Sunday, May 20, 2007

[EN] FreeBSD multiple Jails with "ezjail"

Linux has great support for virtual private servers, so you can easily create
multiple virtual environments using Xen, for example.

As my favourite OS is FreeBSD, I decided to look for a similar solution.
I had been aware of the great "jail" feature, but managing multiple jails
is not as handy as it is on Linux.

Recently I found a great solution, "ezjail" (/usr/ports/sysutils/ezjail).

"ezjail" is a shell script which lets you easily:

- create new jails
- start and stop jails
- update existing jails

You can create a jail environment as:
- a directory in your existing file system
- a file system in an image file, either plain, gbde-encrypted or geli-encrypted

Before you begin, make sure you are familiar with jails by reading:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

A very interesting point is that "ezjail" doesn't install a completely new base system for each jail.
Instead it keeps one shared "basejail" (/usr/jails/basejail) and uses mount_nullfs to mount it
read-only into every jail at /basejail; inside a jail, /bin, /sbin, /lib, /usr/bin etc. are
symlinks into that mount. Because the mount is read-only, root inside one jail cannot modify the
binaries that all the other jails run, and updating the basejail once updates them all.

In my case the basejail created by "ezjail-admin install" was 114MB in size.
Any other jail (if you don't do any further customization) is only about 2MB!


Let's get started with "ezjail" !

First, create the base jail system.

# ezjail-admin install

This fetches the base system distribution files matching your host's OS version (`uname -r`) and unpacks them into the basejail.

# ezjail-admin create testjail 192.168.3.21
where the second argument is the IP address you assign to the jail. Make sure the address already exists
and is configured on a host interface (for example as an alias) before you start the jail.

Let's list existing jails now.

# ezjail-admin list
STA JID  IP               Hostname                     Root Directory
--- ---- ---------------- ---------------------------- -------------------------
DS  N/A  192.168.3.21     testjail                     /usr/jails/testjail
#

The "DS" flags mean that it is a Directory-based jail and that it is Stopped; a running jail shows "DR" together with its JID.
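Before running "ezjail-admin create" it is worth checking that the jail name is sane, that the IP really is configured on a host interface, and that no other jail already uses it. The POSIX sh script below is an added example (my own, not part of ezjail or of this post). It only parses the output of "ifconfig" and of "ezjail-admin list" in the format shown above, and both are passed in as strings, so the constructed sample output at the bottom lets it run on any machine; the name policy (letters, digits and underscore only) is an assumption of this example, not an ezjail rule.

```shell
#!/bin/sh
# Pre-flight checks for "ezjail-admin create NAME IP" (added example, not ezjail code).
# It works on the text of two commands:
#   ezjail-admin list  -> rows "STA JID IP Hostname Root Directory" after a 2-line header
#   ifconfig           -> "inet A.B.C.D netmask ..." lines under each interface
# Both are passed in as strings so the checks can be exercised on sample output.

# jail_name_ok NAME: the name ends up in /etc/fstab.NAME and as the jail's
# hostname, so allow only [A-Za-z0-9_] (a policy of this example, not ezjail's).
jail_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ip_configured IP IFCONFIG_TEXT: succeeds if IP is an inet address on some host interface.
ip_configured() {
    printf '%s\n' "$2" |
        awk -v ip="$1" '$1 == "inet" && $2 == ip { found = 1 } END { exit !found }'
}

# jail_using_ip IP LIST_TEXT: prints the hostname of the jail already bound to IP, if any.
jail_using_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" 'NR > 2 && $3 == ip { print $4 }'
}

# jail_exists NAME LIST_TEXT: succeeds if a jail with that hostname is already listed.
jail_exists() {
    printf '%s\n' "$2" |
        awk -v n="$1" 'NR > 2 && $4 == n { found = 1 } END { exit !found }'
}

# preflight NAME IP IFCONFIG_TEXT LIST_TEXT: returns 0 only when it is safe to create the jail.
preflight() {
    name=$1; ip=$2; ifc=$3; list=$4
    jail_name_ok "$name" || { echo "bad jail name: $name" >&2; return 1; }
    jail_exists "$name" "$list" && { echo "jail $name already exists" >&2; return 1; }
    ip_configured "$ip" "$ifc" || { echo "$ip is not configured on any host interface" >&2; return 1; }
    owner=$(jail_using_ip "$ip" "$list")
    [ -z "$owner" ] || { echo "$ip is already used by jail $owner" >&2; return 1; }
    return 0
}

# Constructed sample output (not captured from a real host).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.3.10 netmask 0xffffff00 broadcast 192.168.3.255
        inet 192.168.3.21 netmask 0xffffffff broadcast 192.168.3.21
        inet 192.168.3.22 netmask 0xffffffff broadcast 192.168.3.22
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

SAMPLE_LIST='STA JID  IP               Hostname                     Root Directory
--- ---- ---------------- ---------------------------- -------------------------
DS  N/A  192.168.3.21     testjail                     /usr/jails/testjail'

# Real use on the host:
#   preflight newjail 192.168.3.22 "$(ifconfig)" "$(ezjail-admin list)" &&
#       ezjail-admin create newjail 192.168.3.22
```

The checks are deliberately conservative: a jail whose IP is not on the host will simply fail to bind its services, and two jails on one address would let each of them see the other's sockets, so both cases are refused before "ezjail-admin create" touches the disk.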

To create a geli encrypted image you would:

# ezjail-admin create -s 200M -c eli gelibasedjail 192.168.3.22
200+0 records in
200+0 records out
209715200 bytes transferred in 12.010512 secs (17460971 bytes/sec)
Initialising crypto device. Enter a new passphrase twice...
Enter new passphrase:
Reenter new passphrase:

Your jail is ready!
You can attach the jail's file system (without starting the jail) with:

# ezjail-admin config -i attach gelibasedjail
Attaching eli device for image jail ...
Enter passphrase:

Let's check the system mounts
# mount
...
/dev/md0.eli on /usr/jails/gelibasedjail (ufs, local)
...

and go into your jail file system:

# cd /usr/jails/gelibasedjail

# ls
.snap bin etc media rescue sys var
COPYRIGHT boot lib mnt root tmp
basejail dev libexec proc sbin usr


To start your jails on reboot, add ezjail_enable="YES" to your /etc/rc.conf file.

After reboot all your jails will start, except those whose image needs a passphrase (geli or gbde):
those you have to attach and start by hand.

You can also start/shutdown particular jails with:

# /usr/local/etc/rc.d/ezjail.sh start|stop gelibasedjail

You may ask: "What if I want some customization when creating new jails?"

"ezjail" comes with "flavours" functionality.

Let's say you want to create a bunch of jails for HTTP web serving.
Your customers will put their web data in /web/sites, and you want to avoid creating
this directory by hand every time you create a new jail.

With ezjail it's simple!

# cd /usr/jails/flavours/
# mkdir httpd
# cd httpd
# mkdir -p web/sites

Note the relative path: the flavour directory is mirrored into the jail's root, so
`mkdir -p /web/sites` would create the directory on the host instead of in the flavour.

Now, when creating a new jail, tell "ezjail" about the flavour:
# ezjail-admin create -f httpd newjail JAILIP

This creates a new jail with the /web/sites directory already in place!
The flavour's directory tree is copied recursively into the new jail's root.

You can also run a script when a new jail is started for the first time:
create users, fetch packages, do whatever you want.

Put it in the flavour directory as "ezjail.flavour" (/usr/jails/flavours/httpd/ezjail.flavour in my example).
It is copied into the jail and run once, as root inside the jail, on the jail's first boot.
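Putting the pieces together, here is an added example (my own, not from ezjail or from the original post) that builds a complete "httpd" flavour from a shell script: the web/sites directory, a jail-local /etc/rc.conf that switches off services a web jail does not need, and an ezjail.flavour first-boot script that creates the content owner and tightens permissions on /web/sites so the httpd user can read but not write it. Everything happens under a temporary directory so it can be run anywhere; on a real host FLAVOURS is /usr/jails/flavours and the copy done by apply_flavour is what "ezjail-admin create -f httpd" does for you. The user name webadmin, the rc.conf entries, the rc.d header and the package name are assumptions of this example.

```shell
#!/bin/sh
# Build an ezjail "httpd" flavour and simulate applying it (added example, not ezjail code).

# make_httpd_flavour FLAVOURS: lay out the flavour tree under FLAVOURS/httpd.
# Every path is relative to the flavour root; it is mirrored 1:1 into the jail,
# so "mkdir -p /web/sites" here would create the directory on the host instead.
make_httpd_flavour() {
    flavour="$1/httpd"
    mkdir -p "$flavour/web/sites" "$flavour/etc"

    # Files are copied as-is, so a jail-local rc.conf can switch off what a
    # web jail does not need (entries assumed for this example).
    cat > "$flavour/etc/rc.conf" <<'EOF'
sendmail_enable="NONE"
syslogd_flags="-ss"
apache22_enable="YES"
EOF

    # ezjail.flavour is run once, as root inside the jail, at its first boot.
    # The rc.d header (assumed here) tells rcorder to run it before the LOGIN
    # stage, i.e. before apache22 starts; it deletes itself at the end so
    # later boots do not repeat the setup.
    cat > "$flavour/ezjail.flavour" <<'EOF'
#!/bin/sh
# PROVIDE: httpd_flavour
# REQUIRE: DAEMON
# First-boot setup for the httpd flavour (example; webadmin is an assumed name).
pw useradd webadmin -d /web/sites -s /bin/sh -c "web content owner" || true
chown -R webadmin:www /web/sites    # www is the httpd user/group in FreeBSD base
chmod 750 /web/sites                # webadmin writes, www reads, others nothing
rm -f -- "$0"                       # run once only
EOF
    chmod 0755 "$flavour/ezjail.flavour"
}

# apply_flavour FLAVOURS NAME JAILROOT: copy the flavour tree over the jail root,
# the recursive copy that "ezjail-admin create -f NAME" performs for you.
apply_flavour() {
    [ -d "$1/$2" ] || { echo "no such flavour: $2" >&2; return 1; }
    mkdir -p "$3"
    cp -Rp "$1/$2/." "$3"
}

# flavour_applied JAILROOT: what a correctly flavoured jail root must contain.
flavour_applied() {
    [ -d "$1/web/sites" ] &&
        [ -x "$1/ezjail.flavour" ] &&
        grep -q '^apache22_enable="YES"' "$1/etc/rc.conf"
}

# demo: run the whole thing in a scratch directory and report success (0) or failure.
# On a real host replace "$tmp/flavours" with /usr/jails/flavours and let ezjail do the copy.
demo() {
    tmp=$(mktemp -d) || return 1
    make_httpd_flavour "$tmp/flavours" &&
        apply_flavour "$tmp/flavours" httpd "$tmp/jails/newjail" &&
        flavour_applied "$tmp/jails/newjail"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The first-boot script never has to touch the host: it runs inside the jail with the jail's own /etc/passwd, and because /bin, /sbin and /usr/bin are read-only nullfs views of the basejail, the only things it can change are the jail's own writable directories.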

Hope I convinced you to try "ezjail".

Some notes:
- it creates/deletes /etc/fstab.jailname for you, so you don't have to worry about file system mount points after reboot (you can keep a particular jail from starting at boot with `ezjail-admin config -r norun jailname`, and re-enable it with `ezjail-admin config -r run jailname`)
- at the moment it is about creating, deleting, starting and stopping jails. It does not let you
manage a jail's resource usage; see http://wiki.freebsd.org/JailResourceLimits for more information.


Look at the URL below, to find out more about the functionality of "ezjail".
Also, consider a donation :)

http://erdgeist.org/arts/software/ezjail