Best Practices with Jails for home server

J

James B.

Thank you very much for your time!

I am planning on migrating my Ubuntu home server to FreeBSD. I will be running Samba, Plex, Syncthing and rclone.

Is it worth setting up jails for such a simple home setup? Using ezjail makes the administrative overhead pretty simple, and I could restrict each application to it’s own jail, and also give each access to only the datasets it needs.

Is it overkill to put all four in separate jails?

How would you set this up?

I'm doing a mock setup in a VM to test everything out.
 
James B. said:
I am planning on migrating my Ubuntu home server to FreeBSD. I will be running Samba, Plex, Syncthing and rclone.
Click to expand...
Well, all those programs seem to be part of the ports collection so it shouldn't be too much bother to install them. Either by using the ports or binary packages I suppose. If its security you want though I'd recommend using the ports collection and building the software yourself. At the very least you'll be able to customize it (if applicable) and you'll know if it actually builds cleanly.

Fair warning though: FreeBSD is not Linux. That may sound obvious enough but I've seen many people try to apply their Linux habits onto FreeBSD only to often fail. Focus on achieving whatever goal you have, not on how you think it should be done.

So back to your question...

James B. said:
Is it worth setting up jails for such a simple home setup? Using ezjail makes the administrative overhead pretty simple, and I could restrict each application to it’s own jail, and also give each access to only the datasets it needs.
Click to expand...
Depends on what you hope to gain by this. Do you trust your home network? If so then I guess you could simply skip the jails and run the processes it on your main OS. FreeBSD has plenty of native security measures to help you keep things under control. sysctl kern.securelevel comes to mind as well as security.bsd.see_other_uids and security.bsd.unprivileged_read_msgbuf. See /etc/sysctl.conf as well as sysctl(8) for more information.

Or perhaps set up one jail for "external processes" and group the whole set in there. It will definitely harden your system a bit, assuming you're setting it up in the right way of course ;)

Jails can definitely help, and using jails can even help you learn about this technology which is a good thing. However don't rely on software or features such as jails to keep you safe. It can help, but security isn't gained by simply installing or using something; it's gained by knowing what you're doing and properly setting up your system.

Sorry for all the clichés here but trust me when I say that it's based on past experience as well as your comment. Yes, ezjail can make it easy, but what does that gain you if you don't know exactly what a jail does? Keep well in mind that a jail is still a process running on the same host using the same kernel. Breaking out of those isn't totally impossible.

How would I go about this?

Depends. If I want to keep these services secured I'd probably rely on one single jail and run them all in there. Just like I'd use a second jail to actually build the software so that I can be sure it actually builds and I'll have the whole setup separated. Then again, I even wouldn't rely on ezjail but simply edit /etc/jail.conf and set up my jail(s) manually. It's seriously easy, just be sure to check jail(8) as well as jail.conf(5).

Hope this can give you some ideas.
 
ShelLuser: Thanks a lot for the detailed reply. I'm actually not new to FreeBSD. I read through all of Michael Lucas' Absolute FreeBSD back when the 2nd edition came out, and ran it on my server for a number of years. I only stopped because I stopped having a home server until recently. But it's been a while, and although I can think of a number of ways to set things up I was unsure of the best practices approach. Thanks for such a detailed answer!

Hukadan: thanks for the warning. Maybe I'll look into Emby instead. I'm not married to Plex, I just need something with simple enough endpoints for my 7 year old to access her movies.
 
Hey! I did almost the exact same thing you're talking about. I ran my server with Ubuntu 16.04 using LXD for system containers. I ran Nextcloud, SAMBA, plex, HAProxy, and a couple other for fun projects. I wound up switching to FreeBSD 11.1 and use iocage to handle my jails. The CLI is reminiscent of LXD, which I like, and it has been good to me so far for the last almost 6 months. I'd say do it if you plan on having internal and external services. Management with iocage is very easy too. Technically, it is still in pre-release so features are being continually added, and I only have issues when I update iocage (reboot is required after an update). ezjail still manages jails the old way, which is on its way out. iocage manages jails the new way, so you can just go on your merry way without having to worry about that.

Currently what I have is an SSD with my host OS, and 2 4TB HDDs in a ZFS mirrored pool, which houses my iocage jails. It is sweet and simple and effective. And if you ever want to add new services to your server later, it's easy to just spin up a new jail and build it
 
James B. said:
I am planning on migrating my Ubuntu home server to FreeBSD. I will be running Samba, Plex, Syncthing and rclone.

Is it worth setting up jails for such a simple home setup?
Click to expand...

I am in similar use case scenario as you. Currently I do not use any form of containing or virtualization. However I like Bittorrent (with legal sites) but since this really puts your IP address out there, then I think i will sooner set up something (likely a vm system) and run Bittorrent and maybe a couple other programs in the vm as well. In a nutshell look at it from a security perspective. But running lots of programs on bare metal FreeBSD OS works flawlessly for me.

James B. said:
Maybe I'll look into Emby instead. I'm not married to Plex, I just need something with simple enough endpoints for my 7 year old to access her movies.
Click to expand...

Some Google searching will show you that there has been small camp of people who have left Plex for Emby. I am one of them. I still run it, am still evaluating Emby, but so far so good. I expect some time this 2018 year I will remove Plex from my system for good. Shame because I bought the lifetime plexplass, but it is what it is.
 
I keep hearing Emby flutter around...the reason why I have been hesitant is because of the MASSIVE amount of dependencies...but my question is, why switch? Honest question. Does Emby not have the strange file open issue that Plex does?
 
Am sorry if i am derailing on the topic, i am news here and i am planning to use FreeBSD but i don't know if it's possible to install it on my server easily.
 
stratacast1 said:
I keep hearing Emby flutter around...the reason why I have been hesitant is because of the MASSIVE amount of dependencies...but my question is, why switch? Honest question. Does Emby not have the strange file open issue that Plex does?
Click to expand...

We're getting off-topic now, my bad, I opened that door. I don't have any file system issues. Yeah IOnotify doesn't work, but I don't need Plex or Emby to instantly update the catalog when I add new content. I have Emby scheduled to update every 24 hours; easy.
Ask those questions in Thread 63163 I say.
 
MrFaroukM said:
Am sorry if i am derailing on the topic, i am news here and i am planning to use FreeBSD but i don't know if it's possible to install it on my server easily.
Click to expand...

That depends on your server hardware. Please follow the handbook as Snurg mentioned, and start reading into the various discussion threads found in the relevant categories in this forum. And welcome to FreeBSD, it has a bit of a learning curve, but its well worth it. :)
 
James B. said:
Thank you very much for your time!

I am planning on migrating my Ubuntu home server to FreeBSD. I will be running Samba, Plex, Syncthing and rclone.

Is it worth setting up jails for such a simple home setup? Using ezjail makes the administrative overhead pretty simple, and I could restrict each application to it’s own jail, and also give each access to only the datasets it needs.

Is it overkill to put all four in separate jails?

How would you set this up?

I'm doing a mock setup in a VM to test everything out.
Click to expand...

I've got this setup at home as well, super pleased with it. All the packages you need are pretty common so you shouldn't have too much trouble. The most important thing I found is that plex needs MDNS broadcasts to "just work" for things like DLNA sharing of media, and for tablet/laptop clients to find the server correctly. See https://support.plex.tv/hc/en-us/articles/201543147 for more details, but basically you want to give the plex jail an IP on the same subnet as everything else, and not via firewall port forwarding. I'm sure I could get MDNS and the other protocols to work eventually but it simply wasn't worth the fiddling in the end.

BTW sysutils/iocage is a well maintained modern jail system with lots of zfs goodness if you're interested in an alternative to ezjail.

The main thing you should consider is what data might be shared between all these things - this would maybe change your mountpoints and jail definitions. I have filesharing & plex separate, so these are separate jails and have their own zfs datasets to go with them.
 
To follow up on dch's comment about having a plex jail in the same subnet as everything else, that can get bypassed with this https://forums.plex.tv/discussion/281790/freebsd-jail-plex-looking-for-servers and go to the accepted answer. This was my thread that I started there because my plex server and home network were separate

Another note pertaining to jail security, as I assume you'll have some jails be internal-use only and some both internal and external...you can set up pf to very nicely say "if this jail tries to talk to this jail, just block it". So having the separation of software via jailing, and network security via a good firewall :)
 
You must log in or register to reply here.
Back
Top