Date:      Mon, 29 Jul 2013 23:50:55 +0300
From:      wishmaster <artemrts@ukr.net>
To:        Ollivier Robert <roberto@keltia.net>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: jail design
Message-ID:  <1375129684.51112329.bbke8h7m@zebra-x17.ukr.net>
In-Reply-To: <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>
References:  <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>



 --- Original message ---
From: "Ollivier Robert" <roberto@keltia.net>
Date: 29 July 2013, 16:44:11

 
> Hello,
> 
> I have a new server I'm going to run all my services on (www, smtp/imap, and so on).  Running 9.2-BETA1, full ZFS-on-root.
> 
> What are the best practices about jails, knowing that:
> - I have only one IPv4
> - I have a full /48 IPv6 to play with
> 
> I've looked at ezjail which is doing most of what I need but it does not support ip4/ip6=inherit parameters (and no jail.conf support either) so my networking setup is more complicated. All the other packages like qjail have only limited ZFS support.

  ezjail is a good tool, but not suitable for vnet, so from my experience:
 - I use a slightly patched ezjail to create the jail environment, update it and so on. Also I have made 'newjail' suitable for login and network and have populated it with base packages like mc, perl and so on.
 - I use jail2 from ports as the startup script, which reads its configs from jail.conf, not from rc.conf
 - I use vnet jails which communicate with the world and each other via epair interfaces
 - as firewall - ipfw, disabled in each jail, but filtering on each epair*a interface.  ipfw is configured with a per-interface acl.

> Do I need to setup pf to redirect all traffic in/out for specific ports to my jails? Or do I try to shoehorn "inherit" into ezjail?  Is inherit easier to deal with?  What are the security implications?
> 
> I need something as easy as ezjail or a way to tweak it, with
> - one jail for smtp/imap
> - one for www stuff, ideally one jail per hosted domain (using nginx)
  Use nginx in a separate jail with virtual hosts. Why do you need vhost/jail?
> 
> I'm a jail newbie, in case you haven't found it already :)
> 
> Thanks,
> 
> -- 
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.net
> In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
> 
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
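The vnet/epair/ipfw layout described in the reply above, written out as an added jail.conf entry that is not from the thread: the jail name, paths and 10.0.0.0/24 addresses are made up, and the routing or NAT that carries packets between the single public IPv4 and the host-side epair is not shown.

```conf
# Added example, not from the thread: one vnet jail following the design
# described above (epair pair, host-side ipfw ACL bound to epair0a).
# Names and addresses are made up; adjust to taste.
www {
    host.hostname = "www.example.net";
    path = "/usr/jails/www";
    mount.devfs;
    devfs_ruleset = 4;

    # The jail gets its own network stack and the "b" end of the epair.
    vnet;
    vnet.interface = "epair0b";

    # Host side, before the jail starts: create the pair, address the
    # "a" end, and install this jail's per-interface ACL (rules 1000-1009;
    # give every other jail its own block of rule numbers).
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.1/24 up";
    # Traffic towards the jail ("out xmit epair0a"): only http/https.
    exec.prestart += "ipfw -q add 1000 allow tcp from any to 10.0.0.2 dst-port 80,443 out xmit epair0a";
    # Traffic from the jail ("in recv epair0a"): replies on those
    # connections plus DNS to the host's resolver; nothing else, so the
    # jail cannot open outbound connections unless a rule is added here.
    exec.prestart += "ipfw -q add 1001 allow tcp from 10.0.0.2 to any in recv epair0a established";
    exec.prestart += "ipfw -q add 1002 allow udp from 10.0.0.2 to 10.0.0.1 dst-port 53 in recv epair0a";
    exec.prestart += "ipfw -q add 1003 allow udp from 10.0.0.1 to 10.0.0.2 src-port 53 out xmit epair0a";
    # Everything else on this interface is dropped and logged; "via epair0a"
    # keeps the deny from touching traffic on the host's other interfaces.
    exec.prestart += "ipfw -q add 1009 deny log ip from any to any via epair0a";

    # Inside the jail: its rc.conf sets ifconfig_epair0b="inet 10.0.0.2/24"
    # and defaultrouter="10.0.0.1". The jail's own ipfw instance stays
    # unused, as in the setup described above.
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Host side, after the jail stops: drop the ACL and the pair.
    exec.poststop  = "ipfw -q delete 1000 1001 1002 1003 1009";
    exec.poststop += "ifconfig epair0a destroy";
}
```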


