Date: Wed, 24 Apr 2013 09:22:02 -0400
From: Joe <fbsd8@a1poweruser.com>
To: Laurent Alebarde <l.alebarde@free.fr>
Cc: freebsd-jail@freebsd.org
Subject: Re: state of the art ?
Message-ID: <5177DC7A.5060500@a1poweruser.com>
In-Reply-To: <5177B1A4.6060502@free.fr>
References: <5177AE9C.1020300@free.fr> <5177B1A4.6060502@free.fr>
Laurent Alebarde wrote:
> Hi all,
>
> I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials,
> mainly:
>
> * http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
> * http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project
>
> I have some questions please:
>
> 1. Are they still up-to-date?
> 2. Does the jail rc script still have to be patched to be able to use pf
>    instead of IPFW?
> 3. What are the best up-to-date links for tutorials to set up ZFS
>    ipv4/ipv6 vnet jails?
> 4. Can it be put in production safely or is it still considered
>    experimental?
>
> Cheers,
>
> Laurent.

In my opinion vimage is a very long way from being production safe. The
biggest show stopper is the loss of memory pages when a vnet jail is
stopped. See the year-old PR
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/164763

Besides the memory loss problem there is the problem of no support for
SCTP. So YES vimage is still experimental. Use at your own risk.

About vimage and firewalls, ipfw and pf in 9.1-RELEASE are vimage aware.
That means when you boot your host and the host's /etc/rc.conf file has
ipfw_enable="YES" or pf_enable="YES" statements in it the system will come
up without a page fault or panic. This does not necessarily mean that you
can get one of those firewalls started inside of a vnet jail. Now that
ipfilter has a maintainer it should be vimage aware in 10.0-RELEASE when
it's published for general public use.

The shortcoming of both of those links is getting the vnet jail access to
the public internet.

Playing with vimage on 9.1 is a great learning experience, but stick with
regular jails for your production world for the maximum jail security.

zfs is a separate subject for vimage jails and normal jails. zfs is a very
large and complicated subject. You need to become experienced using zfs on
your host first before trying to combine zfs with jails.
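As an added example (not part of the thread and not FreeBSD's own tooling): a small POSIX sh audit that reads a jail.conf-style file and an rc.conf-style file and reports which jails request vnet (the experimental feature the reply above warns against for production) and whether the host enables one of the vimage-aware firewalls named in the reply, pf or ipfw. The two sample configuration files are constructed here; the jail names, paths, addresses and interface names in them are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the thread): audit a jail.conf and an rc.conf for
# vnet jails and for a vimage-aware firewall (pf or ipfw) on the host.
# All configuration below is constructed sample data.

set -eu

# list_vnet_jails FILE : print the name of every jail block in FILE that
# sets the "vnet" parameter (written as "vnet;" or "vnet = ...;").
list_vnet_jails() {
    awk '
        # a jail block starts with:  name {
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ {
            name = $0
            sub(/^[[:space:]]*/, "", name)
            sub(/[[:space:]]*[{].*$/, "", name)
            uses_vnet = 0
        }
        # "vnet;" or "vnet = new;" inside a block marks a vnet jail
        # ("vnet.interface = ..." does not match: it is followed by a dot)
        /^[[:space:]]*vnet[[:space:]]*(;|=)/ { uses_vnet = 1 }
        # closing brace ends the block; report it if it used vnet
        /^[[:space:]]*[}]/ && name != "" {
            if (uses_vnet) print name
            name = ""
        }
    ' "$1"
}

# firewall_enabled FILE : print "pf", "ipfw", "pf ipfw" or "none" depending
# on which <fw>_enable="YES" lines the rc.conf-style FILE contains.
firewall_enabled() {
    found=""
    for fw in pf ipfw; do
        if grep -Eq "^[[:space:]]*${fw}_enable=\"?YES\"?" "$1"; then
            found="${found:+$found }$fw"
        fi
    done
    printf '%s\n' "${found:-none}"
}

# --- constructed sample input (hypothetical jails and host settings) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_JAILCONF="$SAMPLE_DIR/jail.conf"
SAMPLE_RCCONF="$SAMPLE_DIR/rc.conf"

cat > "$SAMPLE_JAILCONF" <<'EOF'
# constructed jail.conf: one regular jail and one vnet jail
www {
    path = /jails/www;
    host.hostname = www.example.org;
    ip4.addr = 192.0.2.10;
}
lab {
    path = /jails/lab;
    vnet;
    vnet.interface = epair0b;
}
EOF

cat > "$SAMPLE_RCCONF" <<'EOF'
# constructed rc.conf fragment for the host
hostname="host.example.org"
pf_enable="YES"
pf_rules="/etc/pf.conf"
EOF

# --- report ---
echo "Host firewall enabled in rc.conf: $(firewall_enabled "$SAMPLE_RCCONF")"
vnet_jails=$(list_vnet_jails "$SAMPLE_JAILCONF")
if [ -n "$vnet_jails" ]; then
    echo "Jails using vnet (experimental, keep out of production): $vnet_jails"
else
    echo "No vnet jails configured"
fi
```

Point the two functions at the real /etc/jail.conf and /etc/rc.conf instead of the constructed samples to run the same check on a host; the awk parser only understands the one-jail-per-brace-block layout shown above, not `.include` directives or jails nested inside other blocks.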