Article: FreeBSD Jails
Subject: FreeBSD Jail: Too good to be true?
Date: 2003-10-27 00:31:11
From: anonymous2
I work at an ISP as an assistant admin.
They have been having a lot of problems with security, so we have implemented a new security scheme using jails and consistent patching (reason for the hire). Anyway, I have talked to some Oracle admins who advised against using FreeBSD jails and said your services will fail (stability).
I hear only good things about FreeBSD jail, so what I am asking is: what are the bad things, other than some services not running in a jail? For example,
we were able to jail qmail and other services which I had a hard time using chroot with.

  • FreeBSD Jail: Too good to be true?
    2004-05-23 13:39:49  Nemesi

    Hello,

    I coordinate the IT services of a group of large research centers.

    For 2 years all of our primary services (mail/qmail+courier, web/apache2+mysql+imp+egroupware, dns/isc-bind, dhcp/isc-dhcpd, proxy/squid, vmps/OpenVMPS, kerberos/mit-krb5, ldap/openldap, etc. etc.) have run on FreeBSD.

    From the beginning some of them, and nowadays ALL of the services, have run in jailed "virtual machines", on separate IP addresses and on separate disk partitions... running inside jails.

    Essentially all the daemons worked without any problem at the first shot when set up in a "full jail environment" (that is, an entire environment containing /etc, the libraries, the binaries, etc. etc.); most of them worked happily in a "microenvironment" built into a directory and started as a jail; only for a few did we decide to apply local patches to further minimize the amount of "stuff" inside the jail. For example, we have a local patch for dhcpd that makes it "self-jail" at startup (but after loading the dynamic libraries....) so that in the dhcpd jail there are fewer than 20 files in total.

    For one year ALL the services (about 30 daemons running on a cluster of 8 different machines) have run in a jail environment. We never experienced a single problem that we could correlate with the jails (of course some daemons had stability problems of their own, namely openldap and apache2), but nothing that could be in any way correlated with the use of the jails.

    We also have a few instances of Oracle running on a separate set of machines (an OpenVMS cluster, one Linux box and one OS X box). There, yes, we had a number of issues. But those were all installations on platforms "recommended" by Oracle, thus I would say that the problem is Oracle.

    If for some reason you need Oracle, then consider that it is in any case going to be "officially supported" only on the systems that they choose, configured in the ways that they choose. And I think that at Oracle they don't even know what FreeBSD is. Thus the way to minimize the issues will be running Oracle on dedicated machines on the OS they want you to... and of course behind a very well configured (FreeBSD) firewall.

    A.
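A shell sketch of the "microenvironment" approach the reply describes, added here as an example; it is not code from the thread or from the poster's site. It copies a daemon and the shared libraries ldd reports for it into a bare directory, counts what ended up inside, and prints the jail(8) start command using the current parameter syntax (the jail name, the address 192.0.2.10 and the /jails/dhcpd path are placeholders).

```shell
#!/bin/sh
# Build a "microenvironment" jail root: only the daemon binary and the
# shared libraries it links against, laid out under ROOT with their
# original paths. Everything else (/etc, shells, toolchains) stays out.
# Copy FILE into ROOT, recreating its directory; cp keeps the mode bits.
install_into_root() {
    jroot=$1; src=$2
    mkdir -p "$jroot$(dirname "$src")"
    cp "$src" "$jroot$src"
}

# List the absolute library paths ldd prints for BINARY. Handles both
# the "libfoo => /path (addr)" form and the bare "/path (addr)" form;
# the "/path/to/binary:" header FreeBSD's ldd prints is skipped.
shared_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $2 != "=>" && $1 ~ /^\/[^:]*$/ { print $1 }'
}

# build_microjail ROOT BINARY...
build_microjail() {
    root=$1; shift
    mkdir -p "$root"
    for bin in "$@"; do
        install_into_root "$root" "$bin"
        shared_libs "$bin" | while read -r lib; do
            install_into_root "$root" "$lib"
        done
    done
    # FreeBSD's ldd does not list the run-time linker; the daemon still
    # needs it, so copy it when this host has one.
    if [ -e /libexec/ld-elf.so.1 ]; then
        install_into_root "$root" /libexec/ld-elf.so.1
    fi
}

# Number of regular files inside ROOT, to check how small the jail got.
count_jail_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# The jail(8) invocation to start the daemon on its own address inside
# ROOT (add mount.devfs if the daemon needs /dev). Printed, not run.
jail_command() {
    printf 'jail -c path=%s host.hostname=%s ip4.addr=%s command=%s\n' \
        "$1" "$2" "$3" "$4"
}
# e.g. build_microjail /jails/dhcpd /usr/sbin/dhcpd && jail_command /jails/dhcpd dhcpd 192.0.2.10 /usr/sbin/dhcpd
```

Config files the daemon reads (its own /etc/dhcpd.conf, /etc/resolv.conf and the like) are not discovered by ldd and must be added by hand.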