Jailctl: Creating Chroot Environments (Jails)
Introduction
Jailctl is a shell tool for creating, launching, stopping, updating, backing up, restoring and destroying jails. By jail, we mean here a “virtual server”, not simply a way of isolating a single service.
Installation
Here’s the command to install the package:
|
|
or
|
|
Configuration
- You need a config file: /usr/local/etc/jails.conf
- You also need a directory where the jails will be stored (/data in this example)
- A runme.sh script provided with jailctl, which lives by default in /usr/local/jails/addons/
- A file dellist4.txt that contains a list of files to delete in the jails because they are not needed there (for example commands like mount)
- A file dellist5.txt that contains more files to delete in case jailctl runs on a 5.x or a 6.x (jailctl is compatible with all versions from 4.x to 6.x)
- And finally an etc/ directory with configuration files to install in the new jails (by default, login.conf and make.conf).
All this lives in /usr/local/jails/addons/, which we will need to move to /data/addons/ in our example.
Changes in login.conf
It is recommended to modify the following line:
|
|
to use a closer mirror:
|
|
You can also customize the default editor and other settings if needed.
Changes in jails.conf
Here is the main configuration. Since the file is very well documented internally, here are just the mandatory elements to get started quickly.
Interface on which to add the jail IPs:
|
|
Where the jails will be stored:
|
|
Where the jail backups will be stored (by default in the same place):
|
|
What not to back up:
|
|
The jails themselves:
|
|
Note a feature recently added to jailctl: you can customize the directory where a specific jail is stored. Previously, jails were always stored in $JAIL_HOME/name.of.domain.com. Now you can either specify another parent directory (if you do not put a / at the end; in the example here yuzuki will be in /usr/local/jails/yuzuki.domaine.com/) or the full directory for a given jail (if you put a / at the end; yoshiyuki will be in /data2/yoshi/).
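The trailing-slash rule above is easy to get wrong when editing jails.conf by hand. The following is an added example, not jailctl's own code: a re-implementation of that rule as a shell function, plus a jail-name check that the page does not mention but that matters because the name ends up in a filesystem path (a name such as ../../etc must never be accepted). The argument order (JAIL_HOME, jail name, optional per-jail override) is an assumption, and results are returned without a trailing slash.

```sh
#!/bin/sh
# Added example, not jailctl's own code.  Arguments: JAIL_HOME, jail name,
# optional per-jail override as written in jails.conf.

# Reject names that could escape JAIL_HOME: empty, '.', '..', or anything
# containing a '/' (which also covers absolute paths).
valid_jail_name() {
    case $1 in
        ''|.|..|*/*) return 1 ;;
    esac
    return 0
}

# Print the directory a jail lives in, following the documented rule:
#   no override            -> $JAIL_HOME/<name>
#   override without '/'   -> <override>/<name>   (override is a parent dir)
#   override ending in '/' -> <override>          (override is the jail dir)
jail_dir() {
    home=${1:-} name=${2:-} override=${3:-}
    valid_jail_name "$name" || return 1
    if [ -z "$override" ]; then
        printf '%s\n' "${home%/}/$name"
        return 0
    fi
    case $override in
        */)
            [ -n "${override%/}" ] || return 1   # a bare "/" is not a jail dir
            printf '%s\n' "${override%/}"
            ;;
        *)
            printf '%s\n' "$override/$name"
            ;;
    esac
}
```

Called as `jail_dir /data yuzuki.domaine.com /usr/local/jails` it prints /usr/local/jails/yuzuki.domaine.com, and with /data2/yoshi/ as the override it prints /data2/yoshi, matching the two cases in the text.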
An rc.conf will be placed in the jail, containing:
|
|
Finally, you need to provide a DNS server for the jail’s resolv.conf:
|
|
This DNS server must be reachable while the jail is being created (“create”), because runme.sh installs packages at the end of the creation.
Finally, if desired, you can specify scripts to be executed before/after certain jailctl commands. The scripts receive the name of the jail as $1 and its jail ID as $2 (the jail ID only on 5.x and later):
|
|
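As an added example (not a script shipped with jailctl), here is a hypothetical post-start hook written against the interface just described: $1 is the jail name, $2 the jail ID, and on a 4.x host $2 is absent. It refuses a non-numeric jail ID, records one audit line, and only calls jexec(8) when a jail ID is present and the command exists. The log path and the environment variable name are assumptions.

```sh
#!/bin/sh
# Added example, not part of jailctl.  Hypothetical post-start hook:
#   $1 = jail name, $2 = jail ID (absent on 4.x hosts).
# HOOK_LOG is an assumed location; override it in the environment.

HOOK_LOG=${HOOK_LOG:-/var/log/jailctl-hooks.log}

# Build the audit line.  Kept separate from the write so it can be checked.
# A jail ID must be a number: anything else is refused rather than logged,
# since it would later be passed straight to jexec.
hook_audit_line() {
    name=$1 jid=${2:-}
    case $jid in
        '')       printf 'start %s jid=none (pre-5.x host)\n' "$name" ;;
        *[!0-9]*) return 1 ;;
        *)        printf 'start %s jid=%s\n' "$name" "$jid" ;;
    esac
}

hook_main() {
    [ -n "${1:-}" ] || { echo "usage: $0 jailname [jid]" >&2; return 2; }
    line=$(hook_audit_line "$1" "${2:-}") || {
        echo "refusing non-numeric jail id: ${2:-}" >&2
        return 1
    }
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$line" >>"$HOOK_LOG"
    # jexec(8) takes the jid; it exists on FreeBSD 5.x and later only.
    if [ -n "${2:-}" ] && command -v jexec >/dev/null 2>&1; then
        jexec "$2" ps ax >>"$HOOK_LOG"
    fi
}

# When invoked by jailctl the name and jid arrive as positional arguments.
[ $# -eq 0 ] || hook_main "$@"
```

Install it under the path you configure in jails.conf for the post-start hook and make it executable; on a 4.x host the jid branch is simply never taken.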
Advice
WARNING: you are STRONGLY advised not to create jails with a different environment than the host machine, for example a host on -STABLE and jails on -RELEASE, or vice versa. With jailctl, this essentially means that you should not run cvsup between building the host and installing the jails.
Take the time to read jails.conf as well as runme.sh before doing anything to customize them.
Practical Implementation
Jail status
|
|
In this example, all jails are installed and yoshiyuki is not running. A jail that has not yet been created would be marked with an exclamation mark.
Creating a jail
|
|
The use.perl is still there for compatibility reasons; this is not an error. The only information needed for the installation is the root password of the jail, unless jailctl is run in batch mode.
Starting a jail
|
|
The errors are normal and simply due to jail peculiarities.
Stopping a jail
|
|
Backing up a jail (not running)
|
|
A nice tar.gz appears in the directory where the jails are located.
Restoring a jail (necessarily not running)
|
|
What happened? A jail can only be restored if it does not already exist, so the existing one has to be deleted first.
Deleting a jail
|
|
Restoring a jail, second attempt
|
|
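The backup, failed restore, delete and second restore above form one sequence. As an added example (not jailctl's own code), here is a minimal re-creation of it with plain tar(1) that enforces the same rule, a restore is refused while the jail directory still exists, and adds a check the page does not describe: every member of the archive must live under the jail's own name, so a mis-named or tampered tarball cannot unpack over another jail or outside the jail tree. The layout is assumed: jails in $JAIL_HOME/<name>, backups in $JAIL_BACKUP/<name>.tar.gz.

```sh
#!/bin/sh
# Added example, not jailctl's own code.  Assumed layout:
#   jails   : $JAIL_HOME/<name>
#   backups : $JAIL_BACKUP/<name>.tar.gz

backup_jail() {           # backup_jail JAIL_HOME JAIL_BACKUP name
    home=$1 bak=$2 name=$3
    [ -d "$home/$name" ] || { echo "no such jail: $name" >&2; return 1; }
    mkdir -p "$bak"
    # -C makes every member relative to JAIL_HOME, so the archive never
    # carries absolute paths that would unpack outside the jail tree.
    tar -czf "$bak/$name.tar.gz" -C "$home" "$name"
}

restore_jail() {          # restore_jail JAIL_HOME JAIL_BACKUP name
    home=$1 bak=$2 name=$3
    archive=$bak/$name.tar.gz
    [ -f "$archive" ] || { echo "no backup for $name" >&2; return 1; }
    # The rule the page demonstrates: the jail must not exist yet.
    if [ -e "$home/$name" ]; then
        echo "$name already exists; delete it before restoring" >&2
        return 1
    fi
    # Extra check: refuse any member that is not <name> or under <name>/.
    tar -tzf "$archive" | while IFS= read -r member; do
        case $member in
            "$name"|"$name"/*) ;;
            *) echo "archive entry outside $name/: $member" >&2; exit 1 ;;
        esac
    done || return 1
    tar -xzf "$archive" -C "$home"
}
```

With a jail still present, `restore_jail` fails with "already exists"; after `rm -rf` of the jail directory (the equivalent of the delete step above) the same call succeeds.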
Backing up a jail (running)
This is the “premium option”.
|
|
The errors are normal.
Last updated 15 Apr 2007, 21:50 CEST.