amuck-landowner

Running a FreeBSD server with jails

wlanboy

Content Contributer
Well from your previous post it looks like re1 would be the physical interface....or would it?  I mean it could really be either.  So my thought process says to add it like you would to a virtual hosted apache instance, where you apply the IP address to the virtual host and continue to use the mgmt IP to get into the main server.  Am I right in this being the way I want to go?  Is there something I need to do to the routing on the local server?  I am still new to FreeBSD.  I like it.  It forces me to learn.

Thanks in advance!
I would not use any real network device for vms.

Look at my tutorial at the section of this code:


gateway_enable="YES"
cloned_interfaces="lo10"
ifconfig_lo10_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo10_alias1="inet 10.10.10.10 netmask 255.255.255.0"

That will create a virtual network. alias0 is for the host, additional aliases for the vms.

After that you can use pf to forward ports.


The section with following code will guide you:


# nat jail traffic
nat pass on $external_if from $NET_JAIL to any -> $IP_PUBLIC

# web forward
rdr pass on $external_if proto tcp from any to $IP_PUBLIC port $PORT_WWW -> $IP_JAIL_WWW

So all vms can access the internet but the port 80 of the host is forwarded to the vm.

Basically the same setup as the IPv6 providers. One public IP for all vms.
 

Abdussamad

New Member
How would you rate FreeBSD jails compared to other OS level virtualization in terms of security? For example compared to LXC/docker and OpenVZ
 

wlanboy

Content Contributer
How would you rate FreeBSD jails compared to other OS level virtualization in terms of security? For example compared to LXC/docker and OpenVZ
That is all about fancy names and marketing.

They all do solve different problems. The root of all solutions is chroot.

Chroot does have its flaws, but mainly because it was built just to change the "root tree" of the filesystem. No virtual network, no separate process views and none of the other main levels of virtualization.

That's not bad because chroot started in 1982...

The real virtualization started with FreeBSD Jails and LXC. Both had in mind to make use of userspace isolation to provide another layer of security.

Back to the features:

  • FreeBSD Jails:
    - Stable - since BSD 4.2
    - Well documented
    - Still evolving
    - ezjail tool to help setup
    - rctl for resource limits
    - sysctl to limit actions of root
    - ZFS file system to easily clone jails
    - Hierarchical jails
    - Handling of Linux userspace
    - Own network stack with vnet
    - nullfs to link local folders to a jail
  • LXC
    - New tech built into the kernel -> no patching
    - GID and UID mapping within containers
    - Unprivileged containers
    - Kernel namespaces - cool for storage - not so cool for networks
    - cgroups for resource limits
    - Great API (Docker)
  • Docker
    - Great API
    - Based on LXC (kernel namespaces and cgroups)
For me, Jails and LXC have a nice feature set and are working well on every machine.

The lean approach based on kernel functionality made both solutions rock solid.
 

wlanboy

Content Contributer
Update for current FreeBSD version - some parts are now easier.

freebsd-update fetch
freebsd-update install

pkg install nano
pkg install lighttpd
pkg install bash
pkg install ezjail
pkg install py27-fail2ban

Now "pkg install" is the default way to install precompiled packages. Named are all packages used in the tutorial.

Notes on fail2ban - now fully supported by pf.

Add custom script for fail2ban on:

  • nano /usr/local/etc/fail2ban/jail.d/ssh-pf.local
    Code:
    [ssh-pf]
    enabled = true
    filter = sshd
    action = pf
    logpath = /var/log/auth.log
    findtime = 600
    maxretry = 3
    bantime = 3600
  • nano /usr/local/etc/fail2ban/action.d/pf.conf (only tablename is important to set)
    Code:
    [Definition]
    actionstart = 
    actionstop = 
    actioncheck = 
    actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
    actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
    [Init]
    tablename = fail2ban
  • nano /etc/pf.conf
    Code:
    external_if="vtnet0"

    # filled by the fail2ban pf action; persist keeps the table even when no rule references it
    table <fail2ban> persist
    block quick proto tcp from <fail2ban> to $external_if port ssh
Important note: set correct external_if name :)
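The thread's setup hangs on two files agreeing with each other: the jail aliases in rc.conf and the macros and rules in pf.conf (plus the "set correct external_if" gotcha). Below is an added checker, not code from the thread or from FreeBSD, that parses constructed copies of both files and reports mismatches; the IP_JAIL_DB jail, the 203.0.113.5 public address and the 5432 forward are made up for the example.

```python
import ipaddress
import re

# Constructed sample files modelled on the thread's rc.conf and pf.conf snippets;
# the DB jail (10.10.10.20) is forwarded to but never aliased, to produce a finding.
RC_CONF = '''
gateway_enable="YES"
cloned_interfaces="lo10"
ifconfig_lo10_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo10_alias1="inet 10.10.10.10 netmask 255.255.255.0"
'''
PF_CONF = '''
external_if="vtnet0"
IP_PUBLIC="203.0.113.5"
NET_JAIL="10.10.10.0/24"
IP_JAIL_WWW="10.10.10.10"
IP_JAIL_DB="10.10.10.20"
nat pass on $external_if from $NET_JAIL to any -> $IP_PUBLIC
rdr pass on $external_if proto tcp from any to $IP_PUBLIC port 80 -> $IP_JAIL_WWW
rdr pass on $external_if proto tcp from any to $IP_PUBLIC port 5432 -> $IP_JAIL_DB
block quick proto tcp from <fail2ban> to $external_if port ssh
'''

def alias_ips(rc_text):
    """Addresses assigned through ifconfig_<iface>_aliasN="inet ..." lines."""
    return set(re.findall(r'^ifconfig_\w+_alias\d+="inet (\S+)', rc_text, re.M))

def expand(token, macros):
    """Resolve a $macro reference against the pf.conf macro definitions."""
    return macros.get(token[1:], token) if token.startswith("$") else token

def check(rc_text, pf_text):
    """Return a list of findings; an empty list means both files agree."""
    findings = []
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', pf_text, re.M))
    aliases = alias_ips(rc_text)
    cloned = " ".join(re.findall(r'^cloned_interfaces="([^"]*)"', rc_text, re.M)).split()
    # The external interface must be the real NIC, never the cloned loopback.
    if macros.get("external_if") in cloned:
        findings.append(f"external_if {macros['external_if']} is a cloned interface")
    # The nat source network must contain every jail alias, or jails lose egress.
    for src in re.findall(r'^nat pass on \S+ from (\S+) to any', pf_text, re.M):
        net = ipaddress.ip_network(expand(src, macros))
        findings += [f"alias {a} outside nat source {net}" for a in sorted(aliases)
                     if ipaddress.ip_address(a) not in net]
    # Every rdr target must be an address the host actually configures.
    for target in re.findall(r'^rdr .*-> (\S+)', pf_text, re.M):
        ip = expand(target, macros)
        if ip not in aliases:
            findings.append(f"rdr target {ip} is not an alias in rc.conf")
    return findings
```

Run `check(open("/etc/rc.conf").read(), open("/etc/pf.conf").read())` on the real files after editing; pfctl -nf only checks syntax, not whether the forward targets exist.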
 