Laurent Alebarde wrote:
Hi all,

I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials, mainly:

* http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
* http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project

I have some questions, please:

1. Are they still up to date?
2. Does the jail rc script still have to be patched to be able to use pf
   instead of IPFW?
3. What are the best up-to-date links for tutorials to set up ZFS
   IPv4/IPv6 vnet jails?
4. Can it be put in production safely, or is it still considered
   experimental?

Cheers,


Laurent.


In my opinion vimage is a very long way from being production safe. The biggest show stopper is the loss of memory pages when a vnet jail is stopped. See the year-old PR http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/164763

Besides the memory loss problem, there is the problem of no support for SCTP.

So YES vimage is still experimental. Use at your own risk.

About vimage and firewalls: ipfw and pf in 9.1-RELEASE are vimage aware.
That means when you boot your host and the host's /etc/rc.conf file has ipfw_enable="YES" or pf_enable="YES" statements in it, the system will come up without a page fault or panic. This does not necessarily mean that you can get one of those firewalls started inside of a vnet jail.

Now that ipfilter has a maintainer, it should be vimage aware in 10.0-RELEASE when it is published for general public use.

The shortcoming of both of those links is getting the vnet jail access to the public internet.

Playing with vimage on 9.1 is a great learning experience, but stick with regular jails for your production world for the maximum jail security.

ZFS is a separate subject for vimage jails and normal jails. ZFS is a very large and complicated subject. You need to become experienced using ZFS on your host first before trying to combine ZFS with jails.
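An added example, not from the thread or either poster, of the host-side plumbing the reply says both tutorials leave out: giving a vnet jail a route to the public internet while pf stays on the host, where the reply says it is known to come up cleanly on 9.1. It assumes a 9.1 host kernel built with `options VIMAGE`, a jail described in jail.conf(5), an `em0` uplink, a `bridge0` on the host, and the private network 10.0.0.0/24; the interface names, jail name, paths and addresses are placeholders chosen for the example.

```conf
# /etc/rc.conf on the host (added example; em0, bridge0 and 10.0.0.0/24 are assumed)
pf_enable="YES"                 # host pf is vimage aware on 9.1, so this boots cleanly
gateway_enable="YES"            # the host forwards packets on behalf of the jail
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.0.0.1/24 up"

# /etc/jail.conf on the host: one vnet jail with its own epair, attached to bridge0
web {
    path = "/jails/web";
    host.hostname = "web.example.org";
    vnet;                                   # jail gets its own network stack
    vnet.interface = "epair0b";             # this end of the pair is moved into the jail
    exec.prestart  = "ifconfig epair0 create up; ifconfig bridge0 addm epair0a";
    exec.start     = "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair0a destroy";
    mount.devfs;
}

# /jails/web/etc/rc.conf inside the jail: its address and a default route via the host
ifconfig_epair0b="inet 10.0.0.2/24"
defaultrouter="10.0.0.1"

# /etc/pf.conf on the host: NAT the jail network out of the uplink.
# pf is deliberately left on the host; the reply above notes that
# starting pf inside a 9.1 vnet jail is not guaranteed to work.
ext_if   = "em0"
jail_net = "10.0.0.0/24"
nat on $ext_if from $jail_net to any -> ($ext_if)
pass quick on bridge0
pass quick on epair0a
```

With this in place, `jail -c web` on the host creates the epair, bridges the host end, hands `epair0b` to the jail's own stack, and the jail reaches the internet through the host's NAT; `jail -r web` tears the pair down again. The memory loss on jail stop that the reply points at is not addressed by any of this configuration, so the "use at your own risk" caveat still applies.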

_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"