Date: Tue, 26 Sep 2006 09:04:46 -0700
From: Chris <snagit@cbpratt.prohosting.com>
To: Don Munyak <don.munyak@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: ezjails, jails
Message-ID: <DEFFA4C4-3060-408F-8937-C736C0B18D9D@cbpratt.prohosting.com>
In-Reply-To: <6207f7d90609260740i8bd9b9oac15f6b06cd3a339@mail.gmail.com>
References: <6207f7d90609260740i8bd9b9oac15f6b06cd3a339@mail.gmail.com>
On Sep 26, 2006, at 7:40 AM, Don Munyak wrote:

> I think I need to set up two jails, one(1) for email services and
> one(1) for www services, on a single server.

I asked this question in a different way the other day (see thread "Patches for jail support of multiple IP...") and received a good answer on how to set up a single jail to support multiple IP addresses (as our domains and sites currently use) and servers. I'm in the process of doing this using nat and divert within the "host" right now, because I'm trying to avoid having multiple copies of all these programs running in multiple jails. I'm trying to model our jail environment after our non-virtual current environment. I'm not sure that is the best way.

My answers are as a noob to FreeBSD jails and just what I've found thus far; I hope it's not inaccurate. It looks like one could do anything, yet if you are using jails for security, "anything", such as sharing between jails or the host, might compromise why you are putting in jails in the first place, and everything I'm doing is for security reasons or I'd forget jails.

> q. If I am running a webserver for more than one(1) domain, should I
> be using a single jail for each domain, or is one jail needed for
> 'ALL' www processing ?

Are the domains on separate IPs? If not, one jail suffices for all rather easily. If they are on different IPs, you either need multiple jails or will need to receive packets for all IPs on the "host" environment and rewrite them to land on a single IP used by the jail. Then use NameVirtualHost in httpd.conf to separate them back out. I'm currently only 3/4 of the way done because of the lack of information on using natd in this way (it's normally used for private IP space and there are no examples of this backward use).

There is a reason why you may want multiple jails for different websites. One CGI vulnerability on one site risks the other sites. If you have the memory on your server, separating the websites into different jails reduces the risk of cross-site hacking. This is extremely situational, depending on who you have maintaining the different websites and how careful they are in their configuration and practices. If you control everything and know the code then obviously you "trust the web developer ;-)" and a single jail will be easier to manage.

> q. If I am using a jail for each domain, does this imply loading
> apache+php+mysql, for each www jail ?

Yes from a standpoint of loading, if you use multiple jails. You can set it up such that the source and ports are shared by using mount_nullfs, then after installation, drop the mount such that no changes to the binaries can be made. But the actual execution is separate (though for mysql it doesn't have to be, see below) and will duplicate the memory footprint. Seemed wasteful to me, so I'm opting to funnel all IPs into one by the time it hits the jail and thus have only a single jail.

To explain what I observed, when I built the jail, part of the process is to enter the jail, go (jailed-)root and build the applications needed, like apache or mysql. If I were running a copy of (for example) httpd within the jail and one within the host (or a different jail), they would be two separate installations and separate executing copies in memory. One could make them the same installation but the links would be a nightmare, plus you increase the number of accesses you make possible to the host environment. This seems like nullifying some of the value of the jail. From what I could see, there is no obvious way to share the in-RAM executable, nor would this be desirable. If I'm wrong, I hope someone corrects me.

> q. Likewise with email and multiple domains, does multiple domains =
> multiple email jails, as well as multiple copies of smtp, pop3,
> webmail ??

Same as previous question. But the method of putting mail into one IP is far different. I don't have the application to do this because all mail for all domains already comes into one IP. If I move our mail server to this machine, it will have a separate jail because we separate mail, dns and websites on different servers already and the isolation seems prudent.

> q. Email and WWW services both require MySQL. Would I be installing
> MySQL 'x' number of times?

Yes if you use multiple jails with discrete instances of mysql server. You could set up a separate jail to run the mysql server and service the mysql clients on the other jail(s); think... "separate database backend as a separate jail on a different IP". If you set up a single jail and put the server within that jail this would also keep it down to one copy.

I am not familiar with ez-jail but found it a breeze to create jails using man jail combined with other web how-tos. man jail is inaccurate in how you install world and I would look to the other resources on the web for more current information.
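The "rewrite every public IP onto the jail's single address, then split the sites back out with NameVirtualHost" design Chris describes above, written out as an added example; this is not code from the thread or from FreeBSD itself. The script emits the four host-side fragments (natd.conf, ipfw rules, rc.conf, and the jail's httpd.conf) from shell functions so they can be reviewed before anything is installed. The interface `em0`, the jail address `10.0.0.5`, the public addresses `203.0.113.x` and the `www.example.*` names are constructed placeholders; the `jail_www_*` and `natd_*` rc.conf knobs and the `redirect_address` natd option are the real FreeBSD 6-era names.

```shell
#!/bin/sh
# Added example, not code from the thread: host-side configuration for the
# "funnel every public IP into one jail" design, emitted by functions so it
# can be inspected before it is written to /etc.
# Every address, hostname and interface below is a constructed placeholder.

EXT_IF="em0"                    # assumed external interface
JAIL_IP="10.0.0.5"              # assumed private address held by the jail
PUBLIC_IPS="203.0.113.10 203.0.113.11 203.0.113.12"   # constructed public IPs
# public IP -> site name pairs (constructed)
VHOSTS="203.0.113.10:www.example.org 203.0.113.11:www.example.net 203.0.113.12:www.example.com"

# Refuse the obvious misconfiguration: a public IP equal to the jail IP would
# make natd rewrite the jail's own address. Returns 0 when the list is clean.
check_inputs() {
  for ip in $PUBLIC_IPS; do
    [ "$ip" = "$JAIL_IP" ] && return 1
  done
  return 0
}

# natd.conf: one static-NAT mapping per public address. Inbound packets for a
# public IP get their destination rewritten to JAIL_IP; the jail's replies get
# their source rewritten back to the matching public IP.
natd_conf() {
  printf 'interface %s\n' "$EXT_IF"
  for ip in $PUBLIC_IPS; do
    printf 'redirect_address %s %s\n' "$JAIL_IP" "$ip"
  done
}

# ipfw rules: divert everything crossing EXT_IF through natd first, then admit
# only new connections to the ports the jail actually serves, replies, and
# outbound traffic; log and drop the rest.
ipfw_rules() {
  printf 'add 50 divert natd ip from any to any via %s\n' "$EXT_IF"
  printf 'add 100 allow tcp from any to %s 80,443 in via %s setup\n' "$JAIL_IP" "$EXT_IF"
  printf 'add 110 allow tcp from any to any established\n'
  printf 'add 120 allow ip from any to any out\n'
  printf 'add 65000 deny log ip from any to any\n'
}

# rc.conf fragment: one jail on the private address, natd driven by the file
# above. jail_<name>_* are the FreeBSD 6-era rc.conf knobs.
rc_conf() {
  printf 'firewall_enable="YES"\n'
  printf 'natd_enable="YES"\n'
  printf 'natd_interface="%s"\n' "$EXT_IF"
  printf 'natd_flags="-f /etc/natd.conf"\n'
  printf 'jail_enable="YES"\n'
  printf 'jail_list="www"\n'
  printf 'jail_www_rootdir="/usr/jails/www"\n'
  printf 'jail_www_hostname="www.example.org"\n'
  printf 'jail_www_ip="%s"\n' "$JAIL_IP"
}

# httpd.conf fragment inside the jail: every site is name-based on JAIL_IP,
# which is what un-mixes the traffic natd merged onto one address.
httpd_conf() {
  printf 'Listen %s:80\n' "$JAIL_IP"
  printf 'NameVirtualHost %s:80\n' "$JAIL_IP"
  for pair in $VHOSTS; do
    name=${pair#*:}
    printf '<VirtualHost %s:80>\n' "$JAIL_IP"
    printf '    ServerName %s\n' "$name"
    printf '    DocumentRoot /usr/local/www/%s\n' "$name"
    printf '</VirtualHost>\n'
  done
}

# Print all fragments when run as: SHOW=1 sh funnel.sh
main() {
  check_inputs || { echo "public IP list collides with JAIL_IP" >&2; return 1; }
  echo "# /etc/natd.conf";  natd_conf;  echo
  echo "# ipfw rules";      ipfw_rules; echo
  echo "# /etc/rc.conf";    rc_conf;    echo
  echo "# httpd.conf (in the jail)"; httpd_conf
}
if [ -n "${SHOW:-}" ]; then main; fi
```

The script assumes the public addresses are routed to, or aliased on, `em0`, so natd sees them; it does not touch the host. The ports-tree sharing Chris mentions (`mount_nullfs -o ro /usr/ports /usr/jails/www/usr/ports` during the build, `umount` afterwards) is a root-only step and is left to the operator. The trade-off is the one the reply already names: with every site behind one jail and one httpd, the ipfw rules limit what reaches the jail from outside, but a compromise of any one site's code still lands in the same jail as the others.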