# Favorite 3rd-party jail management tools?



## spork (Jul 16, 2018)

I've been using ezjail for about as long as I can remember.  The main reasons for this are:


- ZFS integration - single command creates the jail and all dataset(s) needed, sets quotas (if desired)
- single command to create a jail, and generally no configuration files to manage on an ongoing basis
- shared "base" system, which originally was handy for saving space (and is again for cloud hosting or other limited disk space situations)
- shared "base" is handy for upgrades, upgrade from 1 to 100 jails in one fell swoop
- fairly sane configuration files if you need to override basics
- very flexible network configuration exposed in config files - easy to add multiple IPs, specify interface binding for IPs, etc.

Sadly, it seems like as the FreeBSD jail system has changed, ezjail hasn't - partially because there seem to be differences of opinions between those working on jails and the author of ezjail and it appears jails will continue to be less compatible with ezjail. This is a shame, as I feel like the author has some good points - comparing the jail() manpage to jail.conf() there are so many holes between what jail() offers and what's exposed in the rc system for it via jail.conf().  While you can certainly work around that, the workarounds are kind of silly (basically stuffing pre-exec/post-exec commands into jail.conf, which sort of defeats the purpose of some kind of configuration schema).

So, that said, what are other people using?  Oddly enough, ezjail is still offered up in the Handbook as an option (https://www.freebsd.org/doc/handbook/jails-ezjail.html), but I think that's just a delay.

In an ideal world either the project would have adopted something like ezjail into base to make jails easier to use or crafted a replacement, but I'm not holding my breath. 

I'm open to any options, but the short list of requirements would be:


- replicate all the ezjail benefits noted above
- not be qjail (the author stole ezjail and claimed it as his own: http://erdgeist.org/posts/2017/dont-piss-in-my-beer.html)
- not rely on much more than the base system to operate (no python, perl, php or any other nonsense - security-sensitive software should be simple)

Suggestions?


----------



## suntzu00 (Jul 16, 2018)

sysutils/cbsd 

Hey! Have a look at CBSD. I've been using it for about 2 years now with no problems.

https://www.bsdstore.ru/en/about.html


----------



## ShelLuser (Jul 16, 2018)

Well, this probably doesn't help you but when it comes to administrative tasks I prefer to automate the steps I need automated myself. If I need to automate them of course; although I do have a script which I use to add or remove a Jail the "cloning" part is still on my todo list because I don't think I'd ever use that feature myself.

Still, my point is basically that many people turn to premade automations for ease of use, but it's been my experience that the vanilla approach more often than not isn't all that difficult (or not that hard to learn) in order to customize that to meet your needs, for example by making a simple shell script to automate the steps you need taken.

As a result you'll be much more flexible and less dependent too.


----------



## spork (Jul 17, 2018)

suntzu00 said:


> sysutils/cbsd
> 
> Hey! Have a look at CBSD. I've been using it for about 2 years now with no problems.
> 
> https://www.bsdstore.ru/en/about.html



I was poking through their site last night - it's interesting.  Do you have any experience with the feature they mention that allows you to automate replication of jails to another host?  That feature, if I understand it correctly, would be incredibly useful for my situation.

The overall landscape seems a bit of a mess though - the version of iocage out there now is still marked as "beta" and doesn't have what used to be one of the more intriguing features - resource limits.  There's a fork of the "old" iocage, but I'm not sure of the state of that.

It kind of feels like a dozen people went out and tried to invent a cool new jail management setup and they split the users/devs amongst them and there just isn't a critical mass of users behind any of them, so they're all sort of stagnating.  CBSD does kind of seem to have momentum.


----------



## Chris_H (Jul 17, 2018)

ShelLuser said:


> Well, this probably doesn't help you but when it comes to administrative tasks I prefer to automate the steps I need automated myself. If I need to automate them of course; although I do have a script which I use to add or remove a Jail the "cloning" part is still on my todo list because I don't think I'd ever use that feature myself.
> 
> Still, my point is basically that many people turn to premade automations for ease of use, but it's been my experience that the vanilla approach more often than not isn't all that difficult (or not that hard to learn) in order to customize that to meet your needs, for example by making a simple shell script to automate the steps you need taken.
> 
> As a result you'll be much more flexible and less dependent too.


I just want to add a +1 here, ShelLuser!
Whipping up a jail(8) is really quite trivial, IMHO. I build out all my servers _beforehand_ by simply unpacking the desired version of the FreeBSD DVD into a folder, and call it a jail -- well, turn it into a jail.
After I initiate the jail(8) I pack it up

```
tar cvf - 12-CURRENT/ | xz -9e>./12-current-template.txz
```
following that. I cobble up my desired KERNCONF; `cd /usr/src && make kernel-toolchain`
followed by `make kernel KERNCONF=sumkernel`
Then it's off to build up all the (customized) packages I want on the target boxes.
This also works a treat for maintaining ports(7). I have essentially a virgin FreeBSD to test, create, or update packages on. So I know the results, as if I were any FreeBSD user trying out the port.
Honestly (no offense, spork) I don't understand the aversion to simply cobbling up a jail(8), and going that route. It's by far-and-away more flexible than _any_ of the so-called "convenience" jails.

That's my 2¢ anyway. 

--Chris

P.S. For your apparent usage, spork, you might find ports-mgmt/synth fits the bill, quite nicely.
But I strongly urge you to give jail(8) another chance.


----------
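An added example, not code from any poster in this thread: the "simple shell script" approach discussed above, as a base-system-only `sh` helper that validates its inputs and renders a jail.conf(5) stanza with an interface-bound address for a jail unpacked from a template. The `/usr/jails` root, the 32-character name limit, the interface name pattern and the 192.0.2.x address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: render a jail.conf(5) stanza using only base-system sh.
# JAIL_ROOT, interface names and addresses are constructed sample values.
LC_ALL=C; export LC_ALL
JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"

# The name becomes a path component and a jail.conf identifier, so allow
# only a leading letter followed by letters, digits or '_' (assumed policy).
valid_jail_name() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Dotted-quad check: exactly four numeric fields, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the stanza on stdout; refuse any input that fails validation so
# nothing unchecked is ever written into the configuration file.
render_jail_conf() {
    name=$1 iface=$2 addr=$3
    valid_jail_name "$name" || { echo "invalid jail name" >&2; return 1; }
    valid_ipv4 "$addr" || { echo "invalid IPv4 address" >&2; return 1; }
    case "$iface" in
        ''|*[!a-z0-9]*) echo "invalid interface" >&2; return 1 ;;
    esac
    cat <<EOF
$name {
    path = "$JAIL_ROOT/$name";
    host.hostname = "$name";
    ip4.addr = "$iface|$addr/32";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    devfs_ruleset = 4;
    securelevel = 2;
    enforce_statfs = 2;
}
EOF
}
```

Calling `render_jail_conf web01 em0 192.0.2.10 >> /etc/jail.conf` appends the stanza; a name such as `../etc` or an address such as `256.1.1.1` is rejected before anything is written.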

