# jail utility management for UFS system



## fred974 (Oct 20, 2016)

Hi,

I have a 4G Ram, 80GB disk VPS.
I have installed FreeBSD 11 with gpt / UFS file system.
In my other server running zfs, I use /sysutils/iocage to manage the jail.
Question: can /sysutils/iocage be used for a UFS system?
Am I better off using /sysutils/ezjail in this situation?

Thank you


----------



## SirDice (Oct 20, 2016)

At the moment neither is a good choice actually. IOCage seems to have gone AWOL. They're supposedly busy rewriting it but that was announced quite some time ago and there hasn't been much movement since. EZJail will produce a bunch of error messages on 11.0, it's using old jail configurations which have been deprecated.


----------



## Remington (Oct 20, 2016)

SirDice said:


> EZJail will produce a bunch of error messages on 11.0, it's using old jail configurations which have been deprecated.



That's true, but there's a workaround by using /etc/jail.conf and disabling `ezjail_enable="YES"` in /etc/rc.conf. ezjail is still useful for managing jails with create, destroy, upgrade and console. Hopefully it'll be updated for FreeBSD 11; otherwise I might look into sysutils/cbsd.


----------



## hukadan (Oct 20, 2016)

SirDice said:


> there hasn't been much movement since



There were some movements on GitHub here and there at the beginning of September. There is a question mark in the "IT'S ALIVE" statement in the commit message though. To be continued I suppose...


----------



## vejnovic (Oct 20, 2016)

I'm currently migrating from sysutils/ezjail to sysutils/cbsd in preparation for upgrading my system to FreeBSD 11.
For now I'm very happy with sysutils/cbsd.


----------



## fred974 (Oct 20, 2016)

Cool, thank you guys. It looks like sysutils/cbsd it is.
How easy is it to use/configure? My experience is with ezjail and iocage.


----------



## vejnovic (Oct 20, 2016)

fred974 said:


> How easy is it to use/configure?


Just look at some tutorials at https://www.bsdstore.ru/en/tutorial.html


----------



## Oko (Oct 20, 2016)

SirDice said:


> EZJail will produce a bunch of error messages on 11.0, it's using old jail configurations which have been deprecated.


So maybe wblock@ can tell us why the ezjail section has not been removed from the FreeBSD handbook for the 11.0 release? This is a recurring pattern with the FreeBSD community, who like to brag so much about great documentation yet can't update the handbook for the major release. IMHO the handbook should not contain any information about third party software like ezjail which is a moving target. More importantly, any inaccuracies should be fixed or updated, or the entire sections should be removed from the Handbook if there is no manpower to maintain it. FreeBSD is not Red Hat nor Ubuntu and no amount of posturing will mask the fact that BSD(s) community(ies) is/are minuscule.

Before anybody jumps on me: yes, I am contemplating contributing to the Handbook, since I think it is laughable to have the whole section on desktop applications yet the LDAP authentication is described in the contributing article

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/

which is based on the obsolete pam_ldap and nss_ldap packages, and I had to learn from this thread

https://forums.freebsd.org/threads/52989/#post-297614

about net/nss-pam-ldapd, which is what I need to configure LDAP authorization.


----------



## sko (Oct 21, 2016)

vejnovic said:


> I'm currently migrating from sysutils/ezjail to sysutils/cbsd in preparation for upgrading my system to FreeBSD 11.
> For now I'm very happy with sysutils/cbsd.



I've been happy with iocage for now, mainly because there is a working set of roles for Ansible available: https://galaxy.ansible.com/JoergFiedler/
As I'm in the process of setting up a new test environment at home, I was wondering if there is anything available for CBSD. I really like the idea of managing jails and bhyve VMs with one single tool. Especially for automation this is a huge win. I'm already used to this with the vmadm tool on SmartOS, which manages zones, LX-zones and KVM-zones through the same interface. Ansible roles, except for the very basic initial deployment, can be easily applied to either type and don't have to be unique like currently with bhyve (vm-bhyve) and jails (iocage).


----------



## vejnovic (Oct 21, 2016)

sko said:


> I've been happy with iocage for now, mainly because there is a working set of roles for Ansible available: https://galaxy.ansible.com/JoergFiedler/
> As I'm in the process of setting up a new test environment at home, I was wondering if there is anything available for CBSD.


Maybe this can help: https://www.bsdstore.ru/en/11.0/wf_profiles_ssi.html.


----------



## wblock@ (Oct 21, 2016)

Oko said:


> So maybe wblock@ can tell us why the ezjail section has not been removed from the FreeBSD handbook for the 11.0 release?


Because one informational warning from the system when ezjail starts does not change the fact that ezjail works.  It also works on -CURRENT.

Even if it didn't work on 11, it still also works on 10.  The Handbook supports multiple releases, so that section would still be in there.

I encourage people to document other jail applications.



Oko said:


> IMHO handbook should not contain any information about third party software like ezjail which is a moving target.


Surprise!  It's all a moving target.  Documentation starts becoming obsolete before it even circulates.  The options are to suggest that it should be removed because it's not perfect, accept the reality that mostly-accurate is better than none at all, or to dig in and update it.  Warning: some options require more effort than others.


----------



## chrbr (Oct 21, 2016)

When I started using sysutils/ezjail I was very happy with the handbook, the how-to-do section of this forum and the erdgeist homepage. It is good news that sysutils/ezjail works on 11 as well. Thank you for the good handbook and to all who contribute by documenting things in the forum!


----------



## Purkuapas (Oct 22, 2016)

sko said:


> I've been happy with iocage for now, mainly because there is a working set of roles for Ansible available: https://galaxy.ansible.com/JoergFiedler/
> As I'm in the process of setting up a new test environment at home, I was wondering if there is anything available for CBSD.



Take a look at https://forge.puppet.com/olevole/cbsd


----------



## abishai (Oct 22, 2016)

The sysutils/cbsd utility is too complex from my point of view, with strange deps like security/sudo (huh?) and net/rsync and with fancy dialog configuration which does who knows what. It's like systemd. It's a pity that at the moment we don't have a simple (and supported) tool for jails. Keeping them up to date manually is a well known pain.


----------



## Ole (Oct 22, 2016)

abishai said:


> The sysutils/cbsd utility is too complex from my point of view, with strange deps like security/sudo (huh?) and net/rsync and with fancy dialog configuration which does who knows what. It's like systemd. It's a pity that at the moment we don't have a simple (and supported) tool for jails. Keeping them up to date manually is a well known pain.


Yes, the monstrosity of some projects is not from a good life.
A long long time ago in a galaxy far away CBSD was very simple and small, and without sudo and rsync dependencies ;-)
At the same time such projects as qjail, ezjail, zjail and others were young, strong and supported.
But their functions were not enough for me for large installations (I had more than 400+ jails at the same time).
I originally positioned CBSD as a comprehensive solution.
FreeBSD out of the box did not have the possibility of renaming or (remote) cloning of an environment (it is absolutely necessary when you have a large park) on a remote server.
Therefore, there is a direct relationship - a utility is most simple (and is not able to do anything).
For example, jail.conf and /etc/rc.d/jail are simple and well supported jail management tools.
If you need more automation and functionality (RCTL support, snapshots, packages and profiles, use of ZFS features while at the moment not dropping support for working on UFS) - you should be prepared to pay for this with monstrosity.

Therefore, FreeBSD currently has bsdinstall (which consists of a large number of scripts which do who knows what); you do not install FreeBSD each time by command with manual execution of fdisk, gpart, zfs, tzsetup, sysrc, newfs, zfsinstall and so on.

If we talk about CBSD, then sudo is used in order not to give root access from the network. Rsync is used for cloning jails between servers.
And thanks to DIALOG: I tried to make the entrance to CBSD as simple as possible - from the command line you need to know only the minimum commands (jstop, jstart, jconstruct-tui, jremove, jconfig).
All other additional settings you can do via DIALOG, which does not require you to memorize the remaining tons of commands and arguments.

Specifically, what I am a lot more worried about is not that jail management systems have become very large or inoperable, but the fact that jail has not been developed for many years; FreeBSD has almost no developers.
For example, a patch for separation of ipc shm was ready more than 10 years ago, when no one knew about Docker and LXD. Another good sample: https://wiki.freebsd.org/Kload and another: https://wiki.freebsd.org/RudolfTomori/rudotSoC2011
Nobody cares to take it and make FreeBSD better.

This is of course off-topic, but I suggest we not only regret that we still do not have good jail management, but also regret that nothing at all that requires good management is being developed ;-)


----------



## Remington (Oct 22, 2016)

FreeBSD jail is designed to do what it's supposed to do; however, it's not easy to manage without using tools like ezjail, qjail, iocage, etc. Developers felt there was no need to make jails easier since third-party tools are already there. Sure, it would be easier if jail included all the neat features offered by third-party tools, but some developers believe in the 'if it ain't broke, don't fix it' philosophy, so best to leave it as it is without breaking something when adding new features. ezjail does exactly what I need even if it's not fully functional in FreeBSD 11, but it gets the job done with some workarounds which aren't hard to do. I agree that if jail were to include all the neat features then there won't be a need for the third-party tools.

One thing I would like to see included in jail is the network stack, namely vimage, which allows jail users to have their own artificial network interface card, but it's not production ready since it has some memory issues. That's why it wasn't included in the base system in FreeBSD 11 like the developer promised.

FreeBSD jail is still evolving and getting better but it is a matter of when the developers feel the need to include the features offered by third-party tools.  I'm sure one day there won't be a need to use ezjail but it's a matter of when.


----------



## rigoletto@ (Oct 22, 2016)

I am using sysutils/qjail, quite similar to sysutils/ezjail but fully working on FreeBSD 11. I was willing to use sysutils/iocage due to `ZFS` integration but I did not due to the rewrite thing.


----------



## ANOKNUSA (Oct 22, 2016)

Remington said:


> FreeBSD jail is designed to do what it's supposed to do; however, it's not easy to manage without using tools like ezjail, qjail, iocage, etc. Developers felt there was no need to make jails easier since third-party tools are already there.



"Jails" (plural) is the operative term here. It's not hard to create and run a jail, or a small number of jails. Third-party utilities help with managing many jails, but a simple jail.conf configuration works just fine for simple use cases, if it's all you need. Managing a single jail with ezjail takes more effort than just doing it manually, and if we're being honest, the current demand for running a FreeBSD host with a huge number of FreeBSD jail clients has to be very low. Adding an entire jail management framework to base seems pointless to me. There are numerous third-party utilities that arguably make system management easier, but don't serve a rudimentary purpose that justifies putting them in the base system. Automated ZFS snapshot and boot environment utilities come to mind.


----------



## abishai (Oct 30, 2016)

Ole said:


> Yes, the monstrosity of some projects is not from a good life.


Ahh, I assume that you are a developer of sysutils/cbsd and I can actually type in Russian, but as we are on an English forum...

I thought to give cbsd another chance as I really want to use 1 utility for jails and VMs (I need Windows 7).

I'm still not too far from the beginning, but I already have 2 questions so far:
1. I prefer to write my own pf rules. All jail utilities I met before have the same issue: a rather complex pf rule file can't be loaded until all IP addresses are populated and bound and, as pf loads pretty early, it fails to load the ruleset. Can we have an option to load the pf rule file after cbsd initializes the network (or starts all jails/vms)?
2. Windows7 guest can't be installed as a) xhci/tablet is not an option for it b) something unknown is emulated for harddrive. Can we have sata?



lebarondemerde said:


> I am using sysutils/qjail


Not used it as I found no information about:
1. jail as zfs dataset to simplify backups.
2. is /etc updated on jail update? For sysutils/ezjail jails we must invoke mergemaster manually for each one.


----------



## Ole (Nov 16, 2016)

abishai said:


> 1. I prefer to write my own pf rules. All jail utilities I met before have the same issue: a rather complex pf rule file can't be loaded until all IP addresses are populated and bound and, as pf loads pretty early, it fails to load the ruleset. Can we have an option to load the pf rule file after cbsd initializes the network (or starts all jails/vms)?



You can use *pre/post* hooks for executing a script within the jail or on the master host for these cases: https://www.bsdstore.ru/en/11.0/wf_jconfig_ssi.html#execscript



> 2. Windows7 guest can't be installed as a) xhci/tablet is not an option for it b) something unknown is emulated for harddrive. Can we have sata?



Unfortunately, Windows7 does not work for me when I try to install it via UEFI-GOP - problem with input (no xhci/tablet driver at the installer stage?).
As for the hard drive, you can choose the driver (ahci-hd or virtio) via *cbsd bconfig -> storage config*

Of the Windows OS distros, I normally work only with Windows 10 in bhyve (I have not tried Windows 8). BTW, maybe Xen can help you to get Windows7 on a FreeBSD host?


----------



## abishai (Nov 19, 2016)

Ole said:


> no xhci/tablet driver


Windows'7 has no working driver at all. The solution is to not enable `xhci` for everything below Windows'10.


----------

