state of the art ?
Joe
fbsd8 at a1poweruser.com
Wed Apr 24 13:22:10 UTC 2013
Laurent Alebarde wrote:
> Hi all,
>
> I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials,
> mainly:
>
> * http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
> * http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project
>
>
> I have some questions please :
>
> 1. Are they still up-to-date?
> 2. Does the jail rc script still have to be patched to be able to use pf
> instead of IPFW?
> 3. What are the best up-to-date links for tutorials to set up ZFS
> ipv4/ipv6 vnet jails?
> 4. Can it be put in production safely, or is it still considered
> experimental?
>
> Cheers,
>
>
> Laurent.
>
In my opinion vimage is a very long way from being production safe. The
biggest show stopper is the loss of memory pages when a vnet jail is
stopped. See the year-old PR
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/164763
Besides the memory loss problem there is the problem of no support
for SCTP.
So YES, vimage is still experimental. Use at your own risk.
About vimage and firewalls, ipfw and pf in 9.1-RELEASE are vimage aware.
That means when you boot your host and the host's /etc/rc.conf file has
ipfw_enable="YES" or pf_enable="YES" statements in it, the system will
come up without a page fault or panic. This does not necessarily mean that
you can get one of those firewalls started inside of a vnet jail.
Now that ipfilter has a maintainer it should be vimage aware in
10.0-RELEASE when it's published for general public use.
The shortcoming of both of those links is getting the vnet jail access
to the public internet.
Playing with vimage on 9.1 is a great learning experience, but stick
with regular jails for your production world for the maximum jail security.
zfs is a separate subject for vimage jails and normal jails. zfs is a
very large and complicated subject. You need to become experienced using
zfs on your host first before trying to combine zfs with jails.
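Added example (not part of Joe's reply or of either linked tutorial): one way to give a vnet jail a route to the public internet, which is the gap both tutorials are said to leave open. It assumes a VIMAGE-enabled kernel, a jail(8) that reads /etc/jail.conf, pf as the host firewall, and the interface name em0, the jail name vnetjail, the jail path /usr/jails/vnetjail and the 192.168.100.0/24 transfer network, all of which are placeholders chosen for this illustration. The host end of an epair is addressed on the host, the jail end is moved into the jail's vnet and addressed there, and the host forwards and NATs the jail's traffic out of its external interface.

```conf
# --- /etc/rc.conf (host) ---  assumed fragment, not from the original message
pf_enable="YES"            # host firewall; pf is vimage aware in 9.1-RELEASE
gateway_enable="YES"       # let the host forward packets from the jail's epair
jail_enable="YES"
jail_list="vnetjail"       # placeholder jail name

# --- /etc/pf.conf (host) ---  assumed fragment
ext_if = "em0"             # placeholder external interface
jail_net = "192.168.100.0/24"   # placeholder transfer network for the epair
set skip on lo0
# NAT the jail's transfer network out of the host's public address
nat on $ext_if from $jail_net to any -> ($ext_if)
pass out quick on $ext_if keep state
pass in quick on epair0a from $jail_net to any

# --- /etc/jail.conf (host) ---  assumed fragment
exec.clean;
mount.devfs;
exec.stop = "/bin/sh /etc/rc.shutdown";

vnetjail {
    host.hostname = "vnetjail.example.com";   # placeholder
    path = "/usr/jails/vnetjail";             # placeholder jail root
    vnet;                                     # give the jail its own network stack
    vnet.interface = "epair0b";               # move the jail end of the pair into it

    # On the host, before the jail starts: create the pair, address the host end.
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a 192.168.100.1/24 up";

    # Inside the jail, after epair0b has been moved in: address it, add the
    # default route through the host end, then run the normal rc sequence.
    exec.start  = "ifconfig epair0b 192.168.100.2/24 up";
    exec.start += "route add default 192.168.100.1";
    exec.start += "/bin/sh /etc/rc";

    # Destroying one end of an epair destroys the pair.
    exec.poststop = "ifconfig epair0a destroy";
}
```

Because exec.prestart runs in the host's vnet and exec.start runs inside the jail's, the address and route for epair0b have to be set from exec.start, not from the host side. After `service jail start vnetjail`, `jexec vnetjail ping -c1 <some public address>` should answer through the host's NAT; if it does not, `pfctl -s nat` and `pfctl -s state` on the host show whether the translation is being applied to traffic arriving on epair0a.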