From owner-freebsd-questions@freebsd.org Sun Jun 2 11:42:07 2019
Message-Id: <1231820b-830b-4a22-8b08-37242226d276@www.fastmail.com>
In-Reply-To: <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>
References: <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>
Date: Sun, 02 Jun 2019 11:41:58 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: to jail or not to jail
Content-Type: text/plain

On Sun, 2 Jun 2019, at 10:00, Matthew Seaman wrote:
>
> For letsencrypt purposes, I use a DNS-01 challenge because that seemed
> to make the most sense given I wasn't going to deploy most certs on web
> servers. Then I just wrote a custom deploy hook script to copy certs
> into the jail filesystems and restart servers. Although I've created at
> least a separate ZFS for each jail, I haven't gone down the route of
> using 'zfs jail ...' to hide them from the main host system, as it makes
> copying things into jails from the host that much easier.

Minor clarification - when a jailed zfs dataset is mounted inside a running
jail, it is accessible from the host server.
This host server has a zroot/jailed parent to ensure that jailed datasets
can't inherit a mountpoint from the host system, and also to remind me that
they are indeed supposed to be jailed and not locally available:

# zfs list -o canmount,mounted,readonly,name,jailed -r zroot/jailed
CANMOUNT  MOUNTED  RDONLY  NAME                         JAILED
     off       no     off  zroot/jailed                    off
      on      yes     off  zroot/jailed/couchdb2            on
      on      yes     off  zroot/jailed/couchdb2/views      on
      on      yes     off  zroot/jailed/mu                  on
      on      yes     off  zroot/jailed/www                 on
# ls /jails/www/var/www/
...

It's only when the jail is not running that the dataset is not available
to the host system:

# zfs mount zroot/jailed/www
cannot mount 'zroot/jailed/www': dataset is exported to a local zone

But you can deliberately bypass this temporarily via:

# mount -t zfs zroot/jailed/www /mnt

I wrote a minimal example of using "raw" jails as opposed to iocage-driven
jails a few years ago; this may be of use as it shows how to provide DNS,
pf.conf settings, etc. behind a single NAT IP:

https://git.sr.ht/~dch/diy-jails/tree/master/zjail

only try it on a test VM!

If applications support it, you can run a jail that only contains a single
process - there's no inherent need for cron, syslog (use the host's syslog
directly via UNIX socket or via UDP), sshd, ntpd, sendmail etc.

> think about using vimage jails on 12.0, as that makes the jails seem a
> lot more like just regular VMs, and gives you the ability to effectively
> create a private virtual switch inside your server, rather than having
> services appear on external interfaces. Beware though that there are
> currently some quite severe bandwidth limitations on this sort of
> internally virtualized networking under FreeBSD, so this is not suitable
> for a high-traffic system.

Matthew, anything you can point me to about this limitation?

A+
Dave
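As an added example (not from Dave's mail nor his diy-jails repository), a POSIX sh audit of the zroot/jailed layout described above: it reads the output of zfs list -H -o canmount,mounted,readonly,name,jailed -r zroot/jailed and flags a parent whose canmount is not off, children that are not jailed=on, and jailed children that are currently mounted and therefore reachable from the host while their jail runs. The listing fed to it is constructed; the zroot/jailed/staging row is a made-up misconfiguration added to show a failure.

```shell
#!/bin/sh
# Audit of a zroot/jailed dataset tree. Added example, not code from the
# mail; only the dataset names in the sample come from it.
#
# Input (stdin): zfs list -H -o canmount,mounted,readonly,name,jailed -r PARENT
# Rules checked:
#   parent   : canmount must be off, so children cannot inherit a host mountpoint
#   children : jailed must be on; a jailed child with mounted=yes is reachable
#              from the host right now (expected while its jail is running)
# Exit status is 1 if any FAIL line was printed, 0 otherwise.
audit_jailed() {
    awk -v parent="$1" '
    {
        canmount = $1; mounted = $2; name = $4; jailed = $5
        if (name == parent) {
            if (canmount != "off") {
                print "FAIL " name ": canmount=" canmount " (want off)"; bad++
            }
        } else if (jailed != "on") {
            print "FAIL " name ": jailed=" jailed " (want on)"; bad++
        } else if (mounted == "yes") {
            print "INFO " name ": jailed dataset mounted, visible from the host"
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample in the shape of the -H (header-less) listing. The first
# five rows mirror the listing in the mail; "staging" is a deliberate error.
sample_listing() {
    cat <<'EOF'
off no  off zroot/jailed                off
on  yes off zroot/jailed/couchdb2       on
on  yes off zroot/jailed/couchdb2/views on
on  yes off zroot/jailed/mu             on
on  yes off zroot/jailed/www            on
on  yes off zroot/jailed/staging        off
EOF
}

# Stand-alone run against the sample; on a real host replace sample_listing
# with: zfs list -H -o canmount,mounted,readonly,name,jailed -r zroot/jailed
sample_listing | audit_jailed zroot/jailed || echo "audit: problems found"
```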