== ZFS ==

[[ZFS]] is to be used in (at least) version 28.

== Datasets ==

Numerous parameters can be set per dataset, covering data integrity, performance, compression, deduplication and so on. These also include security-relevant properties, such as noexec.

=== Layout 1 ===

Every jail consists of several ZFS datasets, which are mounted together to form one complete jail:

<pre>
Dataset                                   Mountpoint                                  Properties
rpool/ROOT/top3-current                   /                                           ...
rpool/ROOT/top3-previous                  /                                           ...
rpool/usr                                 /usr                                        ...
rpool/var                                 /var                                        ...
rpool/var/crash                           /var/crash                                  ...
rpool/usr/ports                           /usr/ports                                  ...
rpool/jails                               /jails                                      ...
rpool/jails/root                          /jails                                      ...
rpool/jails/root/foo.uugrn.org            /jails/foo.uugrn.org                        ...
rpool/jails/root/bar.uugrn.org            /jails/bar.uugrn.org                        ...
...
rpool/jails/var/foo.uugrn.org             /jails/foo.uugrn.org/var                    ...
...
rpool/jails/log/foo.uugrn.org             /jails/foo.uugrn.org/var/log                ...
...
rpool/jails/tmp/foo.uugrn.org             /jails/foo.uugrn.org/tmp                    ...
...
rpool/jails/local/foo.uugrn.org           /jails/foo.uugrn.org/usr/local              ...
...
rpool/jails/etc/foo.uugrn.org             /jails/foo.uugrn.org/etc                    ...
...
rpool/jails/data/foo.uugrn.org            /jails/foo.uugrn.org/data                   ...
...
rpool/jails/distfiles/foo.uugrn.org       /jails/foo.uugrn.org/var/ports/distfiles    ...
...
rpool/jails/packages/foo.uugrn.org        /jails/foo.uugrn.org/var/ports/packages     ...
...
rpool/shared/ports                        /shared/usr/ports                           ...
rpool/shared/ports/distfiles              /shared/usr/ports/distfiles                 ...
rpool/shared/ports/packages-8.2-release   /shared/usr/ports/packages                  ...
</pre>

=== Layout 2 ===

Similar to Layout 1, jails consist of several ZFS datasets, but at start-up the jails are only actually mounted into the target structure by nullfs mounts (nullmounts). That means fewer ZFS datasets, but one /etc/fstab of its own per jail. In addition, shared directories can be mounted read-only into all jails, in particular /usr/ports/* inside every jail.

<pre>
ZFS Dataset                    ZFS Mountpoint                     Properties   Jail-Mount
rpool/ROOT/top3-current        /                                  ...          -
rpool/ROOT/top3-old            /                                  ...          -
rpool/usr                      /usr                               ...          -
rpool/var                      /var                               ...          -
rpool/var/crash                /var/crash                         ...          -
rpool/usr/ports                /usr/ports                         ...          -
rpool/jails/root               /data/jails/root                   ...          /jails/<jailname>
  +-- foo.uugrn.org            /data/jails/root/foo.uugrn.org                  /jails/foo.uugrn.org/
  +-- bar.uugrn.org            /data/jails/root/bar.uugrn.org                  /jails/bar.uugrn.org/
rpool/jails/var                /data/jails/var                    ...          /jails/<jailname>/var
  +-- foo.uugrn.org            /data/jails/var/foo.uugrn.org                   /jails/foo.uugrn.org/var
  +-- bar.uugrn.org            /data/jails/var/bar.uugrn.org                   /jails/bar.uugrn.org/var
rpool/jails/log                /data/jails/var/log                ...          /jails/<jailname>/var/log
rpool/jails/local              /data/jails/usr/local              ...          /jails/<jailname>/usr/local
rpool/jails/data               /data/jails/data                   ...          /jails/<jailname>/data
rpool/jails/tmp                /data/jails/tmp                    ...          /jails/<jailname>/tmp
rpool/jails/etc                /data/jails/etc                    ...          /jails/<jailname>/etc
rpool/jails/ports              /data/jails/ports                  ...          /jails/<jailname>/var/ports
rpool/jails/ports/distfiles    /data/jails/distfiles              ...          /jails/<jailname>/var/ports/distfiles
rpool/jails/ports/packages     /data/jails/packages               ...          /jails/<jailname>/var/ports/packages
rpool/shared                   /data/jails/shared                 ...          -
rpool/shared/ports             /data/jails/shared/ports (!)       ...          /jails/<jailname>/usr/ports (r/o)
                               /data/jails/shared/ports (!)                    /jails/foo.uugrn.org/usr/ports (r/o)
                               /data/jails/shared/ports (!)                    /jails/bar.uugrn.org/usr/ports (r/o)
rpool/shared/distfiles         /data/jails/shared/distfiles       ...          /jails/<jailname>/usr/ports/distfiles (r/o)
                               /data/jails/shared/distfiles (!)                /jails/foo.uugrn.org/usr/ports/distfiles (r/o)
                               /data/jails/shared/distfiles (!)                /jails/bar.uugrn.org/usr/ports/distfiles (r/o)
rpool/shared/packages          /data/jails/shared/packages        ...          /jails/<jailname>/usr/ports/packages (r/o)
                               /data/jails/shared/packages (!)                 /jails/foo.uugrn.org/usr/ports/packages (r/o)
                               /data/jails/shared/packages (!)                 /jails/bar.uugrn.org/usr/ports/packages (r/o)
rpool/shared/empty             /jails/var/empty
</pre>

The lines beginning with rpool/ are ZFS mountpoints. The lines in between are examples of how subdirectories on those ZFS mounts are nullmounted into the respective jails.

Below, once more, only the nullmounts for the example jail example.uugrn.org. The ZFS mountpoints are separated from the subdirectories they contain by /./ (for illustration only):

<pre>
ZFS mount/./subdir                        Jail-Mount
/data/jails/root/./example.uugrn.org      /jails/example.uugrn.org/    # jail root
/data/jails/var/./example.uugrn.org       …/var                        # jail /var
/data/jails/data/./example.uugrn.org      …/data                       # jail /data
/data/jails/tmp/./example.uugrn.org       …/tmp                        # jail /tmp
/data/jails/etc/./example.uugrn.org       …/etc                        # jail /etc
/data/jails/ports/./example.uugrn.org     …/var/ports                  # local ports under /var/ports (r/w!!)
/data/jails/packages/./example.uugrn.org  …/var/ports/packages/        # … packages built in this jail
/data/jails/distfiles/./example.uugrn.org …/var/ports/distfiles/       # … distfiles downloaded in this jail
…
/data/jails/shared/ports                  …/usr/ports                  # shared /usr/ports, maintained centrally!, read-only
/data/jails/shared/packages/8.2-release   …/usr/ports/packages         # … with precompiled UUGRN packages, read-only
/data/jails/shared/distfiles              …/usr/ports/distfiles        # … the distfiles used for those, read-only
/data/jails/shared/empty                  …/var/empty                  # empty, readonly, immutable and all that ... used as home for daemons.
…
</pre>

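The per-jail fstab that Layout 2 calls for is mechanical enough to generate. The script below is an added example, not a script from this wiki: it assumes the dataset mountpoints under /data/jails and the jail roots under /jails exactly as in the tables above, emits the nullfs lines for one jail (private parts read-write, shared trees read-only) and checks the mount order, because a nullfs mount of /jails/x/var/ports that comes before the mount of /jails/x/var would silently disappear under it.

```shell
#!/bin/sh
# Generator for a per-jail fstab(5) in the Layout 2 style: the jail's private
# datasets and the shared, read-only trees are nullfs-mounted into the jail
# tree at start-up. Pool, dataset and path names are this example's
# assumptions (taken from the layout tables), not a configuration of the wiki.

JAILDATA=/data/jails   # where the rpool/jails/* datasets are mounted
JAILROOT=/jails        # where the assembled jails appear

# Private (read-write) parts of a jail: "<subdir of JAILDATA>:<path inside jail>".
# Order matters: a directory must be mounted before anything below it.
PRIVATE_MOUNTS="root:/
var:/var
data:/data
tmp:/tmp
etc:/etc
ports:/var/ports
packages:/var/ports/packages
distfiles:/var/ports/distfiles"

# Shared parts, identical for every jail and therefore mounted read-only.
SHARED_MOUNTS="shared/ports:/usr/ports
shared/packages/8.2-release:/usr/ports/packages
shared/distfiles:/usr/ports/distfiles
shared/empty:/var/empty"

# jail_fstab <jailname>: print the fstab lines for one jail, jail root first.
jail_fstab() {
    jail=$1
    echo "$PRIVATE_MOUNTS" | while IFS=: read -r src dst; do
        printf '%s\t%s\tnullfs\trw\t0\t0\n' \
            "$JAILDATA/$src/$jail" "$JAILROOT/$jail${dst%/}"
    done
    echo "$SHARED_MOUNTS" | while IFS=: read -r src dst; do
        printf '%s\t%s\tnullfs\tro\t0\t0\n' \
            "$JAILDATA/$src" "$JAILROOT/$jail$dst"
    done
}

# fstab_order_ok: read fstab lines on stdin and exit 1 if any mount would be
# hidden because its parent directory is mounted over it later in the list.
fstab_order_ok() {
    awk -F'\t' '
        { target[NR] = $2 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (index(target[i], target[j] "/") == 1) {
                        printf "line %d (%s) is shadowed by line %d (%s)\n",
                               i, target[i], j, target[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Example run: check the order, then print the fstab for example.uugrn.org
# (redirect it to /etc/fstab.example.uugrn.org on a real host).
jail_fstab example.uugrn.org | fstab_order_ok && jail_fstab example.uugrn.org
```

The mount target directories (/var/ports, /usr/ports and so on inside the jail root) must already exist in the respective dataset before the jail is started; nullfs does not create them. The read-only flag on the shared mounts is what enforces the "maintained centrally" rule from the listing above, independently of the readonly property on the dataset itself.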
Advantage of this method: at the ZFS level the respective parts of a jail are each configured with the properties typical for them, for example

;rpool/jails/root: copies=3, deduplication
;rpool/jails/tmp: compression
;rpool/jails/var: copies=3
;rpool/jails/log: copies=1, compression(max)
;rpool/jails/local: deduplication
;rpool/jails/ports: compression (because of INDEX...), exec
;rpool/jails/distfiles: deduplication, noexec
;rpool/jails/packages: noexec
;rpool/shared/ports: compression(max)
;rpool/shared/distfiles: noexec
;rpool/shared/packages: noexec
;rpool/shared/empty: noexec, readonly, (empty)
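The property list above, together with the Datasets section's point about security-relevant properties, amounts to a policy that should be applied once and then verified regularly. The script below is an added example written for this page, not a script from this wiki: it encodes the list as ZFS property names (copies, dedup, compression, exec, readonly; gzip-9 is assumed as the rendering of "compression(max)", and the pool name rpool is taken from the tables), prints the zfs set commands that apply it, and audits zfs get output against it. The sample output it audits is constructed, with one dataset deliberately deviating.

```shell
#!/bin/sh
# Dataset property policy for the Layout 2 datasets, plus an audit of
# "zfs get" output against it. Dataset names follow the list above; the
# values are this example's rendering of that list (assumption: gzip-9 for
# "compression (max)"). Pool name rpool is assumed.

ZFS_POLICY="rpool/jails/root copies=3 dedup=on
rpool/jails/tmp compression=on
rpool/jails/var copies=3
rpool/jails/log copies=1 compression=gzip-9
rpool/jails/local dedup=on
rpool/jails/ports compression=on exec=on
rpool/jails/distfiles dedup=on exec=off
rpool/jails/packages exec=off
rpool/shared/ports compression=gzip-9
rpool/shared/distfiles exec=off
rpool/shared/packages exec=off
rpool/shared/empty exec=off readonly=on"

# policy_commands: print one "zfs set" command per property, in policy order.
policy_commands() {
    echo "$ZFS_POLICY" | while read -r ds props; do
        for p in $props; do
            printf 'zfs set %s %s\n' "$p" "$ds"
        done
    done
}

# audit_props: read "dataset<TAB>property<TAB>value" lines on stdin, the
# shape of "zfs get -H -o name,property,value exec,readonly,... -r rpool",
# and report every value that deviates from the policy (exit 1 if any do).
audit_props() {
    awk -F'\t' -v policy="$ZFS_POLICY" '
        BEGIN {
            n = split(policy, line, "\n")
            for (i = 1; i <= n; i++) {
                m = split(line[i], f, " ")
                for (k = 2; k <= m; k++) {
                    split(f[k], kv, "=")
                    want[f[1], kv[1]] = kv[2]
                }
            }
        }
        ($1, $2) in want && want[$1, $2] != $3 {
            printf "%s: %s is %s, policy says %s\n", $1, $2, $3, want[$1, $2]
            bad = 1
        }
        END { exit bad }'
}

# sample_get: constructed stand-in for real zfs get output. One dataset is
# deliberately wrong (exec=on on a packages tree) so the audit has a finding.
sample_get() {
    printf '%s\t%s\t%s\n' \
        rpool/jails/distfiles exec off \
        rpool/jails/packages  exec off \
        rpool/shared/packages exec on \
        rpool/shared/empty    exec off \
        rpool/shared/empty    readonly on
}

# Example run: prints the finding for rpool/shared/packages.
sample_get | audit_props || echo "policy violations found"
```

On a real host the audit input comes from zfs get itself, for example zfs get -H -o name,property,value exec,readonly,compression,dedup,copies -r rpool piped into audit_props; a non-zero exit makes it usable from a periodic check. Note that exec=off on the distfiles and packages datasets only covers the ZFS mountpoint, so the nullfs mounts that carry those trees into the jails should be checked separately.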