Just before Christmas I decided I would spend the “immense” amount of 40 EUR on a graphics card for a system which was without one. The system is supposed to replace my dying home server. I already moved everything, except my Desktop-in-a-Jail (actually it is my home-cinema jail).
The old system had a Radeon 9200SE, and it was enough for what I used it for. Now… for a few bucks you can get a lot more horsepower today. After looking around a little bit I decided to buy an NVidia card. I made this decision because it looks like I can get better driver support for it. So I got a GeForce GT 520 with 1 GB of RAM (I doubt I will be able to use that much RAM) and without a fan.
With the Radeon 9200SE I was not able to get the 3D stuff activated (at least in the jail, I did not try without): Xorg complains about a missing agpgart module, but I have AGP in the kernel (and no /dev/agpgart outside the jail). I did not spend time investigating this, as the main purpose — playing movies — worked. Now with the NVidia card I decided to give the 3D part a try again.
After adding the NVidia device entries to the jail, and a little bit of fighting with the Xorg-HAL interaction, I got a working desktop. The biggest problem in verifying that 3D is working was that I did not have xdriinfo installed. After installing it, I noticed that it does not work with the NVidia driver.
Next stop: nvidia-settings. It runs great, displays a nice FreeBSD+NVidia logo, and … tells me that OpenGL is configured. Hmmm… OK, but I want to see it!
As I decided to switch from Gnome to KDE 4 at the same time (I was using KDE when it was at V 0.x, switched to Gnome as it looked nicer to me, and now I switch back after reading all the stuff on the net that KDE 4 is “better” than Gnome 3), I did not really know how to see the 3D stuff in action. So I quickly went to the settings and searched for something which looks like it may use 3D. To my surprise, it was already using 3D stuff. Nice. I fully realized how nice when playing a video and using Alt-Tab to switch windows: the video was playing at full speed, scaled down, in the window-switcher thumbnail view.
That was too easy. I am happy about it.
Now that I have a working setup of X11-in-a-jail for Radeon and GeForce cards, I want to clean up my changes to the kernel and the config files (devfs.rules) and have a look at getting this committed. A big part of this work is probably writing documentation (most probably in the wiki).
I still want to see some fancy 3D stuff now. I tried to install x11-clocks/glclock, but the build fails with an undefined reference to ‘glPolygonOffsetEXT’.
Any recommendation for a fancy 3D display? My priority is on “fancy/nice” with as little violence as possible. Most probably I will look at it once and then deinstall it again, so it should be available in the Ports Collection (or included in KDE 4).
Everyone has his own way of setting up a machine to serve as a host of multiple jails. Here is my way, YMMV.
Initial FreeBSD install
I use several hard disks in a software RAID setup. It does not matter much if you set them up with one big partition or with several partitions, feel free to follow your preferences here. My way of partitioning the hard disks is described in a previous post. That post only shows the commands to split the hard disks into two partitions and use ZFS for the rootfs. The commands to initialize the ZFS data partition are not described, but you should be able to figure it out yourself (and you can decide on your own what kind of RAID level you want to use). For this FS I set atime, exec and setuid to off in the ZFS options.
On the ZFS data partition I create a new dataset for the system. For this dataset I set atime, exec and setuid to off in the ZFS options. Inside this dataset I create datasets for /home, /usr/compat, /usr/local, /usr/obj, /usr/ports/, /usr/src, /usr/sup and /var/ports. There are two ways of doing this. One way is to set the ZFS mountpoint. The way I prefer is to set relative symlinks to it, e.g. “cd /usr; ln -s ../data/system/usr_obj obj”. I do this because this way I can temporarily import the pool on another machine (e.g. my desktop, if the need arises) without fear of interfering with the system. The ZFS options are set as follows:
ZFS options for data/system/*

| Dataset                | Option         | Value |
|------------------------|----------------|-------|
| data/system/home       | exec           | on    |
| data/system/usr_compat | exec           | on    |
| data/system/usr_compat | setuid         | on    |
| data/system/usr_local  | exec           | on    |
| data/system/usr_local  | setuid         | on    |
| data/system/usr_obj    | exec           | on    |
| data/system/usr_ports  | exec           | on    |
| data/system/usr_ports  | setuid         | on    |
| data/system/usr_src    | exec           | on    |
| data/system/usr_sup    | secondarycache | none  |
| data/system/var_ports  | exec           | on    |
The exec option for home is not necessary if you keep separate datasets for each user. Normally I keep separate datasets for home directories, but jail hosts should not have users (except the admins, but they should not keep data in their homes), so I just create a single home dataset. The setuid option for usr_ports should not be necessary if you redirect the build directory of the ports to a different place (WRKDIRPREFIX in /etc/make.conf).
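Because every dataset under data/system is supposed to inherit exec=off and setuid=off except the ones listed in the table, it is worth re-checking the subtree after changes. The following is an added example, not a script from the original post: it reads the tab-separated output of zfs get and reports every deviation from the table (the sample input is constructed).

```shell
#!/bin/sh
# Added example, not from the original post: audit the exec/setuid settings of
# the data/system subtree against the table above. Only the listed datasets may
# have exec or setuid "on"; everything else under data/system must be "off".
# Feed it:  zfs get -r -H -o name,property,value exec,setuid data/system
zfs_check_policy() {
    awk -F '\t' '
    BEGIN {                                  # "on" values from the table
        allow["data/system/home exec"] = 1
        allow["data/system/usr_compat exec"] = 1
        allow["data/system/usr_compat setuid"] = 1
        allow["data/system/usr_local exec"] = 1
        allow["data/system/usr_local setuid"] = 1
        allow["data/system/usr_obj exec"] = 1
        allow["data/system/usr_ports exec"] = 1
        allow["data/system/usr_ports setuid"] = 1
        allow["data/system/usr_src exec"] = 1
        allow["data/system/var_ports exec"] = 1
    }
    $1 !~ /^data\/system(\/|$)/ { next }     # other trees (e.g. data/jails) are skipped
    $2 != "exec" && $2 != "setuid" { next }
    {
        key = $1 " " $2
        want = (key in allow) ? "on" : "off"
        if ($3 != want) {
            printf "%s: %s is %s, expected %s\n", $1, $2, $3, want
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample in the format of "zfs get -H", with two drifts:
# usr_sup became executable and usr_local lost its setuid.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        data/system exec off \
        data/system setuid off \
        data/system/home exec on \
        data/system/home setuid off \
        data/system/usr_local exec on \
        data/system/usr_local setuid off \
        data/system/usr_sup exec on \
        data/system/usr_sup setuid off \
        data/jails/basejail exec on
}

if [ "${1:-}" = "--demo" ]; then sample_zfs_get | zfs_check_policy; fi
```

The exit status is non-zero when a drift is found, so the function can run from the same cron job that does the daily portsnap update.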
Installing ports
The ports I install by default are net/rsync, ports-mgmt/portaudit, ports-mgmt/portmaster, shells/zsh, sysutils/bsdstats, sysutils/ezjail, sysutils/smartmontools and sysutils/tmux.
Basic setup
In the crontab of root I set up a job to do a portsnap update once a day (I pick a random number between 0 and 59 for the minute, but keep a fixed hour). I also have http_proxy specified in /etc/profile, so that all machines in this network do not download everything from far away again and again, but can get the data from the local caching proxy. As a little watchdog I have a little @reboot rule in the crontab, which notifies me when a machine reboots:
@reboot grep "kernel boot file is" /var/log/messages | mail -s "`hostname` rebooted" root >/dev/null 2>&1
This does not replace a real monitoring solution, but in cases where real monitoring is overkill it provides a nice HEADS-UP (and shows you directly which kernel is loaded in case a non-default one is used).
Some default aliases I use everywhere are:
alias portmlist="portmaster -L | egrep -B1 '(ew|ort) version|Aborting|installed|dependencies|IGNORE|marked|Reason:|MOVED|deleted|exist|update' | grep -v '^--'"
alias portmclean="portmaster -t --clean-distfiles --clean-packages"
alias portmcheck="portmaster -y --check-depends"
Additional devfs rules for Jails
I need to give access to some specific devices in some jails. For this I need to set up a custom /etc/devfs.rules file. The file contains some ID numbers which need to be unique in the system. On a 9-current system the numbers one to four are already used (see /etc/defaults/devfs.rules). The next available number is obviously five then. First I present my devfs.rules entries, then I explain them:
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide
[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide user 193 group 193
add path 'unlpt*' unhide user 193 group 193
[devfsrules_unhide_zfs=7]
add path zfs unhide
[devfsrules_jail_printserver=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_printers
add include $devfsrules_unhide_zfs
[devfsrules_jail_withzfs=9]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs
The devfsrules_unhide_XXX ones give access to specific devices, e.g. all the sound related devices or the local printers. The devfsrules_jail_XXX ones combine all the unhide rules for specific jail setups. Unfortunately the include directive is not recursive, so we cannot include the default devfsrules_jail profile and need to replicate its contents. The first three includes of each devfsrules_jail_XXX accomplish this. The unhide_zfs rule gives access to /dev/zfs, which is needed if you attach one or more ZFS datasets to a jail. I will explain how to use those profiles with ezjail in a follow-up post.
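Two things in this file bite silently: a ruleset ID that collides with one from /etc/defaults/devfs.rules, and a misspelled name in an "add include" line, which (since includes are just name lookups) drops the whole set of hides or unhides without any error at boot. The following checker is an added example, not a script from the original post; the sample rules file it runs on is constructed and includes both mistakes on purpose.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for a devfs.rules
# file. Ruleset IDs must be unique across all rule files (1-4 belong to
# /etc/defaults/devfs.rules), and because "add include" is not recursive a
# misspelled include silently drops a whole set of hides or unhides.
# Usage: devfs_check_rules /etc/defaults/devfs.rules /etc/devfs.rules
devfs_check_rules() {
    awk '
    /^\[[A-Za-z0-9_]+=[0-9]+\]/ {          # "[name=id]" opens a ruleset
        name = $0; sub(/^\[/, "", name); sub(/=.*/, "", name)
        id = $0;   sub(/^\[[^=]*=/, "", id); sub(/\].*/, "", id)
        if ((id in byid) && byid[id] != name) {
            printf "duplicate ruleset id %s: %s and %s\n", id, byid[id], name
            bad = 1
        }
        byid[id] = name; defined[name] = 1; cur = name
        next
    }
    /^[ \t]*add[ \t]+include[ \t]+\$/ {    # "add include $name" references one
        ref = $3; sub(/^\$/, "", ref); used[ref] = cur
    }
    END {
        for (r in used)
            if (!(r in defined)) {
                printf "ruleset %s includes undefined ruleset %s\n", used[r], r
                bad = 1
            }
        exit (bad ? 1 : 0)
    }' "$@"
}
# Constructed sample: the default rulesets that matter here plus rulesets from
# the post, with two deliberate mistakes (ID 7 reused, one include misspelled).
sample_rules() {
cat <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_jail=4]
add include $devfsrules_hide_all
[devfsrules_unhide_printers=6]
add path 'ulpt*' unhide user 193 group 193
[devfsrules_unhide_zfs=7]
add path zfs unhide
[devfsrules_jail_printserver=7]
add include $devfsrules_hide_all
add include $devfsrules_unhide_printer
add include $devfsrules_unhide_zfs
EOF
}
if [ "${1:-}" = "--demo" ]; then sample_rules | devfs_check_rules; fi
```

Pass the defaults file first so that collisions with rulesets 1 to 4 are reported against their real names.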
Jails setup
I use ezjail to manage jails; it is more comfortable than doing it by hand while at the same time allowing me to do some things by hand. My jails normally reside inside ZFS datasets, for this reason I have set up a special area (ZFS dataset data/jails) which is handled by ezjail. The corresponding ezjail.conf settings are:
ezjail_jaildir=/data/jails
ezjail_use_zfs="YES"
ezjail_jailzfs="data/jails"
I also disabled procfs and fdescfs in jails (but they can be enabled later for specific jails if necessary).
Unfortunately ezjail (as of v3.1) sets the mountpoint of a newly created dataset even if it is not necessary. For this reason I always issue a “zfs inherit mountpoint ” after creating a jail. This simplifies the case where you want to move/rename a dataset and want to have the mountpoint automatically follow the change.
The access flags of the /data/jails directory are 700; this prevents local users (there should be none, but better safe than sorry) from getting access to files of users in jails with the same UID.
After the first create/update of the ezjail basejail the ZFS options of basejail (data/jails/basejail) and newjail (data/jails/newjail) need to be changed: for both, exec and setuid should be changed to “on”. The same needs to be done for every new jail after creating it (before starting it).
The default ezjail flavour
In my default ezjail flavour I create some default user(s) with a base-system shell (via /data/jails/flavours/mydef/ezjail.flavour) before the package install, and change the shell to my preferred zsh afterwards (this is only valid if the jails are used only by in-house people; if you want to offer lightweight virtual machines to (unknown) customers, the default user(s) and shell(s) are obviously up for discussion). At the end I also run a “/usr/local/sbin/portmaster -y --check-depends” to make sure everything is in a sane state.
For the packages (/data/jails/flavours/mydef/pkg/) I add symlinks to the unversioned packages I want to install. I have the packages in a common (think about setting PACKAGES in make.conf and using PACKAGES/Latest/XYZ.tbz) directory (if they can be shared over various flavours), and they are unversioned so that I do not have to update the version number each time there is an update. The packages I install by default are bsdstats, portaudit, portmaster, zsh, tmux and all their dependencies.
In case you use jails to virtualize services and consolidate servers (e.g. DNS, HTTP, MySQL each in a separate jail) instead of providing lightweight virtual machines to (unknown) customers, there is also a benefit in sharing the distfiles and packages between jails on the same machine. To do this I create /data/jails/flavours/mydef/shared/ports/{distfiles,packages}, which are then mounted via nullfs or NFS into all the jails from a common directory. This requires the following variables in /data/jails/flavours/mydef/etc/make.conf (I also keep the packages for different CPU types and compilers in the same subtree; if you do not care, just remove the “/${CC}/${CPUTYPE}” from the PACKAGES line):
DISTDIR= /shared/ports/distfiles
PACKAGES= /shared/ports/packages/${CC}/${CPUTYPE}
New jails
A future post will cover how I set up new jails in such a setup and how I customize the start order of jails or use some non-default settings for the jail startup.
In the last days I migrated all my internal services to IPv6.
All my jails have an IPv4 and an IPv6 address now. All Apaches (I have one for my picture gallery, one for webmail, and one for internal management) now listen on the internal IPv6 address too. Squid is updated from 2.x to 3.1 (the most recent version in the Ports Collection) and I added some IPv6 ACLs. The internal Postfix is configured to handle IPv6 too (it is delivering everything via an authenticated and encrypted channel to a machine with a static IPv4 address for final delivery). My MySQL does not need an IPv6 address, as it is only listening to requests via IPC (the socket is hardlinked between jails). All ssh daemons are configured to listen on IPv6 too. The IMAP and CUPS servers picked up the new IPv6 addresses automatically. I also updated Samba to handle IPv6, but due to the lack of a Windows machine which prefers IPv6 over IPv4 for CIFS access (at least I think my Windows XP netbook only tries IPv4 connections) I cannot really test this.
Only my Wii is a little bit behind, and I have not checked if my Sony-TV will DTRT (but for this I first have to get some time to have a look if I have to update my DD-WRT firmware on the little WLAN-router which is “extending the cable” from the TV to the internal network, and I have to look how to configure IPv6 with DD-WRT).
After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to say that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.
Configuring the interfaces of my two 9-current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man page for rc.conf. After a little bit of experimenting it came down to:
ifconfig_rl0_ipv6="inet6 ::2:1 prefixlen 64 accept_rtadv"
ipv6_defaultrouter="<router address>"
Apart from this address (I chose it because the IPv4 address ends in “.2”, this way I can add some easy to remember addresses for this machine if needed), I also have two automatically configured addresses. One is with the same ULA and a not so easy to remember end (constructed from the MAC address), and one is from the official prefix the router constructed out of the official IPv4 address from the ISP (plus the same end as the other one).
Additionally, all my jails on this machine have an IPv6 address now (yes, they are like “…:2:100”, with the :100 because the IPv4 address ends in “.100”). Still TODO is the conversion of all the services in the jails to also listen on the IPv6 address.
I already changed the config of my internal DNS to have the IPv6 addresses for all systems and to listen on the IPv6 address (when I add an IPv6 network to allow-query/allow-query-cache/allow-recursion, bind does not want to start). And as I was there, I also enabled the DNSSEC verification (but I get a lot of error messages in the logs: “unable to convert errno to isc_result: 42: Protocol not available”; one search result which talks exactly about this error says it is a “cosmetic error”…).
I noticed that an IPv6 ping between two physical machines takes a little bit more time than an IPv4 ping (no IPsec enabled). It surprised me that this is such a noticeable difference (not within the std-dev at all):
--- m87.Leidinger.net ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.168/0.193/0.220/0.017 ms
--- m87.Leidinger.net ping6 statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.207/0.325/0.370/0.047 ms
The information I miss in the IPv6 chapter of the FreeBSD handbook is what those other IPv6 related services are and when/how to configure them. I have an idea now what this radvd is, but I am not sure what the interaction is with the accept_rtadv setting for ifconfig (and I do not think I need it, as my WLAN router seems to do it already). I know that I get the IPv6-friendly network neighborhood displayed with ndp(8). I did not have a look at enabling IPv6 multicast support in FreeBSD, and I do not know what those other IPv6 options for rc.conf do.