[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] Jails on a production box

Shane wrote:
> I'm building a new server with most core services running in individual
> jails (e.g. a webserver jail, mailserver jail, ftp, dnscache etc)
> I am trying to decide on the best approach to limit disk size in each
> jail - either...
> 1) partion the hard drive to provide each jail with its own file system
> parition

I've tried this approach with Xen. It was fairly easy to lock an instance
to a partition and the backup and management of each virtual system was
easy with the linux LVM. For BSD jails I couldn't work out how best to
manage/backup a disk full of partitions (one per host) in FreeBSD so I
went with image jails instead.

I think if I were jailing a service like mail or a webserver then I might
just lock the jail to a filesystem partition.  Even without jails it's
often best if files related to these processes are on a separate
partition: e.g. we mount separate partitions on /usr/local/data for many
of our web servers and /var/spool/postfix and /var/mail are usually
symlinks to separate partitions/drives.

> or
> 2) use image jails with each jail having its own fixed disk size image.

this is my preference at least for now when providing a more "full
service" jail (ssh, web server, etc.). One caveat re: getting stuck with
unclean file systems after unplanned shutdowns - not sure why this happens
at times with image jails. I would go this route for sure for jails where
you don't foresee the processes updating files and changing the file
system a lot (e.g. basic webserver, ftp) ... I might put a mailserver on
it's own native file system partition.  Just my instincts that's all ...

With the right basejail "flavour" you can create and manage lots of file
system jails of course (the ezjail-admin website or port could include
makefiles or scripts for building basic "flavours" like www,smtp, etc.).
I'm not sure how easy it is to manage a bunch of jails (10+) each having
its own partition though. This is why I am interested in how/if people are
using gjournal, gmirror, gvinum and gvirstor with ezjail-admin based jails
(with jails images on top of gjournal backed storage etc).

> Is there any major advantages with either?  From my limited experience with
> ezjail the native file system jails seem to have fewer problems with
> stopping and re-starting (ie mounts getting stuck) initial setup is a pain
> and not very flexible.  Image jails seem much more flexible as they can be
> easily resized and make regular backups very simple.

This pretty much sums up my experience. Except for the mounting and
fscking problems I've had (see earlier messages), image jails seem easier
to set up. I find images make things easier to manage "from the outside"
(i.e. on the jail host) too. Of course this might be because Xen and
VMWare have rotted my brain :-)

I've been trying to get a backup scheme in place that backs up images with
diffs (rdiff-backup might be useful), so that they don't take too much
space, and so that restoring to a point in time or moving the images to
another machine is quick and easy.  It's not ready yet :-) but I'm hoping
a command like:

ezjail-admin backup -t [daily|weekly|monthly] JAILNAME

will exist someday ... I want backup services to be handled outside the
jail environment via periodic(8) or something simple like that (hmm but
maybe restoration of files from inside the jail would be nice ...).

> FWIW The server hosts a couple of web sites as well as providing mail
> services to a small business.

Sorry for the long message, my conclusion: using images is "ok" for
production - even with the fsck and mounting issues (but you should make
sure folks know how to fix things if they occur!).  If you're really only
jailing a set of processes (web server, mail server) that provide shared
services, then a native file system jail on its own partition might be


Graham Todd -  Bellanet.org
tel/tél 613-236-6163 x2443