Date: Tue, 9 May 2006 17:22:30 +0200
From: "Philippe Lang" <philippe.lang@attiksystem.ch>
To: "Jahilliya" <jahilliya@gmail.com>, "Michael Grant" <mg-fbsd3@grant.org>
Cc: freebsd-questions@freebsd.org
Subject: RE: jails or chroot?
Message-ID: <6C0CF58A187DA5479245E0830AF84F421D0CAA@poweredge.attiksystem.ch>
[-- Attachment #1 --]

Hi,

Sure, jails require more work regarding administration. Ports are not the biggest problem I think, it's the easy part. The problem is when you have to update the world. But even here, with a good script, it's not such a nightmare.

Maybe all you need is Michael's solution. But take into account that with jails, you have great flexibility regarding the application you install for a particular client. And all the security that a jail system can offer, plus a fantastic way of managing your backups.

I personally run a jail-based VPS server, based on FreeBSD 6.0, with 13 jails at the moment. It's a dual Xeon, with 4GB RAM, and RAID 5 SCSI HDs. I have 355 MB RAM active, 1525 inactive and 1679 MB RAM are free. I intend to run a maximum of 50 jails on this server. And until now, nothing seems to oppose my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant <mg-fbsd3@grant.org> wrote:
>
> I host a bunch of websites on my box. Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot. I have
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients? Using
> apache and their "mass virtual hosting", 100 domains is a breeze. But
> with a jail or chroot, I need a separate apache process for each
> domain. This is going to mean hundreds of apache processes. This
> seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative nightmare.

File access can be solved with suexec (compile apache with suexec enabled). This means that for each virtual host entry in your apache config you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your apache version doc set).

This will make each apache process run as the user specified in the virtual host entry (not www), allowing you to restrict their access to files with filesystem ACLs and even ugidfw. You could also then set up process/memory restrictions in /etc/login.conf.

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6C0CF58A187DA5479245E0830AF84F421D0CAA>
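
The per-virtual-host suexec setup suggested in the quoted reply, as an added example that is not part of the original thread: a POSIX sh function that turns a client list into `<VirtualHost>` stanzas using Apache 2.x's `SuexecUserGroup`, and refuses shared accounts and UIDs under suEXEC's default minimum of 100. The "domain user uid" input format, the /usr/local/www/clients layout, the per-user group named after the account, and the sample entries are assumptions.

```sh
#!/bin/sh
# Added example: emit one <VirtualHost> stanza per client from lines of
# "domain user uid". Input format and directory layout are assumptions.

UID_MIN=100   # suEXEC's default compiled-in minimum UID

reject() { echo "rejected $1: $2" >&2; rc=1; }

emit_vhosts() {
    seen=" "; rc=0
    while read -r domain user uid; do
        case "$domain" in ''|\#*) continue ;; esac
        # Only plain tokens may reach the generated configuration.
        case "$domain" in *[!a-z0-9.-]*) reject "$domain" "bad domain"; continue ;; esac
        case "$user" in ''|*[!a-z0-9_]*) reject "$domain" "bad user"; continue ;; esac
        case "$uid" in ''|*[!0-9]*) reject "$domain" "bad uid"; continue ;; esac
        # System accounts such as www fall below the suEXEC minimum.
        if [ "$uid" -lt "$UID_MIN" ]; then
            reject "$domain" "uid $uid below $UID_MIN"; continue
        fi
        # One account per client, or file permissions cannot separate them.
        case "$seen" in *" $user "*) reject "$domain" "account $user reused"; continue ;; esac
        seen="$seen$user "
        cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot /usr/local/www/clients/$user/htdocs
    SuexecUserGroup $user $user
</VirtualHost>
EOF
    done
    return "$rc"
}

# Constructed sample list: two valid clients, the www account, a reused account.
emit_vhosts <<'LIST' || echo "some entries were rejected" >&2
example.org   client1  1001
example.net   client2  1002
shop.example  www      80
blog.example  client1  1001
LIST
```

suEXEC only governs CGI and SSI programs, so PHP must run as CGI rather than as an Apache module for these stanzas to change which user executes it.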
