Re: Jail, and specifically iocage, best practices
- In reply to: Norman Gray : "Jail, and specifically iocage, best practices"
Date: Sun, 06 Feb 2022 20:24:09 UTC
On 2/6/22 04:58, Norman Gray wrote:
> Greetings.
>
> On the freebsd-questions list recently, there was a useful thread about
> freebsd-update and jails. This prompts a related question of mine.
>
> Is there anywhere a collection of recommended practices with respect to
> jails?
>
> The handbook [1] talks of jails in general, and mentions ezjail in
> passing at the end. I've used ezjail with success, but I get the
> impression (is this correct?) that ezjail is now at least
> semi-abandoned, and that iocage is the 'obvious' replacement tool for
> those (such as me) who would rather do the 'obvious'/normal/usual/POLA
> thing, rather than having any need, yet, to learn how to roll their own.
>
> The Lucas 'Absolute FreeBSD' chapter on jails is also good, but also
> focuses on roll-your-own solutions [3].
>
> The iocage documentation [2] is good (I've used it to get a few jails
> going), and terse (which is a virtue), but sometimes leaves questions
> unanswered. For example, what should I worry about when picking a
> suitable private address range for the jail? Is it a good idea to clone
> lo0 when setting up jail networking, or a good idea not to? What are
> the important differences between the different jail types (clone and
> basejail have distinct explanations, but I don't have a clear picture of
> the difference, or of the respective tradeoffs)? What _is_ the
> recommended way to update a jail (see the other thread)? And is an
> iocage-created jail importantly different from a by-hand jail?
>
> I've worked out answers to some of these questions, based on these
> resources and forum posts, but I'm not particularly confident in my
> answers, nor confident that there aren't other bear-traps that haven't
> occurred to me.
>
> So: am I missing something? Is there anywhere an article or HOWTO which
> describes the 'what everyone knows' about how to look after jails
> _properly_?
>
> Best wishes,
>
> Norman
>
>
> [1] https://docs.freebsd.org/en/books/handbook/jails/
> [2] https://iocage.readthedocs.io/en/latest/basic-use.html
> [3] https://nostarch.com/absfreebsd3

Another resource is Lucas' book on jails:

https://mwl.io/nonfiction/os#fmjail

I have one 12.3-R server in my SOHO environment with two jails (Samba and SSH/CVS) that are always running and are relatively constant. So, the base FreeBSD tools plus a few scripts inspired by Lucas are enough for me.

David