Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 26 Sep 2006 09:04:46 -0700
From:      Chris <snagit@cbpratt.prohosting.com>
To:        Don Munyak <don.munyak@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: ezjails, jails
Message-ID:  <DEFFA4C4-3060-408F-8937-C736C0B18D9D@cbpratt.prohosting.com>
In-Reply-To: <6207f7d90609260740i8bd9b9oac15f6b06cd3a339@mail.gmail.com>
References:  <6207f7d90609260740i8bd9b9oac15f6b06cd3a339@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help

On Sep 26, 2006, at 7:40 AM, Don Munyak wrote:

>
> I think I need to setup two jails, one(1) for email services and
> one(1) for www services, on a single server.
>
I asked this question in a different way the other day (see thread  
"Patches for jail support of multiple IP...") and received a good  
answer on how to set up a single jail to support multiple IP  
addresses (as our domains and sites currently use) and servers. I'm  
in the process of doing this using nat and divert within the "host"  
right now, because I'm trying to avoid having multiple copies of all  
these programs running in multiple jails. I'm trying to model our  
jail environment after our non-virtual current environment. I'm not  
sure that is the best way. My answers are as a noob to FreeBSD jails  
and just what I've found thus far, I hope it's not inaccurate. It  
looks like one could do anything, yet if you are using jails for  
security, "anything", such as sharing between jails or the host,  
might compromise why you are putting in jails in the first place and  
everything I'm doing is for security reasons or I'd forget jails.

> q. If I am running a webserver for more than one(1) domain, should I
> be using a single jail for each domain, or is one jail needed for
> 'ALL' www processing ?
>
Are the domains on separate IPs? If not, one jail suffices for all  
rather easily. If they are on different IPs, you either need multiple  
jails or will need to receive packets for all IPs on the "host"  
environment and rewrite them to land on a single IP used by the jail.  
Then use NamedVirtualHost in httpd.conf to separate them back out.  
I'm currently only 3/4 of the way done because of the lack of  
information on using natd in this way (it's normally used for private  
IP space and there are no examples of this backward use).

There is a reason why you may want multiple jails for different  
websites. One CGI vulnerability on one site risks the other sites. If  
you have the memory on your server, separating the websites into  
different jails reduces the risk of cross-site hacking. This is  
extremely situational depending on who you have maintaining the  
different websites and how careful they are in their configuration  
and practices. If you control everything and know the code then  
obviously you "trust the web developer ;-)" and a single jail will be  
easier to manage.

> q. If I am using a jail for each domain, does this imply loading
> apache+php+mysql, for each www jail ?
>
Yes from a standpoint of loading, if you use multiple jails. You can  
set it up such that the source and ports are shared by using  
mount_nullfs, then after installation, drop the mount such that no  
changes to the binaries can be made. But the actual execution is  
separate (though for mysql it doesn't have to be, see below) and will  
duplicate the memory footprint. Seemed wasteful to me so I'm opting  
to funnel all IPs into one by the time it hits the jail and thus have  
only a single jail. To explain what I observed, when I built the  
jail, part of the process is to enter the jail, go (jailed-)root and  
build the applications needed, like apache or mysql. If I were  
running a copy of (for example) httpd within the jail and one within  
the host (or a different jail), they would be two separate  
installations and separate executing copies in memory. One could make  
them the same installation but the links would be a nightmare plus  
you increase the number accesses you make possible to the host  
environment. This seems like nullifying some of the value of the  
jail. From what I could see, there is no way obvious to share the in- 
RAM executable nor would this be desirable. If I'm wrong, I hope  
someone corrects me.

> q. Likewise with email and multiple domains, does multiple domains =
> multiple email jails, as well as multiple copies of smtp, pop3,
> webmail ??
>
Same as previous question. But the method of putting mail into one IP  
is far different. I don't have the application to do this because all  
mail for all domains already comes into one IP. If I move our mail  
server to this machine, it will have a separate jail because we  
separate mail, dns and websites on different servers already and the  
isolation seems prudent.

> q. Email and WWW services both require MySQL. Would I be installing
> MySQL 'x' number of times?
Yes if you use multiiple jails with discrete instances of mysql  
server. You could set up a separate jail to run the mysql server and  
service the mysql clients on the other jail(s), think... "separate  
database backend as a separate jail on a different IP". If you setup  
a single jail and put the server within that jail this would also  
keep it down to one copy.

I am not familiar with ez-jail but found it a breeze to create jails  
using man jail combined with other web how-tos. man jail is  
inaccurate in how you install world and I would look to the other  
resources on the web for more current information.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DEFFA4C4-3060-408F-8937-C736C0B18D9D>