jails or chroot?

Philippe Lang philippe.lang at attiksystem.ch
Tue May 9 15:22:37 UTC 2006


Hi,

Sure, jails require more work regarding administration. Ports are not the
biggest problem, I think; that's the easy part. The problem is when you have to
update the world. But even here, with a good script, it's not such a
nightmare.

Maybe all you need is Michael's solution. But take into account that with
jails, you have a great flexibility regarding the application you install
for a particular client. And all the security that a jail system can offer,
plus a fantastic way of managing your backups.

I personally run a jail-based VPS server, based on FreeBSD 6.0, with 13
jails at the moment. It's a dual Xeon, with 4GB RAM, and RAID 5 SCSI HDs. I
have 355 MB RAM active, 1525 inactive and 1679 MB RAM free. I intend to
run a maximum of 50 jails on this server. And until now, nothing seems to
oppose my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a
clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On behalf of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions at freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant <mg-fbsd3 at grant.org> wrote:
>
> I host a bunch of websites on my box.  Recently I had some problems 
> with file access problems with php which caused me to look into 
> putting each of my clients into their own jail or chroot.  I have 
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients?  Using
> apache and their "mass virtual hosting", 100 domains is a breeze.  But
> with a jail or chroot, I need a separate apache process for each
> domain.  This is going to mean hundreds of apache processes.  This
> seems unreasonable.


Agreed that creating hundreds of chroots or jails would be an administrative
nightmare. File access can be solved with suexec (compile apache with suexec
enabled); this means that for each virtual host entry in your apache config
you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html
or your apache version's doc set). This will make each apache process run as
the user specified in the virtual host entry (not www), allowing you to restrict
their access to files with filesystem ACLs and even ugidfw. You could also
then set up process/memory restrictions in /etc/login.conf.

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
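As an added example, not configuration from the thread: an Apache 2.2 virtual host pair showing the shared-user setup beside the suexec-isolated per-client setup Jahilliya describes. The paths, client user names and the FreeBSD apache22 port with suexec enabled are assumptions; it also assumes PHP is run as a CGI, since suexec only applies to CGI/SSI executed through mod_cgi and not to mod_php running inside the server process.

```apache
# Added example, not from the thread. Assumes apache22 built with
# suexec, one Unix user/group per client, and PHP run as CGI.
User www
Group www

# Weak: every site's scripts run as "www", so a script in one
# client's docroot can read and write any other client's files.
<VirtualHost *:80>
    ServerName clienta.example.com
    DocumentRoot /usr/local/www/clients/clienta/htdocs
    <Directory /usr/local/www/clients/clienta/htdocs>
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
</VirtualHost>

# Isolated: CGI/SSI for this host run as clientb:clientb via suexec.
# The docroot must sit under suexec's compiled-in document root, and
# scripts must be owned by clientb and not group/world writable, or
# suexec refuses to execute them (check the suexec log when it does).
<VirtualHost *:80>
    ServerName clientb.example.com
    DocumentRoot /usr/local/www/clients/clientb/htdocs
    SuexecUserGroup clientb clientb
    <Directory /usr/local/www/clients/clientb/htdocs>
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
</VirtualHost>
```

With per-client ownership in place, filesystem ACLs or ugidfw rules can then be written against each client's own uid/gid rather than the shared www user.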


