Date: Sun, 02 Jun 2019 11:41:58 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: to jail or not to jail
Message-ID: <1231820b-830b-4a22-8b08-37242226d276@www.fastmail.com>
In-Reply-To: <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>
References: <CAPORhP4pbfCC96PXOeErJgswX_2dh+mXcBb1TrH6F0f5oN-wDw@mail.gmail.com> <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>
On Sun, 2 Jun 2019, at 10:00, Matthew Seaman wrote:
>
> For letsencrypt purposes, I use a DNS-01 challenge because that seemed
> to make the most sense given I wasn't going to deploy most certs on web
> servers. Then I just wrote a custom deploy hook script to copy certs
> into the jail filesystems and restart servers. Although I've created at
> least a separate ZFS for each jail, I haven't gone down the route of
> using 'zfs jail ...' to hide them from the main host system, as it makes
> copying things into jails from the host that much easier.

Minor clarification - when a jailed zfs dataset is mounted inside a running
jail, it is accessible from the host server. This host server has a
zroot/jailed parent to ensure that jailed datasets can't inherit a
mountpoint from the host system, and also to remind me that they are
indeed supposed to be jailed and not locally available:

# zfs list -o canmount,mounted,readonly,name,jailed -r zroot/jailed
CANMOUNT  MOUNTED  RDONLY  NAME                         JAILED
     off       no     off  zroot/jailed                    off
      on      yes     off  zroot/jailed/couchdb2            on
      on      yes     off  zroot/jailed/couchdb2/views      on
      on      yes     off  zroot/jailed/mu                  on
      on      yes     off  zroot/jailed/www                 on

# ls /jails/www/var/www/
...

It's only when the jail is not running, that the dataset is not available
to the host system:

# zfs mount zroot/jailed/www
cannot mount 'zroot/jailed/www': dataset is exported to a local zone

But you can deliberately bypass this temporarily via:

# mount -t zfs zroot/jailed/www /mnt

I wrote a minimal example of using "raw" jails as opposed to iocage driven
jails a few years ago, this may be of use as it shows how to provide DNS,
pf.conf settings, etc behind a single NAT IP:

https://git.sr.ht/~dch/diy-jails/tree/master/zjail

only try it on a test VM!

If applications support it, you can run a jail that only contains a single
process - there's no inherent need for cron, syslog (use the host's syslog
directly via UNIX socket or via UDP), sshd, ntpd, sendmail etc.
> think about using vimage jails on 12.0, as that makes the jails seem a
> lot more like just regular VMs, and gives you the ability to effectively
> create a private virtual switch inside your server, rather than having
> services appear on external interfaces. Beware though that there are
> currently some quite severe bandwidth limitations on this sort of
> internally virtualized networking under FreeBSD, so this is not suitable
> for a high-traffic system.

Matthew, anything you can point me to about this limitation?

A+
Dave
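The `zfs list` output in Dave's message is easy to eyeball for five datasets, but the same three conditions are worth checking on a host with many jails. The helper below is an added example, not code from the thread or from the diy-jails repository: it reads the tab-separated form of that listing (`zfs list -H -o name,canmount,mounted,jailed -r zroot/jailed`) on stdin and flags a parent that could still mount on the host (canmount not off), a child under the parent that was never delegated with jailed=on, and a jailed child that is currently mounted and therefore visible on the host while its jail runs. The sample input is constructed, including a hypothetical `zroot/jailed/stray` dataset and a `zroot/other` dataset outside the tree.

```shell
#!/bin/sh
# Added audit helper (not from the mailing-list post). Input format is the
# output of:  zfs list -H -o name,canmount,mounted,jailed -r PARENT
# i.e. one dataset per line, fields separated by tabs.

# audit_jailed_tree PARENT  < listing
# Prints one finding per line; prints nothing when the tree matches the
# layout described in the post (parent canmount=off, children jailed=on).
audit_jailed_tree() {
    parent="$1"
    while IFS="$(printf '\t')" read -r name canmount mounted jailed; do
        [ -n "$name" ] || continue
        if [ "$name" = "$parent" ]; then
            # The parent exists only to block mountpoint inheritance from
            # the host; it must never be mountable itself.
            [ "$canmount" = "off" ] || printf 'PARENT-MOUNTABLE %s canmount=%s\n' "$name" "$canmount"
            continue
        fi
        case "$name" in
            "$parent"/*) ;;
            *) continue ;;   # not under the tree being audited
        esac
        # A child that was never delegated can be mounted by the host at will.
        [ "$jailed" = "on" ] || printf 'NOT-JAILED %s\n' "$name"
        # A mounted jailed dataset is reachable from the host for as long as
        # the jail that owns it is running (the point of the post).
        [ "$mounted" != "yes" ] || printf 'VISIBLE-ON-HOST %s\n' "$name"
    done
}

# Constructed sample listing: the parent, two delegated children (one
# mounted, one not), one hypothetical child that was never delegated, and
# one dataset outside the tree that must be ignored.
SAMPLE="$(printf 'zroot/jailed\toff\tno\toff\nzroot/jailed/www\ton\tyes\ton\nzroot/jailed/mu\ton\tno\ton\nzroot/jailed/stray\ton\tyes\toff\nzroot/other\ton\tyes\toff\n')"

# run_sample: audit the constructed listing and print the findings.
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_jailed_tree zroot/jailed
}

run_sample
```

On a real host, replace the constructed sample with `zfs list -H -o name,canmount,mounted,jailed -r zroot/jailed | audit_jailed_tree zroot/jailed`; a VISIBLE-ON-HOST line is expected for every running jail and is informational, while PARENT-MOUNTABLE and NOT-JAILED indicate a dataset that does not match the intended layout.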