On Sep 26, 2006, at 7:40 AM, Don Munyak wrote:
I asked this question in a different way the other day (see thread
"Patches for jail support of multiple IP...") and received a good
answer on how to set up a single jail to support multiple IP
addresses (as our domains and sites currently use) and servers. I'm
in the process of doing this using nat and divert within the "host"
right now, because I'm trying to avoid having multiple copies of all
these programs running in multiple jails. I'm trying to model our
jail environment after our non-virtual current environment. I'm not
sure that is the best way. My answers are as a noob to FreeBSD jails
and just what I've found thus far, I hope it's not inaccurate. It
looks like one could do anything, yet if you are using jails for
security, "anything", such as sharing between jails or the host,
might compromise why you are putting in jails in the first place and
everything I'm doing is for security reasons or I'd forget jails.
I think I need to setup two jails, one(1) for email services and
one(1) for www services, on a single server.
Are the domains on separate IPs? If not, one jail suffices for all
rather easily. If they are on different IPs, you either need multiple
jails or will need to receive packets for all IPs on the "host"
environment and rewrite them to land on a single IP used by the jail.
Then use NamedVirtualHost in httpd.conf to separate them back out.
I'm currently only 3/4 of the way done because of the lack of
information on using natd in this way (it's normally used for private
IP space and there are no examples of this backward use).
q. If I am running a webserver for more than one(1) domain, should I
be using a single jail for each domain, or is one jail needed for
'ALL' www processing ?
There is a reason why you may want multiple jails for different
websites. One CGI vulnerability on one site risks the other sites. If
you have the memory on your server, separating the websites into
different jails reduces the risk of cross-site hacking. This is
extremely situational depending on who you have maintaining the
different websites and how careful they are in their configuration
and practices. If you control everything and know the code then
obviously you "trust the web developer ;-)" and a single jail will be
easier to manage.
Yes from a standpoint of loading, if you use multiple jails. You can
set it up such that the source and ports are shared by using
mount_nullfs, then after installation, drop the mount such that no
changes to the binaries can be made. But the actual execution is
separate (though for mysql it doesn't have to be, see below) and will
duplicate the memory footprint. Seemed wasteful to me so I'm opting
to funnel all IPs into one by the time it hits the jail and thus have
only a single jail. To explain what I observed, when I built the
jail, part of the process is to enter the jail, go (jailed-)root and
build the applications needed, like apache or mysql. If I were
running a copy of (for example) httpd within the jail and one within
the host (or a different jail), they would be two separate
installations and separate executing copies in memory. One could make
them the same installation but the links would be a nightmare plus
you increase the number accesses you make possible to the host
environment. This seems like nullifying some of the value of the
jail. From what I could see, there is no way obvious to share the in-
RAM executable nor would this be desirable. If I'm wrong, I hope
someone corrects me.
q. If I am using a jail for each domain, does this imply loading
apache+php+mysql, for each www jail ?
Same as previous question. But the method of putting mail into one IP
is far different. I don't have the application to do this because all
mail for all domains already comes into one IP. If I move our mail
server to this machine, it will have a separate jail because we
separate mail, dns and websites on different servers already and the
isolation seems prudent.
q. Likewise with email and multiple domains, does multiple domains =
multiple email jails, as well as multiple copies of smtp, pop3,
Yes if you use multiiple jails with discrete instances of mysql
server. You could set up a separate jail to run the mysql server and
service the mysql clients on the other jail(s), think... "separate
database backend as a separate jail on a different IP". If you setup
a single jail and put the server within that jail this would also
keep it down to one copy.
q. Email and WWW services both require MySQL. Would I be installing
MySQL 'x' number of times?
I am not familiar with ez-jail but found it a breeze to create jails
using man jail combined with other web how-tos. man jail is
inaccurate in how you install world and I would look to the other
resources on the web for more current information.
email@example.com mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"