Re: Information on Setting up a Jailed Webserver
2009/8/28 Ruben de Groot:
> On Thu, Aug 27, 2009 at 12:28:26PM -0400, APseudoUtopia typed:
> > Two more questions then I should be ready to go with my jail(s).
> >
> > In order to minimize the HDD space of the jail, can I add things in my
> > src.conf such as WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF?
>
> Yes you can. Another option is to use read-only nullfs mounts for e.g. /usr,
> /lib, /sbin, /bin to populate the jail. That will cost you no HDD space at all.
> The ezjail port, already mentioned, can more or less automate this.
>
> > I do use pf on the host system, but it isn't needed inside the jail as
> > well, correct?
>
> Rather, it's not possible to use inside a standard (non-vimage) jail. There's
> only one network stack.
>
> > Also, is it possible to compile a port (specifically nginx) inside the
> > host, then simply cp it into the jail and run it? I'd like to do this
> > to avoid installing a compiler into the jail itself.
>
> make package-recursive
>
> Ruben
>
> > Thanks again for the help.

I've not seen all this post so sorry if this has been mentioned before. Apache has a module called mod_jail, that means (I'm pretty sure) you don't have to build the full jail environment. I've not looked at it in detail but it's probably worth looking at before you start hacking around with full jails.

http://www.freebsdsoftware.org/www/mod_jail.html

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Information on Setting up a Jailed Webserver
On Thu, Aug 27, 2009 at 12:28:26PM -0400, APseudoUtopia typed:
> Two more questions then I should be ready to go with my jail(s).
>
> In order to minimize the HDD space of the jail, can I add things in my
> src.conf such as WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF?

Yes you can. Another option is to use read-only nullfs mounts for e.g. /usr, /lib, /sbin, /bin to populate the jail. That will cost you no HDD space at all. The ezjail port, already mentioned, can more or less automate this.

> I do use pf on the host system, but it isn't needed inside the jail as
> well, correct?

Rather, it's not possible to use inside a standard (non-vimage) jail. There's only one network stack.

> Also, is it possible to compile a port (specifically nginx) inside the
> host, then simply cp it into the jail and run it? I'd like to do this
> to avoid installing a compiler into the jail itself.

make package-recursive

Ruben

> Thanks again for the help.
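Ruben's read-only nullfs suggestion, as an added example that is not from the thread: a script that emits the fstab-format lines populating a jail from the host's base directories, and audits `mount -p` output for jail nullfs mounts that were left writable (a writable shared /usr would let a compromised jail tamper with the host's binaries). The jail root /jails/www, the directory list and the sample mount output are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit read-only nullfs fstab lines that
# populate a jail from the host's base system, and audit "mount -p" output
# for jail nullfs mounts that were left writable. Paths are assumptions.

# Host directories a jail can share read-only (assumed layout).
JAIL_SHARED_DIRS="/bin /sbin /lib /libexec /usr"

# Print fstab-format lines mounting each shared directory into jail root $1
# read-only (nullfs with the "ro" option).
jail_fstab() {
    jailroot=$1
    for d in $JAIL_SHARED_DIRS; do
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$d" "$jailroot" "$d"
    done
}

# Read "mount -p" (fstab-format) lines on stdin; print every nullfs mount
# under jail root $1 whose option list lacks "ro". Exit 1 if any were found.
audit_ro_nullfs() {
    jailroot=$1
    awk -v root="$jailroot" '
        $3 == "nullfs" && index($2, root "/") == 1 {
            n = split($4, opt, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) { print "writable nullfs mount in jail: " $2; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of "mount -p" output: one correct mount, two writable.
SAMPLE_MOUNTS='/dev/ad0s1a / ufs rw 1 1
/usr /jails/www/usr nullfs ro 0 0
/lib /jails/www/lib nullfs rw 0 0
/usr/ports /jails/www/usr/ports nullfs rw,noatime 0 0'

# Stand-alone demonstration; on a real host: mount -p | audit_ro_nullfs /jails/www
jail_fstab /jails/www
printf '%s\n' "$SAMPLE_MOUNTS" | audit_ro_nullfs /jails/www || echo "fix the mounts above"
```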
Re: Information on Setting up a Jailed Webserver
On 26/08/2009 at 22:59:34-0400, APseudoUtopia wrote:
> Hello,
>
> I have a small site which runs PostgreSQL, Nginx, and PHP. I'm looking
> into running nginx inside a jailed host on my server for security
> reasons (eg, if there is a hole in a php script).
>
> The website root is actually a working copy of my subversion
> repository. I have svnserve running through OpenVPN. My plan would be
> to have svnserve and OpenVPN running on the "main" system, and
> nginx/php running inside a jail.
>
> I was wondering if it would be somehow possible to run a command on
> the main system that updates the svn working copy inside the jail for
> nginx to serve. Would I need to do the "svn up" over tcp/ip from the
> jail to the main system? Or can I somehow update it via
> file://path/to/main/repo? I've never used or setup a jail before, so

IMHO that's a bad idea. Someday you may want to put your website on another machine, or you may want to have two servers to duplicate your website (you just need rsync).

If you want to update your svn repository you can put in your subversion server's hook-scripts something like

wget http://your_website/some_where/update_repo > /dev/null

and on your web server (jail or not) you create a script update_repo with

cd /your_web_site_dir
svn up

You can add some deny rules in your apache conf to authorize only your svn server to make the wget.

> Also, how memory-intensive is a jail? I'm willing to run postgresql in

If you have only 32MB you can have some problems ;-)

I run almost ~20 jail servers on one physical server without any problem.

Regards.

--
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26/06 86 69 95 71
Local time: Thu 27 Aug 2009 21:44:15 CEST
Re: Information on Setting up a Jailed Webserver
On Thu, Aug 27, 2009 at 11:03 AM, Adam Vande More wrote:
> On Thu, Aug 27, 2009 at 9:13 AM, APseudoUtopia wrote:
>> On Wed, Aug 26, 2009 at 11:35 PM, Erich Dollansky wrote:
>> > Hi,
>> >
>> > On 27 August 2009 am 11:10:37 Adam Vande More wrote:
>> >> On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia wrote:
>> >> >
>> >> > Also, how memory-intensive is a jail?
>> >>
>> >> Very light when compared to other virtualization methods.
>> >
>> > jails share the kernel but not the world.
>> >
>> > So, there will be only one kernel loaded but all libraries in use
>> > will be loaded individually by each jail when needed.
>> >
>> > Jails need some more disk space, as the world, all libraries needed
>> > and all applications needed are installed individually in each
>> > jail.
>> >
>> > This can be minimised with proper planning of what runs in what
>> > jail.
>> >
>> > Erich
>> >
>> Thanks for the helpful replies. I have a couple of questions:
>>
>> When a jail is compromised, the only thing I have to do to recover the
>> system is delete the jail and create a new one, correct? The host
>> system is untouched even if a jail is compromised?
>
> Really depends on how you're using the jail, but under standard usage yes.
>
>> And how does the upgrade process work? I know the userland must be the
>> same for the host system and the jail. If I want to upgrade to, say,
>> FreeBSD 8 when released, what is the process? I'd imagine it goes
>> something like this, but I'm not sure:
>> -Shut down jail
>> -Upgrade host system
>> -Install host binaries
>> -Install jail binaries
>> -Restart jail
>>
>> Or is there more to the process than what it seems?
>
> That's the basic process, however as mentioned before check out ezjail. It
> makes administering multiple jails much easier and can save you disk space.
>
>> Thanks again.

Ok, thanks. Two more questions then I should be ready to go with my jail(s).

In order to minimize the HDD space of the jail, can I add things in my src.conf such as WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF? I do use pf on the host system, but it isn't needed inside the jail as well, correct?

Also, is it possible to compile a port (specifically nginx) inside the host, then simply cp it into the jail and run it? I'd like to do this to avoid installing a compiler into the jail itself.

Thanks again for the help.
Re: Information on Setting up a Jailed Webserver
On Thu, Aug 27, 2009 at 9:13 AM, APseudoUtopia wrote:
> On Wed, Aug 26, 2009 at 11:35 PM, Erich Dollansky wrote:
> > Hi,
> >
> > On 27 August 2009 am 11:10:37 Adam Vande More wrote:
> >> On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia wrote:
> >> >
> >> > Also, how memory-intensive is a jail?
> >>
> >> Very light when compared to other virtualization methods.
> >
> > jails share the kernel but not the world.
> >
> > So, there will be only one kernel loaded but all libraries in use
> > will be loaded individually by each jail when needed.
> >
> > Jails need some more disk space, as the world, all libraries needed
> > and all applications needed are installed individually in each
> > jail.
> >
> > This can be minimised with proper planning of what runs in what
> > jail.
> >
> > Erich
> >
> Thanks for the helpful replies. I have a couple of questions:
>
> When a jail is compromised, the only thing I have to do to recover the
> system is delete the jail and create a new one, correct? The host
> system is untouched even if a jail is compromised?

Really depends on how you're using the jail, but under standard usage yes.

> And how does the upgrade process work? I know the userland must be the
> same for the host system and the jail. If I want to upgrade to, say,
> FreeBSD 8 when released, what is the process? I'd imagine it goes
> something like this, but I'm not sure:
> -Shut down jail
> -Upgrade host system
> -Install host binaries
> -Install jail binaries
> -Restart jail
>
> Or is there more to the process than what it seems?

That's the basic process, however as mentioned before check out ezjail. It makes administering multiple jails much easier and can save you disk space.

> Thanks again.

--
Adam Vande More
Re: Information on Setting up a Jailed Webserver
On Wed, Aug 26, 2009 at 11:35 PM, Erich Dollansky wrote:
> Hi,
>
> On 27 August 2009 am 11:10:37 Adam Vande More wrote:
>> On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia wrote:
>> >
>> > Also, how memory-intensive is a jail?
>>
>> Very light when compared to other virtualization methods.
>
> jails share the kernel but not the world.
>
> So, there will be only one kernel loaded but all libraries in use
> will be loaded individually by each jail when needed.
>
> Jails need some more disk space, as the world, all libraries needed
> and all applications needed are installed individually in each
> jail.
>
> This can be minimised with proper planning of what runs in what
> jail.
>
> Erich

Thanks for the helpful replies. I have a couple of questions:

When a jail is compromised, the only thing I have to do to recover the system is delete the jail and create a new one, correct? The host system is untouched even if a jail is compromised?

And how does the upgrade process work? I know the userland must be the same for the host system and the jail. If I want to upgrade to, say, FreeBSD 8 when released, what is the process? I'd imagine it goes something like this, but I'm not sure:
-Shut down jail
-Upgrade host system
-Install host binaries
-Install jail binaries
-Restart jail

Or is there more to the process than what it seems?

Thanks again.
Re: Information on Setting up a Jailed Webserver
Maybe it will be better to imagine that the jail is a different computer, so if your jail needs a connection to the main host it will connect like any other computer that is not running in a jail. You can do file:// from the main host to the jail but not from the jail to the main host.

As far as I know a jail is a method, so how memory intensive it is depends on your application.

regards
Thomas

APseudoUtopia wrote:
> ... [cut]
>
> I was wondering if it would be somehow possible to run a command on
> the main system that updates the svn working copy inside the jail for
> nginx to serve. Would I need to do the "svn up" over tcp/ip from the
> jail to the main system? Or can I somehow update it via
> file://path/to/main/repo? I've never used or setup a jail before, so
> how everything works is a bit confusing to me. Right now, I use an svn
> post-commit hook to update the www working copy.
>
> Also, how memory-intensive is a jail? I'm willing to run postgresql in
> another jail as well if it wouldn't be too memory-intensive. And
> possibly even an IRC server.
>
> I'm running FreeBSD 7.2-RELEASE-p3.
>
> Thank you for the suggestions, advice, and criticisms.
Re: Information on Setting up a Jailed Webserver
Hi,

On 27 August 2009 am 11:10:37 Adam Vande More wrote:
> On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia wrote:
> >
> > Also, how memory-intensive is a jail?
>
> Very light when compared to other virtualization methods.

jails share the kernel but not the world.

So, there will be only one kernel loaded but all libraries in use will be loaded individually by each jail when needed.

Jails need some more disk space, as the world, all libraries needed and all applications needed are installed individually in each jail.

This can be minimised with proper planning of what runs in what jail.

Erich
Re: Information on Setting up a Jailed Webserver
On Wed, Aug 26, 2009 at 9:59 PM, APseudoUtopia wrote:
> Hello,
>
> I have a small site which runs PostgreSQL, Nginx, and PHP. I'm looking
> into running nginx inside a jailed host on my server for security
> reasons (eg, if there is a hole in a php script).
>
> The website root is actually a working copy of my subversion
> repository. I have svnserve running through OpenVPN. My plan would be
> to have svnserve and OpenVPN running on the "main" system, and
> nginx/php running inside a jail.
>
> I was wondering if it would be somehow possible to run a command on
> the main system that updates the svn working copy inside the jail for
> nginx to serve. Would I need to do the "svn up" over tcp/ip from the
> jail to the main system? Or can I somehow update it via
> file://path/to/main/repo?
>
The second method, it's quite easy.

> I've never used or setup a jail before, so
> how everything works is a bit confusing to me. Right now, I use an svn
> post-commit hook to update the www working copy.
>
> Also, how memory-intensive is a jail?

Very light when compared to other virtualization methods. Usually, most setups won't run things that require a lot of disk I/O in virtual systems, but jails are an exception. Practically native speed; it's easier to understand jails by thinking of them as an enhanced chroot environment rather than a virtualization instance.

> I'm willing to run postgresql in
> another jail as well if it wouldn't be too memory-intensive. And
> possibly even an IRC server.

If you're going to run multiple jails, look at /usr/ports/sysutils/ezjail

> I'm running FreeBSD 7.2-RELEASE-p3.

Keep in mind a jail needs to run the same kernel as the host. If you upgrade the base system, do so with every jail as well.

> Thank you for the suggestions, advice, and criticisms.

--
Adam Vande More