Jail vnet features

Peter Toth peter.toth198 at gmail.com
Sun Jul 13 23:02:38 UTC 2014


On Mon, Jul 14, 2014 at 4:30 AM, Marcin Michta <marcin.michta at gmail.com>
wrote:

> >
> >wishmaster wrote:
> >>
> >>
> >>  --- Original message ---
> >>  From: "Fbsd8" <fbsd8 at a1poweruser.com>
> >>  Date: 11 July 2014, 16:49:08
> >>
> >>
> >>
> >>> Marcin Michta wrote:
> >>>> Hello,
> >>>>
> >>>>
> >>>>
> >>>> I want to ask what are advantages and disadvantages using VNET?
> >>>>
> >>>> I know that it allows each jail to have a private networking stack,
> >>>> but what else?
> >>>>
> >>>>
> >>>>
> >>>> Regards
> >>>>
> >>>> Marthin
> >>>>
> >>> It's experimental, it has many bugs posted in the PR system, loses memory
> >>> every time a vnet jail is stopped, firewalls in a vnet jail don't work;
> >>> other than these show stoppers, use at your own risk.
> >>
> >> Hey, man. Stop panicking!
> >>
> >> The firewall works very well. The memory leak on shutdown is not a very big
> >> problem.
> >> The main advantage for me is that I am able to filter and prioritize
> >> traffic coming through the base system. My vnet'ed jails are like regular LAN
> >> clients and they share the INET pipe with appropriate weight. I use ipfw.
> >>
> >
> >
> >Oh yeah, a host panic on boot is another common happening with vimage and
> >the firewalls ipf and pf trying to run inside of a vnet jail and on the host at
> >the same time.
> >
> >Many people DO consider any kind of memory leak in kernel software such
> >as vimage a really big show stopper, and reason for not using it in a production
> >system.
> >
> >If you read the previous post a little bit more closely you will see it's
> >talking about a firewall running inside of a vnet/vimage jail. It doesn't
> >say anything about running a host firewall directing traffic to an IP
> >number assigned to a vnet jail.
> >
> >Here is a list of some of the outstanding vnet PRs:
> >
> >143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
> >176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468
> >
> >vnet/vimage is experimental and should never be used in a production
> >system and be exposed to the public network. It is not a secure software
> >configuration. Sure, you can disregard all warnings and common sense and
> >risk your host system, that's your choice.
>
> I didn't know about these problems.
> I'll check these PRs.
> Thanks for the help, all of you :)
>
> Regards
> Marthin
>

The majority of those PRs were raised for 8.x and 9.x and, on top of that,
not even for production releases but for RC, BETA and PRERELEASE. Some of those
were resolved already and some are completely irrelevant.

The vast majority refers to PF inside a jail, which is a known issue anyway
(just avoid it). You can, however, run IPFW inside a jail and PF on the host
itself all at the same time, given that you use 10-RELEASE (preferably
amd64).

If you want to test drive VNET here are a few hints to avoid problems:

1. Don't try to enable PF inside the jail
2. Only add wired and epair interfaces to a bridge - avoid wireless
(might trigger a crash)
3. Don't use ALTQ - as far as I know ALTQ is not supported with VNET
yet anyway
4. Use the GENERIC kernel configuration and just add options "VIMAGE"

And just for amusement, two of those completely irrelevant PRs listed
previously, not even VNET related:
188010 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188010 (ACPI, and
BTW: Status: Issue Resolved FIXED)
176929 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=176929
(gnome-speech, and Issue Resolved FIXED)

Not going to dissect the other remaining PRs - as I mentioned above, they are mostly
outdated, except the ones related to PF inside a jail and a memory leak
which is not a showstopper and can be avoided.

Also, on another note, I constantly bump into alarmist and misinformed
emails related to VNET by a certain individual, telling folks off and
actively deterring them from even trying to test drive VNET jails.

This is not doing the community any favor - VNET is one of the exciting
features (like Crossbow in Illumos) people want to see mature.
Actively deterring these efforts is definitely not going to help and has a
very negative impact!

As for the advantages, a VNET enabled jail will provide much better
isolation (its own network stack) and control than a shared IP based jail setup,
where the local traffic might be exposed across jails. Also, VNET allows per
jail IPFW firewall rules independent from the host's IPFW. With VNET you
can build and simulate complex network setups; I believe this was one of the
main drivers behind creating VIMAGE/VNET.

Peter

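As an added illustration of hints 2 and 4 and the per-jail IPFW point above (a constructed example, not part of Peter's mail or of any FreeBSD project file), here is a host jail.conf entry plus the jail's own rc.conf for one VNET jail attached to a bridge through an epair. The jail name, bridge name, uplink NIC, hostname and addresses are placeholders; it assumes a kernel built from GENERIC plus `options VIMAGE`, that `bridge0` already exists on the host with the wired uplink as a member, and that the ipfw module is loaded on the host (jails cannot load kernel modules themselves).

```conf
# /etc/jail.conf on the host (constructed example; all names are placeholders)
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.invalid";

# Give every jail in this file its own network stack (hint 4: needs VIMAGE).
vnet;

vnetjail1 {
    # Create an epair: the "a" half stays on the host and joins the bridge,
    # the "b" half is moved into the jail. Only wired NICs and epairs go
    # into the bridge (hint 2: no wireless interfaces).
    exec.prestart  = "ifconfig epair1 create";
    exec.prestart += "ifconfig epair1a up";
    exec.prestart += "ifconfig bridge0 addm epair1a";
    vnet.interface = "epair1b";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Destroying one half of the epair removes both halves, so the host
    # side also leaves the bridge when the jail stops.
    exec.poststop = "ifconfig epair1a destroy";
}

# /jails/vnetjail1/etc/rc.conf, inside the jail: its own IPFW rule set,
# independent of the host's firewall (hint 1: do not enable pf in here).
# 192.0.2.0/24 is a documentation prefix used here as a constructed value.
ifconfig_epair1b="inet 192.0.2.10 netmask 255.255.255.0"
defaultrouter="192.0.2.1"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
```

With this layout the host's PF (or IPFW) policy applies to traffic entering and leaving bridge0, while the rules in the jail's /etc/ipfw.rules are evaluated only in the jail's own stack.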