Jail strategies for web host?

I'm upgrading my web server and am intrigued by the capabilities of jails.

I do 3 things with the server: 1) host paying clients, 2) host my own business-related sites, 3) host student media experiments. As you can imagine, jails are perfect for this situation.

My question, what are good strategies for using jails? Is it better to jail single processes or entire user spaces?

My thought is this:
1. Build a jail for the paying clients environment running Apache 1.3 and isolating this from experiments gone awry

2. Build individual environment jails for the affiliate and experimental areas (Apache 2.2 and lighttpd for example)

3. Build individual jails tuned to serve larger client websites.

4. Put the mailserver in its own jail.

Does this make sense? Any comments or pointers?
Thank you for your help,
Bill
 
Thanks, Brett, but my situation requires I have a dedicated server, that's why I am looking for virtualization strategies.
 
Brandwalla said:
Thanks, Brett, but my situation requires I have a dedicated server, that's why I am looking for virtualization strategies.

I am not suggesting you use them, only that they seem to have done what you wish to do.

Cheers,
Brett
 
My apologies, Brett. You are right, it's pretty much what I want to do if I can get my head around the structure.


Vivek, are you using the same IP for jails/MySQL, jails/Postfix, etc? If so, how do they talk to one another?

I have 8 IPs to work with. Is my assumption correct that I would create each task bound to the same IP and running only the one process (e.g., MySQL), and a new IP number for each site with a full-blown userland?

In other words:
jails/Apache 75.22.33.11
jails/MySQL 75.22.33.11
jails/PHP 75.22.33.11
jails/Postfix 75.22.33.11

jails/example.com 75.22.33.12
jails/example.net 75.22.33.13

Or do you lump the tasks together:
jails/www (Apache, PHP, MySQL) 75.22.33.11
jails/mail (Cyrus Postfix, etc) 75.22.33.11

I've been working with ezjails for about a day, very nice, very powerful.

Thank you again for your time and insight.
Bill
 
You can use a single IP and use the pf firewall to redirect traffic between jails and the host to the Internet using NAT.

You can assign a public IP to each jail, and then there is no need to use NAT. This is easy. Some services such as MySQL can work w/o a public IP.
 
PF users, would you kindly take a look at my rules and see if these make sense? I'm new to PF, so not confident.

What I'm trying to do: run 3+ jailed services that talk to one another and to the outside world.

Setup
Code:
mailjail 10.0.0.15
apachejail 10.0.0.20
dbjail 10.0.0.25
client1 10.0.0.30


ifconfig

Code:
defaultrouter="x.x.x.11"
ifconfig_em0="inet x.x.x.12 netmask 255.255.255.248"
ifconfig_em0_alias0="inet x.x.x.13 netmask 255.255.255.255"
ifconfig_em0_alias1="inet x.x.x.14 netmask 255.255.255.255"
ifconfig_em0_alias2="inet x.x.x.15 netmask 255.255.255.255"
ifconfig_em0_alias3="inet x.x.x.16 netmask 255.255.255.255"

My rules
Code:
lan="em0"
lan_subnet="10.0.0.0/8"
lan_ip="10.0.0.10"
jailserver_ip="x.x.x.12/29"
nat on $lan inet proto { tcp, udp, icmp } from $jailserver_ip to $lan_subnet -> $lan_ip


Any comments or suggestions would be greatly appreciated.
Thanks!
Bill
 
Brandwalla said:
PF users, would you kindly take a look at my rules and see if these make sense? I'm new to PF, so not confident.

What I'm trying to do: run 3+ jailed services that talk to one another and to the outside world.

Setup
Code:
mailjail 10.0.0.15
apachejail 10.0.0.20
dbjail 10.0.0.25
client1 10.0.0.30


ifconfig

Code:
defaultrouter="x.x.x.11"
ifconfig_em0="inet x.x.x.12 netmask 255.255.255.248"
ifconfig_em0_alias0="inet x.x.x.13 netmask 255.255.255.255"
ifconfig_em0_alias1="inet x.x.x.14 netmask 255.255.255.255"
ifconfig_em0_alias2="inet x.x.x.15 netmask 255.255.255.255"
ifconfig_em0_alias3="inet x.x.x.16 netmask 255.255.255.255"

My rules
Code:
lan="em0"
lan_subnet="10.0.0.0/8"
lan_ip="10.0.0.10"
jailserver_ip="x.x.x.12/29"
nat on $lan inet proto { tcp, udp, icmp } from $jailserver_ip to $lan_subnet -> $lan_ip


Any comments or suggestions would be greatly appreciated.
Thanks!
Bill

Did these rules work? I remember I tried this a while back and ran into problems... I ended up getting a public IP for each, but now on a new box I find myself with only a single IP.

I have a single interface and I've set up a cloned interface lo1 for the 10.0.0.1/24 subnet.

Thanks
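The single-IP layout Vivek describes (jails on private addresses, pf NAT on the host) and the cloned lo1 setup asked about in the last post, written out as an added example that is none of the participants' own configuration. It assumes em0 holds the one public address, the jails use the 10.0.0.x addresses from Bill's post on a cloned lo1, and a FreeBSD pf of the nat/rdr era; the jail names and port choices are assumptions.

```pf
# /etc/rc.conf (relevant lines) -- constructed example, addresses assumed
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.15 netmask 255.255.255.255"  # mailjail
ifconfig_lo1_alias1="inet 10.0.0.20 netmask 255.255.255.255"  # apachejail
ifconfig_lo1_alias2="inet 10.0.0.25 netmask 255.255.255.255"  # dbjail
gateway_enable="YES"   # the host forwards packets for the jail subnet
pf_enable="YES"

# /etc/pf.conf -- constructed example
ext_if="em0"            # interface carrying the single public address
jail_net="10.0.0.0/24"
mailjail="10.0.0.15"
apachejail="10.0.0.20"
dbjail="10.0.0.25"      # never published: reachable only from the host's jails

# Traffic between jails lands on the host's own addresses, so it is delivered
# locally over lo0 and needs no NAT; it is left unfiltered here, so restrict
# MySQL with its own bind-address and grants rather than with pf.
set skip on { lo0 lo1 }

# Outbound: translate jail-sourced packets leaving em0 to the public address.
# Note the direction: source is the *private* jail subnet, the translation
# target is the public address. A rule written from the public /29 to 10/8
# matches packets that never leave the host and translates nothing useful.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Inbound: publish only the ports that must be public, each to one jail.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $apachejail
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 25, 587 } -> $mailjail

# Filtering. Filter rules see the *translated* packet, so the pass rules
# below name the jail addresses for inbound and the public address outbound.
block all
pass in on $ext_if inet proto tcp from any to $apachejail port { 80, 443 } keep state
pass in on $ext_if inet proto tcp from any to $mailjail port { 25, 587 } keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state   # host ssh
pass out on $ext_if inet from ($ext_if) to any keep state   # host and NATed jails
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s state` show whether jail connections are actually being translated.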
 