Jails in production environments (resources, limits, immutable)

Hello guys,

My name is Markus and I am new to FreeBSD. My background is IT Security and mainly Linux, but I am open to new experiences. For production use I am looking for an efficient solution to put several parallel servers on one big host - jails seem to be a good solution.

Before I build my test environment I want to ask about some points:
  1. For a secure usage of the jails I have to recompile the kernel with rctl(8) to prevent processes using all bandwidth (network), all RAM / CPU or starting fork bombs (also root in the jail)
  2. If I want to use ZFS as the filesystem for the jail-storage: is it possible to create an immutable jail (as far as I read the flag is just available in UFS)? Do I have to use ZFS ACLs? Immutable jail means that even the root-user can not change some files inside the jail.

As English is not my native language I probably didn't use the correct search terms, so besides answers I would take links and hints :)

Thanks
Markus
 
storvi_net said:
For a secure usage of the jails I have to recompile the kernel with rctl(8) to prevent processes using all bandwidth (network), all RAM / CPU or starting fork bombs (also root in the jail)

This is half true. You need rctl to reliably limit resources consumed by jail processes, but you'd use ipfw+dummynet to limit bandwidth.

storvi_net said:
If I want to use ZFS as the filesystem for the jail-storage: is it possible to create an immutable jail (as far as I read the flag is just available in UFS)? Do I have to use ZFS ACLs? Immutable jail means that even the root-user can not change some files inside the jail.

Take a look at Application of Jails. The idea is that the writable filesystem resides outside of the jail and you selectively mount directories into the jail with nullfs.

Kevin Barry
 
Hello again,

So thanks for the first answer. I will read through the documentation of rctl(8) again and combine it with the information I will find about dummynet (are there any recommended examples?).

I read the part about jails you pointed out for me - thanks for that, too.

Regards.
Markus
 
The ipfw manpage has some examples. You load the dummynet module and manage it via ipfw. pf also has something similar built into it, in case you're using pf to set up NAT for the jail.

Kevin Barry
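
The three pieces named in the two answers above (rctl limits, a read-only base with selected nullfs mounts, and a dummynet pipe managed through ipfw), combined in one script as an added example that is not part of the thread. The jail name, paths, address, rule and pipe numbers and all limits are constructed assumptions; the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: resource limits, read-only base and bandwidth cap for one jail.
# Every name, path, address, number and limit here is an assumed sample value.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands (default), 0 = execute them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# harden_jail NAME ROOT IP
harden_jail() {
    name=$1 root=$2 ip=$3
    base=/jails/base          # assumed shared userland, mounted read-only
    data=/jails/data/$name    # assumed writable tree kept outside the jail root

    # nullfs: the whole base is read-only, even for root inside the jail;
    # only the directories listed here are writable.
    run mount -t nullfs -o ro "$base" "$root"
    for dir in var tmp; do
        run mount -t nullfs -o rw "$data/$dir" "$root/$dir"
    done

    # rctl(8) rules, subject:subject-id:resource:action=amount.
    # Needs RACCT/RCTL support in the kernel, as discussed in the thread.
    run rctl -a "jail:$name:maxproc:deny=200"     # fork-bomb ceiling
    run rctl -a "jail:$name:memoryuse:deny=1G"    # resident memory
    run rctl -a "jail:$name:pcpu:deny=50"         # percent of one CPU core

    # dummynet: one pipe shaping traffic sent from the jail's address.
    run kldload -n dummynet
    run ipfw pipe 1 config bw 10Mbit/s
    run ipfw add 1000 pipe 1 ip from "$ip" to any out
}

# Usage (prints the plan): harden_jail www /jails/www 192.0.2.10
```

Review the printed plan first; with DRY_RUN=0 the same function runs the commands on the host.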