
NEW - Jails How-To

jkh

Open Source Developer
Joined
Jul 22, 2013
Messages
1,967
I wouldn't recommend that anyone actually do this. For one thing, there's no information on how this might permute (or possibly destroy) your freenas installation, and mucking with things in your boot partition is NOT recommended, particularly as it may interfere with future upgrades.

For another, there's absolutely nothing to suggest that there are any actual advantages to this style of jail management. The PC-BSD warden system, which FreeNAS uses, already does a fine job of jail management and abstracts away a lot of the messy details of managing jails. If someone wants to manage jails from the CLI, they can already do that with the warden and also not run any risk of having competing jail management systems on the same system.
 
Joined
Mar 21, 2014
Messages
4
I wouldn't recommend that anyone actually do this.
Well, this is pretty much expected for the FreeNAS CTO to want to discourage people from using this product. As you already have fully developed in-house products :). But in all seriousness, there is no intent to step on anybody's toes.

People should stick with Warden if that is what they already prefer and are accustomed to. Indeed Warden is a very popular and well established tool (deservedly so) amongst FreeNAS users. So there should be no pressing need to defend it. We are all already aware of how popular it is.

But now how about this new tool, Finch? Well Finch was initially meant only to be for the NAS4Free platform. But during development I had to switch my NAS box over to FreeNAS (the NAS features). Upon finding that the two platforms were so similar it just ended up being no trouble to also make full support for FreeNAS also. Think of it as a bonus. You're welcome.

For one thing, there's no information on how this might permute (or possibly destroy) your freenas installation, and mucking with things in your boot partition is NOT recommended, particularly as it may interfere with future upgrades.
This is a completely new tool, and a little caution can be a healthy thing. The Finch software tries its best to be completely open about what it does. All of the source code is freely available on GitHub (as is FreeNAS too). This is a brand new project so such concerns are expected to be raised. Trying to be as transparent as possible about this, here is the relevant F.A.Q. entry on the Finch website:

http://dreamcat4.github.io/finch/faq/#toc_15

The hard truth is that Finch is not likely to interfere with future FreeNAS upgrades. However in the event of any such issue, please just report / raise it as a bug on Finch from its project's website (http://dreamcat4.github.io/finch/bugs). I am always happy to look at such issues and am always ready to make / provide an appropriate fix.

For another, there's absolutely nothing to suggest that there are any actual advantages to this style of jail management.
Perhaps the biggest advantage of Finch is that users are completely free to choose from ANY of the publicly available jails management tools. Or indeed anything else that can be found in FreeBSD's official pkg-ng repository.

So it gives (the user), a great deal more options. Including (but not limited to) ez-jail, qjail, and zjails. Which are all equivalent tools that sit outside of the established FreeNAS ecosystem. For best ease-of-use (fewer end-to-end installation steps), Finch preinstalls QJAIL for you automatically. And the Finch documentation refers to the QJAIL program. In that sense, Finch is opinionated software (just like FreeNAS). Those are just part of the defaults.*

But if you don't have any need for a jails tool, you are not forced into using any of them either. Finch may also be used to run VirtualBox, bhyve (FreeBSD-10+), or a hypervisor (qemu, xen) instead of jails.

For an example see: http://dreamcat4.github.io/finch/faq/#toc_25

The PC-BSD warden system, which FreeNAS uses, already does a fine job of jail management
I don't discourage people to use Warden in situations where they are more familiar with Warden and prefer to use that tool. It is a free choice. However open competition should be viewed as a healthy thing. Having alternatives is never bad and helps drive us to improve the quality of our software.

Indeed if you did not have such an obvious vested corporate responsibility to be against this project with a "not invented here" mentality right from the get-go, you might still have one eye open on the flip-side of the coin. Which is to realise that there are other uses of this tool aside from jails management. FreeNAS may benefit more in the long run by viewing this tool not as a threat but a potential future ally. iXSystems inc are more than welcome to take, use, re-use, or re-make any and all part(s) of the Finch source code for the benefits of the FreeNAS community. It is released under open license. And I'm happy to answer questions / co-operate with members of the iXSystems development team towards that end.

This project is very new at the moment. It was announced just yesterday. If you don't think this tool is suitable for FreeNAS on the first day of its release, then why not make it your own? Imitation is the best form of flattery.

If someone wants to manage jails from the CLI, they can already do that with the warden and also not run any risk of having competing jail management systems on the same system.
Nope. There is absolutely no risk of conflicts with Warden. The two systems will run entirely separate from one another. More information at:

http://dreamcat4.github.io/finch/faq/#toc_16

I would say (to someone who wants to use both systems) then by all means. Warden is especially good for FreeNAS plugins such as Plex. I'm not here to trash talk other people's hard work. Yet neither was this topic / thread created to talk about or discuss WARDEN at any great length. There are already many other FreeNAS discussions about that.

* Somewhat ironically, because Finch is not meant solely for FreeNAS platform, WARDEN itself was actually under consideration along with all the other jail management tools. In the end WARDEN wasn't ultimately chosen to be Finch's default jails management program. But it was fairly considered as part of a game of fair competition. QJAIL had a couple of little extra things going for it. There was no huge margin separating the two.

One reason that went against my decision to include Warden was that it wasn't present in the official freebsd ports tree / pkg-ng repository. Never found out why, there seems no obvious reason since Warden has a fully open source license.

Another main reason (in part) was what we have obviously been discussing here. FreeNAS already comes with Warden so including warden inside Finch would not benefit nor offer any different alternative options for the FreeNAS segment of the Finch user base. For example those who might need Finch anyway for running other non-jails software such as Virtualbox. Or recompiling their kernel, etc.

Wishing to end these discussions about Warden on a more positive note, you may be pleased to know (although it isn't the default), but with FINCH anyone can now install Warden onto NAS4Free. Just install Finch on NAS4Free. Then install WARDEN onto Finch. Confused?

As of yesterday, you can now have Warden running on NAS4Free. It's not expected to be any major hit. But at least if anyone is switching over from an existing NAS4Free setup onto FreeNAS, there is now a way for them to trial the WARDEN software alongside its major competitors and independently come to the conclusion that Warden is... well... all right too!

Again, I kindly remind people that this topic / thread was not created to talk about or discuss WARDEN at any great length (having just done so myself!). Since there are already many other FreeNAS discussions about that.

Kind Regards,

Dreamcat4
Developer of Finch.
 

jkh

Open Source Developer
Joined
Jul 22, 2013
Messages
1,967
Well, it is pretty much expected the FreeNAS Chief Technology officer, it is part of your paid job to discourage people from using this product. As it is not part of, or produced inside the FreeNAS ecosystem where you have developed similar in-house products.

The real point of my message was simply to dissuade anyone from hacking on the base install of FreeNAS. It doesn't matter what the purpose of said hacking is, or who is advocating it for either free or commercial purposes, it's just fundamentally a dangerous idea because FreeNAS is an appliance, not a generic OS platform like FreeBSD itself. If you want a platform to hack on, FreeBSD already fulfills that purpose admirably. An appliance like FreeNAS, on the other hand, expects things to be configured and installed in very specific ways, which is one of the fundamental reasons why the root filesystem of FreeNAS is read-only. Furthermore, when things break, the folks hacking on people's systems by proxy aren't the first ones "called" in the form of bug reports or forum postings - we are. Not just the folks at iXsystems, where I work, but numerous admins on this forum who do their best (for free) to debug people's problems, and when the first hour or two of such debugging efforts are spent simply trying to determine whether or not the user has hacked their system in some way, well, that makes all of our jobs a lot harder.

So, in short, this is not a personal attack on finch, I actually have absolutely no opinion or axe to grind about finch itself, I simply don't think that anyone hacking on the base of this appliance is a good idea, and I have more than enough painful history with users who have (to our collective sorrow) to justify that point of view. That is also why we went to so much effort to design and implement the plugin system. We're not fundamentally against the idea of extending FreeNAS, since we know (and expect) that many users will want to do so, we simply want them to do it in a controlled fashion that we have at least some hope and prayer of being able to debug.

Even so, if you search the FreeNAS bug database under the "plugins" category, you will also quickly see that even that degree of control is frequently not enough, and any extension ecosystem as broad and deep as plugins is simply fraught with potential problems. Now you are proposing, however transparent and open source the implementation may be, to add yet another permutation to that puzzle. It should really come as no surprise to you or anyone else with software engineering experience that the notion of such additional complexity / unknown behavior would be a matter of far more concern than rejoicing. This is a NAS appliance. It stores important data. I think a certain degree of innate conservatism ought to come with the territory, regardless of one's roles and responsibilities.
 
Joined
Mar 21, 2014
Messages
4
It's a fair point. And I both agree and encourage that those who are more corporate / enterprise customers of FreeNAS should exercise a greater level of caution with this tool. Specifically, in scenarios where you are in contact with existing and dedicated production IT systems that are being relied upon by other members of your business.

This particular project (Finch) is more aimed towards those smaller users who simply don't have the large corporate resources to run such dedicated systems. And who are already familiar with (and more tolerant / less critical) of those risks associated with installing any such kinds of 3rd party software.

I can only say (in defense of Finch). It isn't terribly dependent on those few modifications it does do to the base filesystem / hierarchy. It's just a couple of configuration files, one-or-two symlinks and nothing more. All service execution is kicked off from POSTINIT, which is the appropriate and correct / officially provided FreeNAS mechanism. Nearly everything is held within (and executed) inside a proper CHROOT directory (in a similar way as any jail would be). So those fewer possible areas of risk are comparatively small, well defined, and very well understood. Of which, most are merely there only to provide additional user convenience and a more seamless operating environment. It is important to emphasise here that users of the Finch software are in NO WAY given any additional opportunities to "hack" the FreeNAS base system. The very few base-system file modifications which Finch performs are all handled by Finch internally (automatically), and have been thoroughly tested before the Finch initial release.

Then there is your point about "well just install FreeBSD then". I would agree that decision may be the right choice for a large enterprise or corporate customer.

Whereas the whole point of this project is that "Full FreeBSD from scratch" is often too much hassle for many regular people to be bothered with. Where going too much the other way, a restricted distro (not specifically FreeNAS, also its siblings) is easy enough for an individual to install, but may be too limited. So Finch forms a kind of middle-ground in-between those two extremes. To understand or "get" that is to also "get" what the Finch project is really all about. It is a way to bridge a gap or void between the two.

Or to put it another way: For an individual who was otherwise going to install FreeBSD-GENERIC. With Finch, you have caught / gained a new and very content FreeNAS user / member of the FreeNAS community (who otherwise would not have ended up on the FreeNAS platform). Such cross-pollination can help to increase the popularity of the platform amongst such FreeBSD purists / diehards. Indeed I was on the official FreeBSD IRC channel the other day, and there was quite a positive reaction to it (as a way of increasing the FreeBSD user base also). So (I guess my point here is:) don't ignore your potential customers - it's bad for business!
 

jgreco

Resident Grinch
Moderator
Joined
May 29, 2011
Messages
12,225
This does not belong in How To/Installation. It is more appropriate to the Hacking forum.
 

jgreco

Resident Grinch
Moderator
Joined
May 29, 2011
Messages
12,225
This has been moved to the Hacking forum, basically for all the reasons Jordan outlined in post #4 in this thread. Unlike Jordan I don't necessarily discourage people from modifying the system, just don't expect lots of help/sympathy/etc.
 

cyberjock

Moderator
Joined
Mar 25, 2012
Messages
19,148
Just FYI.. Jordan got involved because I asked for assistance with this thread. Personally, I think this thread shouldn't exist on the forum. I'm not a fan of deleting someone's stuff I disagree with, but there's a few exceptions. If someone was recommending things that are just flat out dangerous for a FreeNAS installation I think it's appropriate to delete it from the forums. I seriously considered soft-deleting the thread, sending you a PM that we were considering whether to keep it or not, and then get feedback from the other admins. I didn't, and I'm not sure if that was for the better.

In the case of said project, I think there's just far far too much room for things to suddenly go very badly without warning. The FreeNAS project has no commitment to make your code work with FreeNAS either now and in the future. And all it takes is for them to release an update on a Friday evening (like they did for the last few releases) and you to not look at the code and notice some change for things to go badly.

How badly can it go? I'd like to think that the worst-case is the jails would be damaged beyond their future use. But, you must consider why many people choose to use FreeNAS (and ZFS). They want a reliable system that will perform and protect their data. We don't take risks on things that "might" be worse. We take conservative decision making and apply that to how things are designed and used. And I'm sorry, but choosing to use your program, while it's not a part of FreeNAS itself, is a bit more "risky" than many would want to take. If I had spare hardware I'd probably try your finch program on a VM just to see what it's about. But, I'd never under any circumstances even consider using your program in a system that would store real data that has any value, nor would I ever use a jail with finch that I actually rely on to provide an important service. Your position, being outside of the FreeNAS project, puts you too far away from the design considerations for FreeNAS. And a quick change by them could spell disaster for your project and the users that use your project.

In any case, I think the usefulness of your project with FreeNAS is already sufficiently damaged on the forums just by the fact that 3 people that have fairly respected opinions in the forums have made the choice to admonish your project. So I'm already comfortable with it staying here because I consider anyone that wants to use your program to already be aware that they are treading on thin ice and will find it very difficult to get support for a FreeNAS box using this program.

I'm not really sure why you are putting a separation between "those smaller users who simply don't have the large corporate resources to run such dedicated systems" and everyone else. I'm a small user, and I run 6 or 7 jails for various small services for my home. It works fine and I've had no problem using the FreeNAS jails. I could (and have) helped businesses set up plugins for large servers for small businesses that had high demands. But, that's neither here nor there. The built-in FreeNAS jail system is already very capable.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Jordan, of course, is absolutely right. One should not be mucking about with the way things are done in an APPLIANCE, and if one does so, one is completely on his own (as jgreco said).

And in any case, I think this is a solution in need of a problem.
 