[FreeBSD] Renaming a jail

#1, posted 2012-07-26 07:49
Last edited by ulovko on 2012-07-26 07:51

FreeBSD jails are a great tool. Whether you are using them to virtualize some of your systems (like I am) or to isolate certain processes, they are flexible enough and reliable enough to use for production.

Recently, I had to retire some old jails and add some new jails. Instead of just deleting one and creating a new jail, I wanted to rename the existing jail. I figured this was easier than recompiling all the apps that my jail would require.

A few notes on this decision:

  • My jails are all very similar.
  • In this case, I was moving from one version of PostgreSQL to another
  • One jail is called pg74 (as in PostgreSQL 7.4)
  • I was going to retire pg74 (which does regression tests on Bacula against PostgreSQL 7.4) and create pg91

Also, I am using ezjail to administer my jails. This tool is used several times in this article. That said, you will still see what I'm doing, and if you're not using ezjail, you'll be able to do the same thing with your admin tool of choice.

Removing, but not deleting, the old jail
The first step: stop the old jail.
    # /usr/local/etc/rc.d/ezjail stop pg74.example.org
    Stopping jails: pg74.example.org.
Now, let's remove the jail from ezjail's configuration. Note that I could have skipped the previous step by adding the -f flag to this step:
    # ezjail-admin delete pg74_example_org
At this point, the jail is no longer running. However, the files are still present on disk:
    # ls /usr/jails/pg74.example.org/
    .cshrc    COPYRIGHT bin       dev       home      libexec   mnt       rescue    sbin      tmp       var
    .profile  basejail  boot      etc       lib       media     proc      root      sys       usr
Modifying the DNS (optional)
In my case, I wanted to create a new hostname to go with the new jail. But I was going to use the same IP address. This is the patch to my DNS zone files.
  1. $ cvs di example.org.db example.org.rev.db
  2. Index: example.org.db
  3. ===================================================================
  4. RCS file: /home/repositories/websites/dns-private/example.org.db,v
  5. retrieving revision 1.101
  6. diff -r1.101 example.org.db
  7. 5c5
  8. <                               2012011700      ; Serial
  9. ---
  10. >                               2012060800      ; Serial
  11. 157c157
  12. < pg74     IN A 10.0.0.104
  13. ---
  14. > pg91     IN A 10.0.0.104
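Review bot: at 157c157 in example.org.db the pg74 A record is replaced in place, so pg74.example.org stops resolving as soon as the zone is reloaded, while 10.0.0.104 stays in service under the new name. If anything still refers to the old name, keep it for a transition period (for example as a CNAME to pg91) or confirm beforehand that no client or configuration uses it.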
  15. Index: example.org.rev.db
  16. ===================================================================
  17. RCS file: /home/repositories/websites/dns-private/example.org.rev.db,v
  18. retrieving revision 1.32
  19. diff -r1.32 example.org.rev.db
  20. 3c3
  21. <                               2011072600      ; Serial
  22. ---
  23. >                               2012060800      ; Serial
  24. 33c33
  25. < 104 IN  PTR pg74.example.org.
  26. ---
  27. > 104 IN  PTR pg91.example.org.
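Review bot: the 33c33 change in example.org.rev.db repoints the PTR for 104 from pg74.example.org. to pg91.example.org. with no comment recording that the address was reused for a renamed host. A short zone-file comment next to the record (old name, date of the rename) would help when older logs that show pg74.example.org have to be matched against 10.0.0.104; the serials in both files were bumped to 2012060800, which is consistent.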
Making these changes and updating your DNS is outside the scope of this article. I'm mentioning it here so I remember this step when I need to do this again.

'Creating' the 'new' jail
In this step, we rename the directory and create the new jail.

First, we rename the directory. Strictly speaking, this is optional. The name of the directory is not related to the hostname of the jail. But convention dictates that the jail directory name should reflect the hostname for that jail.
    # cd /usr/jails/
    # mv -i pg74.example.org pg91.example.org
Now, let's start the new jail:
    # ezjail-admin create -x pg91.example.org 10.0.0.104
    Warning: Some services already seem to be listening on IP 10.0.0.104
      This may cause some confusion, here they are:
    root     ntpd       1459  27 udp4   10.0.0.104:123       *:*
    Warning: Some services already seem to be listening on all IP, (including 10.0.0.104)
      This may cause some confusion, here they are:
    root     ntpd       1459  20 udp4   *:123                 *:*
    root     ntpd       1459  21 udp6   *:123                 *:*
Starting the new jail
This was easier than I thought. Starting the new jail is simple:
    # /usr/local/etc/rc.d/ezjail start pg91.example.org
Then you ssh to it and check the host name:
    $ ssh -A pg91
    The authenticity of host 'pg91.example.org (10.0.0.104)' can't be established.
    RSA key fingerprint is 0a:03:db:1a:b4:28:da:fd:66:c0:29:a4:0a:4b:77:30.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'pg91.example.org' (RSA) to the list of known hosts.
    Last login: Fri Jun  8 22:58:22 2012 from 10.0.0.104
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.

    FreeBSD 8.2-STABLE (KRAKEN) #3: Fri Nov 18 22:07:46 UTC 2011

    Welcome to FreeBSD!

    Before seeking technical support, please use the following resources:

    o  Security advisories and updated errata information for all releases are
       at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
       for your release first as it's updated frequently.

    o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
       along with the mailing lists, can be searched by going to
       http://www.FreeBSD.org/search/.  If the doc distribution has
       been installed, they're also available formatted in /usr/share/doc.

    If you still have a question or problem, please take the output of
    `uname -a', along with any relevant error messages, and email it
    as a question to the questions@FreeBSD.org mailing list.  If you are
    unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
    manual page.  If you are not familiar with manual pages, type `man man'.

    You may also use sysinstall(8) to re-enter the installation and
    configuration utility.  Edit /etc/motd to change this login announcement.

    You can install extra packages for FreeBSD by using the ports system.
    If you have installed it, you can download, compile, and install software by
    just typing

            # cd /usr/ports//
            # make install && make clean

    as root.  The ports infrastructure will download the software, change it so
    it works on FreeBSD, compile it, install it, register the installation so it
    will be possible to automatically uninstall it, and clean out the temporary
    working space it used.  You can remove an installed port you decide you do not
    want after all by typing

            # cd /usr/ports//
            # make deinstall

    as root.
    $ hostname
    pg91.example.org
    $
There. Done. Now all I need to do is remove PostgreSQL 7.4 and install PostgreSQL 9.1.



FROM:  http://www.freebsddiary.org/jail-renaming.php
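
An added example, not part of the original post: because the jail's files are visible from the host under /usr/jails, the fingerprint ssh shows on first connect can be compared with the host key on disk before answering yes. The key path etc/ssh/ssh_host_rsa_key.pub, the function names and the sample key are assumptions; the colon-separated value is the legacy MD5 fingerprint form that the session above displays.

```sh
#!/bin/sh
# Added example (not from the original post): compare the fingerprint ssh
# shows on first connect with the host key stored in the jail's tree.

# Hex MD5 of stdin: md5sum on Linux, md5 -q on FreeBSD.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# Decode base64 from stdin; fall back to openssl where base64(1) is absent.
b64_decode() {
    if command -v base64 >/dev/null 2>&1; then
        base64 -d
    else
        openssl base64 -d -A
    fi
}

# pubkey_md5_fp FILE: legacy colon-separated MD5 fingerprint of the first
# key in an OpenSSH .pub file. Field 2 of the line is the base64 key blob.
pubkey_md5_fp() {
    blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$1") || return 2
    [ -n "$blob" ] || return 2
    printf '%s\n' "$blob" | b64_decode | md5_hex | sed 's/../&:/g; s/:$//'
}

# verify_offered_fp FILE OFFERED: 0 on match, 1 on mismatch, 2 if FILE
# cannot be read. Accepts an optional "MD5:" prefix and upper-case hex.
verify_offered_fp() {
    expected=$(pubkey_md5_fp "$1") || return 2
    offered=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/^md5://')
    [ "$expected" = "$offered" ]
}

# Constructed sample: "YWJj" is base64 for "abc", not a real key blob.
sample=$(mktemp)
printf 'ssh-rsa YWJj constructed@example\n' > "$sample"
verify_offered_fp "$sample" "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72" \
    && echo "offered fingerprint matches the key on disk"

# On the jail host (path is an assumption based on the page's layout):
#   verify_offered_fp /usr/jails/pg91.example.org/etc/ssh/ssh_host_rsa_key.pub \
#       "<fingerprint shown by ssh>"
```

Current OpenSSH clients print SHA256 fingerprints by default; `ssh -o FingerprintHash=md5` shows the legacy form this function computes.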

#2, posted 2012-07-26 07:53
Jails are rarely used in real production environments, unless there are special security requirements.

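#3, posted 2012-07-26 12:55
macafee wrote on 2012-07-26 07:53:
Jails are rarely used in real production environments, unless there are special security requirements.

Thanks for sharing your valuable experience. Nice! ^_^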

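#4, posted 2012-07-29 14:44
macafee wrote on 2012-07-26 07:53:
Jails are rarely used in real production environments, unless there are special security requirements.

Besides security, jails also provide quite a few administrative conveniences.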

#5, posted 2012-07-29 14:52
Last edited by ulovko on 2012-07-29 14:52
zeissoctopus wrote on 2012-07-29 14:44:
Besides security, jails also provide quite a few administrative conveniences.

So it's similar to virtualization, then ^_^