jirib
July 18th, 2004, 11:01
Hi,
I'm thinking about setting up several full jails or various light/full jails, but I don't know what would be the best way to do it - such as jailing almost all daemons separately, and what to do if I'd like to update the same parts of several jails?

So I'd like to have this:

1. ssh, trusted users can ssh and use some progs (mutt, elinks, irssi, silc, ...).
They should be able to check their mail in ssh, i.e. via mutt.
They also have their web site.
2. scponly, untrusted users can only scp/sftp to their www dirs.
3. jailed postfix with mysql.
4. jailed apache, I'd like to have dirs somewhere out of the jail.

I was thinking about using nullfs to mount things such as www dirs in the apache jail... the same way for mounting www dirs into the jailed ssh...

Well, what about logging?... This scenario is for me; I'd like to collect all logs from all jails in one place.

What would be the best way, what to put in a jail, and how to share data between them?

If I have various jails, I'd like to make upgrading progs or all jails as easy as it could be.

Thanks for replies.

jirib

elmore
July 20th, 2004, 20:44
You know Soup4you2 is a jail god, perhaps he'd be able to help you out. I do think he's written up several docs on the subject as well.

soup4you2
July 20th, 2004, 21:03
OK, first, I could go on for days on ways to set up jails and ways of making a large network reside in 1 box.. for all the cool things there are also drawbacks.. as I'm sure you will discover when a new patch comes out so you have to do an installworld on 8 jails, portupgrade 8 jails and mergemaster those 8 jails.. so plan accordingly.. that's important.. some pre-reqs I strongly recommend you set up are NAT (preferably pf) and DNS.


1. ssh, trusted users can ssh and use some progs (mutt, elinks, irssi, silc, ...).
They should be able to check their mail in ssh, i.e. via mutt.
They also have their web site.
2. scponly, untrusted users can only scp/sftp to their www dirs.


This would have to be the same jail/subsystem since both reside on port 22.

Logging is simple since each jail can be treated as its own computer..

Read the jail manpage.. it talks a lot about setting them up.. but certain things (ahem samba..) just refuse to run inside a jail.. but read it.. play with it.. they're fun..

jirib
July 22nd, 2004, 21:25
Hi,
Well, I hope the "jail god" - Soup4you - could show some of his techniques :)

Anyway... I'd like to know what you would do if you CAN'T re-partition a disk for your jail. So, you have just one file system and you want to make a jail on that.

Of course you can make a dir for the jail, but you want this:

- /home, /var, /tmp with mount options like for a normal fs - such as noexec etc.
- manage the size of the whole jail - i.e. jail1 is 2 GB big, jail2 is 4 GB big

So my current view is this one:

- make the jail as a fs via the vnode driver; the file would be owned by some user who would be under quota
- inside a jail, move e.g. /var into /.var and then mount it as nullfs - mount -t null options /path/to/jail/.var /path/to/jail/var (this must be done in the host system as a jail can't manipulate mounts)
- due to nullfs you can use quotas in the jails' fs

Do you have a better solution? Is it possible to use nullfs inside a fs mounted as vnode?

Thanks for your help and ideas.

jirib
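The vnode-plus-nullfs plan from the post above, carried out as an added example that is not part of the thread: a host-side sh script for FreeBSD that creates the file-backed jail filesystem with mdconfig(8) and then nullfs-mounts /var, /tmp and /home back into the jail with restrictive options. The paths, image size, md unit and owner name are assumptions, and it assumes a base system has already been installed into the jail root before the remount step.

```shell
#!/bin/sh
# Added example (not from the thread): host-side setup of a jail on a
# vnode-backed filesystem, with /var, /tmp and /home nullfs-mounted back
# into the jail so each can carry its own noexec/nosuid/nodev options.
# Paths, sizes, md unit and owner are assumptions; adjust before use.
# DRYRUN=1 prints each command instead of running it.

JAIL_ROOT=${JAIL_ROOT:-/jails/jail1}
JAIL_IMG=${JAIL_IMG:-/jails/jail1.img}   # file the jail fs lives in
JAIL_SIZE=${JAIL_SIZE:-2g}               # bounds the whole jail at 2 GB
JAIL_OWNER=${JAIL_OWNER:-jail1}          # host user kept under quota
MD_UNIT=${MD_UNIT:-1}                    # /dev/md1 must be unused
DRYRUN=${DRYRUN:-0}

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: file-backed filesystem.  The image size caps the jail, and host
# quotas on JAIL_OWNER cap the image file itself.
create_jail_fs() {
    run truncate -s "$JAIL_SIZE" "$JAIL_IMG"
    run chown "$JAIL_OWNER" "$JAIL_IMG"
    run mdconfig -a -t vnode -f "$JAIL_IMG" -u "$MD_UNIT"
    run newfs -U "/dev/md$MD_UNIT"
    run mkdir -p "$JAIL_ROOT"
    run mount "/dev/md$MD_UNIT" "$JAIL_ROOT"
}

# Step 2: move a directory aside and nullfs-mount it back with its own
# options.  Runs on the host: a jail cannot mount anything itself.
# Assumes the base system is already installed under JAIL_ROOT.
#   $1 = directory relative to the jail root, $2 = mount options
remount_dir() {
    run mv "$JAIL_ROOT/$1" "$JAIL_ROOT/.$1"
    run mkdir -p "$JAIL_ROOT/$1"
    run mount -t nullfs -o "$2" "$JAIL_ROOT/.$1" "$JAIL_ROOT/$1"
}

setup_jail() {
    create_jail_fs
    remount_dir var noexec,nosuid
    remount_dir tmp noexec,nosuid,nodev
    remount_dir home nosuid,nodev
}

# "sh jail-fs.sh run" performs the setup; sourcing only defines functions.
case "${1:-}" in run) setup_jail ;; esac
```

Check the result with `mount` on the host: each nullfs line should show the options you passed, and the jail's /var, /tmp and /home should then refuse to execute binaries or honour setuid bits accordingly.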