Date: Mon, 10 Dec 2018 10:18:55 +0000 (UTC)
From: Shyaka Rene <reneka10@yahoo.fr>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: freebsd jails advice
Message-ID: <249307665.2300179.1544437135772@mail.yahoo.com>
References: <249307665.2300179.1544437135772.ref@mail.yahoo.com>

hello, I don't have experience with freebsd or system administration, but I need your advice

suppose I have this scenario with 2 computers

1) server (not big just 8GB RAM) machine with virtualbox or openstack installed with any OS
    - virtual machine 1 for java development with eclipse installed
    - virtual machine 2 for php development with eclipse
    - virtual machine 3 for testing anything
all these virtual machines have graphical user interface installed (windows or gnome any OS)
2) client machine for accessing virtual machines using remote desktop or VNC client.

my problem is
Is it possible to change this scenario to Freebsd and jails with x11server installed on jails and access them using x11client?
1) server machine (freebsd)
    - jail 1 (x11 server)
    - jail 2 (x11 server)
    - jail 3 (x11 server)
2) client machine (access jails with xclient)

thank you for your advice

Date: Mon, 10 Dec 2018 11:51:30 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: frebsd jails advice
Message-ID: <5f200ac3-68cb-84f3-02b2-f224ef392b91@FreeBSD.org>
In-Reply-To: <556380033.2269176.1544437025342@mail.yahoo.com>

On 10/12/2018 10:17, Shyaka Rene via freebsd-questions wrote:
> hello, I don't have experience with freebsd or system administration, but I need your advice
>
> suppose I have this scenario with 2 computers
>
> 1) server (not big just 8GB RAM) machine with virtualbox or openstack installed with any OS
>     - virtual machine 1 for java development with eclipse installed
>     - virtual machine 2 for php development with eclipse
>     - virtual machine 3 for testing anything
> all these virtual machines have graphical user interface installed (windows or gnome any OS)
> 2) client machine for accessing virtual machines using remote desktop or VNC client.
>
> my problem is
> Is it possible to change this scenario to Freebsd and jails with x11server installed on jails
> and access them using x11client?
> 1) server machine (freebsd)
>     - jail 1 (x11 server)
>     - jail 2 (x11 server)
>     - jail 3 (x11 server)
> 2) client machine (access jails with xclient)
> thank you for your advice

Yes, this is certainly possible, but a bit more complicated than you might hope.

You've got the client and server sides of X mixed up. The X server is the bit which controls the display -- ie. it runs on your laptop or desktop machine. The X client is the piece of software that you are trying to interact with through that display -- so, eclipse in this case. Clients can be run either locally or remotely. It's confusing because it is the other way round from just about any other network accessible service where you run a local client to connect to a server which could also be local but is almost always remote.

So, you don't need an X server in each of the jails. You just need your X capable software in each jail and you need to set the DISPLAY environment variable correctly so that it will talk to your X server on your local desktop.

Please do not use remote X11 access across a network in plaintext. That's roughly of the same order of badness as using things like rsh or rlogin. Instead, set up your jails with ssh and ssh into each of them, forwarding an X connection over SSH (which will typically set up things like DISPLAY appropriately in the environment for you.) This means that the X client only needs to talk on the loopback address in order to feed the traffic into the SSH session.

Unfortunately with standard FreeBSD jails, there isn't a loopback interface within the jail, and any attempt to connect to the loopback is transparently redirected to connect to the jail external interface, which kind of confounds the whole security arrangement there. So make sure to write your firewall rules carefully to prevent X traffic egressing from your jails onto the network at large.

You might consider investigating VNET jails, which are new in 12.0-RELEASE (due out Real Soon Now), where individual jails *do* have their own loopback addresses, but these are a bit more complex to set up.

Cheers,

Matthew
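
Added example (not part of the original thread): a shell check for the exposure described in the reply above, where an X11 listener that would normally sit on loopback ends up on a jail's routable address. It reads `sockstat -4 -l` style output and reports TCP listeners in the conventional X11 display range 6000-6063 that are not bound to 127.0.0.0/8; the function name, sample lines, addresses and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag X11 listeners that are reachable on a non-loopback
# address. Input format is that of FreeBSD `sockstat -4 -l`:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# x11_exposed is a hypothetical helper name, not part of any FreeBSD tool.

x11_exposed() {
    awk '
        $5 == "tcp4" {
            n = split($6, a, ":")        # LOCAL ADDRESS is addr:port
            addr = a[1]; port = a[n]
            if (port !~ /^[0-9]+$/) next # skip wildcard ports
            port += 0                    # force numeric comparison
            if (port < 6000 || port > 6063) next   # not an X11 display port
            if (addr ~ /^127\./) next    # loopback-only listener is fine
            print $2, $3, $6             # command, pid, local address
        }'
}

# Constructed sample: sshd X11 forwarding sockets (display 10 and 11),
# one of which sits on the jail address, plus an X server listening
# on all addresses.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   192.0.2.11:22         *:*
dev      sshd       2301  9  tcp4   192.0.2.11:6010       *:*
dev      sshd       2417  9  tcp4   127.0.0.1:6011        *:*
root     Xorg       990   1  tcp4   *:6000                *:*'

printf '%s\n' "$SAMPLE" | x11_exposed

# Live use on the host, per jail (jid as listed by jls):
#   sockstat -4 -l -j "$jid" | x11_exposed
```

Any line this prints is a listener that the firewall rules mentioned in the reply need to cover.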