From owner-freebsd-questions Tue Dec 3 19: 5:49 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1F7B37B401 for ; Tue, 3 Dec 2002 19:05:46 -0800 (PST) Received: from server.simon1.net (user23.net263.oh.sprint-hsd.net [208.17.71.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 16A4243ECD for ; Tue, 3 Dec 2002 19:05:46 -0800 (PST) (envelope-from simon1@server.simon1.net) Received: from server.simon1.net (localhost [127.0.0.1]) by server.simon1.net (8.12.5/8.12.5) with ESMTP id gB435aRC001651; Tue, 3 Dec 2002 22:05:36 -0500 (EST) Received: from localhost (simon1@localhost) by server.simon1.net (8.12.5/8.12.5/Submit) with ESMTP id gB435aqL001648; Tue, 3 Dec 2002 22:05:36 -0500 (EST) Date: Tue, 3 Dec 2002 22:05:36 -0500 (EST) From: Simon1 To: Philip Hallstrom Cc: Greg Goodman , Subject: Re: Virtual Private Servers/Jails In-Reply-To: <20021203173839.P94322-100000@cypress.adhesivemedia.com> Message-ID: <20021203214038.U471-100000@server.simon1.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > I run them for development servers. oak is the physical box and runs > postgresql. I've got 4 jails running apache so each developer can have > his own sandbox and can royally screw things up without affecting the rest > of us. Works awesome. That's always useful. Like I said, I just never got the jails to speak to each other. It might have had something to do with the specific setup I had going. I no longer manage the webhosting I was using the jails in, but I'll see if I can't get some time with one of my development boxes to play with. Postgres I've never used, MySQL on the other hand.. > I don't use quotas since this isn't for a commercial web hosting > environment.... That's what I was using them for. All of the work I did with jails was targeted towards that environment. > > What I've found: > > 1) Connecting (aka telnet, ftp, ssh) from one jail to another or even to > > the physical host is supposed to work, but I was never able to make it [snip] > Works great for me... I can do all three b/n jails, host, and remote > servers or any combination. Also updating ports with cvsup and/or > installing them with porteasy also works just fine. Never tried using > sysinstall. I seem to be the only person unable to get it to go. I think it may have had something to do with the firewall rules, but even allow any from any didn't seem to have a big effect. Not sure if dummynet may have had anything to do with it either, though I doubt it. > Not realtime, but you could run a "du -hcs *" on the top level directory > that holds the jails to get a count, then substract what a "bare" jail > contains and this would give you a snapshot of how much space is being > used. Granted in a commercial environment your users could use as much as > they want and then remove it before you run the script, but that's life :) Realtime quotas are a must in web hosting. The stuff I've had users do was incredible. At one point, there were no quotas except as you described above. The amount of trouble that caused.. *shakes head* Anything that has to scan the files works okay in smaller environments. But when you break 10-20k accounts things really bog down. > > with root in a jail can't trash the main system, they can still do a lot > > of damage. > > They can? How? Other than destroying that jail and thus anything on that > IP, they can't touch the rest of the system.. at least that's my > understanding. Please correct me if I'm wrong. No, you can't mess with processes or files outside of the jail. However, you can run processes which bring the system to its knees (think while(1) { fork; } <--don't laugh, I'm not making this up. People really do run commands like that "just to see what would happen") Also, if someone doesn't know any better (or doesn't have an option) they might put the jail on one of their main partitions. FreeBSD may still function, but it gets unhappy when a drive is totally full. Should you have anything running that needs to save state (think databases here) you'll have some problems. That's what I was thinking of when I wrote what I did. I should have clarified that, sorry. > Check out the following ports which do what you want with maybe the > exception of #2, but maybe even that, I don't remember. > > jailer-1.1.1 Manage FreeBSD jail startup, shutdown and console > jailutils-0.5.1 Several utilies for managing jails I also saw a post made right after I composed mine with a JailAdmin tool that looked very promising. I haven't used any of the tools above, but I'm glad to see that many of my 'wishes' have already come true. =) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message