Date:      Tue, 9 May 2006 17:22:30 +0200
From:      "Philippe Lang" <philippe.lang@attiksystem.ch>
To:        "Jahilliya" <jahilliya@gmail.com>, "Michael Grant" <mg-fbsd3@grant.org>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: jails or chroot?
Message-ID:  <6C0CF58A187DA5479245E0830AF84F421D0CAA@poweredge.attiksystem.ch>

Hi,

Sure, jails require more work regarding administration. Ports are not the
biggest problem I think, it's the easy part. The problem is when you have to
update the world. But even here, with a good script, it's not such a
nightmare.

Maybe all you need is Michael's solution. But take into account that with
jails, you have great flexibility regarding the application you install
for a particular client. And all the security that a jail system can offer,
plus a fantastic way of managing your backups.

I personally run a jail-based VPS server, based on FreeBSD 6.0, with 13
jails at the moment. It's a dual Xeon, with 4 GB RAM, and RAID 5 SCSI HDs. I
have 355 MB RAM active, 1525 inactive and 1679 MB RAM are free. I intend to
run a maximum of 50 jails on this server. And until now, nothing seems to
oppose my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a
clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang


-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant <mg-fbsd3@grant.org> wrote:
>
> I host a bunch of websites on my box.  Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot.  I have
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients?  Using
> apache and their "mass virtual hosting", 100 domains is a breeze.  But
> with a jail or chroot, I need a separate apache process for each
> domain.  This is going to mean hundreds of apache processes.  This
> seems unreasonable.


Agreed that creating hundreds of chroots or jails would be an administrative
nightmare. File access can be solved with suexec (compile apache with suexec
enabled), this means that for each virtual host entry in your apache config
you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html
or your apache version doc set). This will make each apache process run as
the user specified in virtual host entry (not www) allowing you to restrict
their access to files with filesystem ACLs and even ugidfw, you could also
then set up process/memory restrictions in /etc/login.conf.

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6C0CF58A187DA5479245E0830AF84F421D0CAA>
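
The per-client suexec setup discussed in the thread, as an added example that is not part of the original messages. It assumes Apache 2.2 (the version of the linked documentation) built with suexec, where the per-vhost directive is SuexecUserGroup; the host names, paths and the accounts client1/client2 are placeholders. suexec only applies to CGI and SSI programs, so PHP has to run as CGI for it to take effect.

```apache
# Constructed example; client1/client2, host names and paths are placeholders.

# Before: mass virtual hosting. One block serves every domain and every
# script runs as the server's own user (www), so a script belonging to one
# client can read the files of every other client.
#
# <VirtualHost *:80>
#     VirtualDocumentRoot /usr/local/www/vhosts/%0/htdocs
# </VirtualHost>

# After: one vhost per client. CGI and SSI programs are started through the
# suexec wrapper under the client's own uid/gid instead of www.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName client1.example.com
    DocumentRoot /usr/local/www/vhosts/client1/htdocs
    SuexecUserGroup client1 client1
    ScriptAlias /cgi-bin/ /usr/local/www/vhosts/client1/cgi-bin/
</VirtualHost>

<VirtualHost *:80>
    ServerName client2.example.com
    DocumentRoot /usr/local/www/vhosts/client2/htdocs
    SuexecUserGroup client2 client2
    ScriptAlias /cgi-bin/ /usr/local/www/vhosts/client2/cgi-bin/
</VirtualHost>

# suexec refuses to run a program unless all of these hold:
#   - the program lies under the document root compiled into suexec
#   - the program and its directory are owned by the SuexecUserGroup user
#   - neither is writable by group or others
# With ownership per client, filesystem permissions and ACLs can then keep
# client1's scripts out of client2's tree.
```

The server still runs as a single set of processes, so static files are read as www; only the programs launched through suexec change identity.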