During the last couple of days I am intensively using ezjail to administer several jails on my machines. They are currently IPv6 only (internet-facing) and are used to build pfsense images to test locally (still setting this up, need to cross compile to i386 from amd64), offer a testjail to a collegue to work together on a Opsview implementation on FreeBSD, whether or not we are going to succeed in that, and I just installed a test environment for my webservices. They are all contained in their own little box, having IPv4 connectivity outgoing through NAT, and native IPv6 connectivity from my “Vendor” on an extra subnet that I obtained.
I like this, so I am probably going to setup some more services here and there to perform some magic for me that might need external access. I will also tie them together with LDAP and the like so that it’s an uniform base. At the moment I do not have additional ideas about moving production services towards jails as well though.
Thanks to FreeBSD this all is damned easy. You should try it, or poke me in case you want to know more! 
Just before christmas I decided I will spend the “immense� amount of 40 EUR for a graphic card for a system which was without one. The system is supposed to replace my dying home-server. I already moved everything, except my Desktop-in-a-Jail (actually it is my home-cinema-jail).
The old system had a Radeon 9200SE, and it was enough for what I used it for. Now… for a few bucks you can get a lot more horsepower today. After looking around a little bit I decided to buy a NVidia card. I made this decision because it looks like I can get better driver support for it. So I got a GeForce GT 520 with 1 GB of RAM (I doubt I will be able to use that much RAM) and without a fan.
With the Radeon 9200SE I was not able to get the 3D stuff activated (at least in the jail, I did not try without), Xorg complains about a missing agpgart module but I have AGP in the kernel (no /dev/agpgart outside the jail). I did not spend time to investigate this, as the main purpose — playing movies — worked. Now with the NVidia card I decided to give the 3D part a try again.
After adding the NVidia device entries to the jail, and a little bit of fighting with the Xorg-HAL interaction, I got a working desktop. The biggest problem to verify that 3D is working was, that I did not had xdriinfo installed. After installing it, I noticed that it does not work with the NVidia driver. 
 Next stop nvidia-settings: runs great, displays a nice FreeBSD+NVidia logo, and … tells me that OpenGL is configured. Hmmm… OK, but I want to see it!
As I decided to switch from Gnome to KDE 4 at  the same time (I was using KDE when it was at V 0.x, switched to Gnome as it looked nicer to me, and now I switch back after reading all the stuff in the net that KDE 4 is “better� than Gnome 3), I was a little bit out of knowledge how to see the 3D stuff in action. So I quickly went to the settings and searched for something which looks like it may use 3D. To my surprise, it was already using 3D stuff. Nice. I fully realized how nice, when playing a video and using Alt-Tab to switch windows: the video was playing full speed scaled down in the window-switcher-thumbnail-view.
That was too easy. I am happy about it.
Now that I have a working setup of X11-in-a-jail for Radeon and GeForce cards, I want to cleanup my changes to the kernel and the config files (devfs.rules) and have a look to get this committed. A big part of this work is probably writing documentation (most probably in the wiki).
I still want to see some fancy 3D stuff now. I tried to install x11-clocks/glclock, but the build fails with an undefined reference to ‘glPolygonOffsetEXT’. Any recommendation for a fancy 3D display? My priority is on “fancy/nice� with as less violence as possible. Most probably I will look at it once and then deinstall it again, so it should be available in the Ports Collection (or included in KDE 4).
Everyone has his own way of setting up a machine to serve as a host of multiple jails. Here is my way, YMMV.
I use several harddisks in a Software–RAID setup. It does not matter much if you set them up with one big partition or with several partitions, feel free to follow your preferences here. My way of partitioning the harddisks is described in a previous post. That post only shows the commands to split the harddisks into two partitions and use ZFS for the rootfs. The commands to initialize the ZFS data partition are not described, but you should be able to figure it out yourself (and you can decide on your own what kind of RAID level you want to use). For this FS I set atime, exec and setuid to off in the ZFS options.
On the ZFS data partition I create a new dataset for the system. For this dataset I set atime, exec and setuid to off in the ZFS options. Inside this dataset I create datasets for /home, /usr/compat, /usr/local, /usr/obj, /usr/ports/, /usr/src, /usr/sup and /var/ports. There are two ways of doing this. One way is to set the ZFS mountpoint. The way I prefer is to set relative symlinks to it, e.g. “cd /usr; ln –s ../data/system/usr_obj obj�. I do this because this way I can temporary import the pool on another machine (e.g. my desktop, if the need arises) without fear to interfere with the system. The ZFS options are set as follows:
Dataset | Option | Value |
|---|---|---|
| data/system/home | exec | on |
| data/system/usr_compat | exec | on |
| data/system/usr_compat | setuid | on |
| data/system/usr_local | exec | on |
| data/system/usr_local | setuid | on |
| data/system/usr_obj | exec | on |
| data/system/usr_ports | exec | on |
| data/system/usr_ports | setuid | on |
| data/system/usr_src | exec | on |
| data/system/usr_sup | secondarycache | none |
| data/system/var_ports | exec | on |
The exec option for home is not necessary if you keep separate datasets for each user. Normally I keep separate datasets for home directories, but Jail-Hosts should not have users (except the admins, but they should not keep data in their homes), so I just create a single home dataset. The setuid option for the usr_ports should not be necessary if you redirect the build directory of the ports to a different place (WRKDIRPREFIX in /etc/make.conf).
The ports I install by default are net/rsync, ports-mgmt/portaudit, ports-mgmt/portmaster, shells/zsh, sysutils/bsdstats, sysutils/ezjail, sysutils/smartmontools and sysutils/tmux.
In the crontab of root I setup a job to do a portsnap update once a day (I pick a random number between 0 and 59 for the minute, but keep a fixed hour). I also have http_proxy specified in /etc/profile, so that all machines in this network do not download everything from far away again and again, but can get the data from the local caching proxy. As a little watchdog I have a little @reboot rule in the crontab, which notifies me when a machine reboots:
@reboot grep "kernel boot file is" /var/log/messages | mail -s "`hostname` rebooted" root >/dev/null 2>&1
This does not replace a real monitoring solution, but in cases where real monitoring is overkill it provides a nice HEADS-UP (and shows you directly which kernel is loaded in case a non-default one is used).
Some default aliases I use everywhere are:
alias portmlist="portmaster -L | egrep -B1 '(ew|ort) version|Aborting|installed|dependencies|IGNORE|marked|Reason:|MOVED|deleted|exist|update' | grep -v '^--'" alias portmclean="portmaster -t --clean-distfiles --clean-packages" alias portmcheck="portmaster -y --check-depends"
I have the need to give access to some specific devices in some jails. For this I need to setup a custom /etc/devfs.rules file. The files contains some ID numbers which need to be unique in the system. On a 9-current system the numbers one to four are already used (see /etc/defaults/devfs.rules). The next available number is obviously five then. First I present my devfs.rules entries, then I explain them:
[devfsrules_unhide_audio=5] add path 'audio*' unhide add path 'dsp*' unhide add path midistat unhide add path 'mixer*' unhide add path 'music*' unhide add path 'sequencer*' unhide add path sndstat unhide add path speaker unhide [devfsrules_unhide_printers=6] add path 'lpt*' unhide add path 'ulpt*' unhide user 193 group 193 add path 'unlpt*' unhide user 193 group 193 [devfsrules_unhide_zfs=7] add path zfs unhide [devfsrules_jail_printserver=8] add include $devfsrules_hide_all add include $devfsrules_unhide_basic add include $devfsrules_unhide_login add include $devfsrules_unhide_printers add include $devfsrules_unhide_zfs [devfsrules_jail_withzfs=9] add include $devfsrules_hide_all add include $devfsrules_unhide_basic add include $devfsrules_unhide_login add include $devfsrules_unhide_zfs
The devfs_rules_unhide_XXX ones give access to specific devices, e.g. all the sound related devices or to local printers. The devfsrules_jail_XXX ones combine all the unhide rules for specific jail setups. Unfortunately the include directive is not recursive, so that we can not include the default devfsrules_jail profile and need to replicate its contents. The first three includes of each devfsrules_jail_XXX accomplish this. The unhide_zfs rule gives access to /dev/zfs, which is needed if you attach one or more ZFS datasets to a jail. I will explain how to use those profiles with ezjail in a follow-up post.
I use ezjail to manage jails, it is more comfortable than doing it by hand while at the same time allows me to do something by hand. My jails normally reside inside ZFS datasets, for this reason I have setup a special area (ZFS dataset data/jails) which is handled by ezjail.The corresponding ezjail.conf settings are:
ezjail_jaildir=/data/jails ezjail_use_zfs="YES" ezjail_jailzfs="data/jails"
I also disabled procfs and fdescfs in jails (but they can be enabled later for specific jails if necessary).
Unfortunately ezjail (as of v3.1) sets the mountpoint of a newly created dataset even if it is not necessary. For this reason I always issue a “zfs inherit mountpoint � after creating a jail. This simplifies the case where you want to move/rename a dataset and want to have the mountpoint automcatically follow the change.
The access flags of /data/jails directory are 700, this prevents local users (there should be none, but better safe than sorry) to get access to files from users in jails with the same UID.
After the first create/update of the ezjail basejail the ZFS options of basejail (data/jails/basejail) and newjail (data/jails/newjail) need to be changed. For both exec and setuid should be changed to “on� The same needs to be done after creating a new jail for the new jail (before starting it).
In my default ezjail flavour I create some default user(s) with a basesystem-shell (via /data/jails/flavours/mydef/ezjail.flavour) before the package install, and change the shell to my preferred zsh afterwards (this is only valid if the jails are used only by in-house people, if you want to offer lightweight virtual machines to (unknown) customers, the default user(s) and shell(s) are obviously up to discussion). At the end I also run a “/usr/local/sbin/portmaster –y –check-depends� to make sure everything is in a sane state.
For the packages (/data/jails/flavours/mydef/pkg/) I add symlinks to the unversioned packages I want to install. I have the packages in a common (think about setting PACKAGES in make.conf and using PACKAGES/Latest/XYZ.tbz) directory (if they can be shared over various flavours), and they are unversioned so that I do not have to update the version number each time there is an update. The packages I install by default are bsdstats, portaudit, portmaster, zsh, tmux and all their dependencies.
In case you use jails to virtualize services and consolidate servers (e.g. DNS, HTTP, MySQL each in a separate jail) instead of providing lightweight virtual machines to (unknown) customers, there is also a benefit of sharing the distfiles and packages between jails on the same machine. To do this I create /data/jails/flavours/mydef/shared/ports/{distfiles,packages} which are then mounted via nullfs or NFS into all the jails from a common directory. This requires the following variables in /data/jails/flavours/mydef/etc/make.conf (I also keep the packages for different CPU types and compilers in the same subtree, if you do not care, just remove the “/${CC}/${CPUTYPE}� from the PACAKGES line):
DISTDIR=Â /shared/ports/distfiles
PACKAGES= /shared/ports/packages/${CC}/${CPUTYPE}A future post will cover how I setup new jails in such a setup and how I customize the start order of jails or use some non-default settings for the jail-startup.
pkgng c'est cool, ça va être tout beau tout ça, mais voila c'est pas encore fini, il y a beaucoup de boulot à prévoir dessus encore pour que ça rentre en production.
En attendant des babasses FreeBSD on en veut toujours en production.
Voici donc comment je gère mes machines FreeBSD en full binaires.
Tout d'abord il vous faut une machine de build. (Je n'aime pas prendre les packages officiels, parce que je veux des versions plus récentes ou des set d'options différents, parce que avoir un mirroir avec 22000 packages ça ne me sert à rien sinon bouffer de l'espace disque.)
Faire les packages à la main n'est pas non plus très industriel, ni très sérieux.
Utiliser tinderbox me donne des boutons.
J'ai donc réutilisé un outil maison poudriere.
J'y ai rajouté une fonction bulk.
Petit rappel pour commencer, poudriere est un outil très simple ne nécessitant rien qui ne soit pas dans base. Son but est de permettre le test et la génération de packages pour FreeBSD.
Avec cette fonctionnalité de bulk, l'utilisateur donne une liste de packages à manger à poudriere et celui-ci va tous les générer, ainsi que leurs dépendances. Il va présenter le tout sous la forme d'un répertoire de packages identique à ceux officiels.
Commençons donc par créer nos environnements de build en considérant poudriere comme déjà installé.
Voici le fichier de configuration de mon poudriere:
ZPOOL=data
FTPHOST=ftp.free.org
IP=192.168.1.58
ETH=nfe0
PORTSDIR=/usr/local/poudriere/ports
POUDRIERE_DATA=/usr/local/pdata
WRKDIRPREFIX=/tmp/wrk
MFSSIZE=4G
poudriere utilise zfs il suffit de lui donner un zpool il se débrouille avec. Ici nous avons choisi "data". poudriere utilise les jails, il a donc besoin de connaître un host ftp pour récupérer les éléments nécessaires à la construction automatique des jails, une adresse IP et une interface réseau sur laquelle rajouter en alias l'adresse IP donnée.
Il a besoin de connaître l'arbre des ports sur lequel il va travailler, et où il va générer ses données: packages et logs.
Enfin quelques informations comme le WRKDIRPREFIX seront nécessaires si l'on veut tout construire en RAM (mdmfs et tmpfs possibles).
poudriere est maintenant utilisable, préparons donc les machines de build:
# poudriere createjail -v 8.2-RELEASE -n 82amd64 -a amd64 -s
Voila c'est tout ! Vous disposez désormais d'une machine de build pour FreeBSD 8.2-RELEASE pour l'architecture amd64. Vous pouvez en rajouter autant que vous voulez bien sûr.
Il s'agit maintenant de construire ses premiers packages. poudriere souhaite une liste, alors allons y:
# cat ~/listpkgs
ports-mgmt/portmaster
editors/vim
www/newsbeuter
www/elinks
devel/git
C'est déjà pas mal pour tester. Il est bien sûr possible de spécifier des options de compilation via: /usr/local/etc/poudriere.d/make.conf pour les options globales et/ou /usr/local/etc/poudriere.d/82amd64-make.conf pour les options spécifiques à la jail 82amd64.
# cat /usr/local/etc/poudriere.d/82amd64-make.conf
NOPORTDOCS=yes
WITHOUT_NLS=yes
WITHOUT_X11=yes
NO_GUI=yes
C'est prêt on peut lancer le build:
# poudriere bulk -f ~/listpkgs -j 82amd64
Si l'option -j n'est pas donnée alors il fera sur le boulot sur chacune des jails disponibles.
Ce que fait poudriere là c'est construire dans la jail vierge (merci les snapshots zfs) tous les packages demandés, en ayant pris soin de supprimer tout résidu d'un précédent bulk. Puis il va générer l'INDEX et le compresser en bzip2.
Cette étape peut donc être très longue.
Une fois terminée les résultats se trouveront dans : /usr/local/pdata/packages/bulk-82amd64
Le Répertoire étant utilisable tel quel.
On part donc d'une installation toute fraiche de freebsd sans l'arbre des ports
# export PACKAGESITE=http://monjoliserver/avec/mes/packages/
# pkg_add -r portmaster
Quelques options pour le portmaster.rc
# cat /usr/local/etc/portmaster.rc
MASTER_SITE_INDEX=http://monjoliserver/avec/mes/packages/
LOCALBASE=/usr/local
PACKAGESITE=http://monjoliserver/avec/mes/packages/
PM_PACKAGES=only
PM_INDEX=yes
PM_INDEX_ONLY=pm_index_only
Comme portmaster recherche encore quelques informations sur l'arbre des ports et que l'on ne souhaite pas ce comportement :
# mkdir /usr/ports/Mk
# touch /usr/ports/Mk/bsd.port.mk
portmaster est maintenant utilisable:
# portmaster www/newsbeuter
[...]
===>>> The following actions will be taken if you choose to proceed:
Install www/newsbeuter
Install devel/gettext
Install converters/libiconv
Install devel/pkg-config
Install devel/stfl
Install ftp/curl
Install security/ca_root_nss
Install textproc/libxml2
Install databases/sqlite3
===>>> Proceed? y/n [y]
[...]
===>>> The following actions were performed:
Installation of converters/libiconv (libiconv-1.13.1_1)
Installation of devel/gettext (gettext-0.18.1.1)
Installation of devel/pkg-config (pkg-config-0.25_1)
Installation of devel/stfl (stfl-0.21_1)
Installation of security/ca_root_nss (ca_root_nss-3.12.9)
Installation of ftp/curl (curl-7.21.3_1)
Installation of textproc/libxml2 (libxml2-2.7.8_1)
Installation of databases/sqlite3 (sqlite3-3.7.5)
Installation of www/newsbeuter (newsbeuter-2.4)
#
Voila retour/docs/patchs bienvenus, as usual :)
A la demande populaire voici un micro howto sur comment créer des nanos jails(8).
Pour cela je vais vous monter comment tourne mon blog (Ã base de cblog).
Quelques petites commandes pour bien montrer de quoi on parle
$ jls -j cblog
JID IP Address Hostname Path
1 10.50.0.1 cblog /zdata/jails/cblog/
$ du -hs /zdata/jails/cblog/
2,3M /zdata/jails/cblog
c'est tout rien de plus.
Il y a même des choses en trop par exemple cette jail n'a pas besoin de réseau pour fonctionner normalement.
En fait une jail n'a pas besoin de grand chose pour fonctionner et depuis que l'on dispose des jails persistantes elles ont même besoin de rien du tout.
Examinons un peu le contenu de cette jail :
/zdata/jails/cblog
/zdata/jails/cblog/bin
/zdata/jails/cblog/bin/cblog.fcgi
/zdata/jails/cblog/data
/zdata/jails/cblog/data/*
/zdata/jails/cblog/usr/local/etc
/zdata/jails/cblog/usr/local/etc/cblog.conf
/zdata/jails/cblog/libexec
/zdata/jails/cblog/libexec/ld-elf.so.1
/zdata/jails/cblog/lib
/zdata/jails/cblog/lib/libfcgi.so.0
/zdata/jails/cblog/lib/libz.so.5
/zdata/jails/cblog/lib/libc.so.7
Nous y retrouvons donc le strict nécessaire pour faire tourner cblog.
pour en arriver là il faut préparer le fs. (je suis utilisateur de zfs :))
$ zfs create /zdata/jails/cblog
$ mkdir /zdata/jails/cblog/bin
$ mkdir /zdata/jails/cblog/lib
$ mkdir /zdata/jails/cblog/libexec
Je dépose ensuite le binaire cblog.fcgi (je l'ai pris dans le paquet officiel)
$ cp /tmp/cblog-0.1.15/libexec/cblog.fcgi /zdata/jails/cblog/bin
Je regarde ce que demande ce binaire:
$ ldd /zdata/jails/cblog/bin/cblog.fcgi
/zdata/jails/cblog/bin/cblog.fcgi:
libfcgi.so.0 => /usr/local/lib/libfcgi.so.0 (0x80066b000)
libz.so.5 => /lib/libz.so.5 (0x800775000)
libc.so.7 => /lib/libc.so.7 (0x80088a000)
Je rajoute donc ce qui va bien dans ma future jail:
$ cp /lib/libz.so.5 /zdata/jails/cblog/lib
$ cp /lib/libc.so.7 /zdata/jails/cblog/lib
$ cp /usr/local/lib/libfcgi.so.0 /zdata/jails/cblog/lib
J'ai vérifié les dépendances de la libfcgi et elle ne ramène rien d'autre.
Le paquet cblog est compilé avec comme prefix /usr/local du coup il cherche son fichier de conf dans /usr/local/etc/cblog.conf (vu de la jail)
$ mkdir /zdata/jails/cblog/usr/local/etc
Je prévoie de mettre les données que le binaire va manipuler dans /data (vu de la jail)
$ mkdir /zdata/jails/cblog/data
Je prépare le fichier de conf de mon cblog pour lui dire de trouver ses données dans /data (je zappe cette partie ce n'est pas le but de ce post). Le fichier de conf est déposé dans /zdata/jails/cblog/usr/local/etc sous le nom cblog.conf comme attendu.
C'est là que ça devient intéressant. Il est impossible de faire tourner une jail sans son runtime link-editor.
$ cp /libexec/lib-elf.so.1 /zdata/jails/cblog/libexec/ld-elf.so.1
Ici j'ai pris celui du système hôte car les binaire sont ceux du même format que ceux de l'hôte. Dans le cas d'un jail linux par exemple, il faudra prendre l'équivalent au format linux.
Nous pouvons maintenant démarrer la jail en question.
Ne surtout pas passer par /etc/rc.d/jail qui est complètement dépassé maintenant.
$ jail -c persist name=cblog path=/zdata/jails/cblog/ host.hostname=cblog ip4.addr=10.50.0.1
Si vous ne voulez pas d'adresse ip ni de hostname
$ jail -c persist name=cblog path=/zdata/jails/cblog/
jls vous montrera la jail qui tourne.
Démarrons le cblog pour qu'il écoute sur une socket unix.
$ jexec cblog /sbin/cblog.fcgi unix:/cblog.sock
Il suffit de donner le chemin /zdata/jails/cblog/cblog.sock à nginx par exemple dans sa config fastcgi pour que votre cblog soit accessible au plus grand nombre.
Pour stopper la jail:
$ jail -r cblog
In the last days I migrated all my internal services to IPv6.
All my jails have an IPv4 and an IPv6 address now. All Apaches (I have one for my picture gallery, one for webmail, and one for internal management) now listen on the internal IPv6 address too. Squid is updated from 2.x to 3.1 (the most recent version in the Ports Collection) and I added some IPv6 ACLs. The internal Postfix is configured to handle IPv6 too (it is delivering everything via an authenticated and encrypted channel to a machine with a static IPv4 address for final delivery). My MySQL does not need an IPv6 address, as it is only listening to requests via IPC (the socket is hardlinked between jails). All ssh daemons are configured to listen to IPv6 too. The IMAP and CUPS server was picking the new IPv6 addresses automatically. I also updated Samba to handle IPv6, but due to lack of a Windows machine which prefers IPv6 over IPv4 for CIFS access (at least I think my Windows XP netbook only tries IPv4 connections) I can not really test this.
Only my Wii is a little bit behind, and I have not checked if my Sony-TV will DTRT (but for this I first have to get some time to have a look if I have to update my DD-WRT firmware on the little WLAN-router which is “extending the cable� from the TV to the internal network, and I have to look how to configure IPv6 with DD-WRT).
After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to tell that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.
Configuring the interfaces of my two 9-current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man-page for rc.conf. After a little bit of experimenting it came down to:
ifconfig_rl0_ipv6=“inet6 ::2:1 prefixlen 64 accept_rtadv“
ipv6_defaultrouter=�<router address>�
Apart from this address (I chose it because the IPv4 address ends in “.2″, this way I can add some easy to remember addresses for this machine if needed), I also have two automatically configured addresses. One is with the same ULA and some not so easy to remember end (constructed from the MAC address), and one is from the official prefix the router constructed out of the official IPv4 address from the ISP (+ the same end than the other end).
Additionally I also have all my jails on this machine with an IPv6 address now (yes, they are like “…:2:100″ with the :100 because the IPv4 address ends in “.100″). Still TODO is the conversion of all the services in the jails to also listen on the IPv6 address.
I already changed the config of my internal DNS to have the IPv6 addresses for all systems, listen on the IPv6 address (when I add an IPv6 network to allow-query/allow-query-cache/allow-recursion bind does not want to start). And as I was there, I also enabled the DNSSEC verification (but I get a lot of error messages in the logs: “unable to convert errno to isc_result: 42: Protocol not available�, one search result which talks exactly about this error tells it is a “cosmetic error�…).
I noticed that an IPv6 ping between two physical machines takes a little bit more time than an IPv4 ping (no IPsec enabled). It surprised me that this is such a noticeable difference (not within the std-dev at all):
— m87.Leidinger.net ping statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.168/0.193/0.220/0.017 ms
— m87.Leidinger.net ping6 statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.207/0.325/0.370/0.047 ms
The information I miss in the FreeBSD handbook in the IPv6 chapter is what those other IPv6 related services are and when/how to configure them. I have an idea now what this radvd is, but I am not sure what the interaction is with the accept_rtadv setting for ifconfig (and I do not think I need it, as my WLAN router seems to do it already). I know that I get the IPv6-friendly network neighborhood displayed with ndp(8). I did not have a look at enabling IPv6 multicast support in FreeBSD, and I do not know what those other IPv6 options for rc.conf do.
The 7-stable system on which I have stability problems after an update from 7.1 to 7.2/7-stable is now semi-stable.
The watchdog reboots after one minute of no reaction (currently it is able to run 3–4 hours), and the jails come up without problems now.
The problem with the jails was, that e.g. the mysql-server startup went into the STOP state because TTY-input was “requested”. I solved the problem by using /dev/null as input on jail-startup. On –current I do not see this behavior (I have a 9-current system with a lot of jails which reboots every X days, and there mysql does not go into the STOP state).
I also start the jails in the background, so that one blocking jail does not block everything (done like in –current).
To say this with code:
--- /usr/src/etc/rc.d/jail 2009-02-07 15:04:35.000000000 +0100
+++ /etc/rc.d/jail 2009-12-16 17:03:12.000000000 +0100
@@ -556,7 +556,8 @@
fi
_tmp_jail=${_tmp_dir}/jail.$$
eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
- \\"${_addrl}\\" ${_exec_start} > ${_tmp_jail} 2>&1
+ \\"${_addrl}\\" ${_exec_start} > ${_tmp_jail} 2>&1 \\
+ </dev/null
if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
@@ -623,4 +624,4 @@
if [ -n "$*" ]; then
jail_list="$*"
fi
-run_rc_command "${cmd}"
+run_rc_command "${cmd}" &
I also identified 57 patches for ZFS which are in 8-stable, but not in 7-stable (I do not think they could solve the deadlock, but I do not really know, and now that there is one FS on ZFS, I would like to get as much fixed as possible). Some of them should be merged, some would be nice to merge, and some I do not care much about (but if they are easy to merge, why not…). I already have all revisions and the corresponding commit logs available in an email-draft.
Now I just need to write a little bit of text and find some people willing to help (some of the changes need a review if they are applicable to 7-stable, and everything should be tested on a scratch-box).
The more time passes with tarsnap, the more impressive it is.
Following is a list of all my privately used systems (2 machines which only host jails — here named Prison1 and Prison2 — and several jails — here named according to their functionality) together with some tarsnap statistics. For each backup tarsnap prints out some statistics. The amount of uncompressed storage space of all archives of this machine, the compressed storage space of all archives, the unique uncompressed storage space of all archives, the unique compressed storage space of all archives, and the same mount of info for the current archive. The unique storage space is after deduplication. The most interesting information is the unique and compressed one. For a specific archive it shows the amount of data which is different to all other archives, and for the total amount it tells how much storage space is used on the tarsnap server. I do not backup all data in tarsnap. I do a full backup on external storage (zfs snapshot + zfs send | zfs receive) once in a while and tarsnap is only for the stuff which could change daily or is very small (my mails belong to the first group, the config of applications or the system to the second group). At the end of the post there is also an overview of the money I have spend so far in tarsnap for the backups.
Attention: the following graphs are displaying small values in KB, while the text is telling about sizes in MB or even GB!
The backup of one day covers 1.1 GB of uncompressed data, the subtrees I backup are /etc, /usr/local/etc, /home, /root, /var/db/pkg, /var/db/mergemaster.mtree, /space/jails/flavours and a subversion checkout of /usr/src (excluding the kernel compile directory; I backup this as I have local modifications to FreeBSD). If I want to have all days uncompressed on my harddisk, I would have to provide 10 GB of storage space. Compressed this comes down to 2.4 GB, unique uncompressed this is 853 MB, and unique compressed this is 243 MB. The following graph splits this up into all the backups I have as of this writting. I only show the unique values, as including the total values would make the unique values disappear in the graph (values too small).
In this graph we see that I have a constant rate of new data. I think this is mostly references to already stored data (/usr/src being the most likely cause of this, nothing changed in those directories).
One day covers 7 MB of uncompressed data, all archives take 56 MB uncompressed, unique and compressed this comes down to 1.3 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/named, and /var/db/mergemaster.mtree.
This graph is strange. I have no idea why there is so much data for the second and the last day. Nothing changed.
One day covers 8 MB of uncompressed data, all archives take 62 MB uncompressed, unique and compressed this comes down to 1.5 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/spool/postfix, and /var/db/mergemaster.mtree.
This looks not bad. I was sending a lot of mails on the 25th. And the days in the middle I was not sending much.
One day covers about 900 MB of uncompressed data, all archives take 7.2 GB uncompressed, unique and compressed this comes down to 526 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /home (mail folders) and /usr/local/share/courier-imap.
Obviously I have a not so small amount of change in my mailbox. As my spamfilter is working nicely this is directly correlated to mails from various mailinglists (mostly FreeBSD).
One day covers 100 MB of uncompressed data, all archives take 801 MB uncompressed, unique and compressed this comes down to 19 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mysql and /var/db/mergemaster.mtree.
This is correlated with the use of my webmail interface, and as such is also correlated with the amount of mails I get and send. Obviously I did not use my webmail interface at the weekend (as the backup covers the change of the previous day).
One day covers 121 MB of uncompressed data, all archives take 973 MB uncompressed, unique and compressed this comes down to 33 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /usr/local/www/horde and /home.
This one is strange again. Nothing in the data changed.
One day covers 10 MB of uncompressed data, all archives take 72 MB uncompressed, unique and compressed this comes down to 1.9 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree and /var/db/samba.
Here we see the changes to /var/db/samba, this should be mostly my Wii accessing multimedia files there.
One day covers 31 MB of uncompressed data, all archives take 223 MB uncompressed, unique and compressed this comes down to 6.6 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg and /var/db/mergemaster.mtree.
This is also a strange graph. Again, nothing changed there (the cache directory is not in the backup).
One day covers 44 MB of uncompressed data, all archives take 310 uncompressed, unique and compressed this comes down to 11 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /home and /usr/local/www/phpMyAdmin.
And again a strange graph. No changes in the FS.
One day covers 120 MB of uncompressed data, all archives take 845 MB uncompressed, unique and compressed this comes down to 25 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /usr/local/www/gallery2 and /home/gallery (excluding some parts of /home/gallery).
This one is OK. Friends and Family accessing the pictures.
One day covers 7 MB of uncompressed data, all archives take 28 MB uncompressed, unique and compressed this comes down to 1.3 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /space/jails/flavours and /home.
This one looks strange to me again. Same reasons as with the previous graphs.
One day covers 56 MB of uncompressed data, all archives take 225 MB uncompressed, unique and compressed this comes down to 5.4 MB. This covers /etc, /usr/local/etc, /usr/local/www/postfixadmin, /root/, /var/db/pkg, /var/db/mysql, /var/spool/postfix and /var/db/mergemaster.mtree.
This graph looks OK to me.
One day covers 59 MB of uncompressed data, all archives take 478 MB uncompressed, unique and compressed this comes down to 14 MB. This covers /etc, /usr/local/etc, /root, /home, /var/db/pkg, /var/db/mergemaster.mtree, /var/db/mysql and /var/spool/ejabberd (yes, no backup of the web-data, I have it in another jail, no need to backup it again).
With the MySQL and XMPP databases in the backup, I do not think this graph is wrong.
The total amount of stored data per system is:
Since I use tarsnap (8 days), I have spend 38 cents, most of this is bandwidth cost for the transfer of the initial backup (29.21 cents). According to the graphs, I am currently at about 8–14 cents per week (or about half a dollar per month) for my backups (I still have a machine to add, and this may increase the amount in a similar way than the Prison1 system with 2–3 jails). The amount of money spend in US-cents (rounded!) per day is:
As FreeBSD 8.0 is right around the corner it's the right time to get it some more exposure. Just for kicks I got the idea to stress the Jails subsystem - the cheap (both in $$$ and resource requirements) OS-level virtualization technology present in FreeBSD for nearly 10 years now. Behold... the bootup of 1,000, count them - 1,000 virtual machines on a single host with 4 GB of RAM.