2008/05/12

Last update 2007/12/31

How to Use Jail Tools - Some Recipes

A few hints and tips for using jail and JailTools (aka jail_tools).
  1. Shared Distfiles of the Ports
  2. Shared /usr from Jail Host
  3. Linux Compatibility Among Jails
  4. Keeping an overview
  5. Console for each Jail
  6. X11 for each Jail
Jail Tools Cookbook
1. Shared Distfiles of the Ports
You may like to share the /usr/ports/distfiles from the host to all its jails.

You can achieve this with:

 mkdir -p /usr/jails/192.168.0.100/usr/ports/distfiles 
 mount -t null /usr/ports/distfiles /usr/jails/192.168.0.100/usr/ports/distfiles 

If you keep the distfiles on another machine, just mount them via NFS:

 mount nfs-server:/usr/ports/distfiles /usr/jails/192.168.0.100/usr/ports/distfiles 

2. Shared /usr from Jail Host

You can save 90% of the disk usage of a plain jail (approx. 16MB instead of 180MB) by sharing the /usr from the jail-host:

 cd /opt/jails/192.168.0.100; 
 rm -rf usr; mkdir usr 
 mount -t null -o ro /usr /opt/jails/192.168.0.100/usr 

You also need to change the /etc/rc.conf of each jail with a shared /usr slightly:

 local_startup="" 

This stops the jails from looking for startup scripts in /usr/local/etc/rc.d (of the jail-host).

jail_install takes the argument -light, which does all the steps described above; jail_start and jail_stop then mount and umount /usr for you.

Important Note: The jail_root (defined in /usr/local/etc/jail.conf) must lie outside /usr (so not /usr/jails, but /opt or something else); otherwise mount -t null won't work, as it requires distinct paths (paths which are not part of each other).

I created a dedicated slice (/opt/) on my jail-host which only hosts the jails:

 /dev/ad0s1a on / (ufs, local) 
 /dev/ad0s1e on /var (ufs, local, soft-updates) 
 /dev/ad0s1f on /tmp (ufs, local, soft-updates) 
 /dev/ad0s1g on /usr (ufs, local, soft-updates) 
 /dev/ad0s1h on /opt (ufs, NFS exported, local, soft-updates) 
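
The distinct-paths rule from the Important Note, written as a pre-flight check before the read-only null mount. This is an added example, not part of JailTools or the original page; the function names are hypothetical and the comparison is textual, so symlinks are not resolved.

```sh
#!/bin/sh
# Added example (not part of JailTools): pre-flight check for the shared-/usr recipe.
# A null mount needs distinct paths: neither path may be part of the other.

# Collapse repeated slashes and drop a trailing slash (textual only, no symlinks).
norm_path() {
    printf '%s\n' "$1" | sed -e 's|//*|/|g' -e 's|\(.\)/$|\1|'
}

# Return 0 if path $1 equals path $2 or lies below it, compared per component.
is_within() {
    child=$(norm_path "$1"); parent=$(norm_path "$2")
    if [ "$parent" = "/" ]; then return 0; fi
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if jail_root $1 and the shared tree $2 (default /usr) do not overlap.
jail_root_ok() {
    if is_within "$1" "${2:-/usr}" || is_within "${2:-/usr}" "$1"; then
        return 1
    fi
    return 0
}

# Print (do not run) the read-only null mount for jail $2 under jail_root $1.
plan_light_usr() {
    root=$(norm_path "$1")
    if ! jail_root_ok "$root" /usr; then
        echo "refusing: $root and /usr are not distinct paths" >&2
        return 1
    fi
    echo "mount -t null -o ro /usr $root/$2/usr"
}

plan_light_usr /opt/jails 192.168.0.100          # accepted
plan_light_usr /usr/jails 192.168.0.100 || true  # refused: lies inside /usr
```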

3. Linux Compatibility Among Jails

Install the linux_base and null-mount the /compat dir:

 cd /usr/ports/compat/linux_base; make install clean 
 mount -t null /compat/ /usr/jails/192.168.0.100/compat/ 
 mount -t linprocfs linprocfs /usr/jails/192.168.0.100/compat/linux/proc 

and in /etc/rc.conf (host and its jails) add:

 linux_enable="YES" 

4. Keeping an overview

You can literally run dozens of jails on your host; use jail_ps to see which ones are running. Since mount gives a lengthy, unsorted output, use

 mount | sort  

As mentioned before, check also the fbsd_jails WebGUI we developed, which gives an easy interface to install, start, stop, and deinstall jails.
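
Going one step beyond mount | sort, the following added example (not part of JailTools) filters mount output down to the null mounts inside the jail tree and flags any host /usr that is shared without the read-only option used in recipe 2. The sample mount lines are constructed, the function names are hypothetical, and both "null" and "nullfs" are accepted as the type name.

```sh
#!/bin/sh
# Added example (not part of JailTools): audit null mounts below the jail root.

# Constructed sample in the style of FreeBSD `mount` output (not from a real host).
sample_mounts() {
cat <<'EOF'
/dev/ad0s1g on /usr (ufs, local, soft-updates)
/dev/ad0s1h on /opt (ufs, NFS exported, local, soft-updates)
/usr on /opt/jails/192.168.0.100/usr (null, local, read-only)
/usr on /opt/jails/192.168.0.101/usr (null, local)
/usr/ports/distfiles on /opt/jails/192.168.0.100/usr/ports/distfiles (null, local)
/compat on /opt/jails/192.168.0.101/compat (null, local)
linprocfs on /opt/jails/192.168.0.101/compat/linux/proc (linprocfs, local)
EOF
}

# audit_null_mounts JAIL_ROOT: read mount output on stdin and print
# "<ro|rw> <FLAG|ok> <source> <mountpoint>" for each null mount below JAIL_ROOT.
audit_null_mounts() {
    awk -v root="$1" '
    {
        # Expected shape: SRC on DST (type, opt, ...)
        if (!match($0, / \([^()]*\)$/)) next
        opts = substr($0, RSTART + 2, RLENGTH - 3)
        head = substr($0, 1, RSTART - 1)
        i = index(head, " on ")
        if (i == 0) next
        src = substr(head, 1, i - 1); dst = substr(head, i + 4)
        n = split(opts, o, /, */)
        if (o[1] != "null" && o[1] != "nullfs") next
        if (index(dst, root "/") != 1) next
        mode = "rw"
        for (k = 2; k <= n; k++) if (o[k] == "read-only") mode = "ro"
        # Host /usr exposed writable to a jail is the case to catch.
        flag = (src == "/usr" && mode == "rw") ? "FLAG" : "ok"
        print mode, flag, src, dst
    }' | sort -k4
}

sample_mounts | audit_null_mounts /opt/jails   # on a host: mount | audit_null_mounts /opt/jails
```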

5. Console for each Jail

I figured using screen (misc/screen) does the best job. Make a screenrc (e.g. /root/jscreenrc) with lines like:

 screen -t alpha 0 jail_start alpha /etc/rc.jail 
 screen -t beta 1 jail_start beta /etc/rc.jail 
 screen -t gamma 2 jail_start gamma /etc/rc.jail 
 ... 

and call

 screen -c /root/jscreenrc 

as root. You then have one terminal running multiple jails and their logins, and you can switch screens with C-n or C-p (C = Control). Check man screen for details about this useful tool.

...
Initial rc.i386 initialization:.
Additional ABI support:.
Additional TCP options:.

Mon Feb  9 11:40:41 CET 2004

FreeBSD/i386 (alpha) (ttypf)

login: 

6. X11 for each Jail

I needed to test complex package installs (e.g. X11, KDE, OpenOffice etc.) on each jail (several versions, and patches applied). Two different approaches are explored:

Xvnc
 JailTools supports VNC-based X11-server virtualization using Xvnc: you can define a jail to have an X11 server attached. README.x11 contains the installation details. Once installed, you can define a line like this in jail.conf:

 jailconfig_alpha="ip 192.168.0.100 x11 800x600 depth 24" 

Then install a light installation (shared /usr, read-only) and start it:

 jail_install -light alpha 
 jail_start alpha /etc/rc 

Make sure rlogin is enabled in /etc/inetd.conf of the jail.

To check whether Xvnc is running, call:

 vncviewer alpha:0 

and then you should see the empty X11 screen of the jail "alpha".

Then log in to it:

 rlogin alpha 
 Password:****** 
 setenv DISPLAY :0.0 
 xterm & 

The main advantage of Xvnc over other approaches is that multiple viewers can attach to the same (shared) Xvnc screen, e.g. for roaming.

NOTE: By default Xvnc is called without authentication, so no password is required to connect. Don't use it when your jail is reachable from the Internet; use this feature solely in a trusted intranet environment.
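
One way to see which jails the NOTE applies to, as an added example that is not part of JailTools: list every jail.conf entry carrying the x11 keyword and mark addresses outside RFC 1918 private space. It assumes each jail uses the single-line jailconfig_<name>="..." form shown above; the function names and sample entries are constructed.

```sh
#!/bin/sh
# Added example (not part of JailTools): find jails that start the unauthenticated
# Xvnc server and mark those whose address is outside RFC 1918 private space.

# Constructed jail.conf entries in the jailconfig_<name>="..." form shown above.
sample_conf() {
cat <<'EOF'
jailconfig_alpha="ip 192.168.0.100 x11 800x600 depth 24"
jailconfig_beta="ip 192.168.0.101"
jailconfig_gamma="ip 203.0.113.10 x11 1024x768 depth 16"
# jailconfig_delta="ip 10.0.0.5 x11 800x600 depth 24"
EOF
}

# Return 0 if $1 is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read jail.conf on stdin; print "<name> <ip> <private|PUBLIC>" for each x11 jail.
x11_jails() {
    sed -n 's/^jailconfig_\([A-Za-z0-9_]*\)="\(.*\)".*$/\1 \2/p' |
    while read -r name rest; do
        ip=""; x11=no
        set -- $rest                      # split the value into words
        while [ $# -gt 0 ]; do
            case $1 in
                ip)  if [ $# -ge 2 ]; then ip=$2; shift; fi ;;
                x11) x11=yes ;;
            esac
            shift
        done
        [ "$x11" = yes ] || continue
        if is_rfc1918 "$ip"; then echo "$name $ip private"
        else echo "$name $ip PUBLIC"; fi
    done
}

sample_conf | x11_jails   # on a host: x11_jails < /usr/local/etc/jail.conf
```

A PUBLIC mark is a prompt to check how the jail is reachable, and a private mark still depends on the intranet being trusted.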

Xnest
 Another approach to attach X11 to a jail, though not sharable, is to use Xnest:

 cd /usr/ports/x11-servers/XFree86-4-NestServer/; make install 

When your jail-host is also your desktop (which I do not recommend):

 Xnest :1.0 -geometry 800x600 

If your jail-host is another machine, on the desktop:

 xhost +jail-host 

On the jail-host:

 setenv DISPLAY desktop:0.0 
 Xnest :1.0 -geometry 800x600 

X11 clients
 Within the jail (with X11-clients installed):

 xterm -display jail-host:1.0 

or as example with KDE:

 setenv DISPLAY jail-host:1.0 
 xterm & 
 startkde 

Example (screenshot): on my desktop (not the jail-host), two jails with their Xnest displays, both running KDE-3.1.3.

                                                                                                                                   


All Rights Reserved - (C) 1997 - 2008 by The Labs.Com
