From: Andre Oppermann <andre@freebsd.org>
To: Julian Elischer
Cc: "Bjoern A. Zeeb", Ed Schouten, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Multiple IP Jail's patch for FreeBSD 6.2
Date: Mon, 14 May 2007 22:47:57 +0200
Message-ID: <4648CAFD.4020009@freebsd.org>
In-Reply-To: <4648993A.4060709@elischer.org>
References: <45F1C355.8030504@digitaldaemon.com> <20070511075857.GL23313@hoeg.nl> <4644773E.60909@freebsd.org> <20070514141416.GR23313@hoeg.nl> <20070514155727.Y2939@maildrop.int.zabbadoz.net> <4648993A.4060709@elischer.org>

Julian Elischer wrote:
> Bjoern A. Zeeb wrote:
>> On Mon, 14 May 2007, Ed Schouten wrote:
>>
>> Hi,
>>
>>> * Andre Oppermann wrote:
>>>> I'm working on a "light" variant of multi-IPv[46] per jail. It
>>>> doesn't create an entirely new network instance per jail and
>>>> probably is more suitable for low- to mid-end (virtual) hosting.
>>>> In those cases you normally want the host administrator to
>>>> exercise full control over IP address and firewall configuration
>>>> of the individual jails. For high-end stuff where you offer jail
>>>> based virtual machines or network and routing simulations Marco's
>>>> work is more appropriate.
>>>
>>> Is there a way for us to collaborate on this? I'd really love to
>>> work on this sort of stuff and I think it's really interesting to
>>> dig in that sort of code.
>>>
>>> I already wrote an initial patch which changes the system call and
>>> sysctl format of the jail structures which allow you to specify
>>> lists of addresses for IPv4 and IPv6.
>>
>
> talk with Marko Zec about "imunes".
>
> http://www.tel.fer.hr/zec/vimage/
> and http://www.tel.fer.hr/imunes/
>
> It has a complete virtualized stack for each jail.
> ipfw, routing table, divert sockets, sysctls, statistics, netgraph etc.

Like I said there is a place for both approaches and they are
complementary. A couple of hosting ISPs I know do not want to give a
full virtualized stack to their customers. They want to retain full
control over the network configuration inside and outside of the jail.
In those (mass-hosting) cases it is done that way to ease support (less
stuff users can fumble) and to properly position those products against
full virtual machines and dedicated servers.

Something like this: jail < vimage < virtual machine < dedicated server.

> He has a set of patches against 7-current that now implements nearly
> all the parts you need. It will be discussed at the devsummit on
> Wed/Thurs and we'll be discussing whether it is suitable for general
> inclusion or to be kept as patches. Note, it can be compiled out,
> which leaves a pretty much binarily compatible OS, so I personally
> would like to see it included.

I don't think it is mature enough for inclusion into the upcoming 7.0R.
Not enough integration time. Food for FreeBSD 8.0.

-- 
Andre