jails or chroot?

Anish Mistry mistry.7 at osu.edu
Tue May 9 15:36:49 UTC 2006


On Tuesday 09 May 2006 08:24, Michael Grant wrote:
> I'll try to be more explicit on my requirements.  I'm not worried
> about mail.  I'm mostly worried about web.  Each client has a web
> site with one or more domains.  I currently offer them
> apache+php+mysql+mod_perl+mod_ssl.  One of them needs java server
> pages, tomcat I think.  Everyone gets access to their own logs and
> to geolizer (webalizer).  Some clients would like shell access. 
> Most clients write their web site using ftp.  Certain ones need
> also the MS Front Page Extensions.  Some clients want an ftp upload
> area.  Ssl poses a special problem in that I need to allocate an ip
> address for those who have their own ssl certificate.  It's pretty
> much all standard stuff.

I use suphp with apache in a mass hosting configuration for about 50 
websites to take care of the php access issues.  You'll need to set up 
the ACLs correctly so there is no snooping.  I then use scponly to 
allow chrooted sftp access to their web directories.  Webalizer logs 
are automatically generated and placed in their chrooted directory for 
download.

As for shell access, I don't allow it.  If people want easy command 
line access I just tell them to use sshfs on FreeBSD or Linux.  The 
Windows and Mac users don't care about shell access.

For the Tomcat, Frontpage, and SSL users just set up jails for them.  
With the inclusion of mergemaster -u subsequent base system upgrades 
are much less painful.  Using null mounts for the common areas should 
lessen the version sync issues.  Once unionfs is stable again, you 
could just use one jail as a base image and allow the others to be 
cloned off of that.

Hopefully some of the above helps you in your situation.

>
> But yes, I totally agree with you, it is an administration
> nightmare to set up separate jails and keep track of which has
> which version of what and so on.  There must be an easier way to do
> this.  Some of you folks who run hosting sites, how do you manage
> large numbers of clients?
>
> Michael Grant
>
> On 5/9/06, Subhro <subhro.kar at gmail.com> wrote:
> > On 5/9/06, Michael Grant <mg-fbsd3 at grant.org> wrote:
> > > I host a bunch of websites on my box.  Recently I had some
> > > problems with file access problems with php which caused me to
> > > look into putting each of my clients into their own jail or
> > > chroot.  I have roughly 100 different domains I'd need to
> > > split.
> >
> > I won't be doing this even if someone pays me twice for doing it.
> > This is going to create a HELL lot of problems later on,
> > especially during upgrades.
> >
> > BTW can you tell us your exact requirements?
> >
> > Thanks and Best Regards
> > Subhro
> >
> > --
> > Subhro Kar
> > Security Engineer
> > iViZ Techno Solutions Pvt. Ltd.
> > eRevMax House, 1st Floor
> > Plot XI-16, Sector V
> > Salt Lake City
> > 700091
> > India
>

-- 
Anish Mistry
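
An added example, not part of the original message: a POSIX shell audit for the "no snooping" requirement in the reply above. It assumes a hypothetical layout of one directory per client under a common web root, with the web server granted access through group ownership or an ACL entry, and it flags any path that still grants permissions to "other". The function names are made up for this sketch.

```shell
#!/bin/sh
# Audit per-client web trees for permission bits granted to "other".
# Assumed (hypothetical) layout: <webroot>/<client>/..., one tree per client.

# Print every path under one client's tree with any r/w/x bit set for "other".
# "-perm -NNN" is POSIX and behaves the same with FreeBSD and GNU find.
# Symlinks are skipped: their own mode bits do not control access.
list_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Walk each client directory under the web root and report findings.
# Returns 0 when every tree is clean, 1 when at least one is exposed.
audit_webroot() {
    root=$1
    found=0
    for site in "$root"/*/; do
        [ -d "$site" ] || continue
        hits=$(list_other_access "${site%/}")
        if [ -n "$hits" ]; then
            found=1
            printf 'EXPOSED %s\n' "${site%/}"
            printf '%s\n' "$hits" | sed 's/^/    /'
        else
            printf 'OK      %s\n' "${site%/}"
        fi
    done
    return $found
}

# Constructed demo data: two client trees in a temp dir, one locked down.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/client_a/htdocs" "$tmp/client_b/htdocs"
    echo '<?php $db_pass = "x"; ?>' > "$tmp/client_a/htdocs/config.php"
    echo '<?php $db_pass = "y"; ?>' > "$tmp/client_b/htdocs/config.php"
    chmod -R u=rwX,g=rX,o= "$tmp/client_a"       # 0750 dirs, 0640 files
    chmod 755 "$tmp/client_b" "$tmp/client_b/htdocs"
    chmod 644 "$tmp/client_b/htdocs/config.php"  # readable by any other uid
    audit_webroot "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "audit found paths accessible to other users"
```

This checks mode bits only; ACL entries need a separate review with getfacl.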