Date:      Wed, 1 Jun 2016 19:22:41 +0000 (UTC)
From:      Sebastián Maruca <juanperiz@yahoo.com.ar>
To:        Roger Marquis <marquis@roble.com>,  "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject:   Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Message-ID:  <140851342.3380283.1464808961455.JavaMail.yahoo@mail.yahoo.com>
References:  <140851342.3380283.1464808961455.JavaMail.yahoo.ref@mail.yahoo.com>

Well... The spirit of this post inspires me the good way!
Now we're talking about 10.3-HEAD with Jails+vnet... but then again, has anyone tried it? Roger, it seems you are thumbing up my challenge...
But I guess I'll have to stick with netgraph instead of epair/if_bridge because the latter is not so documented as the first one...
Best regards, again...



      From: Roger Marquis <marquis@roble.com>
 To: freebsd-jail@freebsd.org
 Sent: Wednesday, 1 June 2016 13:07:33
 Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?

Ernie Luzar wrote:
> the kernel to include vimage. Enabling pf or ipf firewalls causes the
> host to crash. ipfw firewall does not cause a crash but has next to no
> real life usage on vimage.

Considering we have had ipfw/vimage/netgraph jails for several years I'd
be interested in your data sources.

> When stopping vimage jails there is a problem with memory loss.

Have you tested this, on a recent release?

> You need a high proficiency in coding netgraph which
> is used to tie the hosts network to each vimage jail.

This certainly used to be true and IMO has been a significant barrier to
netgraph usage but the scripts in head/share/examples/jails/ are
at least helpful.

> Needs a public network with multiple static IP addresses & registered domain
> names even to test it.

How are you implementing vimage that needs a registered domain name?

> There are a few write ups about how to configure vnet/vimage jails, but
> they're out of date, i.e. 8.x & 9.x releases which are at EOL [end of life,
> unsupported].

Vimage gets little attention.  Unfortunately the mapping of non-vimage
localhost interfaces to the primary external interface isn't noted
nearly enough either.  These are weaknesses in bsd jails, the latter a
non-trivial security issue on many non-vimage systems considering
daemons like sendmail are installed and listening on "localhost" by
default.

> Going down this road will make the shop totally dependent on you and your
> ability. A mega size pay bump is in your future. The shop will be fubar-ed
> if you die or get hurt requiring a hospital stay and long recovery.

Potentially true of any Unix or Linux application in my experience.
Have you tried vimage with epair/if_bridge instead of netgraph?  It's
considerably simpler though the documentation is almost as conflicting
and insufficient.

Roger
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"


  
Date:      Wed, 01 Jun 2016 17:34:52 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Roger Marquis <marquis@roble.com>
CC:        freebsd-jail@freebsd.org
Subject:   Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Message-ID:  <574F54FC.3040203@gmail.com>
In-Reply-To: <574f0851.ca0b620a.c7073.5becSMTPIN_ADDED_MISSING@mx.google.com>

Roger Marquis wrote:
> Ernie Luzar wrote:
>> the kernel to include vimage. Enabling pf or ipf firewalls causes the
>> host to crash. ipfw firewall does not cause a crash but has next to no
>> real life usage on vimage.
> 
> Considering we have had ipfw/vimage/netgraph jails for several years I'd
> be interested in your data sources.

The source is personal experience. Tested 9.3 & 10.0 with ipfw running 
in vnet/vimage jails. At that time ipfw was logging to the host and not 
to the vimage jail. Definitely a security violation.

You know I give you a lot of credit for risking things on vnet/vimage 
jails in your shop. Most management just wouldn't take that risk.

> 
>> When stopping vimage jails there is a problem with memory loss.
> 
> Have you tested this, on a recent release?

No, why would I, when the release notes didn't say anything about vimage 
changes or pf/ipf firewalls becoming vimage aware.

> 
>> You need a high proficiency in coding netgraph which
>> is used to tie the hosts network to each vimage jail.
> 
> This certainly used to be true and IMO has been a significant barrier to
> netgraph usage but the scripts in head/share/examples/jails/ are
> at least helpful.
> 

I checked out those examples. Hardly any comments about what is 
happening or why they're being done. All they are is a starting point to 
experiment with trial-and-error testing.

>> Needs a public network with multiple static IP addresses & registered 
>> domain names even to test it.
> 
> How are you implementing vimage that needs a registered domain name?
> 

Maybe the real question is how do you drive unsolicited public traffic 
to your vnet/vimage jail without them. The real point here is, are you 
talking about a production config or some home playground? There is no 
need for a vnet/vimage jail setup just for some server on the LAN 
restricted to local usage only. The power of vnet/vimage comes to shine 
when used by an ISP or hosting company. There you have customers with 
static IP addresses and domain names. They have what looks like a real 
FreeBSD system to use when in reality it's just one jail of many.


>> There are a few write ups about how to configure vnet/vimage jails, but
>> they're out of date, i.e. 8.x & 9.x releases which are at EOL [end of life,
>> unsupported].
> 
> Vimage gets little attention.  Unfortunately the mapping of non-vimage
> localhost interfaces to the primary external interface isn't noted 
> nearly enough either.  These are weaknesses in bsd jails, the latter a
> non-trivial security issue on many non-vimage systems considering
> daemons like sendmail are installed and listening on "localhost" by
> default.
> 

After learning the usage of the jail(8) command doing testing the manual 
way, I found it to be so tedious keeping all the many different jail 
config options and command formats in my head, mistakes were common. 
qjail changed all that. It's so user-friendly. In qjail sendmail is 
disabled by default and the cron status reports run faster because all 
the sendmail status checks are turned off.

I disagree with you about the security issue of using localhost. Running 
sendmail in a non-vimage jail using its default config listening on 
localhost is still contained in the jail. Localhost is internally 
converted to the jail's assigned IP address by jail(8). Why do you think 
this is a non-trivial security issue?

>> Going down this road will make the shop totally dependent on you and your
>> ability. A mega size pay bump is in your future. The shop will be 
>> fubar-ed
>> if you die or get hurt requiring a hospital stay and long recovery.
> 
> Potentially true of any Unix or Linux application in my experience.
> Have you tried vimage with epair/if_bridge instead of netgraph?  It's
> considerably simpler though the documentation is almost as conflicting
> and insufficient.
> 

Yes, epair/if_bridge is way simpler, but far less flexible when you want 
to re-point your public network IP address to different jails as 
circumstances change. Yep, netgraph documentation sucks big time.

My time for playing around is very limited. I'll wait for 11.0 to be 
published and see what the "release notes" say about vimage and the 
firewalls becoming vimage aware. Also will be checking the closed bugs 
for vimage to see what has been fixed. Then I will make up my mind about 
giving vimage another ride. But qjail will be the tool I use to perform 
the test ride.

http://freshbsd.org/search?branch=HEAD&project=freebsd&q=vimage+OR+vnet

shows 286 commits for vnet/vimage. This worries me that there has not 
been a call for vnet/vimage testers of -current. Just have to wait and 
see what happens. Maybe letting other vnet/vimage users lead the way 
with what is a bleeding edge version of vimage is the conservative way 
to approach this. I just think about zfs and how many releases 
containing zfs bug fixes before it became reliable. It's been many years 
and FreeBSD releases since vimage first became available as a kernel 
compile option. There is no way to know if vimage development will 
continue or even if bugs will be addressed. Vimage is not enjoying paid 
support.

I do hope vnet/vimage has finally come of age and is reliable for 
production like the non-vimage jails have become.
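The localhost question argued back and forth in this thread (Roger's point that a non-vimage jail maps "localhost" onto the external interface, and Ernie's reply that jail(8) converts it to the jail's assigned address) is something an operator can check from the host rather than debate. The script below is an added example; it is not code from either poster, from qjail or from FreeBSD. It parses sockstat(1)-style output and labels each listener by what it is really bound to. The jail address 192.0.2.10, the daemon names, PIDs and file descriptors in the sample are constructed; `jls -h jid ip4.addr` and `sockstat -4 -l -j <jid>` are the real FreeBSD commands the wrapper would run on a host that has jails.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. It checks the point
# discussed above: in a non-VNET jail, jail(8) rewrites 127.0.0.1 to the jail's
# first IPv4 address, so a daemon configured to listen on "localhost" is really
# bound to the jail IP and is reachable from the network unless the host
# firewall stops it. In a VNET jail the jail has its own lo0, so a loopback-only
# daemon really does show up on 127.0.0.1.

# Read `sockstat -4 -l` style output on stdin and label each listener:
#   exposed  - bound to the jail address ($1) or the wildcard
#   loopback - bound to a real 127.x address (only possible with VNET)
#   other    - anything else
# Output: "STATUS PROTO HOST:PORT COMMAND", one line per socket.
audit_jail_listeners() {
    awk -v ip="$1" '
        $1 == "USER" { next }                 # skip the column header
        {
            n = split($6, a, ":")             # LOCAL ADDRESS is host:port
            host = a[1]; port = a[n]
            if (host == ip || host == "*")
                status = "exposed"
            else if (host ~ /^127\./)
                status = "loopback"
            else
                status = "other"
            printf "%s %s %s:%s %s\n", status, $5, host, port, $2
        }'
}

# Constructed sample shaped like `sockstat -4 -l -j <jid>` run on the host for a
# jail whose ip4.addr is 192.0.2.10 (documentation range; not from the thread).
# The php-fpm line is what a VNET jail with its own lo0 would show.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   192.0.2.10:25         *:*
root     sshd       1200  3  tcp4   192.0.2.10:22         *:*
root     syslogd    1100  5  udp4   *:514                 *:*
www      php-fpm    1300  6  tcp4   127.0.0.1:9000        *:*'

# Number of exposed listeners in the sample (sendmail, sshd, syslogd = 3).
count_exposed_in_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_jail_listeners 192.0.2.10 | grep -c '^exposed '
}

# On a FreeBSD host, walk every jail with jls(8) and audit its sockets. The
# fallback keeps the script runnable on a machine without jails.
audit_all_jails() {
    if ! command -v jls >/dev/null 2>&1; then
        echo "jls(8) not found; auditing the constructed sample instead"
        printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_jail_listeners 192.0.2.10
        return 0
    fi
    # -h prints one header line; ip4.addr may be a comma-separated list, and
    # the first entry is the one 127.0.0.1 is rewritten to.
    jls -h jid ip4.addr | awk 'NR > 1' | while read -r jid ip; do
        ip=${ip%%,*}
        echo "jail $jid ($ip):"
        sockstat -4 -l -j "$jid" | audit_jail_listeners "$ip"
    done
}

audit_all_jails
```

The parser is plain awk, so it can also be run over sockstat output saved from a jail host. Every "exposed" line is a service that a sysadmin may believe is loopback-only but that the network sees on the jail's address; whether it is actually reachable is then a question for the host firewall, which is the rule set to review alongside this list.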



