Marc G. Fournier | 1 Jan 2008 22:54

Re: Future development of Jail


You mean like:

     <http://wiki.freebsd.org/JailResourceLimits>

and:

     <http://docs.freevps.com/doku.php?id=freebsd:index>

--On Monday, December 31, 2007 19:10:51 -0800 Karl Triebes 
<karl.triebes <at> gmail.com> wrote:

> On Dec 31, 2007 5:51 PM, Andy Dills <andy <at> xecu.net> wrote:
>
>> Not that I have a pile of money laying around I could throw at it, but the
>> thing I wish for most from FreeBSD is a more mature and robust jail
>> implementation. Specifically, the ability to implement per-jail quotas and
>> resource limitations on disk, memory, network and cpu. I'd really love a
>> separate network stack for each jail...that's critical for a plethora of
>> reasons. I'd be curious what sort of commitment (in $) that would require.
>
> I would like to see per-jail quotas such as the ones Andy mentions,
> and would like to hear if anyone would be interested in doing it for
> the right price. You may contact me via this list or in private.
>
> Cheers, and, a happy New Year.
>
> Karl.
> _______________________________________________
> freebsd-questions <at> freebsd.org mailing list

Andrew Hotlab | 2 Jan 2008 13:10

Re: How to better update a jail host system

--------------------------------------------------
From: "Jon Passki" <jon.passki@...>
Sent: Tuesday, December 25, 2007 5:48 AM
To: "Andrew Hotlab" <andrew.hotlab@...>
Cc: "FreeBSD-Jail" <freebsd-jail@...>
Subject: Re: How to better update a jail host system

> You can re-create your binary jail setup easily from sysinstall:
>
> sysinstall _ftpPath=ftp://ftp.FreeBSD.org/pub/FreeBSD/
> nonInteractive=yes mediaSetFTP releaseName=6.2-RELEASE dists=base
> distSetCustom installRoot=/path/to/jail installCommit
>
> Then, the only thing you have to manage is packages.  With a patched
> freebsd-update [2], you can even update from 6.2 to 6.3.  If ezjail
> supports a binary tarball update, it would be trivial to take the
> output of the sysinstall and freebsd-update and roll one.
>

I had not ever considered using sysinstall(8) as an option to create jails:
it sounds good, especially to a sysadmin who has never had to compile
anything, like me!

As you pointed out, until ezjail(5) supports that procedure I won't
likely use it in production, since the advantages that Dirk's framework
brings in managing jails are more valuable to me than the "annoyance" of
compiling from sources! :)

Andrew


Andrew Hotlab | 2 Jan 2008 13:12

Re: How to better update a jail host system

--------------------------------------------------
From: "Alexander Leidinger" <Alexander@...>
Sent: Sunday, December 30, 2007 12:41 AM
To: "Andrew Hotlab" <andrew.hotlab@...>
Cc: "FreeBSD-Jail" <freebsd-jail@...>
Subject: Re: How to better update a jail host system

>> I've spent some time in the past days to find how to build a world
>> which contains only the "Binary base" and "man" distributions (as I
>> always select from the sysinstall menu options during the first server
>> setup), but I didn't find any article or man page which helped me.
>
> I don't know exactly what is in the binary and man dists, but what you
> need to do is either to just grab the new dists from an FTP server and
> extract them over the old ones, or to have a look what is installed by a
> make world what is not in those dists and have a look for WITHOUT_ knobs
> which exclude those parts from the build/install. There may be not enough
> WITHOUT_ knobs to produce those dists, as they are generated in a
> different way (make release).

Ok, thank you Alexander! But what do you think about upgrading the server on 
the "installed binary distribution" basis? Perhaps it sounds good to me 
because I'm coming from Windows Server experience (where it's important to 
maintain only the Windows components you need, in order to reduce the attack 
surface). Is maintaining as few binary distributions as possible as
important in FreeBSD too, or does it only help to grow unnecessary system
complexity?

TIA


Alexander Leidinger | 2 Jan 2008 14:10

Re: How to better update a jail host system

Quoting "Andrew Hotlab" <andrew.hotlab@...> (Wed, 2 Jan 2008
13:12:24 +0100):

> --------------------------------------------------
> From: "Alexander Leidinger" <Alexander@...>
> Sent: Sunday, December 30, 2007 12:41 AM
> To: "Andrew Hotlab" <andrew.hotlab@...>
> Cc: "FreeBSD-Jail" <freebsd-jail@...>
> Subject: Re: How to better update a jail host system
> 
> >> I've spent some time in the past days to find how to build a world
> >> which contains only the "Binary base" and "man" distributions (as I
> >> always select from the sysinstall menu options during the first server
> >> setup), but I didn't find any article or man page which helped me.
> >
> > I don't know exactly what is in the binary and man dists, but what you
> > need to do is either to just grab the new dists from an FTP server and
> > extract them over the old ones, or to have a look what is installed by a
> > make world what is not in those dists and have a look for WITHOUT_ knobs
> > which exclude those parts from the build/install. There may be not enough
> > WITHOUT_ knobs to produce those dists, as they are generated in a
> > different way (make release).
> 
> Ok, thank you Alexander! But what do you think about upgrading the server on 
> the "installed binary distribution" basis? Perhaps it sounds good to me 
> because I'm coming from Windows Server experience (where it's important to 
> maintain only the Windows components you need, in order to reduce the attack 
> surface). Is maintaining as few binary distributions as possible as
> important in FreeBSD too, or does it only help to grow unnecessary system
> complexity?

Yong Taro | 3 Jan 2008 11:27

web services in host and jailed systems

hello,
you can welcome another jail-user.

So far I have some confusion, and need to clear it up.

On the host system I want to have a webserver IP1:80 that exposes some
static content with no {POST,CGI} support.
On the jailed system I want to have another webserver IP2:80 that exposes
some blogging services that have full HTTP support.

Question: once the IP2 is on the same network card (alias to the IP1 -
if I got it right. IP1 is a real IP) how will those two services
serve the right users? Did I miss something?

thanks.

Michel | 3 Jan 2008 11:59

Re: web services in host and jailed systems

On Thursday 3 January 2008, Yong Taro wrote:
> hello,
> you can welcome another jail-user.
>
> So far I have some confusion, and need to clear it up.
>
> On the host system I want to have a webserver IP1:80 that exposes some
> static content with no {POST,CGI} support.
> On the jailed system I want to have another webserver IP2:80 that exposes
> some blogging services that have full HTTP support.
>
> Question: once the IP2 is on the same network card (alias to the IP1 -
> if I got it right. IP1 is a real IP) how will those two services
> serve the right users? Did I miss something?
>
> thanks.
> _______________________________________________

Yes: from the man page

     The following frequently deployed services must have their individual
     configuration files modified to limit the application to listening to
     a specific IP address:

     To configure sshd(8), it is necessary to modify /etc/ssh/sshd_config.

     To configure sendmail(8), it is necessary to modify
     /etc/mail/sendmail.cf.

     For named(8), it is necessary to modify /etc/namedb/named.conf.

Yong Taro | 3 Jan 2008 12:19

Re: web(HTTP) services in host and jailed systems

Sorry, I will reformulate

I want to have the following:
"mydomain.com" and "myblog.com" will resolve to IP1.
"mydomain.com" will be served by the webserver listening on IP1:80
"myblog.com" will be served by the webserver listening on IP2:80 - which
is a jailed system.

Is this possible?

Michel wrote:
> On Thursday 3 January 2008, Yong Taro wrote:
>
>> hello,
>> you can welcome another jail-user.
>>
>> So far I have some confusion, and need to clear it up.
>>
>> On the host system I want to have a webserver IP1:80 that exposes some
>> static content with no {POST,CGI} support.
>> On the jailed system I want to have another webserver IP2:80 that exposes
>> some blogging services that have full HTTP support.
>>
>> Question: once the IP2 is on the same network card (alias to the IP1 -
>> if I got it right. IP1 is a real IP) how will those two services
>> serve the right users? Did I miss something?
>>
>> thanks.
>> _______________________________________________
>>     

Michel | 3 Jan 2008 12:53

Re: web(HTTP) services in host and jailed systems

On Thursday 3 January 2008, Yong Taro wrote:
> Sorry, I will reformulate
>
> I want to have the following:
> "mydomain.com" and "myblog.com" will resolve to IP1.
> "mydomain.com" will be served by the webserver listening on IP1:80
> "myblog.com" will be served by the webserver listening on IP2:80 - which
> is a jailed system.
>
> Is this possible?
>

Use a proxy on the host to rewrite the IP on a per-domain basis?
For Apache the proxy directive may be used in a virtual host context (this is
for the per-domain way) ... but I never use the proxying capability of
Apache!

Yong Taro | 3 Jan 2008 13:10

Re: web(HTTP) services in host and jailed systems

Thanks.

Michel wrote:
> On Thursday 3 January 2008, Yong Taro wrote:
>
>> Sorry, I will reformulate
>>
>> I want to have the following:
>> "mydomain.com" and "myblog.com" will resolve to IP1.
>> "mydomain.com" will be served by the webserver listening on IP1:80
>> "myblog.com" will be served by the webserver listening on IP2:80 - which
>> is a jailed system.
>>
>> Is this possible?
>>
>>
>
> Use a proxy on the host to rewrite the IP on a per-domain basis?
> For Apache the proxy directive may be used in a virtual host context (this is
> for the per-domain way) ... but I never use the proxying capability of
> Apache!
> _______________________________________________
> freebsd-jail@... mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@..."
>
>   

Loïc Pefferkorn | 3 Jan 2008 12:50

Re: web(HTTP) services in host and jailed systems

Hello,

Yes it is possible using a "reverse proxy". Apache is able to do it with
its mod_proxy* modules.

Loic

Yong Taro wrote:
> Sorry, I will reformulate
>
> I want to have the following:
> "mydomain.com" and "myblog.com" will resolve to IP1.
> "mydomain.com" will be served by the webserver listening on IP1:80
> "myblog.com" will be served by the webserver listening on IP2:80 - which
> is a jailed system.
>
> Is this possible?
>
>
> Michel wrote:
>> On Thursday 3 January 2008, Yong Taro wrote:
>>
>>> hello,
>>> you can welcome another jail-user.
>>>
>>> So far I have some confusion, and need to clear it up.
>>>
>>> On the host system I want to have a webserver IP1:80 that exposes some
>>> static content with no {POST,CGI} support.
>>> On the jailed system I want to have another webserver IP2:80 that exposes
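
The reverse-proxy arrangement suggested in the replies above, written out as an added example that is not part of the original thread. It assumes Apache 2.4 syntax with mod_proxy and mod_proxy_http loaded on the host; 192.0.2.10 and 192.0.2.11 stand in for IP1 and IP2, and the DocumentRoot path is a placeholder.

```apache
# Host httpd.conf fragment (added example; addresses and paths are placeholders).
# 192.0.2.10 = IP1 (host), 192.0.2.11 = IP2 (alias handed to the jail).

# Bind the host's Apache to IP1 only. A bare "Listen 80" binds every
# address on the machine, including the jail's IP2, which is what the
# jail(8) excerpt quoted earlier in the thread warns about.
Listen 192.0.2.10:80

# mydomain.com: static content served directly by the host.
# Being the first vhost on this address, it also answers requests whose
# Host header matches no ServerName, so unknown names never reach the jail.
<VirtualHost 192.0.2.10:80>
    ServerName mydomain.com
    DocumentRoot "/usr/local/www/mydomain"
    <Directory "/usr/local/www/mydomain">
        # Static site: no CGI execution, no per-directory overrides.
        Options -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# myblog.com: resolves to IP1 as well, but is handed to the jailed
# webserver, which has its own "Listen 192.0.2.11:80" inside the jail.
<VirtualHost 192.0.2.10:80>
    ServerName myblog.com

    # Reverse proxy only. Forward proxying stays off so the host cannot
    # be used as an open proxy by outside clients.
    ProxyRequests Off

    # Forward the original Host header so the jailed server sees
    # "myblog.com" rather than its own IP address.
    ProxyPreserveHost On

    ProxyPass        "/" "http://192.0.2.11:80/"
    ProxyPassReverse "/" "http://192.0.2.11:80/"
</VirtualHost>
```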

