From owner-freebsd-questions@FreeBSD.ORG Sun Jan 17 03:40:38 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4B6FD106566B for ; Sun, 17 Jan 2010 03:40:38 +0000 (UTC) (envelope-from fbsdq@peterk.org) Received: from poshta.pknet.net (poshta.pknet.net [216.241.167.213]) by mx1.freebsd.org (Postfix) with ESMTP id C44218FC14 for ; Sun, 17 Jan 2010 03:40:37 +0000 (UTC) Received: (qmail 27959 invoked by uid 89); 17 Jan 2010 03:40:28 -0000 Received: from poshta.pknet.net (HELO pop.pknet.net) (216.241.167.213) by poshta.pknet.net with SMTP; 17 Jan 2010 03:40:28 -0000 Received: from 216.241.167.212 (SquirrelMail authenticated user fbsdq@peterk.org) by pop.pknet.net with HTTP; Sat, 16 Jan 2010 20:40:28 -0700 Message-ID: <6b6c48a6d28df6c12f2319c0ea85d2ba.squirrel@pop.pknet.net> In-Reply-To: <4B525827.1090309@strauser.com> References: <4B525827.1090309@strauser.com> Date: Sat, 16 Jan 2010 20:40:28 -0700 From: "Peter" To: "Kirk Strauser" User-Agent: SquirrelMail/1.4.20-RC2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-questions@freebsd.org Subject: Re: To jail, or not to jail? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 Jan 2010 03:40:38 -0000 > I've been having fun playing with jails on my home server. There's one > for databases, one for a webserver, another for using as a play shell > server, etc. We use jails heavily at work for encapsulating services, > and I can make a pretty good argument there for doing so. In general, > though, do you see jails as particularly important or useful when not in > a hosting environment where you're giving root access to an untrusted > party? How far do you go toward segregating services? Theoretically, you > could have a jail per daemon, but it seems like down that path lies > madness. > -- > Kirk Strauser For home machine, I don't use any jails. All services run on host system. Not in a "hosting" environment with zero "untrusted" users, I still use 'jail'. I can always build 'newjail' duplicate services on it, test, and very quick switch from 'oldjail' to 'newjail' when all tests come back clean. Gives me a lot more room to play around/break things without effecting running services. Try not to have any services on the host system to keep it completely clean, easy upgrade as I can wipe the OS out [or move HD to new server], reinstall, mount the jails/zfs and have a running system in minutes. ]Peter[