From: "Philippe Lang"
To: "Jahilliya", "Michael Grant"
Cc: freebsd-questions@freebsd.org
Date: Tue, 9 May 2006 17:22:30 +0200
Subject: RE: jails or chroot?
Message-ID: <6C0CF58A187DA5479245E0830AF84F421D0CAA@poweredge.attiksystem.ch>

Hi,

Sure, jails require more work regarding administration.
Ports are not the biggest problem I think, it's the easy part. The problem is when you have to update the world. But even here, with a good script, it's not such a nightmare.

Maybe all you need is Michael's solution. But take into account that with jails, you have a great flexibility regarding the application you install for a particular client. And all the security that a jail system can offer, plus a fantastic way of managing your backups.

I personally run a jail-based VPS server, based on FreeBSD 6.0, with 13 jails at the moment. It's a dual Xeon, with 4GB RAM, and RAID 5 SCSI HDs. I have 355 MB RAM active, 1525 inactive and 1679 MB RAM are free. I intend to run a maximum of 50 jails on this server. And until now, nothing seems to oppose my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On behalf of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant wrote:
>
> I host a bunch of websites on my box. Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot. I have
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients? Using
> apache and their "mass virtual hosting", 100 domains is a breeze. But
> with a jail or chroot, I need a separate apache process for each
> domain. This is going to mean hundreds of apache processes. This
> seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative nightmare.
File access can be solved with suexec (compile apache with suexec enabled), this means that for each virtual host entry in your apache config you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your apache version doc set). This will make each apache process run as the user specified in virtual host entry (not www) allowing you to restrict their access to files with filesystem ACLs and even ugidfw, you could also then set up process/memory restrictions in /etc/login.conf.

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
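
An added example, not part of the thread or of Apache's own documentation: a small shell/awk audit for the per-client suexec setup Jahilliya describes, listing virtual hosts that have no suexec identity or that share one with another client. It assumes Apache 2.x syntax, where the per-vhost identity is set with SuexecUserGroup and applies to CGI programs run through suexec; the function names, domains, users and paths are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit per-vhost suexec identities.
# Assumes Apache 2.x syntax, where SuexecUserGroup sets the CGI user/group.
# Reads httpd configuration on stdin; prints one line per <VirtualHost>:
#   OK <server> <user>      vhost has its own suexec user
#   SHARED <server> <user>  another vhost uses the same user
#   MISSING <server>        no SuexecUserGroup; CGI runs as the server user
audit_vhosts() {
    awk '
    $1 ~ /^#/ { next }                                  # skip comment lines
    tolower($1) ~ /^<virtualhost/ {                     # block opens
        in_vh = 1; name = "(unnamed)"; user = ""; next
    }
    in_vh && tolower($1) == "servername"      { name = $2 }
    in_vh && tolower($1) == "suexecusergroup" { user = $2 }
    in_vh && tolower($1) ~ /^<\/virtualhost/ {          # block closes
        n++; names[n] = name; users[n] = user
        if (user != "") seen[user]++
        in_vh = 0
    }
    END {
        for (i = 1; i <= n; i++) {
            if (users[i] == "")          print "MISSING", names[i]
            else if (seen[users[i]] > 1) print "SHARED", names[i], users[i]
            else                         print "OK", names[i], users[i]
        }
    }'
}

# Constructed sample input: hypothetical clients, domains and paths.
sample_config() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName client-a.example.com
    DocumentRoot /home/clienta/www
    SuexecUserGroup clienta clienta
</VirtualHost>
<VirtualHost *:80>
    ServerName client-b.example.com
    DocumentRoot /home/clientb/www
    # no suexec identity configured for this client
</VirtualHost>
<VirtualHost *:80>
    ServerName client-c.example.com
    DocumentRoot /home/clientc/www
    SuexecUserGroup clienta clienta
</VirtualHost>
EOF
}

sample_config | audit_vhosts
```

On a real host, feed it the configuration file instead of the sample, for example `audit_vhosts < httpd.conf`; files pulled in with Include have to be concatenated first.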