121 |
However, this also means that thin jails have less isolation and independence compared to thick jails. |
| 122 |
Changes in shared components could potentially affect multiple thin jails simultaneously. |
122 |
Changes in shared components could potentially affect multiple thin jails simultaneously. |
| 123 |
|
123 |
|
| 124 |
In summary, a FreeBSD Thick Jail is a type of FreeBSD Jail that replicates a substantial portion of the base system within the isolated environment. |
124 |
In summary, a FreeBSD Thin Jail is a type of FreeBSD Jail that replicates a substantial portion, but not all, of the base system within the isolated environment. |
| 125 |
|
125 |
|
| 126 |
Advantages of Thin Jails: |
126 |
Advantages of Thin Jails: |
| 127 |
|
127 |
|
| 128 |
* Resource Efficiency: Thin jails are more resource-efficient compared to thick jails. Since they share most of the base system, they consume less disk space and memory. This makes it possible to run more jails on the same hardware without consuming excessive resources. |
128 |
* Resource Efficiency: Thin jails are more resource-efficient compared to thick jails. Since they share most of the base system, they consume less disk space and memory. This makes it possible to run more jails on the same hardware without consuming excessive resources. |
| 129 |
* Faster Deployment: Creating and launching thin jails is generally faster compared to thick jails. This can be particularly advantageous when you need to rapidly deploy multiple instances. |
129 |
* Faster Deployment: Creating and launching thin jails is generally faster compared to thick jails. This can be particularly advantageous when you need to rapidly deploy multiple instances. |
| 130 |
* Unified Maintenance: Since thin jails share the majority of their base system with the host system, updates and maintenance of common base system components (such as libraries and binaries) only need to be done once on the host. This simplifies the maintenance process compared to maintaining individual base system for each thick jail. |
130 |
* Unified Maintenance: Since thin jails share the majority of their base system with the host system, updates and maintenance of common base system components (such as libraries and binaries) only need to be done once on the host. This simplifies the maintenance process compared to maintaining an individual base system for each thick jail. |
| 131 |
* Shared Resources: Thin jails can more easily share common resources such as libraries and binaries with the host system. This can potentially lead to more efficient disk caching and improved performance for applications within the jail. |
131 |
* Shared Resources: Thin jails can more easily share common resources such as libraries and binaries with the host system. This can potentially lead to more efficient disk caching and improved performance for applications within the jail. |
| 132 |
|
132 |
|
| 133 |
Disadvantages of Thin Jails: |
133 |
Disadvantages of Thin Jails: |
|
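Review bot: the corrected summary at new line 124 ("replicates a substantial portion, but not all, of the base system") contradicts the context line above the hunk ("Only a minimal subset of base system is duplicated for each thin jail") and the Resource Efficiency bullet at line 128 ("they share most of the base system"). Suggest "a FreeBSD Thin Jail is a type of FreeBSD Jail that shares most of the base system with the host and duplicates only a minimal subset of it within the isolated environment", so that the isolation caveat at lines 121-122 follows directly from the definition.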
Lines 157-177
The purpose of a Linux Jail is to facilitate the execution of Linux software on
|
| 157 |
[[host-configuration]] |
157 |
[[host-configuration]] |
| 158 |
== Host Configuration |
158 |
== Host Configuration |
| 159 |
|
159 |
|
| 160 |
Before creating any jail on the host system it is necessary to perform certain configurations and obtain some information from the host system. |
160 |
Before creating any jail on the host system it is necessary to perform certain configuration and obtain some information from the host system. |
| 161 |
|
161 |
|
| 162 |
It will be necessary to configure the man:jail[8] utility, create the necessary directories to configure and install the jails, obtain information from the host's network and check if the host uses OpenZFS or UFS as file system. |
162 |
It will be necessary to configure the man:jail[8] utility, create the necessary directories to configure and install jails, obtain information from the host's network, and check whether the host uses OpenZFS or UFS as its file system. |
| 163 |
|
163 |
|
| 164 |
[TIP] |
164 |
[TIP] |
| 165 |
==== |
165 |
==== |
| 166 |
The FreeBSD version running in the jail can not be newer that the version running in the host |
166 |
The FreeBSD version running in the jail can not be newer that the version running in the host. |
| 167 |
==== |
167 |
==== |
| 168 |
|
168 |
|
| 169 |
[[host-configuration-jail-Utility]] |
169 |
[[host-configuration-jail-utility]] |
| 170 |
=== Jail Utility |
170 |
=== Jail Utility |
| 171 |
|
171 |
|
| 172 |
The man:jail[8] utility manages jails. |
172 |
The man:jail[8] utility manages jails. |
| 173 |
|
173 |
|
| 174 |
To start the jails when the system boots, run the following commands: |
174 |
To start jails when the system boots, run the following commands: |
| 175 |
|
175 |
|
| 176 |
[source,shell] |
176 |
[source,shell] |
| 177 |
.... |
177 |
.... |
|
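Review bot: new line 166 only gains a full stop and keeps the typo "can not be newer that the version"; it should read "cannot be newer than the version running on the host." Also, the anchor at line 169 changes case from host-configuration-jail-Utility to host-configuration-jail-utility, so any <<host-configuration-jail-Utility>> cross-reference elsewhere in the file needs the same change or the link breaks.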
Lines 181-187
To start the jails when the system boots, run the following commands:
|
| 181 |
|
181 |
|
| 182 |
[TIP] |
182 |
[TIP] |
| 183 |
==== |
183 |
==== |
| 184 |
With `jail_parallel_start` all configured jails will be started in the background. |
184 |
With `jail_parallel_start`, all configured jails will be started in the background. |
| 185 |
==== |
185 |
==== |
| 186 |
|
186 |
|
| 187 |
[[jails-networking]] |
187 |
[[jails-networking]] |
|
Lines 204-210
man:netgraph[4] is a versatile kernel framework for creating custom network conf
|
| 204 |
It can be used to define how network traffic flows between jails and the host system and between different jails. |
204 |
It can be used to define how network traffic flows between jails and the host system and between different jails. |
| 205 |
|
205 |
|
| 206 |
[[host-configuration-directories]] |
206 |
[[host-configuration-directories]] |
| 207 |
=== Setting up the Jail Directory Tree |
207 |
=== Setting Up the Jail Directory Tree |
| 208 |
|
208 |
|
| 209 |
There is no specific place to put the files for the jails. |
209 |
There is no specific place to put the files for the jails. |
| 210 |
|
210 |
|
|
Lines 217-223
Apart from [.filename]#/usr/local/jails# other directories will be created:
|
| 217 |
* [.filename]#templates# will contain the templates when using Thin Jails. |
217 |
* [.filename]#templates# will contain the templates when using Thin Jails. |
| 218 |
* [.filename]#containers# will contain the jails. |
218 |
* [.filename]#containers# will contain the jails. |
| 219 |
|
219 |
|
| 220 |
When using OpenZFS, execute the following commands to create the dataset: |
220 |
When using OpenZFS, execute the following commands to create datasets for these directories: |
| 221 |
|
221 |
|
| 222 |
[source,shell] |
222 |
[source,shell] |
| 223 |
.... |
223 |
.... |
|
Lines 245-251
When using UFS, execute the following commands to create the directories:
|
| 245 |
[[jail-configuration-files]] |
245 |
[[jail-configuration-files]] |
| 246 |
=== Jail Configuration Files |
246 |
=== Jail Configuration Files |
| 247 |
|
247 |
|
| 248 |
There are two ways to configure the jails. |
248 |
There are two ways to configure jails. |
| 249 |
|
249 |
|
| 250 |
The first one is to add an entry for each jail to the file [.filename]#/etc/jail.conf#. |
250 |
The first one is to add an entry for each jail to the file [.filename]#/etc/jail.conf#. |
| 251 |
The other option is to create a file for each jail in the directory [.filename]#/etc/jail.conf.d/#. |
251 |
The other option is to create a file for each jail in the directory [.filename]#/etc/jail.conf.d/#. |
|
Lines 286-298
jailname { <.>
|
| 286 |
<.> `exec.start` - Command(s) to run in the jail environment when a jail is created. A typical command to run is "/bin/sh /etc/rc". |
286 |
<.> `exec.start` - Command(s) to run in the jail environment when a jail is created. A typical command to run is "/bin/sh /etc/rc". |
| 287 |
<.> `exec.stop` - Command(s) to run in the jail environment before a jail is removed. A typical command to run is "/bin/sh /etc/rc.shutdown". |
287 |
<.> `exec.stop` - Command(s) to run in the jail environment before a jail is removed. A typical command to run is "/bin/sh /etc/rc.shutdown". |
| 288 |
<.> `exec.consolelog` - A file to direct command output (stdout and stderr) to. |
288 |
<.> `exec.consolelog` - A file to direct command output (stdout and stderr) to. |
| 289 |
<.> `allow.raw_sockets` - Allow to create raw sockets. Setting this parameter allows utilities like man:ping[8] and man:traceroute[8] to operate inside the jail. |
289 |
<.> `allow.raw_sockets` - Allow creating raw sockets inside the jail. Setting this parameter allows utilities like man:ping[8] and man:traceroute[8] to operate inside the jail. |
| 290 |
<.> `exec.clean` - Run commands in a clean environment. |
290 |
<.> `exec.clean` - Run commands in a clean environment. |
| 291 |
<.> `mount.devfs` - Mount a man:devfs[5] filesystem on the chrooted [.filename]#/dev# directory, and apply the ruleset in the devfs_ruleset parameter to restrict the devices visible inside the jail. |
291 |
<.> `mount.devfs` - Mount a man:devfs[5] filesystem on the chrooted [.filename]#/dev# directory, and apply the ruleset in the devfs_ruleset parameter to restrict the devices visible inside the jail. |
| 292 |
<.> `host.hostname` - The hostname of the jail. |
292 |
<.> `host.hostname` - The hostname of the jail. |
| 293 |
<.> `path` - The directory which is to be the root of the jail. Any commands run inside the jail, either by jail or from man:jexec[8], are run from this directory. |
293 |
<.> `path` - The directory which is to be the root of the jail. Any commands that are run inside the jail, either by jail or from man:jexec[8], are run from this directory. |
| 294 |
<.> `ip4.addr` - IPv4 address. There are two configuration possibilities for IPv4, the first is to establish an IP or a list of IPs as has been done in the example. The other is to use `ip4` instead and set the `inherit` value to inherit the host's IP address. |
294 |
<.> `ip4.addr` - IPv4 address. There are two configuration possibilities for IPv4. The first is to establish an IP or a list of IPs as has been done in the example. The other is to use `ip4` instead and set the `inherit` value to inherit the host's IP address. |
| 295 |
<.> `ip6.addr` - IPv6 address. There are two configuration possibilities for IPv6, the first is to establish an IP or a list of IPs as has been done in the example. The other is to use `ip6` instead and set the `inherit` value to inherit the host's IP address. |
295 |
<.> `ip6.addr` - IPv6 address. There are two configuration possibilities for IPv6. The first is to establish an IP or a list of IPs as has been done in the example. The other is to use `ip6` instead and set the `inherit` value to inherit the host's IP address. |
| 296 |
<.> `interface` - A network interface to add the jail's IP addresses. Usually the host interface. |
296 |
<.> `interface` - A network interface to add the jail's IP addresses. Usually the host interface. |
| 297 |
|
297 |
|
| 298 |
More information about configuration variables can be found in man:jail[8] and man:jail.conf[5]. |
298 |
More information about configuration variables can be found in man:jail[8] and man:jail.conf[5]. |
|
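Review bot: line 296 is still missing the trailing preposition: "A network interface to add the jail's IP addresses to." Two smaller points in the same callout list: line 293 should use man:jail[8] rather than bare "jail", matching man:jexec[8] in the same sentence, and line 295 says ip6 inherits "the host's IP address" where "IPv6 address" is meant. Since line 289 documents a permission being granted rather than a default, consider stating explicitly that allow.raw_sockets only needs to be set when ping or traceroute are actually required inside the jail.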
Lines 306-312
They can be managed more or less like a normal host system and updated independe
|
| 306 |
[[creating-classic-jail]] |
306 |
[[creating-classic-jail]] |
| 307 |
=== Creating a Classic Jail |
307 |
=== Creating a Classic Jail |
| 308 |
|
308 |
|
| 309 |
In principle, a jail only needs a hostname, a root directory, an IP address and a userland. |
309 |
In principle, a jail only needs a hostname, a root directory, an IP address, and a userland. |
| 310 |
|
310 |
|
| 311 |
The userland for the jail can be obtained from the official FreeBSD download servers. |
311 |
The userland for the jail can be obtained from the official FreeBSD download servers. |
| 312 |
|
312 |
|
|
Lines 317-325
Execute the following command to download the userland:
|
| 317 |
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz |
317 |
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz |
| 318 |
.... |
318 |
.... |
| 319 |
|
319 |
|
| 320 |
Once the download is complete it will be necessary to extract the contents into the jail directory. |
320 |
Once the download is complete, it will be necessary to extract the contents into the jail directory. |
| 321 |
|
321 |
|
| 322 |
Execute the following commands to extract the userland into jail's directory: |
322 |
Execute the following commands to extract the userland into the jail's directory: |
| 323 |
|
323 |
|
| 324 |
[source,shell] |
324 |
[source,shell] |
| 325 |
.... |
325 |
.... |
|
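Review bot: the fetch at line 317 downloads base.txz but nothing in the procedure checks its integrity before it is extracted with tar and later patched with freebsd-update; suggest adding a step that compares the archive's SHA256 against the MANIFEST file published in the same release directory on download.freebsd.org before the extraction step. The same applies to the identical fetch commands at lines 410 and 514 in the thin jail sections.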
Lines 327-333
Execute the following commands to extract the userland into jail's directory:
|
| 327 |
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/containers/classic --unlink |
327 |
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/containers/classic --unlink |
| 328 |
.... |
328 |
.... |
| 329 |
|
329 |
|
| 330 |
With the userland extracted in the jail directory, will be necessary to copy the timezone and the DNS servers files: |
330 |
With the userland extracted in the jail directory, it will be necessary to copy the timezone and DNS server files: |
| 331 |
|
331 |
|
| 332 |
[source,shell] |
332 |
[source,shell] |
| 333 |
.... |
333 |
.... |
|
Lines 335-349
With the userland extracted in the jail directory, will be necessary to copy the
|
| 335 |
# cp /etc/localtime /usr/local/jails/containers/classic/etc/localtime |
335 |
# cp /etc/localtime /usr/local/jails/containers/classic/etc/localtime |
| 336 |
.... |
336 |
.... |
| 337 |
|
337 |
|
| 338 |
With the files moved the next thing to do is update to the latest patch level executing the following command: |
338 |
With the files copied, the next thing to do is update to the latest patch level by executing the following command: |
| 339 |
|
339 |
|
| 340 |
[source,shell] |
340 |
[source,shell] |
| 341 |
.... |
341 |
.... |
| 342 |
# freebsd-update -b /usr/local/jails/containers/classic/ fetch install |
342 |
# freebsd-update -b /usr/local/jails/containers/classic/ fetch install |
| 343 |
.... |
343 |
.... |
| 344 |
|
344 |
|
| 345 |
The last step will be to configure it. |
345 |
The last step is to configure the jail. |
| 346 |
It will be necessary to add an entry to the configuration file [.filename]#/etc/jail.conf# or in [.filename]#jail.conf.d# with the data of the jail. |
346 |
It will be necessary to add an entry to the configuration file [.filename]#/etc/jail.conf# or in [.filename]#jail.conf.d# with the parameters of the jail. |
| 347 |
|
347 |
|
| 348 |
An example would be the following: |
348 |
An example would be the following: |
| 349 |
|
349 |
|
|
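Review bot: line 346 refers to [.filename]#jail.conf.d# without its path, while line 251 introduces the directory as [.filename]#/etc/jail.conf.d/#; use the full path here (and at lines 454 and 611, which repeat the sentence) so readers do not look for jail.conf.d relative to the jail directory. The "moved" to "copied" fix at line 338 is correct, since line 335 uses cp.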
Lines 370-376
classic {
|
| 370 |
} |
370 |
} |
| 371 |
.... |
371 |
.... |
| 372 |
|
372 |
|
| 373 |
And then execute the following command to start the jail: |
373 |
Execute the following command to start the jail: |
| 374 |
|
374 |
|
| 375 |
[source,shell] |
375 |
[source,shell] |
| 376 |
.... |
376 |
.... |
|
Lines 382-402
More information on how to manage jails can be found in the section <<jail-manag
|
| 382 |
[[thin-jail]] |
382 |
[[thin-jail]] |
| 383 |
== Thin Jails |
383 |
== Thin Jails |
| 384 |
|
384 |
|
| 385 |
Although the Thin Jails use the same technology, the creation is different. |
385 |
Although Thin Jails use the same technology as Thick Jails, the creation procedure is different. |
| 386 |
Thin jails can be created using OpenZFS snapshots or using templates and NullFS. |
386 |
Thin jails can be created using OpenZFS snapshots or using templates and NullFS. |
| 387 |
The use of OpenZFS snapshots and templates using NullFS have certain advantages over classic jails, |
387 |
The use of OpenZFS snapshots and templates using NullFS have certain advantages over classic jails, |
| 388 |
such as being able to create them faster from snapshots or being able to update multiple jails using NullFS. |
388 |
such as being able to create them faster from snapshots or being able to update multiple jails using NullFS. |
| 389 |
|
389 |
|
| 390 |
[[creating-thin-jail-openzfs-snapshots]] |
390 |
[[creating-thin-jail-openzfs-snapshots]] |
| 391 |
=== Creating a Thin Jail using OpenZFS Snapshots |
391 |
=== Creating a Thin Jail Using OpenZFS Snapshots |
| 392 |
|
392 |
|
| 393 |
Due to the good integration between FreeBSD and OpenZFS it is very easy to create new Thin Jails using OpenZFS Snapshots. |
393 |
Due to the good integration between FreeBSD and OpenZFS it is very easy to create new Thin Jails using OpenZFS Snapshots. |
| 394 |
|
394 |
|
| 395 |
To create a Thin Jail using OpenZFS Snapshots the first step will be to create a template. |
395 |
To create a Thin Jail using OpenZFS Snapshots the first step is to create a template. |
| 396 |
|
396 |
|
| 397 |
The templates will only be used to create new jails, for this reason they are created in "read-only" mode, in order to create jails easily with an immutable base. |
397 |
Templates will only be used to create new jails. |
|
|
398 |
For this reason they are created in "read-only" mode so that jails are created with an immutable base. |
| 398 |
|
399 |
|
| 399 |
To create the dataset to save the template execute the following command: |
400 |
To create the dataset for the template, execute the following command: |
| 400 |
|
401 |
|
| 401 |
[source,shell] |
402 |
[source,shell] |
| 402 |
.... |
403 |
.... |
|
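Review bot: lines 387-388 are unchanged but carry a number-agreement error: "The use of OpenZFS snapshots and templates using NullFS have certain advantages" should be "has certain advantages". While in this hunk, lines 393 and 395 each need a comma after the introductory clause ("Due to the good integration between FreeBSD and OpenZFS, it is very easy ..." and "To create a Thin Jail using OpenZFS Snapshots, the first step ..."). Splitting old line 397 into new lines 397-398 reads well.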
Lines 410-423
Then execute the following command to download the userland:
|
| 410 |
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz |
411 |
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz |
| 411 |
.... |
412 |
.... |
| 412 |
|
413 |
|
| 413 |
Once the download is complete it will be necessary to extract the contents in the template directory executing the following command: |
414 |
Once the download is complete, it will be necessary to extract the contents in the template directory by executing the following command: |
| 414 |
|
415 |
|
| 415 |
[source,shell] |
416 |
[source,shell] |
| 416 |
.... |
417 |
.... |
| 417 |
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE --unlink |
418 |
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE --unlink |
| 418 |
.... |
419 |
.... |
| 419 |
|
420 |
|
| 420 |
With the userland extracted in the templates directory, it will be necessary to copy the timezone and the DNS servers files to the template directory executing the following command: |
421 |
With the userland extracted in the templates directory, it will be necessary to copy the timezone and DNS server files to the template directory by executing the following command: |
| 421 |
|
422 |
|
| 422 |
[source,shell] |
423 |
[source,shell] |
| 423 |
.... |
424 |
.... |
|
Lines 425-457
With the userland extracted in the templates directory, it will be necessary to
|
| 425 |
# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE/etc/localtime |
426 |
# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE/etc/localtime |
| 426 |
.... |
427 |
.... |
| 427 |
|
428 |
|
| 428 |
The next thing to do is update to the latest patch level executing the following command: |
429 |
The next thing to do is update to the latest patch level by executing the following command: |
| 429 |
|
430 |
|
| 430 |
[source,shell] |
431 |
[source,shell] |
| 431 |
.... |
432 |
.... |
| 432 |
# freebsd-update -b /usr/local/jails/templates/13.2-RELEASE/ fetch install |
433 |
# freebsd-update -b /usr/local/jails/templates/13.2-RELEASE/ fetch install |
| 433 |
.... |
434 |
.... |
| 434 |
|
435 |
|
| 435 |
Once the update is finished the template will be ready. |
436 |
Once the update is finished, the template is ready. |
| 436 |
|
437 |
|
| 437 |
To create the OpenZFS Snapshot from the template execute the following command: |
438 |
To create an OpenZFS Snapshot from the template, execute the following command: |
| 438 |
|
439 |
|
| 439 |
[source,shell] |
440 |
[source,shell] |
| 440 |
.... |
441 |
.... |
| 441 |
# zfs snapshot zroot/jails/templates/13.2-RELEASE@base |
442 |
# zfs snapshot zroot/jails/templates/13.2-RELEASE@base |
| 442 |
.... |
443 |
.... |
| 443 |
|
444 |
|
| 444 |
Once the OpenZFS Snapshot has been created infinite jails can be created using the OpenZFS clone function. |
445 |
Once the OpenZFS Snapshot has been created, infinite jails can be created using the OpenZFS clone function. |
| 445 |
|
446 |
|
| 446 |
To create a Thin Jail named `thinjail` execute the following command: |
447 |
To create a Thin Jail named `thinjail`, execute the following command: |
| 447 |
|
448 |
|
| 448 |
[source,shell] |
449 |
[source,shell] |
| 449 |
.... |
450 |
.... |
| 450 |
# zfs clone zroot/jails/templates/13.2-RELEASE@base zroot/jails/containers/thinjail |
451 |
# zfs clone zroot/jails/templates/13.2-RELEASE@base zroot/jails/containers/thinjail |
| 451 |
.... |
452 |
.... |
| 452 |
|
453 |
|
| 453 |
The last step is to configure it. |
454 |
The last step is to configure the jail. |
| 454 |
It will be necessary to add an entry to the configuration file [.filename]#/etc/jail.conf# or in [.filename]#jail.conf.d# with the data of the jail. |
455 |
It will be necessary to add an entry to the configuration file [.filename]#/etc/jail.conf# or in [.filename]#jail.conf.d# with the parameters of the jail. |
| 455 |
|
456 |
|
| 456 |
An example would be the following: |
457 |
An example would be the following: |
| 457 |
|
458 |
|
|
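Review bot: "infinite jails" at new line 445 overstates; "any number of jails" is accurate. Because every jail created at line 451 is a zfs clone of the @base snapshot taken at line 442, the text should also say that this snapshot must be kept (or a clone promoted) for as long as any jail depends on it; destroying the template snapshot to reclaim space would break every thin jail cloned from it.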
Lines 478-484
thinjail {
|
| 478 |
} |
479 |
} |
| 479 |
.... |
480 |
.... |
| 480 |
|
481 |
|
| 481 |
And then execute the following command to start the jail: |
482 |
Execute the following command to start the jail: |
| 482 |
|
483 |
|
| 483 |
[source,shell] |
484 |
[source,shell] |
| 484 |
.... |
485 |
.... |
|
Lines 488-497
And then execute the following command to start the jail:
|
| 488 |
More information on how to manage jails can be found in the section <<jail-management>>. |
489 |
More information on how to manage jails can be found in the section <<jail-management>>. |
| 489 |
|
490 |
|
| 490 |
[[creating-thin-jail-nullfs]] |
491 |
[[creating-thin-jail-nullfs]] |
| 491 |
=== Creating a Thin Jail using NullFS |
492 |
=== Creating a Thin Jail Using NullFS |
| 492 |
|
493 |
|
| 493 |
Combining Thin Jails and NullFS, a jail can be created with reduced duplication of system files by using Thin Jail techniques, |
494 |
A jail can be created with reduced duplication of system files by using the Thin Jail technique and using NullFS to selectively share specific directories from the host system into the jail. |
| 494 |
and use NullFS to selectively share specific directories from the host system into the jail. |
|
|
| 495 |
|
495 |
|
| 496 |
The first step is to create the dataset to save the template, execute the following command if using OpenZFS: |
496 |
The first step is to create the dataset to save the template, execute the following command if using OpenZFS: |
| 497 |
|
497 |
|
|
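Review bot: line 496 is unchanged and is a comma splice: "The first step is to create the dataset to save the template, execute the following command if using OpenZFS:". Suggest "The first step is to create the dataset for the template. If using OpenZFS, execute the following command:", matching the phrasing adopted at new line 400. The merge of old lines 493-494 into new line 494 is an improvement.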
Lines 514-527
Then execute the following command to download the userland:
|
| 514 |
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz |
514 |
# fetch https://download.freebsd.org/ftp/releases/amd64/amd64/13.2-RELEASE/base.txz -o /usr/local/jails/media/13.2-RELEASE-base.txz |
| 515 |
.... |
515 |
.... |
| 516 |
|
516 |
|
| 517 |
Once the download is complete it will be necessary to extract the contents in the template directory executing the following command: |
517 |
Once the download is complete, it will be necessary to extract the contents in the template directory by executing the following command: |
| 518 |
|
518 |
|
| 519 |
[source,shell] |
519 |
[source,shell] |
| 520 |
.... |
520 |
.... |
| 521 |
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE-base --unlink |
521 |
# tar -xf /usr/local/jails/media/13.2-RELEASE-base.txz -C /usr/local/jails/templates/13.2-RELEASE-base --unlink |
| 522 |
.... |
522 |
.... |
| 523 |
|
523 |
|
| 524 |
Once the userland is extracted n the templates directory, it will be necessary to copy the timezone and the DNS servers files to the template directory executing the following command: |
524 |
Once the userland is extracted in the templates directory, it will be necessary to copy the timezone and DNS server files to the template directory by executing the following command: |
| 525 |
|
525 |
|
| 526 |
[source,shell] |
526 |
[source,shell] |
| 527 |
.... |
527 |
.... |
|
Lines 529-535
Once the userland is extracted n the templates directory, it will be necessary t
|
| 529 |
# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE-base/etc/localtime |
529 |
# cp /etc/localtime /usr/local/jails/templates/13.2-RELEASE-base/etc/localtime |
| 530 |
.... |
530 |
.... |
| 531 |
|
531 |
|
| 532 |
With the files moved to the template, the next thing to do is update to the latest patch level executing the following command: |
532 |
With the files moved to the template, the next thing to do is update to the latest patch level by executing the following command: |
| 533 |
|
533 |
|
| 534 |
[source,shell] |
534 |
[source,shell] |
| 535 |
.... |
535 |
.... |
|
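Review bot: new line 532 still says "With the files moved to the template" although line 529 copies them with cp; for consistency with the fix applied at line 338 ("With the files copied"), change "moved" to "copied" here as well.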
Lines 569-575
Execute the following commands to create the directories:
|
| 569 |
# mv /usr/local/jails/templates/13.2-RELEASE-base/root /usr/local/jails/templates/13.2-RELEASE-skeleton/root |
569 |
# mv /usr/local/jails/templates/13.2-RELEASE-base/root /usr/local/jails/templates/13.2-RELEASE-skeleton/root |
| 570 |
.... |
570 |
.... |
| 571 |
|
571 |
|
| 572 |
The next step will be to create the symlinks to the `skeleton` by executing the following commands: |
572 |
The next step is to create the symlinks to the `skeleton` by executing the following commands: |
| 573 |
|
573 |
|
| 574 |
[source,shell] |
574 |
[source,shell] |
| 575 |
.... |
575 |
.... |
|
Lines 585-591
The next step will be to create the symlinks to the `skeleton` by executing the
|
| 585 |
|
585 |
|
| 586 |
With the `skeleton` ready, it will be necessary to copy the data to the jail directory. |
586 |
With the `skeleton` ready, it will be necessary to copy the data to the jail directory. |
| 587 |
|
587 |
|
| 588 |
In case of using OpenZFS, the OpenZFS snapshots will be a good ally to create as many jails as necessary by executing the following commands: |
588 |
In case of using OpenZFS, OpenZFS snapshots can be used to easily create as many jails as necessary by executing the following commands: |
| 589 |
|
589 |
|
| 590 |
[source,shell] |
590 |
[source,shell] |
| 591 |
.... |
591 |
.... |
|
Lines 593-599
In case of using OpenZFS, the OpenZFS snapshots will be a good ally to create as
|
| 593 |
# zfs clone zroot/jails/templates/13.2-RELEASE-skeleton@base zroot/jails/containers/thinjail |
593 |
# zfs clone zroot/jails/templates/13.2-RELEASE-skeleton@base zroot/jails/containers/thinjail |
| 594 |
.... |
594 |
.... |
| 595 |
|
595 |
|
| 596 |
In case of using UFS the man:cp[1] program can be used executing the following commands: |
596 |
In case of using UFS the man:cp[1] program can be used by executing the following commands: |
| 597 |
|
597 |
|
| 598 |
[source,shell] |
598 |
[source,shell] |
| 599 |
.... |
599 |
.... |
|
Lines 608-614
Then create the directory in which the base template and the skeleton will be mo
Link Here
|
| 608 |
# mkdir -p /usr/local/jails/thinjail-nullfs-base |
608 |
# mkdir -p /usr/local/jails/thinjail-nullfs-base |
| 609 |
.... |
609 |
.... |
| 610 |
|
610 |
|
| 611 |
Add the jail entry in [.filename]#/etc/jail.conf# as follows: |
611 |
Add a jail entry in [.filename]#/etc/jail.conf# or a file in [.filename]#jail.conf.d# as follows: |
| 612 |
|
612 |
|
| 613 |
[.programlisting] |
613 |
[.programlisting] |
| 614 |
.... |
614 |
.... |
|
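Review bot: the new wording on line 611, "or a file in [.filename]#jail.conf.d#", gives only a relative directory name, while every other path in this chapter is spelled out in full (for example [.filename]#/etc/jail.conf# in the same sentence). Give the full path of the directory so the reader knows where the file goes, and use the same spelling in the Destroy a Jail section below, which repeats the phrase.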
Lines 644-650
Then the create the [.filename]#/usr/local/jails/thinjail-nullfs-base.fstab# fil
Link Here
|
| 644 |
/usr/local/jails/containers/thinjail /usr/local/jails/thinjail-nullfs-base/skeleton nullfs rw 0 0 |
644 |
/usr/local/jails/containers/thinjail /usr/local/jails/thinjail-nullfs-base/skeleton nullfs rw 0 0 |
| 645 |
.... |
645 |
.... |
| 646 |
|
646 |
|
| 647 |
Then the jail can be started as usual: |
647 |
Execute the following command to start the jail: |
| 648 |
|
648 |
|
| 649 |
[source,shell] |
649 |
[source,shell] |
| 650 |
.... |
650 |
.... |
|
Lines 654-662
Then the jail can be started as usual:
Link Here
|
| 654 |
[[creating-vnet-jail]] |
654 |
[[creating-vnet-jail]] |
| 655 |
=== Creating a VNET Jail |
655 |
=== Creating a VNET Jail |
| 656 |
|
656 |
|
| 657 |
FreeBSD VNET Jails have its own distinct networking stack, including interfaces, IP addresses, routing tables and firewall rules. |
657 |
FreeBSD VNET Jails have their own distinct networking stack, including interfaces, IP addresses, routing tables, and firewall rules. |
| 658 |
|
658 |
|
| 659 |
The first step will be to create the man:bridge[4] executing the following command: |
659 |
The first step to create a VNET jail is to create the man:bridge[4] by executing the following command: |
| 660 |
|
660 |
|
| 661 |
[source,shell] |
661 |
[source,shell] |
| 662 |
.... |
662 |
.... |
|
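Review bot: style point on line 659: "The first step to create a VNET jail is to create the man:bridge[4]" uses "create" twice in one clause; "The first step in creating a VNET jail is to create the man:bridge[4] by executing the following command:" reads more naturally.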
Lines 670-683
The output should be similar to the following:
Link Here
|
| 670 |
bridge0 |
670 |
bridge0 |
| 671 |
.... |
671 |
.... |
| 672 |
|
672 |
|
| 673 |
With the `bridge` already created, it will be necessary to attach it to the `em0` interface by executing the following commands: |
673 |
With the `bridge` created, it will be necessary to attach it to the `em0` interface by executing the following command: |
| 674 |
|
674 |
|
| 675 |
[source,shell] |
675 |
[source,shell] |
| 676 |
.... |
676 |
.... |
| 677 |
# ifconfig bridge0 addm em0 |
677 |
# ifconfig bridge0 addm em0 |
| 678 |
.... |
678 |
.... |
| 679 |
|
679 |
|
| 680 |
To make this setting persist across reboots add the following lines to [.filename]#/etc/rc.conf#: |
680 |
To make this setting persist across reboots, add the following lines to [.filename]#/etc/rc.conf#: |
| 681 |
|
681 |
|
| 682 |
[.programlisting] |
682 |
[.programlisting] |
| 683 |
.... |
683 |
.... |
|
Lines 686-698
cloned_interfaces="bridge0"
Link Here
|
| 686 |
ifconfig_bridge0="inet 192.168.1.150/24 addm em0 up" |
686 |
ifconfig_bridge0="inet 192.168.1.150/24 addm em0 up" |
| 687 |
.... |
687 |
.... |
| 688 |
|
688 |
|
| 689 |
With the bridge already created, the next step will be to create the jail as indicated above. |
689 |
The next step is to create the jail as indicated above. |
| 690 |
|
690 |
|
| 691 |
Either the <<classic-jail>> procedure and the <<thin-jail>> procedure can be used, the only thing that will change will be the configuration of the [.filename]#/etc/jail.conf# file. |
691 |
Either the <<classic-jail>> procedure and the <<thin-jail>> procedure can be used. |
|
|
692 |
The only thing that will change is the configuration in the [.filename]#/etc/jail.conf# file. |
| 692 |
|
693 |
|
| 693 |
The path [.filename]#/usr/local/jails/containers/vnet# will be used as an example for the created jail. |
694 |
The path [.filename]#/usr/local/jails/containers/vnet# will be used as an example for the created jail. |
| 694 |
|
695 |
|
| 695 |
This configuration for the VNET jail will be used as an example: |
696 |
The following is an example configuration for a VNET jail: |
| 696 |
|
697 |
|
| 697 |
[.programlisting] |
698 |
[.programlisting] |
| 698 |
.... |
699 |
.... |
|
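Review bot: line 691 still reads "Either the <<classic-jail>> procedure and the <<thin-jail>> procedure can be used." "Either ... and" is ungrammatical; since the line is being split in this change anyway, make it "Either the <<classic-jail>> procedure or the <<thin-jail>> procedure can be used."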
Lines 740-748
vnet {
Link Here
|
| 740 |
[[creating-linux-jail]] |
741 |
[[creating-linux-jail]] |
| 741 |
=== Creating a Linux Jail |
742 |
=== Creating a Linux Jail |
| 742 |
|
743 |
|
| 743 |
FreeBSD can run Linux inside a jail using the crossref:linuxemu[linuxemu,Linux Binary Compatibility] and man:debootstrap[8]. |
744 |
FreeBSD can run Linux inside a jail using crossref:linuxemu[linuxemu,Linux Binary Compatibility] and man:debootstrap[8]. |
| 744 |
Jails do not have a kernel, they run on the host's kernel. |
745 |
Jails do not have a kernel. |
| 745 |
Therefore it is necessary to enable the Linux Binary Compatibility in the host system. |
746 |
They run on the host's kernel. |
|
|
747 |
Therefore it is necessary to enable Linux Binary Compatibility in the host system. |
| 746 |
|
748 |
|
| 747 |
To enable the Linux ABI at boot time, execute the following command: |
749 |
To enable the Linux ABI at boot time, execute the following command: |
| 748 |
|
750 |
|
|
Lines 759-767
Once enabled, it can be started without rebooting by executing the following com
Link Here
|
| 759 |
.... |
761 |
.... |
| 760 |
|
762 |
|
| 761 |
The next step will be to create a jail as indicated above, for example in <<creating-thin-jail-openzfs-snapshots>>, but *without* performing the configuration. |
763 |
The next step will be to create a jail as indicated above, for example in <<creating-thin-jail-openzfs-snapshots>>, but *without* performing the configuration. |
| 762 |
The FreeBSD Linux jails require a specific configuration that will be detailed below. |
764 |
FreeBSD Linux jails require a specific configuration that will be detailed below. |
| 763 |
|
765 |
|
| 764 |
Once the machine has been created as explained above, execute the following command to perform some configurations to the machine and start it: |
766 |
Once the jail has been created as explained above, execute the following command to perform required configuration for the jail and start it: |
| 765 |
|
767 |
|
| 766 |
[source,shell] |
768 |
[source,shell] |
| 767 |
.... |
769 |
.... |
|
Lines 785-791
Once the machine has been created as explained above, execute the following comm
Link Here
|
| 785 |
enforce_statfs=1 |
787 |
enforce_statfs=1 |
| 786 |
.... |
788 |
.... |
| 787 |
|
789 |
|
| 788 |
Then it will be necesary to access the jail to install package:sysutils/debootstrap[]. |
790 |
To access the jail, it will be necessary to install package:sysutils/debootstrap[]. |
| 789 |
|
791 |
|
| 790 |
Execute the following command to access the FreeBSD Linux jail: |
792 |
Execute the following command to access the FreeBSD Linux jail: |
| 791 |
|
793 |
|
|
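Review bot: the rewrite of line 788 inverts the logic. The original says the jail must be entered in order to install package:sysutils/debootstrap[]; the new sentence "To access the jail, it will be necessary to install package:sysutils/debootstrap[]" says the opposite, and contradicts lines 790-799, where the jail is entered with `jexec` first and debootstrap is installed from inside it. Suggest keeping the original meaning and fixing only the typo: "Then it will be necessary to access the jail to install package:sysutils/debootstrap[]."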
Lines 794-800
Execute the following command to access the FreeBSD Linux jail:
Link Here
|
| 794 |
# jexec -u root ubuntu |
796 |
# jexec -u root ubuntu |
| 795 |
.... |
797 |
.... |
| 796 |
|
798 |
|
| 797 |
Inside the jail execute the following commands to install package:sysutils/debootstrap[] and prepare the Ubuntu environment: |
799 |
Inside the jail, execute the following commands to install package:sysutils/debootstrap[] and prepare the Ubuntu environment: |
| 798 |
|
800 |
|
| 799 |
[source,shell] |
801 |
[source,shell] |
| 800 |
.... |
802 |
.... |
|
Lines 852-858
Then the jail can be started as usual with the following command:
Link Here
|
| 852 |
# service jail start ubuntu |
854 |
# service jail start ubuntu |
| 853 |
.... |
855 |
.... |
| 854 |
|
856 |
|
| 855 |
And access to the Ubuntu environment using the following command: |
857 |
The Ubuntu environment can be accessed using the following command: |
| 856 |
|
858 |
|
| 857 |
[source,shell] |
859 |
[source,shell] |
| 858 |
.... |
860 |
.... |
|
Lines 864-876
More information can be found in the chapter crossref:linuxemu[linuxemu,Linux Bi
Link Here
|
| 864 |
[[jail-management]] |
866 |
[[jail-management]] |
| 865 |
== Jail Management |
867 |
== Jail Management |
| 866 |
|
868 |
|
| 867 |
Once the jail is created, there are a number of operations that can be performed like starting, rebooting or deleting the jail, installing software in it, etc. |
869 |
Once the jail is created, there are a number of operations that can be performed, like starting, rebooting or deleting the jail, installing software in it, etc. |
| 868 |
In this section the different actions that can be done with the jails created in the host will be described. |
870 |
In this section the different actions that can be done with jails from the host will be described. |
| 869 |
|
871 |
|
| 870 |
[[list-running-jails]] |
872 |
[[list-running-jails]] |
| 871 |
=== List Running Jails |
873 |
=== List Running Jails |
| 872 |
|
874 |
|
| 873 |
To list the different jails that are running on the host system, the command man:jls[8] can be used: |
875 |
To list the jails that are running on the host system, the command man:jls[8] can be used: |
| 874 |
|
876 |
|
| 875 |
[source,shell] |
877 |
[source,shell] |
| 876 |
.... |
878 |
.... |
|
Lines 900-906
The output should be similar to the following:
Link Here
|
| 900 |
.... |
902 |
.... |
| 901 |
|
903 |
|
| 902 |
[[start-jail]] |
904 |
[[start-jail]] |
| 903 |
=== Start, Restart and Stop a Jail |
905 |
=== Start, Restart, and Stop a Jail |
| 904 |
|
906 |
|
| 905 |
man:service[8] is used to start, reboot, or stop a jail on the host. |
907 |
man:service[8] is used to start, reboot, or stop a jail on the host. |
| 906 |
|
908 |
|
|
Lines 916-963
Change the `start` argument to `restart` or `stop` to perform other actions on t
Link Here
|
| 916 |
[[destroy-jail]] |
918 |
[[destroy-jail]] |
| 917 |
=== Destroy a Jail |
919 |
=== Destroy a Jail |
| 918 |
|
920 |
|
| 919 |
Destroying a jail is not as simple as stopping the jail using man:service[8], removing the jail directory and the [.filename]#/etc/jail.conf# entry. |
921 |
Destroying a jail is not as simple as stopping the jail using man:service[8] and removing the jail directory and [.filename]#/etc/jail.conf# entry. |
| 920 |
|
922 |
|
| 921 |
FreeBSD takes system security very seriously. |
923 |
FreeBSD takes system security very seriously. |
| 922 |
For this reason there are certain files that not even the root user can delete. |
924 |
For this reason there are certain files that not even the root user can delete. |
| 923 |
This functionality is known as File Flags. |
925 |
This functionality is known as File Flags. |
| 924 |
|
926 |
|
| 925 |
The first step will be to stop the desired jail executing the following command: |
927 |
The first step is to stop the desired jail executing the following command: |
| 926 |
|
928 |
|
| 927 |
[source,shell] |
929 |
[source,shell] |
| 928 |
.... |
930 |
.... |
| 929 |
# service jail stop jailname |
931 |
# service jail stop jailname |
| 930 |
.... |
932 |
.... |
| 931 |
|
933 |
|
| 932 |
The second step will be to remove these flags with man:chflags[1] executing the following command, in which `classic` is the name of the jail to remove: |
934 |
The second step is to remove these flags with man:chflags[1] by executing the following command, in which `classic` is the name of the jail to remove: |
| 933 |
|
935 |
|
| 934 |
[source,shell] |
936 |
[source,shell] |
| 935 |
.... |
937 |
.... |
| 936 |
# chflags -R 0 /usr/local/jails/classic |
938 |
# chflags -R 0 /usr/local/jails/classic |
| 937 |
.... |
939 |
.... |
| 938 |
|
940 |
|
| 939 |
The third step will be to delete the directory where the jail was: |
941 |
The third step is to delete the directory where the jail was: |
| 940 |
|
942 |
|
| 941 |
[source,shell] |
943 |
[source,shell] |
| 942 |
.... |
944 |
.... |
| 943 |
# rm -rf /usr/local/jails/classic |
945 |
# rm -rf /usr/local/jails/classic |
| 944 |
.... |
946 |
.... |
| 945 |
|
947 |
|
| 946 |
Finally, it will be necessary to remove the jail entry in the file [.filename]#/etc/jail.conf#. |
948 |
Finally, it will be necessary to remove the jail entry in [.filename]#/etc/jail.conf# or in [.filename]#jail.conf.d#. |
| 947 |
|
949 |
|
| 948 |
[[handle-packages-jail]] |
950 |
[[handle-packages-jail]] |
| 949 |
=== Handle Packages in a Jail |
951 |
=== Handle Packages in a Jail |
| 950 |
|
952 |
|
| 951 |
The man:pkg[8] tool supports the `-j` argument in order to handle packages installed inside the jail. |
953 |
The man:pkg[8] tool supports the `-j` argument in order to handle packages installed inside the jail. |
| 952 |
|
954 |
|
| 953 |
For example, to install package:nginx-lite[] in the jail, the next command will be executed *from the host*: |
955 |
For example, to install package:nginx-lite[] in the jail, the next command can be executed *from the host*: |
| 954 |
|
956 |
|
| 955 |
[source,shell] |
957 |
[source,shell] |
| 956 |
.... |
958 |
.... |
| 957 |
# pkg -j classic install nginx-lite |
959 |
# pkg -j classic install nginx-lite |
| 958 |
.... |
960 |
.... |
| 959 |
|
961 |
|
| 960 |
For more information on working with packages on FreeBSD see the chapter // TODO: Link to the chapter |
962 |
For more information on working with packages in FreeBSD, see crossref:ports[ports,"Installing Applications: Packages and Ports"]. |
| 961 |
|
963 |
|
| 962 |
[[access-jail]] |
964 |
[[access-jail]] |
| 963 |
=== Access a Jail |
965 |
=== Access a Jail |
|
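Review bot: line 925 in the new text, "The first step is to stop the desired jail executing the following command:", is missing "by" before "executing", unlike the parallel line 932, which this change corrects to "by executing". Also, the stop command on line 929 uses the placeholder `jailname` while lines 932-943 use `classic` for the same jail; using `classic` in all three steps would make them read as one procedure.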
Lines 974-980
The jail can be entered by running man:jexec[8] from the host:
Link Here
|
| 974 |
When gaining access to the jail, the message configured in man:motd[5] will be displayed. |
976 |
When gaining access to the jail, the message configured in man:motd[5] will be displayed. |
| 975 |
|
977 |
|
| 976 |
[[execute-commands-jail]] |
978 |
[[execute-commands-jail]] |
| 977 |
=== Execute commands in a Jail |
979 |
=== Execute Commands in a Jail |
| 978 |
|
980 |
|
| 979 |
To execute a command from the host system in a jail the man:jexec[8] can be used. |
981 |
To execute a command from the host system in a jail the man:jexec[8] can be used. |
| 980 |
|
982 |
|
|
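Review bot: line 979 is unchanged but sits in a hunk being edited and could be cleaned up in the same pass: "To execute a command from the host system in a jail the man:jexec[8] can be used." needs a comma after "jail", and the article before the man page reference should go ("in a jail, man:jexec[8] can be used"), matching the "man:jls[8] can be used" wording in the List Running Jails section.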
Lines 995-1003
Upgrading FreeBSD Jails ensures that the isolated environments remain secure, up
Link Here
|
| 995 |
|
997 |
|
| 996 |
Jails *must be updated from the host* operating system. |
998 |
Jails *must be updated from the host* operating system. |
| 997 |
The default behavior in FreeBSD is to disallow the use of man:chflags[1] in a jail. |
999 |
The default behavior in FreeBSD is to disallow the use of man:chflags[1] in a jail. |
| 998 |
This will prevent the update of some fails so updating from withing the jail will fail. |
1000 |
This will prevent the update of some files so updating from withing the jail will fail. |
| 999 |
|
1001 |
|
| 1000 |
To update the jail to the latest patch release of the version of FreeBSD it is already running, execute the following commands on the host: |
1002 |
To update the jail to the latest patch release of the version of FreeBSD it is running, execute the following commands on the host: |
| 1001 |
|
1003 |
|
| 1002 |
[source,shell] |
1004 |
[source,shell] |
| 1003 |
.... |
1005 |
.... |
|
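Review bot: line 998 fixes "fails" to "files" but leaves the second typo in the same sentence: "updating from withing the jail will fail" should be "updating from within the jail will fail".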
Lines 1026-1033
For example to upgrade from 13.1-RELEASE to 13.2-RELEASE, execute the following
Link Here
|
| 1026 |
|
1028 |
|
| 1027 |
[NOTE] |
1029 |
[NOTE] |
| 1028 |
==== |
1030 |
==== |
| 1029 |
It is necessary to execute two times the `install` step. |
1031 |
It is necessary to execute the `install` step two times. |
| 1030 |
The first one to upgrade the kernel and the second one to the rest of the components. |
1032 |
The first one upgrades the kernel, and the second one upgrades the rest of the components. |
| 1031 |
==== |
1033 |
==== |
| 1032 |
|
1034 |
|
| 1033 |
Then, if it was a major version upgrade, reinstall all installed packages and restart the jail again. |
1035 |
Then, if it was a major version upgrade, reinstall all installed packages and restart the jail again. |
|
Lines 1042-1053
From the host:
Link Here
|
| 1042 |
.... |
1044 |
.... |
| 1043 |
|
1045 |
|
| 1044 |
[[upgrading-thin-jail]] |
1046 |
[[upgrading-thin-jail]] |
| 1045 |
=== Upgrading a Thin Jail using NullFS |
1047 |
=== Upgrading a Thin Jail Using NullFS |
| 1046 |
|
1048 |
|
| 1047 |
Since Thin Jails that use NullFS share the majority of system directories, they are very easy to update, it is enough to update the template. |
1049 |
Since Thin Jails that use NullFS share the majority of system directories, they are very easy to update. |
| 1048 |
This will allow to update multiple jails at the same time. |
1050 |
It is enough to update the template. |
|
|
1051 |
This allows updating multiple jails at the same time. |
| 1049 |
|
1052 |
|
| 1050 |
To update the template to the latest patch release of the version of FreeBSD it is already running, then execute the following commands on the host: |
1053 |
To update the template to the latest patch release of the version of FreeBSD it is running, execute the following commands on the host: |
| 1051 |
|
1054 |
|
| 1052 |
[source,shell] |
1055 |
[source,shell] |
| 1053 |
.... |
1056 |
.... |
|
Lines 1058-1064
To update the template to the latest patch release of the version of FreeBSD it
Link Here
|
| 1058 |
To upgrade the template to a new major or minor version, first upgrade the host system as described in crossref:cutting-edge[freebsdupdate-upgrade,"Performing Major and Minor Version Upgrades"]. |
1061 |
To upgrade the template to a new major or minor version, first upgrade the host system as described in crossref:cutting-edge[freebsdupdate-upgrade,"Performing Major and Minor Version Upgrades"]. |
| 1059 |
Once the host has been upgraded and rebooted, the template can then be upgraded. |
1062 |
Once the host has been upgraded and rebooted, the template can then be upgraded. |
| 1060 |
|
1063 |
|
| 1061 |
For example to upgrade from 13.1-RELEASE to 13.2-RELEASE, execute the following commands on the host: |
1064 |
For example, to upgrade from 13.1-RELEASE to 13.2-RELEASE, execute the following commands on the host: |
| 1062 |
|
1065 |
|
| 1063 |
[source,shell] |
1066 |
[source,shell] |
| 1064 |
.... |
1067 |
.... |
|
Lines 1069-1076
For example to upgrade from 13.1-RELEASE to 13.2-RELEASE, execute the following
Link Here
|
| 1069 |
# service jail restart |
1072 |
# service jail restart |
| 1070 |
.... |
1073 |
.... |
| 1071 |
|
1074 |
|
| 1072 |
[[jail-resources-limits]] |
1075 |
[[jail-resource-limits]] |
| 1073 |
== Jail Resources Limits |
1076 |
== Jail Resource Limits |
| 1074 |
|
1077 |
|
| 1075 |
Controlling the resources that a jail uses from the host system is a task to be taken into account by the system administrator. |
1078 |
Controlling the resources that a jail uses from the host system is a task to be taken into account by the system administrator. |
| 1076 |
|
1079 |
|
|
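Review bot: renaming the anchor on line 1072 from [[jail-resources-limits]] to [[jail-resource-limits]] breaks any crossref in this chapter or elsewhere in the handbook that still points at the old id, and any external link to the rendered section. Grep the documentation tree for the old id and update every reference in the same commit, or keep the old id and change only the heading text on line 1073.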
Lines 1081-1094
man:rctl[8] allows you to manage the resources that a jail can use from the host
Link Here
|
| 1081 |
The `kern.racct.enable` tunable must be enabled at [.filename]#/boot/loader.conf#. |
1084 |
The `kern.racct.enable` tunable must be enabled at [.filename]#/boot/loader.conf#. |
| 1082 |
==== |
1085 |
==== |
| 1083 |
|
1086 |
|
| 1084 |
The syntax to limit the resources of a jail would be: |
1087 |
The syntax to limit the resources of a jail is as follows: |
| 1085 |
|
1088 |
|
| 1086 |
[.programlisting] |
1089 |
[.programlisting] |
| 1087 |
.... |
1090 |
.... |
| 1088 |
rctl -a jail:<jailname>:resource:action=amount/percentage |
1091 |
rctl -a jail:<jailname>:resource:action=amount/percentage |
| 1089 |
.... |
1092 |
.... |
| 1090 |
|
1093 |
|
| 1091 |
For example, to limit the maximum RAM that a jail can access run the following command: |
1094 |
For example, to limit the maximum RAM that a jail can access, run the following command: |
| 1092 |
|
1095 |
|
| 1093 |
[source,shell] |
1096 |
[source,shell] |
| 1094 |
.... |
1097 |
.... |
|
Lines 1104-1114
jail:classic:memoryuse:deny=2G/jail
Link Here
|
| 1104 |
|
1107 |
|
| 1105 |
More information on resource limits can be found in the security chapter in the crossref:security[security-resourcelimits,"Resource Limits section"]. |
1108 |
More information on resource limits can be found in the security chapter in the crossref:security[security-resourcelimits,"Resource Limits section"]. |
| 1106 |
|
1109 |
|
| 1107 |
[[jail-managers-and-container]] |
1110 |
[[jail-managers-and-containers]] |
| 1108 |
== Jail Managers and Containers |
1111 |
== Jail Managers and Containers |
| 1109 |
|
1112 |
|
| 1110 |
As previously explained, the different FreeBSD Jails can be created and configured manually. |
1113 |
As previously explained, each type of FreeBSD Jail can be created and configured manually, but FreeBSD also has third-party utilities to make configuration and administration easier. |
| 1111 |
But FreeBSD has some third-party utilities to make configuration and administration easier. |
|
|
| 1112 |
|
1114 |
|
| 1113 |
Below is an incomplete list of the different FreeBSD Jail managers: |
1115 |
Below is an incomplete list of the different FreeBSD Jail managers: |
| 1114 |
|
1116 |
|
| 1115 |
- |
|
|
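Review bot: same concern as the resource-limits anchor: line 1107 renames [[jail-managers-and-container]] to [[jail-managers-and-containers]], so any existing crossref or external link to the old id stops resolving; check for references before landing, or keep the old id. The merged sentence on line 1110 is fine as written.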