Message-ID: <574C42DA.6030101@gmail.com>
Date: Mon, 30 May 2016 09:40:42 -0400
From: Ernie Luzar
To: Sebastián Maruca
CC: freebsd-jail@freebsd.org, Sebastián Maruca
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
In-Reply-To: <366569840.1294540.1464534933908.JavaMail.yahoo@mail.yahoo.com>
List-Id: "Discussion about FreeBSD jail(8)"

Here are the bare truths without any sugar coating.

Vimage is officially described as experimental.
You have to recompile the kernel to include vimage.
Enabling pf or ipf firewalls causes the host to crash.
ipfw firewall does not cause a crash but has next to no real life usage on vimage.
When stopping vimage jails there is a problem with memory loss.
You need a high proficiency in coding netgraph, which is used to tie the host's network to each vimage jail.
Needs a public network with multiple static IP addresses & registered domain names even to test it.
A few brave souls have accepted these shortcomings and have deployed vimage in a production environment with good results, so they say, or at best they have not reported any problems. I guess it all depends on what your shop defines "production ready" as. At my shop vimage is NOT considered something management is willing to base the business on. Maybe your shop is different.

There are a few write-ups about how to configure vnet/vimage jails, but they're out of date, i.e. 8.x & 9.x releases, which are at EOL [end of life, unsupported]. The current production version of FreeBSD is 10.3, with 11.0 due out in August. I only know of one utility jail tool that has vnet/vimage function. Try the qjail port; it will shorten your learning curve.

Now there is a guy who is patching vimage, trying to get it so it can be incorporated into the base kernel. His goal was to get it into release 11.0, but updates to 11.0 source are now suspended until 11.0 is published, so that's not going to happen. They sure would not incorporate vimage without a general announcement calling for users to test drive it first. This has not happened yet that I know of.

vnet/vimage is like a stand-alone computer. You have to log in to it to manage any firewall or other system function or port application. This can be done from the host console or over the network.

Going down this road will make the shop totally dependent on you and your ability. A mega size pay bump is in your future. The shop will be fubar-ed if you die or get hurt requiring a hospital stay and long recovery. User beware.