To jail, or not to jail?
fbsdq at peterk.org
Sun Jan 17 03:40:38 UTC 2010
> I've been having fun playing with jails on my home server. There's one
> for databases, one for a webserver, another for using as a play shell
> server, etc. We use jails heavily at work for encapsulating services,
> and I can make a pretty good argument there for doing so. In general,
> though, do you see jails as particularly important or useful when not in
> a hosting environment where you're giving root access to an untrusted
> party? How far do you go toward segregating services? Theoretically, you
> could have a jail per daemon, but it seems like down that path lies
> Kirk Strauser
For a home machine, I don't use any jails. All services run on the host system.
Not in a "hosting" environment with zero "untrusted" users, I still use
'jail'. I can always build a 'newjail', duplicate services on it, test, and
very quickly switch from 'oldjail' to 'newjail' when all tests come back
clean. Gives me a lot more room to play around/break things without
affecting running services.
I try not to have any services on the host system, to keep it completely
clean and easy to upgrade, as I can wipe the OS out [or move the HD to a new server],
reinstall, mount the jails/zfs and have a running system in minutes.