To design “FreeBSD Mastery: Jails” I need to look at the existing jail management tools. Jails have been around about fifteen years now, and FreeBSD has accumulated a whole bunch of wrappers and supporting tools. Many of these have wound up in the ports collection.
Jails have evolved over the years. Some of these add-on tools are not useful for FreeBSD 9.1 and later.
Here are a few things I discovered in my research. I’m hoping that you lot will offer your own comments and help me decide which tools to cover in the book.
It seems we have five major jail management toolkits.
ezjail – perhaps the best known jail management tool. Written entirely in shell.
qjail – Designed for managing lots of jails at the command line, based on templates. The examples use ipfilter, which is my third choice of FreeBSD firewall. Does not need ZFS.
iocage – supports resource limiting, thin provisioning, cloning, and either vimage or NAT from the host’s main IP.
jadm – Python-based jail command shell, uses a bridge interface. Can migrate jails between hosts. ZFS integration. Lets you set global settings for all jails, per-jail settings, jail groups, and so on.
cbsd – web-based management of jails. Supports HAST, migration, CARP, etc.
The question for me is: which should I cover in the jails book? I’ll mention that all of them exist, but I can only give attention to one or two.
CBSD seems an obvious choice. It integrates CARP and HAST and vimage and just about everything. Plus, people like web GUIs. It seems to be the giant ape of jail management tools.
But I want to cover a command-line toolkit. Between ezjail, qjail, iocage, and jadm, I find myself leaning towards iocage.
There’s some other jail-related software in the ports collection. Here are those I plan to investigate and possibly include. I might find that their functionality is now included in mainline FreeBSD, however.
jps and jtop – external wrappers that add jail info to ps and top.
jkill – shuts down a running jail and all its processes from outside the jail. I don’t know that this is still needed, but the functionality is important.
bsnmp-jails – feed jail info into snmpd.
Here are some jail-related ports I don’t plan to include, and why.
py-ploy_ezjail, bsdploy – ploy for jails. I don’t ploy.
py-ezjailremote – a python wrapper around ezjail. I don’t Python.
p5-BSD-Jail-Object – a Perl interface for jail management. I do Perl, but… no.
pkg_jail – build packages inside a jail. This looks like an old poudriere.
jailrc – improved startup/shutdown scripts for pre-9.1 jails. The key words here are “pre 9.1.”
pam_jail – drops the user into a jail upon successful login
jailme – a modified version of jexec with more sanity checking. Is setuid, lets normal users run jails.
jaildaemon – lets the jail talk to the host? I’m sure this solved a problem for someone, but not me.
jailctl – for FreeBSD 4.x and 5.x
jailaudit – portaudit for inside jails. I’d say this is superseded by pkg audit.
jail2 – advanced jail script. Uses /etc/jail.conf. I’m kinda, sorta sure that this or its descendant is the default FreeBSD 9.1 and later.
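Since the list above touches on /etc/jail.conf (jail2) and on stopping a jail from the outside (jkill), here is an added example of how the base system covers both on FreeBSD 9.1 and later. It is not from the original post and is not code from any of the ports listed; jail(8) reads /etc/jail.conf directly, and `jail -r` tears a jail down. The jail name `www`, the /usr/jails path, the interface `em0` and the documentation address 192.0.2.10 are assumptions for illustration, not values from the post.

```conf
# /etc/jail.conf  (added example, not from the post)
# Parameters outside any jail block apply to every jail.
# $name / ${name} expands to the jail's name.

path = "/usr/jails/$name";            # assumed layout: one directory per jail
host.hostname = "$name.example.com";  # assumed domain
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;                           # start with a clean environment
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
devfs_ruleset = 4;                    # devfsrules_jail from /etc/defaults/devfs.rules

# One jail: the parameters above plus its own address.
www {
    interface = "em0";                # assumed host NIC; jail(8) adds the alias
    ip4.addr = 192.0.2.10;            # assumed address (documentation range)
}
```

With that file in place, `jail -c www` creates the jail from its block and runs exec.start, and `jail -r www` runs exec.stop and then kills any process still inside the jail before removing it, which is the job jkill does from outside; `jls` lists what is running. Both flags are in jail(8) on the 9.1-and-later systems the book targets.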