Date:      Wed, 1 Jun 2016 15:31:32 -0700
From:      "Roger Marquis" <marquis@roble.com>
To:        "Ernie Luzar" <luzar722@gmail.com>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
In-Reply-To: <574F54FC.3040203@gmail.com>
References:  <574f0851.ca0b620a.c7073.5becSMTPIN_ADDED_MISSING@mx.google.com> <574F54FC.3040203@gmail.com>

>> Ernie Luzar wrote:
>> Considering we have had ipfw/vimage/netgraph jails for several years I'd
>> be interested in your data sources.
>
> The source is personal experience. Tested 9.3 & 10.0 with ipfw running
> in vnet/vimage jails. At that time ipfw was logging to the host and not
> to the vimage jail. Definitely a security violation.

Kernel logging in general, not just for ipfw, is something that really should
not propagate to jails but does.

> You know I give you a lot of credit for risking things on vnet/vimage
> jails in your shop. Most management just wouldn't take that risk.

Wasn't me but the engineers here before me.  My personal preference is for
non-vimage jails, at least where the networking makes sense.  Prefs aside, we
do have many vimage/netgraph/ipfw systems working well in the lab and field
(of production high-volume financial applications).

>> the scripts in head/share/examples/jails/ are at least helpful.
>
> I checked out those examples. Hardly any comments about what is
> happening or why they're being done. All they are is a starting point to
> experiment doing trial and error testing.

The j?? scripts aren't meant as documentation but for ease of setup, to be
called from /etc/jail.conf with a straightforward set of parameters.  Agreed,
documentation here is still wholly insufficient.

> I disagree with you about the security issue of using localhost. Running
> sendmail in a non-vimage jail using its default config listening on
> localhost is still contained in the jail. Localhost is internally
> converted to the jail's assigned IP address by jail(8).

How is anything listening on localhost internally converted yet still
contained in the jail?  I mean what is the mechanism and why sendmail but not
other daemons?

>  Why do you think this is a non-trivial security issue?

 telnet $jail 25
 ehlo ...
 mail from: <...>
 rcpt to: <...>
 data

Sendmail has never been a relatively secure app and DOS/DDOS and spam are
vulnerabilities but point taken.

Problem is the localhost to external mapping impacts not just sendmail but
named, postfix and anything else listening on 127.0.0.1.

> My time for playing around is very limited. I'll wait for 11.0 to be
> published and see what the "release notes" say about vimage and the
> firewalls becoming vimage aware. Also will be checking the closed bugs
> for vimage to see what has been fixed.

I have tested 11-CURRENT non-vimage, netgraph and if_bridge jails using iperf3
and not yet been able to trigger a crash.  YMMV of course as the two bridging
technologies do need far more substantial QA if we don't want to continue
leaving this point strictly to Linux advocates.

> I do hope vnet/vimage has finally become of age and reliable for
> production like the non-vimage jails have become.

More reliable, better documented AND simpler would be ideal.  I believe the
crux is A) in the code's complexity and readability, B) inherent difficulties
of testing and of course C) funding.

Roger
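The localhost-to-jail-address mapping discussed above can be checked from inside the jail with sockstat(1). The following is an added example, not code from the thread: a POSIX sh/awk filter over sockstat -l output that flags every TCP/UDP listener not bound to a loopback address, with the two sockstat samples and the 10.0.0.5 address constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. In a non-VNET jail a daemon that bound
# 127.0.0.1 really sits on the jail address and is reachable from the network;
# run this inside the jail as:  sockstat -4 -6 -l | audit_listeners 22
# Reads sockstat(1) output on stdin; ports given as arguments are expected to
# be exposed. Prints every other TCP/UDP listener not on a loopback address
# and returns 1 if any was found, 0 otherwise.
audit_listeners() {
    awk -v allow=" $* " '
        NR == 1 { next }                        # header line
        $5 !~ /^(tcp|udp)/ { next }             # skip unix-domain sockets
        {
            n = split($6, a, ":")               # LOCAL ADDRESS is addr:port
            port = a[n]
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            if (index(allow, " " port " ") > 0) next   # meant to be reachable
            printf "%s (pid %s) %s bound to %s port %s\n", $2, $3, $5, addr, port
            exposed = 1
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Constructed sample: sockstat -4 -l inside a non-VNET jail with ip4.addr
# 10.0.0.5, where sendmail and named were configured to listen on localhost.
NONVNET_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   10.0.0.5:25           *:*
bind     named      1300  20 udp4   10.0.0.5:53           *:*
root     sshd       1200  3  tcp4   10.0.0.5:22           *:*'

# Constructed sample: the same services in a VNET jail, which has its own
# loopback interface, so the localhost binds stay on 127.0.0.1.
VNET_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   127.0.0.1:25          *:*
bind     named      1300  20 udp4   127.0.0.1:53          *:*
root     sshd       1200  3  tcp4   10.0.0.5:22           *:*'

# Run the audit over one sample, treating port 22 as intentionally exposed.
audit_sample() {
    if printf '%s\n' "$1" | audit_listeners 22; then
        echo "only loopback (or allowed) listeners found"
    else
        echo "localhost services above are reachable on the jail address"
    fi
}

audit_sample "$NONVNET_SAMPLE"
audit_sample "$VNET_SAMPLE"
```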