Desktop: Jail vs VM?

Background: I have a server providing firewall, router, NAS, ntp, dns, smtp... etc, services. It is not a busy system, showing 99% idle on average. 32GiB RAM, Xeon E3-1230 v3 @ 3.30GHz, Supermicro X10SL7, FreeBSD 14.2p3...

You get the picture.

I'd like to be able to intermittently run a desktop environment (DE) on the server but want the DE isolated from the server itself. I'm facile with jail infrastructures (have two jails running presently) and recently learned how to set up a bhyve VM (very slick!). In scouring the web, I've found that folks use both jails and bhyve VMs to install/run DEs.

My question: Considering my underlying server, would it be better to run a DE in a jail or in a bhyve VM? Pros/Cons? Or are there other options I'm overlooking?

Thoughts?

TIA!
 
I'd switch it around: why not move those network services into a jail and then run X on your main environment? It'll save you a lot of potential hassle.
 
So instead of running a DE on a server, run a server on a DE?
I wouldn't phrase it like that, also considering that FreeBSD itself (so: the base system) provides several network services 'out of the box', which would make it fair to call that a server environment as well.

But yeah... run the DE on the base system, then run the network services from inside the jail. While it can be done to get an X environment running inside a jail, it's also going to cause you a lot of (potential) hassle. And basically... it wouldn't really provide all that many advantages.

Yet separating ("shielding") network services is pretty much always a good idea.
 
I'd like to be able to intermittently run a desktop environment (DE) on the server
Why? To me the answer to this could lead to a "best practices" approach.

Some would say "run all those services in their own jail", so a jail for firewall, a jail for dns, a jail for smtp... to prevent possible pollution between them.
If running a DE is only a sometimes thing, I would go with jailing everything else the server provides, install a WindowManager (not a DE like Gnome or KDE) and do "startx" as needed.
Is the DE intended to be run when you have physical access (sitting in front of the box) or will it be remote (you ssh in with X forwarding)?
 
Why? To me the answer to this could lead to a "best practices" approach.

Some would say "run all those services in their own jail", so a jail for firewall, a jail for dns, a jail for smtp... to prevent possible pollution between them.
If running a DE is only a sometimes thing, I would go with jailing everything else the server provides, install a WindowManager (not a DE like Gnome or KDE) and do "startx" as needed.
Is the DE intended to be run when you have physical access (sitting in front of the box) or will it be remote (you ssh in with X forwarding)?
"Pollution between the services". Presently I'm only jailing services that are full-time, internet-facing, such as the smtp server. Some years ago I experimented with jailing each service separately but maintaining all those jails was problematic and I decided to simply jail the biggest threat(s) - the smtp process.

I'm planning on accessing the DE (or WM) with a vnc client (tigervnc) but I might experiment with X forwarding or even RDP just to see how it goes. The DE/WM would not be internet-facing; just accessible from the LAN.

I was all set to go with a bhyve VM and got it to work but then wondered if a jail would be sufficient, hence I'm asking the question.

I'm in learning mode with all this. Just a hobbyist. And I agree with you - I'm seeking a 'best practices' result. I've got my test platform set up for jailing a DE/WM to see how that goes. If I get it to work fairly easily I can then do a VM/Jail side-by-side comparison to see which is easier and more practical.
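One way to lay out the "internet-facing service in its own jail, VNC reachable only from the LAN" arrangement discussed in this thread, as an added example that is not from any poster here. The interface names (igb0 as WAN, igb1 as LAN), the LAN prefix, the jail path and the jail address are all assumptions; substitute your own.

```conf
# /etc/jail.conf (added example; names, paths and addresses are assumptions)
exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
# devfs ruleset 4 (devfsrules_jail) exposes only basic pseudo-devices:
# the jail sees no raw disks, no GPU nodes, no host console.
devfs_ruleset = 4;
path          = "/usr/jails/$name";
host.hostname = "$name.lan.internal";

# Full-time, internet-facing service gets its own jail and its own address.
# "igb1|addr" makes jail(8) add the alias to that interface on start.
smtp {
    ip4.addr = "igb1|192.168.1.25/24";
    allow.raw_sockets = 0;      # keep the default: no raw sockets in the jail
}

# /etc/pf.conf fragment (added example; interface names and LAN net assumed)
# ext_if  = "igb0"
# int_if  = "igb1"
# lan_net = "192.168.1.0/24"
# vnc_port = "5900"
#
# # Never accept VNC from the WAN side, whatever is listening on the host.
# block in quick on $ext_if proto tcp to port $vnc_port
# # Accept VNC on the LAN interface from LAN hosts only.
# pass in quick on $int_if proto tcp from $lan_net to ($int_if) port $vnc_port keep state
```

After `service jail start smtp`, `jls` lists the jail and `pfctl -sr` shows the loaded rules; the pf lines are given as comments above only so the whole example can sit in one fence, and belong in pf.conf rather than jail.conf.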
 