Good afternoon everyone,
we are currently contemplating how to handle multi-tenant Jails best to allow 
ProjectFiFo to administer FreeBSD Jails along with Solaris Zones.

The hurdle we have run into is the following:

With vnet Jails the owner could change the IP, making it impractical for 
multi-tenancy.

With no-vnet Jails, all the jails would share the same network stack removing a 
layer of isolation and risking a noisy neighbour problem.

There are a few possible solutions it seems.

Allen suggested using the firewall to restrict the traffic from a vnet in the 
global zone (host system, not sure how BSD calls it). The top of mind issue 
with this is that it would block multicast.

An alternative Kevin came up with was putting a jail inside another jail, with 
the outer jail being a vimage jail and the inner jail using a static (non-vnet) 
IP. This would also mean later on beehive inside a jail would be easier as it 
could follow the same logic. On the other hand, I am a bit worried about 
unforeseen consequences of this approach. Also, I am not 100% positive whether 
the inner jail would use the vnet network stack for its IP and not the global 
one.

Thank you for your input.

Cheers,
Heinz

—
Heinz N. Gies
Project-FiFo
Cloud Orchestration
Web: project-fifo.net <https://project-fifo.net/>
Docs: Documentation <https://docs.project-fifo.net/en/latest/index.html>
Tickets: Ticket Tracker <https://project-fifo.atlassian.net/>
GPG: 452B6F98 <https://project-fifo.net/heinz.gpg>


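As an added illustration of the nested-jail layout discussed above (not configuration from the original post, from ProjectFiFo or from FreeBSD's own examples): two jail.conf fragments, one on the host for the operator-controlled vnet jail and one inside that jail for the tenant's non-vnet jail with a fixed address. Interface names, paths, hostnames and the 10.77.0.20 address are constructed. A jail created without `vnet` inherits the network stack of its parent, so the inner jail's `ip4.addr` is bound on epair0b inside the outer jail's vnet, not on the host's stack.

```conf
# --- /etc/jail.conf on the HOST (constructed example, operator-controlled) ---
# The outer jail owns a private vnet; the tenant never gets root in here.
outer {
    path = "/jails/outer";
    host.hostname = "outer.tenant.example";   # placeholder hostname
    vnet;
    vnet.interface = "epair0b";               # the b side is moved into the jail
    children.max = 1;                         # permit exactly one nested jail
    mount.devfs;
    exec.prestart = "ifconfig epair0 create up && ifconfig bridge0 addm epair0a up";
    exec.start    = "/bin/sh /etc/rc";
    exec.stop     = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair0a destroy";
}

# --- /etc/jail.conf INSIDE the outer jail (constructed example, tenant-facing) ---
# No "vnet" here: the inner jail inherits the outer jail's stack and is pinned
# to one address on epair0b; a non-vnet jail cannot add or change addresses.
inner {
    path = "/jails/inner";                    # relative to the outer jail's root
    host.hostname = "inner.tenant.example";
    interface = "epair0b";                    # jail(8) adds the alias on the vnet interface
    ip4.addr = 10.77.0.20;                    # constructed address, fixed by the operator
    mount.devfs;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

The inner jail is started with jail(8) from within the outer jail; processes in either jail only ever see the outer jail's vnet, so the host's interfaces and addresses stay out of reach of the tenant.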
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail