Date:      Sun, 02 Jun 2019 11:41:58 +0000
From:      "Dave Cottlehuber" <dch@skunkwerks.at>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: to jail or not to jail
Message-ID:  <1231820b-830b-4a22-8b08-37242226d276@www.fastmail.com>
In-Reply-To: <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>
References:  <CAPORhP4pbfCC96PXOeErJgswX_2dh%2BmXcBb1TrH6F0f5oN-wDw@mail.gmail.com> <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>

On Sun, 2 Jun 2019, at 10:00, Matthew Seaman wrote:
>
> For letsencrypt purposes, I use a DNS-01 challenge because that seemed
> to make the most sense given I wasn't going to deploy most certs on web
> servers.  Then I just wrote a custom deploy hook script to copy certs
> into the jail filesystems and restart servers.  Although I've created at
> least a separate ZFS for each jail, I haven't gone down the route of
> using 'zfs jail ...' to hide them from the main host system, as it makes
> copying things into jails from the host that much easier.

Minor clarification - when a jailed zfs dataset is mounted inside a running
jail, it is accessible from the host server.

This host server has a zroot/jailed parent to ensure that jailed datasets
can't inherit a mountpoint from the host system, and also to remind me
that they are indeed supposed to be jailed and not locally available:

# zfs list -o canmount,mounted,readonly,name,jailed -r zroot/jailed
CANMOUNT  MOUNTED  RDONLY  NAME                         JAILED
     off       no     off  zroot/jailed                    off
      on      yes     off  zroot/jailed/couchdb2            on
      on      yes     off  zroot/jailed/couchdb2/views      on
      on      yes     off  zroot/jailed/mu                  on
      on      yes     off  zroot/jailed/www                 on

# ls /jails/www/var/www/
...

It's only when the jail is not running that the dataset is not available
to the host system:

# zfs mount zroot/jailed/www
cannot mount 'zroot/jailed/www': dataset is exported to a local zone

But you can deliberately bypass this temporarily via:

# mount -t zfs zroot/jailed/www /mnt

I wrote a minimal example of using "raw" jails as opposed to iocage-driven
jails a few years ago; this may be of use as it shows how
to provide DNS, pf.conf settings, etc. behind a single NAT IP:

https://git.sr.ht/~dch/diy-jails/tree/master/zjail - only try it on a test VM!

If applications support it, you can run a jail that only contains a single
process - there's no inherent need for cron, syslog (use the host's syslog
directly via UNIX socket or via UDP), sshd, ntpd, sendmail, etc.

> think about using vimage jails on 12.0, as that makes the jails seem a
> lot more like just regular VMs, and gives you the ability to effectively
> create a private virtual switch inside your server, rather than having
> services appear on external interfaces.  Beware though that there are
> currently some quite severe bandwidth limitations on this sort of
> internally virtualized networking under FreeBSD, so this is not suitable
> for a high-traffic system.

Matthew, anything you can point me to about this limitation?

A+
Dave
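An added example, not part of Dave's message or his diy-jails repository: a small audit of the `zfs list` layout he describes. It reads `zfs list -H -o canmount,mounted,readonly,name,jailed -r zroot/jailed` output and reports which jailed datasets are currently mounted (and so, as the post notes, reachable from the host), which are exported and unmounted, and which children under the zroot/jailed parent are not jailed at all. The dataset names and the zroot/jailed parent are assumptions taken from the post; the sample rows are constructed and deliberately differ from the post's table to exercise every case.

```shell
#!/bin/sh
# Added example: audit jailed ZFS datasets as seen from the host.
# Input is the output of:
#   zfs list -H -o canmount,mounted,readonly,name,jailed -r zroot/jailed
# (tab-separated, no header). Columns: canmount mounted readonly name jailed

PARENT="zroot/jailed"   # assumption: same parent dataset as in the post

# audit_jailed_datasets: classify each dataset read on stdin, one per line.
audit_jailed_datasets() {
    awk -v parent="$PARENT" '
    {
        canmount = $1; mounted = $2; name = $4; jailed = $5
        if (name == parent) {
            # parent exists only so children cannot inherit a host mountpoint
            if (canmount != "off")
                print "WARN " name ": parent should have canmount=off"
            else
                print "OK   " name ": parent not mountable on host"
            next
        }
        if (jailed != "on") {
            print "WARN " name ": not jailed, inherits a host mountpoint"
            next
        }
        # jailed + mounted means a running jail has it, and the host sees it too
        if (mounted == "yes")
            print "HOST " name ": jailed, mounted in a running jail, visible on host"
        else
            print "SAFE " name ": jailed and exported, not mounted on host"
    }'
}

# Constructed sample in `zfs list -H` form; not real output from any system.
# mu is shown unmounted and www shown un-jailed on purpose.
sample_zfs_list() {
    printf 'off\tno\toff\tzroot/jailed\toff\n'
    printf 'on\tyes\toff\tzroot/jailed/couchdb2\ton\n'
    printf 'on\tyes\toff\tzroot/jailed/couchdb2/views\ton\n'
    printf 'on\tno\toff\tzroot/jailed/mu\ton\n'
    printf 'on\tyes\toff\tzroot/jailed/www\toff\n'
}

# Real use on a FreeBSD host:
#   zfs list -H -o canmount,mounted,readonly,name,jailed -r zroot/jailed | audit_jailed_datasets
sample_zfs_list | audit_jailed_datasets
```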
