# Best practice guide: managing jails



## trutlze (Aug 5, 2014)

Hi,

I'm searching for a best practice guide considering jail-management (create, update, ...). The only requirement is that it should work without FreeBSD sources. ZFS can be involved.

There is ezjail for instance. But it is not possible (to my knowledge) to update ezjail-managed jails totally and cleanly with binary updates. There are ezjail solutions, but they use mergemaster() or etcupdate() and therefore need /usr/src.

How do people manage tons of jails?

Regards,
trutlze


----------



## fonz (Aug 5, 2014)

trutlze said:

> How do people manage tons of jails?


For what it's worth: I mostly use a somewhat customised variant of the approach listed in the Handbook for a common read-only part.
I usually create the first jail (and the skeleton) from the install media. No sources required. No `make buildworld`, `make installworld` and `make distribution`, just `tar xfp {base,games,...}.txz`.
I update the jails by mounting the read-only part read-write for one jail (typically a build jail if there is one) and running freebsd-update from the outside with -b. Of course I'd have to manually update any files in other jails' /etc, /root and /var, but that's such a rare occasion that I don't mind having to do that.

Obviously, this only applies to systems running a -RELEASE version of FreeBSD. But then again, tracking -STABLE or -CURRENT requires a complete source tree and you indicated you didn't want that, so I'll assume you're using -RELEASE only.

And yes, it might be a bit more laborious than using e.g. ezjail, but I'm okay with that because it allows finer control over exactly what's going on.


----------



## trutlze (Aug 5, 2014)

Thanks for your answer.

Are you referring to this article? To get it right: when upgrading you have to do freebsd-update for each jail? Does this mean fetch and install for each jail? To me this wouldn't be very comfortable.


----------



## fonz (Aug 5, 2014)

trutlze said:

> Are you referring to this article?


As said, I use some slight variations here and there, but that's essentially it, yes.

trutlze said:

> To get it right: when upgrading you have to do freebsd-update for each jail? Does this mean fetch and install for each jail?


Nah, not really. Most updates done by freebsd-update tend to involve the shared read-only part of the jails, so it needs to be done only once: (re)mount the shared part read-write in one jail and update that one. Just be sure to check whether freebsd-update changes anything that every jail has its own copy of. This is rarely (if ever) something in /usr/local, /tmp, /root or /var, which only leaves /etc and even that doesn't happen too often.


----------
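
An added example, not part of any post in this thread: one way to do the check fonz describes, i.e. finding out which per-jail `/etc` files still need attention after the shared part has been updated once. The function name `etc_drift` and all paths are hypothetical; it assumes you kept a copy of the updated jail's `/etc` from before the update.

```shell
#!/bin/sh
# Assumed (hypothetical) layout:
#   OLD  = copy of the update jail's /etc taken before the update
#   NEW  = the update jail's /etc after the update
#   JAIL = another jail's private /etc
#
# The update step itself happens on the host beforehand, for example
# (paths are placeholders):
#   cp -Rp /jails/build/etc /var/tmp/etc.before
#   freebsd-update -b /jails/build fetch install

# etc_drift OLD NEW JAIL
# Prints one line per file that the update changed or added and that the
# given jail does not yet have in its new form:
#   stale   <path>   jail copy equals the old version; safe to replace
#   merge   <path>   jail copy was modified locally; merge by hand
#   missing <path>   file does not exist in this jail
etc_drift() {
    old=$1 new=$2 jail=$3
    (cd "$new" && find . -type f | sort) | while IFS= read -r f; do
        f=${f#./}
        # Skip files the update did not touch.
        if [ -f "$old/$f" ] && cmp -s "$old/$f" "$new/$f"; then
            continue
        fi
        if [ ! -f "$jail/$f" ]; then
            echo "missing $f"
        elif cmp -s "$jail/$f" "$new/$f"; then
            continue    # jail already has the updated file
        elif [ -f "$old/$f" ] && cmp -s "$jail/$f" "$old/$f"; then
            echo "stale $f"
        else
            echo "merge $f"
        fi
    done
}

# Usage (placeholder paths):
#   etc_drift /var/tmp/etc.before /jails/build/etc /jails/www/etc
```

Run it once per jail; an empty result means that jail's `/etc` needs nothing after the shared update.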



## trutlze (Aug 5, 2014)

fonz said:

> Most updates done by freebsd-update tend to involve the shared read-only part of the jails, so it needs to be done only once: (re)mount the shared part read-write in one jail and update that one. Just be sure to check whether freebsd-update changes anything that every jail has its own copy of. This is rarely (if ever) something in /usr/local, /tmp, /root or /var, which only leaves /etc and even that doesn't happen too often.


So if you checked whether anything that every jail has its own copy of has changed, and something has changed, does this lead to freebsd-update fetch and install in each jail afterwards?


----------

