# Some Jail related questions



## Beeblebrox (Feb 12, 2012)

*Base Jail:* When populating the base Jail with world, some tools use the existing world on host, but handbook instructions are:
`# make buildworld installworld DESTDIR=/wherever`
- Is the difference just that the latter would be a more current world?
- What is the difference between make distribution vs make installworld?
- I don't want man pages, games, etc in my Jail - how can I disable the build for those?
- Would it be unwise to disable the build of clang since I use gcc42 to build world - I have not seen anything using clang for build other than clang itself.
- What advantage does zfs' jailed setting offer?
- What do you use to manage your jails? I looked at warden & qjail but ezjail looks more promising.

*Thin client/diskless:* This is one of the uses I plan for the Jail structure with root, dhcp + nfs/tftp in separate jail.
- Do you prefer tftp or nfs for shared root - and why?
- I plan 3 more jails for webserver, mysql, simplegroupware on amd64 server, while clients need a 386 kernel and world. I therefore need to have 2 base jails, right? I am thinking of keeping the 386 jail in image format (as a file).
- I am planning "ultra-thin" clients with access to only a web browser. All office (spreadsheet, word), bookmarking and file sharing will be done from simplegroupware. Internet browsing? Well, the browser... The jail housing sgw will only have a browser, maybe 3-4 more apps installed (sgw pulls in java). What desktop do you suggest? Even e17 is too luxurious for this setup.
- How should I set up flash for the above? Same jail as sgw I presume? What about lpd (printing)?

Long list, I know - and your input is appreciated.


----------



## kpa (Feb 12, 2012)

Installworld is just the binaries, libraries and static data, distribution is the configuration files (initial version of master.passwd for example) and rc(8) scripts.


----------



## ecazamir (Feb 12, 2012)

A jail is designed for one thing, a diskless configuration is for another. 
A jailed process (or set of processes) is running under the same kernel as the host, with some restrictions. A diskless client is a distinct machine, using whatever image the system admin wants to run, depending on at least one bootp/dhcp server and one NFS server. A large diskless network may run different images on different clients. Most FreeBSD diskless configurations need dhcp + tftp + NFS to start.
*make distribution* will probably overwrite existing configuration files in the target location, *mergemaster* may be a better tool to update existing jails.


----------



## Beeblebrox (Feb 13, 2012)

Thank you both for your comments and input.

@ecazamir:


> A jail is designed for one thing, a diskless configuration is for another


Yes, I know that - It's just that the diskless questions are related to the jail issue because I plan on running the diskless environment from inside its separate jail - most likely to be an image file mounted with mdconfig(8).


> Most FreeBSD diskless configurations need dhcp + tftp + NFS


OK, it seems I mis-read the Handbook chapter about this and all 3 services are needed.


> mergemaster may be a better tool to update existing jails


I plan on using something like warden, qjail or ezjail for updates, as I have no jails created yet.


----------



## ecazamir (Feb 13, 2012)

Beeblebrox said:

> I plan on running the diskless environment from inside its separate jail - most likely to be an image file mounted with mdconfig(8).



What advantages do you have using this setup? The diskless client should access files via NFS, I assume a proper privilege setup on the tftp and NFS servers will suffice, along with a jailed dhcpd process.
Using the term 'jail' without a restricted process on the same machine running the jail does not make sense to me. Do you name 'jail' a filesystem hierarchy?


----------



## Beeblebrox (Feb 13, 2012)

> Do you name 'jail' a filesystem hierarchy


Certainly not; from man ezjail:


> There are also file-based jails, in which the storage space for the jail is kept in a file mounted with mdconfig(8).  There are two advantages to image jails. The amount of disk space allocated to the jail is limited, while normal jails have no bound on the amount of disk space they use. On the other hand, the space dedicated to the jail is no longer available to the host, even if the jail doesn't use all its allocated space. In addition, image jails contain a full copy of the basejail. This makes them portable between hosts running the same FreeBSD version as the image was created with.  Of course, the jail now needs to be updated independently from all other jails, and there is no longer any sharing of common files between the jails.
> Image jails may also be encrypted using bde(4) or geli(8), depending on the options given at creation time.



Also: http://forums.freebsd.org/showthread.php?t=23136


----------



## ecazamir (Feb 13, 2012)

I never installed sysutils/ezjail, the 'image jail' concept is not too familiar to me.
Anyway, I see your primary concern is a disk space constraint, which can be achieved on a per-user basis using quotas and NFS, with or without file-based filesystems mounted with mdconfig.
And yes, what you name 'jail' is a constrained filesystem, exported to diskless clients. Those clients do not run jailed (in the way described by jail(8)) on their own hardware, they run without any restrictions. Someone on the diskless client may run any executable file without any jail(8) specific restrictions.
A jailed process, running on a 'jail host' has several limitations regarding networking, filesystem access and more, which your diskless clients won't have in the way intended by using jail(8).
EDIT: IMO, running a jailed desktop on a diskless client is a too complicated setup with too little benefit.


----------



## Beeblebrox (Feb 18, 2012)

Some testing results for jail managers (warden - qjail - ezjail)
Warden - does not work and even worse, PC-BSD works through a windows-like Registry System, so warden sets up a registry infrastructure (not something I'm so sure I want on my system)
Qjail - PM'ed the port maintainer and his response states *a)* does not work on *9* due to ftp structure change for ver later than *8* and b) qjail does not seem to have the option to populate the base jail from an already built world. While certain work-arounds exist, they fail on *9*.
ezjail: Well that's the choice then. To populate from already made buildworld use below where *b* is build, *i* is source is ready.
`# ezjail-admin update -b -i`
Separate ezjail-admin discussion here: http://forums.freebsd.org/showthread.php?t=29914


----------



## Beeblebrox (Feb 18, 2012)

@ecazamir: I see what you mean here, a valid point:


> what you name 'jail' is a constrained filesystem, exported to diskless clients. Those clients do not run jailed (in the way described by jail(8)) on their own hardware, they run without any restrictions. Someone on the diskless client may run any executable file without any jail(8) specific restrictions


But I disagree with this:


> IMO, running a jailed desktop on a diskless client is a too complicated setup with too little benefit.


The reasons are numerous: single point update-upgrades, maybe file sharing service which runs in the same jail, a jailed dhcp - tftp - nfs for the pxeboot process instead of running those services from host directly. The point is, if you are going to build jails for the other services, might as well place and boot the client from the environment which already exists.


----------



## ecazamir (Feb 19, 2012)

I agree with: single point upgrades (via jailed NFS + jailed DHCP + jailed TFTP on a server or two) to diskless clients.
But I'm not sure if your diskless clients really run jailed apps, eg: jailed KDE or jailed Gnome on FreeBSD. You can't run a diskless jailed linux, because linux is not jail-able (but a viable diskless OS choice).


----------



## Beeblebrox (Feb 19, 2012)

Planning hard-core TC's:


> - I am planning "ultra-thin" clients with access to only a web browser. All office (spreadsheet, word), bookmarking and file sharing will be done from simplegroupware. Internet browsing? Well, the browser... The jail housing sgw will only have a browser, maybe 3-4 more apps installed (sgw pulls in java). What desktop do you suggest? Even e17 is too luxurious for this setup.


The ONLY app the client gets is a web-browser. All apps (word, spreadsheet, mail) are provided through the browser interface - even the accounting guys use a browser frontend, mysql backend program.


> linux is not jail-able


I wonder if this will cause problems for clients who try to view flash based web pages? Hmmm..

Separate DHCP-in Jail discussion here: http://forums.freebsd.org/showthread.php?t=29934


----------



## Beeblebrox (Feb 19, 2012)

*why separate IP for each jail*

What is the logic behind one-IP-per-jail?
Why can't several jails share IP's if they are listening on different ports (NOT /src/ports)? They are sharing the NIC through alias anyway.


----------

