Date:      Tue, 31 May 2016 14:53:54 +0000 (UTC)
From:      Sebastián Maruca <juanperiz@yahoo.com.ar>
To:        Lars Engels <lars.engels@0x20.net>, Ernie Luzar <luzar722@gmail.com>
Cc:        "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, Sebastián Maruca <seba@econ.uba.ar>
Subject:   Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Message-ID:  <1044161792.2386277.1464706434032.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <20160531063930.GE15808@e-new.0x20.net>
References:  <366569840.1294540.1464534933908.JavaMail.yahoo.ref@mail.yahoo.com> <366569840.1294540.1464534933908.JavaMail.yahoo@mail.yahoo.com> <574C42DA.6030101@gmail.com> <20160531063930.GE15808@e-new.0x20.net>

Yeah, guess I'll have to wait till they release the brand-new iocage [iocage is being rewritten in a different language]

>>> sysutils/iocage also supports VIMAGE

Well, I can give a try to 10.3 Current and see if iocage does the trick...

>>> You seem to forget that there have been fixes already in HEAD:

http://freshbsd.org/search?branch=HEAD&project=freebsd&q=vimage+OR+vnet

But as I said, some kind of API/framework to deal with "virtual isolated" PF(4) anchor files as a way of getting the multi-tenant feature of OPNSense...
Date: Wed, 1 Jun 2016 09:07:33 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-jail@freebsd.org
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?

Ernie Luzar wrote:
> the kernel to include vimage. Enabling pf or ipf firewalls causes the
> host to crash. ipfw firewall does not cause a crash but has next to no
> real life usage on vimage.

Considering we have had ipfw/vimage/netgraph jails for several years I'd
be interested in your data sources.

> When stopping vimage jails there is a problem with memory loss.

Have you tested this, on a recent release?

> You need a high proficiency in coding netgraph which
> is used to tie the hosts network to each vimage jail.

This certainly used to be true and IMO has been a significant barrier to
netgraph usage but the scripts in head/share/examples/jails/ are
at least helpful.

> Needs a public network with multiple static ip address & registered domain
> names even to test it.

How are you implementing vimage that needs a registered domain name?

> There are a few write ups about how to configure vnet/vimage jails, but
> they're out of date. IE: 8.x & 9.x releases which are at EOL [end of life,
> unsupported].

Vimage gets little attention.  Unfortunately the mapping of non-vimage
localhost interfaces to the primary external interface isn't noted 
nearly enough either.  These are weaknesses in bsd jails, the latter a
non-trivial security issue on many non-vimage systems considering
daemons like sendmail are installed and listening on "localhost" by
default.

> Going down this road will make the shop totally dependent on you and your
> ability. A mega size pay bump is in your future. The shop will be fubar-ed
> if you die or get hurt requiring a hospital stay and long recovery.

Potentially true of any Unix or Linux application in my experience.
Have you tried vimage with epair/if_bridge instead of netgraph?  It's
considerably simpler though the documentation is almost as conflicting
and insufficient.

Roger
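The epair/if_bridge wiring Roger suggests, spelled out as the exec.* hooks a vnet jail entry in /etc/jail.conf calls. This is an added example for the archive, not code from the thread and not FreeBSD's own share/examples/jails scripts. Everything specific is a constructed assumption: a bridge named bridge0 that already exists on the host with the uplink as a member, a jail named web1 that gets epair number 0, the address 192.0.2.10/24 and gateway 192.0.2.1. With DRY_RUN=1 (the default) the functions only print the ifconfig/route commands, so the script can be read and checked on any system; DRY_RUN=0 executes them and needs root on a FreeBSD host running a VIMAGE kernel.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD): epair + if_bridge hooks
# for a vnet jail.  Constructed assumptions: bridge0 exists on the host, jail
# "web1" gets epair 0, address 192.0.2.10/24, gateway 192.0.2.1.
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs them (root, FreeBSD, VIMAGE).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# exec.prestart (runs on the host): create epairNa/epairNb and attach the
# "a" end to the bridge; the "b" end is handed to the jail by vnet.interface.
vnet_prestart() {
    n="$1" bridge="$2"
    run ifconfig "epair${n}" create
    run ifconfig "epair${n}a" up
    run ifconfig "$bridge" addm "epair${n}a"
}

# exec.start (runs inside the jail): the jail now owns epairNb, so address it
# and point the default route at the gateway, then run the normal rc startup.
vnet_start() {
    n="$1" addr="$2" gw="$3"
    run ifconfig "epair${n}b" inet "$addr" up
    run route add default "$gw"
    run /bin/sh /etc/rc
}

# exec.poststop (runs on the host): detach and destroy.  Destroying one end of
# an epair removes both, so nothing lingers once the jail's vnet is torn down.
vnet_poststop() {
    n="$1" bridge="$2"
    run ifconfig "$bridge" deletem "epair${n}a"
    run ifconfig "epair${n}a" destroy
}

# The jail.conf entry that ties the three hooks together.  "vnet;" requests a
# new network stack for the jail; without it the jail shares the host stack and
# 127.0.0.1 is rewritten to the jail's primary address (the point Roger raises).
# path and host.hostname are constructed values.
jail_conf() {
    n="$1" name="$2" addr="$3" gw="$4" bridge="$5"
    cat <<EOF
$name {
    path = "/usr/jails/$name";
    host.hostname = "$name";
    vnet;
    vnet.interface = "epair${n}b";
    exec.prestart = "ifconfig epair${n} create; ifconfig epair${n}a up; ifconfig $bridge addm epair${n}a";
    exec.start = "ifconfig epair${n}b inet $addr up; route add default $gw; /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig $bridge deletem epair${n}a; ifconfig epair${n}a destroy";
}
EOF
}

# Usage: sh vnet_jail.sh demo   (prints the entry for the constructed jail)
if [ "${1:-}" = "demo" ]; then
    jail_conf 0 web1 192.0.2.10/24 192.0.2.1 bridge0
fi
```

Give each jail its own epair number, since exec.prestart runs on the host and a second jail reusing epair0 would fail at create; the jail's own pf or ipfw rules then live inside its vnet, which is where the per-tenant separation Sebastián is asking about would have to be built.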


