Filesharing in jail?

bsus · May 5, 2012

Hello,

I have a conceptual question: what are your oppinions about the idea to have everything outsourced in jails? Benefits: An error which grants system access can't damage other services.

The question is how this practice works practically. So are there any limitations/issues when having samba and NFS daemons in a jail and the home directories mounted as nullfs?

Or is the whole idea deprecated?

Best Regards,
bsus

bsus · May 6, 2012

Code:

# /etc/rc.d/rpcbind start
rpcbind already running? (pid=53610).
# /etc/rc.d/nfsd start
sysctl: vfs.nfsd.nfs_privport: Operation not permitted
NFSv4 is disabled
sysctl: vfs.nfsd.server_max_nfsvers: Operation not permitted
Starting nfsd.

What else do I have to fix?

stuart · May 9, 2012

Within a jail? I think you'll need one or both of the below sysctls set

Code:

security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1

In answer to the previous post, I actually use jails a lot, but went down the route of using zfs snapshots of the base OS to keep the jails up to date. Effectively, I'd use ports to run and install the various services, and then create a clone of the base filesystem, mounting it as read only. I then mount a writable /etc 'on top' of it, and then run sshd etc. That way, upgrading all the jail software is a simple as portupgrade followed by a scripted refreshing of the snapshots and it all seems to work very well.

The trap that I fell into was spending ages configuring an environment for a jail and then not being able to keep up with the updates. I use xymon with a custom script that basically runs portversion 3 times a day to check for software updates, and it would be nearly impossible to keep everything upgraded if I had to manually check and rejail all processes.

Just my thoughts, but this system seems to work really well on several production and staging systems.

Beeblebrox · May 9, 2012

NFS servers from inside jail does not work! You have to serve NFS from host side.

I have several threads in the forum which asked this question and I also posted many of my findings in those threads. To make sure, I had asked the FreeBSD mailing list about 2 months ago and was informed that no one has gotten it to work (I also set a bunch of sysctl variables which in the end resulted in no solution).

bsus · May 10, 2012

@stuart

Hi,
I use ezjail, the basejail contains the world, can get easily updated and is mounted ro in the zfs jails. Additionally a ports tree is extracted to the base jail and mounted rw into /var/ports which gets managed from a build jail.

I will later on try your sysctl tuning.

@Beeblebrox
Hi,
I also searched a lot and it is really sad that it seems to be so hard to do filesharing out of a jail. Because this would make the real FreeBSD host serviceless (only the jails) and you could secure it with a strict firewall. The whole server would be quite safe.

However I think there is one more chance to go:
Vimage
You have three ways to make the jails available to the network:

alias additional IPs (the easiest)
use pf to internal route
vimage

That what I've have read until now says that it is possible to outsource the network device emulation to the kernel which improves performance and possibilities in hosting (e.g. filesharing).

bsus · May 10, 2012

Here is an interesting thread

EDIT:

VIMAGE is directly in kernel. I noticed that the em0 network device also has support for VLAN.

Is using the networks VLAN also an option for jails?