Well... The spirit of this post inspires me the good way! Now we're talking about 10.3-HEAD with Jails+vnet... but then again, has anyone tried it? Roger, it seems you are thumbing up my challenge... But I guess I'll have to stick with netgraph instead of epair/if_bridge because the latter is not as documented as the first one...

Best regards, again...

From: Roger Marquis <marq...@roble.com>
To: freebsd-jail@freebsd.org
Sent: Wednesday, June 1, 2016 13:07:33
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?

Ernie Luzar wrote:
> the kernel to included vimage. Enabling pf or ipf firewalls causes the
> host to crash. ipfw firewall does not cause a crash but has next to no
> real life usage on vimage.

Considering we have had ipfw/vimage/netgraph jails for several years I'd be interested in your data sources.

> When stopping vimage jails there is a problem with memory loss.

Have you tested this, on a recent release?

> You need a high proficiency in coding netgraph which
> is used to tie the hosts network to each vimage jail.

This certainly used to be true and IMO has been a significant barrier to netgraph usage but the scripts in head/share/examples/jails/ are at least helpful.

> Needs a public network with multiple static ip address & registered domain
> names even to test it.

How are you implementing vimage that needs a registered domain name?

> There are a few write ups about how to configure vnet/vimage jails, but
> they're out of date. IE: 8.x & 9.x releases which are at EOL [end of life,
> unsupported]. Vimage gets little attention.

Unfortunately the mapping of non-vimage localhost interfaces to the primary external interface isn't noted nearly enough either. These are weaknesses in bsd jails, the latter a non-trivial security issue on many non-vimage systems considering daemons like sendmail are installed and listening on "localhost" by default.

> Going down this road will make the shop totally dependent on you and your
> ability. A mega size pay bump is in your future. The shop will be fubar-ed
> if you die or get hurt requiring a hospital stay and long recovery.

Potentially true of any Unix or Linux application in my experience.

Have you tried vimage with epair/if_bridge instead of netgraph? It's considerably simpler though the documentation is almost as conflicting and insufficient.

Roger
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"