Re: state of the art ?
zulu wrote:

> Maybe this is what you need http://sourceforge.net/projects/zjails/ , doesn't require any advanced ZFS or VNET knowledge (just a working ZFS pool and VIMAGE kernel). VNET is supported and there is a soft jail restart option which prevents the kern/164763: Memory leak in VNET issue from appearing. You can also run non-VNET ZFS jails - you can turn VNET on or off by simply executing zjail set vnet=off/on myjailname, then restarting the jail with zjail restart -c myjailname.
>
> On FreeBSD 9.1 amd64, pf inside a jail will cause an immediate kernel panic once you run pfctl in the jail - IPFW works as already stated by others. You can have pf enabled on the host, however, and have an IPFW firewall in the jails.
>
> Cheers, Peter

What exactly do you mean by ipfw will run in a vimage jail? Running an open ipfw rule set only proves that the ipfw program will run in a vimage jail. How about the simple or client types that need the outbound interface device name and use divert / nat?

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
Re: state of the art ?
Thanks very much zulu. It looks great, but there are very few downloads and, reading the README, it requires some patches. So I won't take the risk to put it in production. If I was an expert, I think I would give it a try, but I am not and I cannot.
Re: state of the art ?
Thank you Dave, I have posted some questions on the author's site. Can you manage thin jails with it? What about ZFS?
Re: state of the art ?
zulu zulu@... writes:

> No patches are mentioned in the README, there was a simple change required for /etc/rc.d/devfs on 9.0 which is not needed anymore with 9.1.

Thanks for the precision and update.

> VNET is not officially production ready, this is relative though, as some folks are already using it in production environments.

Nice to hear.

> To use ZFS and Jails (or even VNET) you will need to become an expert to some degree anyway :).

To some extent yes, with a compromise with productivity.

Thanks a lot.
Re: state of the art ?
On 04/25/2013 07:40 AM, zulu wrote:

> VNET is supported and there is a soft jail restart option which prevents the kern/164763: Memory leak in VNET issue from appearing.

This is a really interesting workaround!

Yes, ipfw has been vnet-capable for a long time and it works as well as the non-virtualized version. Well... except for dummynet, which isn't virtualized yet.

My point is, VIMAGE is really stable except for:

1) tearing down a vnet
2) running non-vnet-ready code (pf, dummynet, lagg, ipf etc.)

Number one is triggered by destroying a jail. Number two is usually triggered *immediately* after trying to use a non-vnet-ready driver. You can avoid these two, and if you avoid them it is perfectly stable... Also, I have to say that I like vimage very much so I might be biased :)

Just my 2 cents,
Nikos
Re: state of the art ?
I am afraid you have convinced me, with zulu, to go on. Though not being able to use dummynet nor altq is a real drawback. But if I don't abuse myself, I read contradictory things. So I raise the question: Is pf/altq usable in the host when you have vnet jails? Same question with dummynet?
Re: state of the art ?
Laurent Alebarde wrote:

> Hi all,
>
> I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials, mainly:
>
> * http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
> * http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project
>
> I have some questions please:
>
> 1. Are they still up-to-date?
> 2. Does the jail rc script still have to be patched to be able to use pf instead of IPFW?
> 3. What are the best up-to-date links for tutorials to set up ZFS ipv4/ipv6 vnet jails?
> 4. Can it be put in production safely or is it still considered experimental?
>
> Cheers,
> Laurent.

In my opinion vimage is a very long way from being production safe. The biggest show stopper is the loss of memory pages when a vnet jail is stopped. See the year-old PR http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/164763

Besides the memory loss problem there is the problem of no support for SCTP. So YES, vimage is still experimental. Use at your own risk.

About vimage and firewalls, ipfw and pf in 9.1-RELEASE are vimage aware. That means when you boot your host and the host's /etc/rc.conf file has ipfw_enable=YES or pf_enable=YES statements in it, the system will come up without a page fault or panic. This does not necessarily mean that you can get one of those firewalls started inside of a vnet jail. Now that ipfilter has a maintainer it should be vimage aware in 10.0-RELEASE when it's published for general public use.

The shortcoming of both of those links is getting the vnet jail access to the public internet. Playing with vimage on 9.1 is a great learning experience, but stick with regular jails for your production world for the maximum jail security.

zfs is a separate subject for vimage jails and normal jails. zfs is a very large and complicated subject. You need to become experienced using zfs on your host first before trying to combine zfs with jails.
Re: state of the art ?
On 04/24/2013 06:47, Laurent Alebarde wrote:

> Thank you very much Joe for your detailed answer.

We use vimages pretty extensively. I use them both at work and on my personal sites. Devin wrote up a pretty good page about them.

http://devinteske.com/vimage-jails-on-freebsd-8

HTH

--
Dave Robison
Sales Solution Architect II
FIS Banking Solutions
Re: state of the art ?
Maybe this is what you need http://sourceforge.net/projects/zjails/ , doesn't require any advanced ZFS or VNET knowledge (just a working ZFS pool and VIMAGE kernel). VNET is supported and there is a soft jail restart option which prevents the kern/164763: Memory leak in VNET issue from appearing. You can also run non-VNET ZFS jails - you can turn VNET on or off by simply executing zjail set vnet=off/on myjailname, then restarting the jail with zjail restart -c myjailname.

On FreeBSD 9.1 amd64, pf inside a jail will cause an immediate kernel panic once you run pfctl in the jail - IPFW works as already stated by others. You can have pf enabled on the host, however, and have an IPFW firewall in the jails.

Cheers, Peter

On Wednesday, 24-04-2013 on 22:19 Laurent Alebarde wrote:

> Hi all,
>
> I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials, mainly:
>
> * http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
> * http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project
>
> I have some questions please:
>
> 1. Are they still up-to-date?
> 2. Does the jail rc script still have to be patched to be able to use pf instead of IPFW?
> 3. What are the best up-to-date links for tutorials to set up ZFS ipv4/ipv6 vnet jails?
> 4. Can it be put in production safely or is it still considered experimental?
>
> Cheers,
> Laurent.