Date: Sun, 2 Jun 2019 10:54:24 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: to jail or not to jail
Message-ID: <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org>
In-Reply-To: <CAPORhP4pbfCC96PXOeErJgswX_2dh+mXcBb1TrH6F0f5oN-wDw@mail.gmail.com>
References: <CAPORhP4pbfCC96PXOeErJgswX_2dh+mXcBb1TrH6F0f5oN-wDw@mail.gmail.com>
On 02/06/2019 01:30, David Mehler wrote:
> Hello,
>
> I've got a newly installed FreeBSD 12 VPS. It's going to be running a
> web server/PHP hosting multiple sites, with letsencrypt TLS
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt TLS certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is if I should jail off these services. I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/PHP in another
> jail, and the email server in a third jail? If I do this how would I
> get the TLS certificates in to each jail? I'm looking for the maximum
> automation.

I too run a mail system with much the same components as you describe.
Well, postgresql rather than mysql, but otherwise pretty much the same.
And similarly I've split everything out into jails. It's more
complicated to set up, but actually running things where you have a set
of nice simple jails with one specific service in each makes things
easier to cope with day-to-day. It's docker-esque, if that's something
that interests you.
I split things up as:

  - SMTP server (postfix)
  - IMAP server (dovecot)
  - SPAM filter (rspamd)
  - Database (postgresql)

except that the database is still running in the host system for
historical reasons and a dearth of round tuits.

I hook various functions (DKIM, DMARC, rspamd) into postgresql using
milters, and I considered jailing off each milter separately, but
ultimately ended up just running all the milter processes in the same
jail as postfix.

In terms of running PHP based web-apps, I'd dedicate a separate jail to
each application running under php-fpm, and then have a single frontend
running nginx to act as a reverse proxy / TLS endpoint / Layer-7 traffic
router.

For letsencrypt purposes, I use a DNS-01 challenge because that seemed
to make the most sense given I wasn't going to deploy most certs on web
servers. Then I just wrote a custom deploy hook script to copy certs
into the jail filesystems and restart servers.

Although I've created at least a separate ZFS for each jail, I haven't
gone down the route of using 'zfs jail ...' to hide them from the main
host system, as it makes copying things into jails from the host that
much easier.

I'd also think about using vimage jails on 12.0, as that makes the jails
seem a lot more like just regular VMs, and gives you the ability to
effectively create a private virtual switch inside your server, rather
than having services appear on external interfaces. Beware though that
there are currently some quite severe bandwidth limitations on this sort
of internally virtualized networking under FreeBSD, so this is not
suitable for a high-traffic system.
Cheers,

Matthew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9783db6e-959e-b177-89d5-84af47fd5c3f>
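The "custom deploy hook script" Matthew mentions is the piece most people end up writing themselves, so here is an added example of one (this is not Matthew's script and not anything shipped with FreeBSD or any ACME client). It assumes the ACME client leaves fullchain.pem and privkey.pem in a directory named by CERT_SRC, that jail roots live under JAIL_ROOT on the host (no 'zfs jail', so the host can write into them, as in the message), and that each jail runs an rc service that can be restarted with jexec; the jail names, destination directory and service names in JAIL_TARGETS are placeholders. The key is written with a restrictive umask and renamed into place so a process inside the jail never observes a half-written or briefly world-readable key, and DRY_RUN=1 prints the restart commands instead of running them, which is also how the script can be exercised on a box with no jails.

```shell
#!/bin/sh
# Added example: Let's Encrypt deploy hook that copies a renewed cert into
# several jails and restarts the service in each. All paths and names below
# are assumptions for illustration, not values from the original message.
set -eu

# Where the ACME client leaves the renewed certificate (assumed layout).
CERT_SRC="${CERT_SRC:-/usr/local/etc/letsencrypt/live/example.org}"

# Jail roots as seen from the host (assumed; no 'zfs jail' hiding them).
JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"

# DRY_RUN=1 prints the restart commands instead of executing jexec.
DRY_RUN="${DRY_RUN:-0}"

# One line per jail: "<jail name> <directory inside the jail> <rc service>".
# Names are placeholders; adjust to the real jail and service names.
JAIL_TARGETS="${JAIL_TARGETS:-smtp /usr/local/etc/ssl postfix
imap /usr/local/etc/ssl dovecot
web /usr/local/etc/ssl nginx}"

# install_cert <jail> <dir inside jail>
# Copies fullchain.pem (0644) and privkey.pem (0600) into the jail's
# filesystem atomically: write with umask 077, fix modes, then rename.
install_cert() {
    jail=$1; dest=$2
    target="$JAIL_ROOT/$jail$dest"
    mkdir -p "$target"
    (
        umask 077
        cp "$CERT_SRC/fullchain.pem" "$target/.fullchain.pem.new"
        cp "$CERT_SRC/privkey.pem" "$target/.privkey.pem.new"
    )
    chmod 0644 "$target/.fullchain.pem.new"
    chmod 0600 "$target/.privkey.pem.new"
    mv "$target/.fullchain.pem.new" "$target/fullchain.pem"
    mv "$target/.privkey.pem.new" "$target/privkey.pem"
}

# restart_in_jail <jail> <service>
# Restarts the rc service inside the jail via jexec (or prints the command
# when DRY_RUN=1, so the hook can be tested where no jails exist).
restart_in_jail() {
    jail=$1; svc=$2
    if [ "$DRY_RUN" = 1 ]; then
        echo "jexec $jail service $svc restart"
    else
        jexec "$jail" service "$svc" restart
    fi
}

# deploy_all
# Walks JAIL_TARGETS, installing the cert and restarting each service.
deploy_all() {
    printf '%s\n' "$JAIL_TARGETS" | while read -r jail dir svc; do
        [ -n "$jail" ] || continue
        install_cert "$jail" "$dir"
        restart_in_jail "$jail" "$svc"
    done
}

# Run the deployment only when explicitly asked, e.g. from the ACME
# client's deploy hook: DEPLOY_HOOK_RUN=1 sh deploy-hook.sh
if [ "${DEPLOY_HOOK_RUN:-0}" = 1 ]; then
    deploy_all
fi
```

Because the script runs on the host as root, keep the list of target jails and directories in the script (or a root-owned config file) rather than taking them from the ACME client's environment, and avoid following symlinks that a jail could plant under its cert directory; the rename-into-place approach above only ever creates regular files in a directory the host controls.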