Date: Mon, 30 May 2016 09:40:42 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: Sebastián Maruca <seba@econ.uba.ar>
Cc: freebsd-jail@freebsd.org, Sebastián Maruca <juanperiz@yahoo.com.ar>
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Message-ID: <574C42DA.6030101@gmail.com>
In-Reply-To: <366569840.1294540.1464534933908.JavaMail.yahoo@mail.yahoo.com>
References: <366569840.1294540.1464534933908.JavaMail.yahoo.ref@mail.yahoo.com> <366569840.1294540.1464534933908.JavaMail.yahoo@mail.yahoo.com>
Here are the bare truths without any sugar coating. Vimage is officially described as experimental. You have to recompile the kernel to include vimage. Enabling pf or ipf firewalls causes the host to crash. The ipfw firewall does not cause a crash but has next to no real-life usage on vimage. When stopping vimage jails there is a problem with memory loss. You need a high proficiency in coding netgraph, which is used to tie the host's network to each vimage jail. It needs a public network with multiple static IP addresses and registered domain names even to test it.

A few brave souls have accepted these shortcomings and have deployed vimage in a production environment with good results, so they say, or at best they have not reported any problems. I guess it all depends on what your shop defines "production ready" as. At my shop vimage is NOT considered something management is willing to base the business on. Maybe your shop is different.

There are a few write-ups about how to configure vnet/vimage jails, but they're out of date, i.e. for the 8.x and 9.x releases, which are at EOL [end of life, unsupported]. The current production version of FreeBSD is 10.3, with 11.0 due out in August. I only know of one utility jail tool that has vnet/vimage function. Try the qjail port; it will shorten your learning curve.

Now there is a guy who is patching vimage, trying to get it so it can be incorporated into the base kernel. His goal was to get it into release 11.0, but updates to the 11.0 source are now suspended until 11.0 is published, so that's not going to happen. They sure would not incorporate vimage without a general announcement calling for users to test drive it first. This has not happened yet that I know of.

vnet/vimage is like a stand-alone computer. You have to log in to it to manage any firewall or other system function or port application. This can be done from the host console or over the network. Going down this road will make the shop totally dependent on you and your ability. A mega-size pay bump is in your future. The shop will be fubar-ed if you die or get hurt requiring a hospital stay and long recovery. User beware.
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?574C42DA.6030101>