{"id":282,"date":"2005-11-01T14:39:06","date_gmt":"2005-11-01T13:39:06","guid":{"rendered":"http:\/\/wp.devco.net\/?p=282"},"modified":"2009-10-09T16:57:20","modified_gmt":"2009-10-09T15:57:20","slug":"sharing_directories_between_jails_using_nullfs","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2005\/11\/01\/sharing_directories_between_jails_using_nullfs.php","title":{"rendered":"Sharing Directories between Jails using nullfs"},"content":{"rendered":"<p>I run a number of <a href=\"http:\/\/www.freebsd.org\/cgi\/man.cgi?query=jail&#038;apropos=0&#038;sektion=8&#038;manpath=FreeBSD+6.0-current&#038;format=html\">jail<\/a> on my servers and each of these have the same files over and over, the biggest problems are of course \/usr\/ports and \/usr\/src, they&#8217;re a total waste of space and a lot of work running multiple portsnap&#8217;s etc to keep them all synced.<\/p>\n<p><a href=\"http:\/\/www.serendipity.org.za\/bje\/\">BJE<\/a> mentioned he is using <a href=\"http:\/\/www.freebsd.org\/cgi\/man.cgi?query=mount_nullfs&#038;apropos=0&#038;sektion=8&#038;manpath=FreeBSD+6.0-current&#038;format=html\">nullfs<\/a> to mount his main \/usr\/ports into the jails.  I did some hunting of information on this and found its a bit thin on the ground, the main reason is that up till 6.0 it&#8217;s considered broken, though testing shows it works ok, at least for normal use.<\/p>\n<p>FreeBSD 6.0 will have extensions to its <a href=\"http:\/\/www.freebsd.org\/cgi\/man.cgi?query=rc.conf&#038;sektion=5&#038;apropos=0&#038;manpath=FreeBSD+6.0-current\">rc.conf<\/a> to make all of this easy.<\/p>\n<p>You can create per-jail fstab files, by default they are stored in \/etc\/fstab.<i>jailname<\/i> but you can override the filename using <i>jail_example_fstab<\/i>.  Below is a sample fstab file for one of my jails:<\/p>\n<blockquote><p>\n\/usr\/ports           \/jails\/example\/usr\/ports     nullfs  rw              1       1<br \/>\n\/usr\/src                \/jails\/example\/usr\/src        nullfs  ro              1       1\n<\/p><\/blockquote>\n<p>To enable the mounting of these file systems at boot time if you use the rc.conf method of booting your jails simply add a <i>jail_example_mount_enable=&#8221;YES&#8221;<\/i> to your jail section.  A full rc.conf extract to start one example jail below:<\/p>\n<blockquote><p>\njail_enable=&#8221;YES&#8221;<br \/>\njail_list=&#8221;example&#8221;<br \/>\njail_socket_unixiproute_only=&#8221;YES&#8221;<br \/>\njail_sysvipc_allow=&#8221;NO&#8221;<\/p>\n<p>jail_example_rootdir=&#8221;\/jails\/example&#8221;<br \/>\njail_example_hostname=&#8221;example.com&#8221;<br \/>\njail_example_ip=&#8221;192.168.1.100&#8243;<br \/>\njail_example_exec=&#8221;\/bin\/sh \/etc\/rc&#8221;<br \/>\njail_example_devfs_enable=&#8221;YES&#8221;<br \/>\njail_example_fdescfs_enable=&#8221;NO&#8221;<br \/>\njail_example_procfs_enable=&#8221;YES&#8221;<br \/>\njail_example_devfs_ruleset=&#8221;devfsrules_jail&#8221;<br \/>\njail_example_mount_enable=&#8221;YES&#8221;\n<\/p><\/blockquote>\n<p>I&#8217;ll investigate also sharing \/bin, \/sbin, \/lib, \/libexec, \/usr\/sbin, \/usr\/sbin and a few others between jails but it gets a bit tricky if you want to install other versions of perl from ports since they maintain symlinks in \/usr\/bin etc.  This could however simplify world upgrades a lot.<\/p>\n<p>While researching this I came across <a href=\"http:\/\/erdgeist.org\/arts\/software\/ezjail\/\">ezjail<\/a> which is a script compatible with FreeBSD 6.0 and later to maintain jails that uses nullfs extensively to share a lot of directories from a base jail install.  This gives a big potential security improvement because you can mount the system directories read only to give further protection in the event of a compromise.  Will definitely investigate this before I start building my new hosted server once FreeBSD 6.0 is out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I run a number of jail on my servers and each of these have the same files over and over, the biggest problems are of course \/usr\/ports and \/usr\/src, they&#8217;re a total waste of space and a lot of work running multiple portsnap&#8217;s etc to keep them all synced. BJE mentioned he is using nullfs [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[7],"tags":[62,33],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/282"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=282"}],"version-history":[{"count":2,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/282\/revisions"}],"predecessor-version":[{"id":644,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/282\/revisions\/644"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}