FreeBSD jails advice
Matthew Seaman
matthew at FreeBSD.org
Mon Dec 10 11:51:57 UTC 2018
On 10/12/2018 10:17, Shyaka Rene via freebsd-questions wrote:
>
> Hello, I don't have experience with FreeBSD or system administration, but I need your advice
>
> suppose I have this scenario with 2 computers
>
> 1) server (not big just 8GB RAM) machine with virtualbox or openstack installed with any OS
> - virtual machine 1 for java development with eclipse installed
> - virtual machine 2 for php development with eclipse
> - virtual machine 3 for testing anything
> all these virtual machines have graphical user interface installed (windows or gnome any OS)
> 2) client machine for accessing virtual machines using remote desktop or VNC client.
>
> my problem is
> Is it possible to change this scenario to FreeBSD and jails with x11server installed on jails
> and access them using x11client?
> 1) server machine (FreeBSD)
> - jail 1 (x11 server)
> - jail 2 (x11 server)
> - jail 3 (x11 server)
> 2) client machine (access jails with xclient)
> thank you for your advice

Yes, this is certainly possible, but a bit more complicated than you
might hope.

You've got the client and server sides of X mixed up. The X server is
the bit which controls the display -- i.e. it runs on your laptop or
desktop machine. The X client is the piece of software that you are
trying to interact with through that display -- so, eclipse in this
case. Clients can be run either locally or remotely. It's confusing
because it is the other way round from just about any other network
accessible service where you run a local client to connect to a server
which could also be local but is almost always remote.

So, you don't need an X server in each of the jails. You just need your
X capable software in each jail and you need to set the DISPLAY
environment variable correctly so that it will talk to your X server on
your local desktop.

Please do not use remote X11 access across a network in plaintext.
That's roughly of the same order of badness as using things like rsh or
rlogin.

Instead, set up your jails with ssh and ssh into each of them,
forwarding an X connection over SSH (which will typically set up things
like DISPLAY appropriately in the environment for you.)

This means that the X client only needs to talk on the loopback address
in order to feed the traffic into the SSH session. Unfortunately with
standard FreeBSD jails, there isn't a loopback interface within the
jail, and any attempt to connect to the loopback is transparently
redirected to connect to the jail external interface, which kind of
confounds the whole security arrangement there. So make sure to write
your firewall rules carefully to prevent X traffic egressing from your
jails onto the network at large. You might consider investigating VNET
jails, which are new in 12.0-RELEASE (due out Real Soon Now), where
individual jails *do* have their own loopback addresses, but these are a
bit more complex to set up.

Cheers,

Matthew
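
A check that can be run inside a jail to see which transport an X client would use for a given DISPLAY value, so that a plaintext network display is caught before an application is started. This is an added example, not part of the original message; the function name `classify_display` and the sample host names are assumptions made for illustration.

```shell
#!/bin/sh
# Classify an X11 DISPLAY value ([host]:display[.screen]) by transport.
# Prints local-socket, loopback-tcp:<port>, plaintext-tcp:<host>:<port>
# or invalid. Returns 0 for the first two, 2 for plaintext, 1 if invalid.
classify_display() {
    d=$1
    case $d in
        *:*) ;;                          # host/display separator present
        *)   echo invalid; return 1 ;;
    esac
    host=${d%:*}                         # text before the last ':'
    rest=${d##*:}                        # display[.screen]
    num=${rest%%.*}                      # display number only
    case $num in
        ''|*[!0-9]*|0?*) echo invalid; return 1 ;;
    esac
    port=$((6000 + num))                 # X11 over TCP uses 6000 + display
    case $host in
        ''|unix|/*)
            # Unix-domain socket: nothing leaves the machine.
            echo local-socket ;;
        localhost|127.0.0.1|::1|'[::1]')
            # What sshd X11 forwarding normally sets (localhost:10.0 and up).
            # In a non-VNET jail, loopback is redirected to the jail's
            # external address, so this port still needs a firewall rule.
            echo "loopback-tcp:$port" ;;
        *)
            # Unencrypted X11 straight to a remote X server.
            echo "plaintext-tcp:$host:$port"; return 2 ;;
    esac
}

# Constructed sample values; pass "$DISPLAY" instead when inside the jail.
for sample in ":0" "localhost:10.0" "desktop.example.org:0.0"; do
    printf '%-26s %s\n' "$sample" "$(classify_display "$sample")"
done
```

The port printed for each case is the one the firewall rules for the jail have to account for.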