Mixing Jails and NFS servers

Hello Everybody!

I'm new here (and to FreeBSD), so if I'm being stupid please give me constructive advice on how not to be stupid.

I run a single server, so it has to do everything :). In particular, I was hoping to run ssh, hostapd, squid, either nfs or samba, a webserver (probably apache), possibly cups, unison and possibly also git.

Most of these services, though, are to be locally accessible only, blocked by the firewall on a SOHO router, and then blocked again by pf; the only services I actually want to be internet accessible are ssh and http/https. So I thought I would set up a jail to run the webserver, and then just run everything else on the "host".

But the jail man page suggests that nfs cannot be run from the host (or at least that it's not easy, and may not be a good idea), so I wonder then, can I serve nfs from a jail instead? Is it still possible to serve the nfs shares via "zfs share"?

I guess if I were to take that approach, it would probably make sense to sandbox all the network services, either running each in their own jail, or running one jail for all the internal services and running one jail for external services, though I would still want to run ssh on the host.

Well, I appreciate it if anybody could help me out, here, I've been scouring the internet for hours, but all I've found are people who want to mount nfs shares in jails, which isn't really what I want to do.
 
Not sure how to edit threads yet, but anyway

All of the nfs daemons actually seem to be configurable to bind to a particular address, that is:

mountd
nfsd
rpcbind
rpc.statd
rpc.lockd

all take an "-h" flag which binds them to a particular address. But yet I quote from the jail(8) man page:

Code:
     In addition, a number of services must be recompiled in order to run them
     in the host environment.  This includes most applications providing ser-
     vices using rpc(3), such as rpcbind(8), nfsd(8), and mountd(8).  In gen-
     eral, applications for which it is not possible to specify which IP
     address to bind should not be run in the host environment unless they
     should also service requests sent to jail IP addresses.  Attempting to
     serve NFS from the host environment may also cause confusion, and cannot
     be easily reconfigured to use only specific IPs, as some NFS services are
     hosted directly from the kernel.

Is perhaps the above section of the jail page out of date? Or is there a problem beyond binding the nfs daemons to particular addresses?

I suppose if I don't hear back from someone who knows, I'll just try it (running nfs on the host) and find out if it works.
 
I don't see any problem with running an nfs server from the host. If you use a drop-all policy on the router or pf and open only ssh, then no one can access NFS over the Internet. Maybe you need to provide a little more info.
 
Thanks for your response Vivek, I think my problem is that I just don't really understand how jails work, and the man pages for jail(8) seem to suggest that there is an issue with running nfs securely in a jail host environment. The main thing which confuses me is how networking is handled in jails, because I don't think it works like either chroot or full-OS virtualization, where either there is no separation between host and guest networking or there is a complete virtualized network interface for communication to the guest. I'll just play around with it a bit on my internal network before I open the webserver up to the big bad internet.

I may try and answer my own question about whether or not you can run an NFS server in a jail while I'm at it.

Thanks again!
 
You might be a bit confused by the terminology. "Host" means the main OS instance of the machine, whereas "jail" is one of the system instances running in a virtualized mode.

The problem is that the Host machine is configured with all of the IP addresses to be used, and then individual Jails are given one IP each, out of that pool. So when you run something that cannot bind to an individual IP address or range on the Host, it is going to answer requests for that service on all Host IPs, which include all of the IPs that should be "containerized" into only what's running in the Jail.

So the solution would be to run those types of services in a Jail, so they only answer to the Jail's IP address. However it sounds like there may be issues running certain services inside of a Jail; that is an orthogonal but related issue.

Does that make sense?
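
The point made in the last reply, that a host service bound to the wildcard address also answers on every jail IP, can be checked from the listening-socket table. The script below is an added example, not part of any post in this thread; the sample text is constructed in the column layout of `sockstat -4 -l`, and the addresses and function names are assumptions.

```sh
#!/bin/sh
# Added example: find host listeners bound to the wildcard address ("*:port").
# Such sockets accept traffic sent to any address configured on the host,
# including the addresses that were handed to jails.

# Constructed sample in the column layout of `sockstat -4 -l` on FreeBSD.
# 192.168.1.10 is the assumed host address.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   192.168.1.10:22       *:*
root     rpcbind    640   9  udp4   *:111                 *:*
root     mountd     655   6  tcp4   *:878                 *:*
root     nfsd       660   5  tcp4   192.168.1.10:2049     *:*
EOF
}

# Reads sockstat-style text on stdin and prints "command proto port"
# for every socket whose local address is the wildcard.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, $5, a[2] }' | sort -u
}

# exposure_report JAIL_IP...
# For each wildcard listener on stdin, names the jail addresses it also serves.
exposure_report() {
    listeners=$(wildcard_listeners)
    if [ -z "$listeners" ]; then
        return 0
    fi
    echo "$listeners" | while read -r cmd proto port; do
        for ip in "$@"; do
            echo "$cmd ($proto) on host also answers at $ip:$port"
        done
    done
}

# Assumed jail addresses; on a live host pipe in `sockstat -4 -l` instead.
sample_sockstat | exposure_report 192.168.1.21 192.168.1.22
```

Daemons started with the "-h" flag mentioned earlier in the thread show a specific local address, like the nfsd line in the sample, and drop out of the report.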
 