From: Peter Toth
To: Marcin Michta
Cc: freebsd-jail@freebsd.org
Date: Mon, 14 Jul 2014 11:02:35 +1200
Subject: Re: Re: Jail vnet features
On Mon, Jul 14, 2014 at 4:30 AM, Marcin Michta wrote:

> >wishmaster wrote:
> >>
> >> --- Original message ---
> >> From: "Fbsd8"
> >> Date: 11 July 2014, 16:49:08
> >>
> >>> Marcin Michta wrote:
> >>>> Hello,
> >>>>
> >>>> I want to ask what the advantages and disadvantages of using VNET are?
> >>>>
> >>>> I know that it allows each jail to have a private networking stack,
> >>>> but what else?
> >>>>
> >>>> Regards
> >>>> Marthin
> >>>>
> >>> It's experimental, it has many bugs posted in the PR system, loses memory
> >>> every time a vnet jail is stopped, firewalls in vnet jails don't work;
> >>> other than these show stoppers, use at your own risk.
> >>
> >> Hey, man. Stop panicking!
> >>
> >> Firewall works very well. The memory leak on shutdown is not a very big
> >> problem.
> >> The main advantage for me is: I am able to filter and prioritize traffic
> >> coming through the base system. My vnet'ed jails are like regular LAN
> >> clients and they share the INET pipe with appropriate weight. I use ipfw.
> >
> >Oh ya, host panic on boot is another common happening with vimage and
> >firewall ipf and pf trying to run inside of a vnet jail and on the host at
> >the same time.
> >
> >Many people DO consider any kind of memory leak in kernel software such
> >as vimage a really big show stopper for not using it in a production
> >system.
> >
> >If you read the previous post a little bit closer you will see it's
> >talking about a firewall running inside of a vnet/vimage jail. It doesn't
> >say anything about running a host firewall directing traffic to an IP
> >number assigned to a vnet jail.
> >
> >Here is a list of some of the vnet outstanding PR's
> >
> >143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
> >176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468
> >
> >vnet/vimage is experimental and should never be used in a production
> >system and be exposed to the public network. It is not a secure software
> >configuration. Sure you can disregard all warnings and common sense and
> >risk your host system, that's your choice.
>
> I didn't know about these problems.
> I'll check these PRs.
> Thanks for the help to you all :)
>
> Regards
> Marthin

The majority of those PR's were raised for 8.x and 9.x and, on top of that, not even for production releases but RC, BETA and PRERELEASE. Some of those were resolved already and some are completely irrelevant. The vast majority refer to PF inside a jail, which is a known issue anyway (just avoid it). You can run IPFW inside a jail, however, and PF on the host itself, all at the same time, given that you use 10-RELEASE (preferably amd64).

If you want to test drive VNET, here are a few hints to avoid problems:

1. Don't try to enable PF inside the jail
2. Only add wired and epair interfaces into a bridge - avoid wireless (might trigger a crash)
3. Don't use ALTQ - as far as I know ALTQ is not supported with VNET anyway yet
4. Use the GENERIC kernel configuration and just add options "VIMAGE"

And just for amusement, two of those completely irrelevant PR's listed previously, not even VNET related:

188010 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188010 (ACPI, and BTW Status: Issue Resolved FIXED)
176929 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=176929 (gnome-speech, and Issue Resolved FIXED)

Not going to dissect the other remaining PR's - as I mentioned above, mostly outdated except the ones related to PF inside a jail and a memory leak, which is not a showstopper and can be avoided.

Also, on another note, I constantly bump into alarmist and misinformation emails related to VNET by a certain individual, telling folks off and actively deterring them from even trying to test drive VNET jails. This is not doing any favor to the community - VNET is one of the exciting features (like Crossbow in Illumos) people want to see mature. Actively deterring these efforts is definitely not going to help and has a very negative impact!

As for the advantages, a VNET enabled jail will provide much better isolation (own network stack) and control than a shared IP based jail setup, where the local traffic might be exposed across jails. Also, VNET allows per jail IPFW firewall rules independent from the host's IPFW. With VNET you can build and simulate complex network setups; I believe this was one of the main drives to create VIMAGE/VNET.

Peter
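As an added example, not part of the thread or of anyone's posted configuration, here is a jail.conf(5) entry that follows Peter's four hints and gives the jail its own IPFW ruleset. It assumes a GENERIC kernel rebuilt with options VIMAGE, ipfw.ko loaded on the host, a host bridge bridge0 that already has the wired NIC em0 as a member (set up in the host's rc.conf), a jail root at /usr/jails/vjail1, and constructed addresses from the 192.0.2.0/24 documentation range; the jail and interface names are made up.

```conf
# Added example, not from the thread. Assumes: GENERIC kernel + "options VIMAGE",
# ipfw.ko loaded on the host (the module is VNET-aware, every vnet gets its own
# rules), bridge0 already created on the host with the wired NIC em0 as member
# (rc.conf: cloned_interfaces="bridge0", ifconfig_bridge0="addm em0 up"),
# jail root at /usr/jails/vjail1. Names and 192.0.2.0/24 addresses are made up.
# PF, if used, stays on the host and is never loaded in the jail (hint 1),
# bridge0 has no wireless member (hint 2), ALTQ is not used anywhere (hint 3).

vjail1 {
    path = "/usr/jails/vjail1";
    host.hostname = "vjail1.example.internal";
    mount.devfs;

    # Own network stack; the b-side of the epair is moved into the jail on
    # creation and handed back to the host when the jail is removed.
    vnet;
    vnet.interface = "epair0b";

    # Host side: create the epair and plug its a-side into the bridge that
    # already carries the wired interface.
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    exec.prestart += "ifconfig epair0a up";

    # Jail side: address the interface, then load a ruleset for the jail's own
    # IPFW instance, independent of whatever the host's IPFW or PF does.
    exec.start  = "ifconfig epair0b inet 192.0.2.10/24 up";
    exec.start += "route add default 192.0.2.1";
    exec.start += "ipfw -q -f flush";
    exec.start += "ipfw add 100 allow ip from any to any via lo0";
    exec.start += "ipfw add 200 check-state";
    exec.start += "ipfw add 300 allow ip from me to any out keep-state";
    exec.start += "ipfw add 400 allow tcp from any to me 22 in setup keep-state";
    exec.start += "ipfw add 65000 deny log ip from any to any";
    exec.start += "/bin/sh /etc/rc";

    exec.stop = "/bin/sh /etc/rc.shutdown";

    # Host side again: remove the a-side from the bridge and destroy the pair
    # (destroying one side of an epair destroys both).
    exec.poststop  = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";
}
```

Because the jail's IPFW instance is separate, `ipfw list` run inside the jail shows only these rules while the host's ruleset is untouched, which is the isolation Peter describes.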