When to use Jails with VNET, and when not?!

Matthew Seaman matthew at FreeBSD.org
Tue Jan 29 07:17:36 UTC 2019


On 28/01/2019 18:13, Parsa Samet via freebsd-questions wrote:
> Would someone please give me a brief explanation of when to use
> jails with VNET and when not to? If VLAN-ing is not my concern, and 
> services I use do not need a separate network stack - let’s say I run
> anything from DNS server to MailServer, Database, Java Application
> Server, VCS, CICD implementations, Streamers, Log Analyzers, etc.,
> but believe they don’t in all scenarios need separate stacks - would
> there be anything else left for me to benefit from VNET?

There is no general clear-cut reason to use VNET jails over traditional
ones -- for the vast majority of cases, either style will serve you
well.  There are some edge cases where the decision is easier:

  * Jails with no networking -- these might not sound very useful, but
    for example, they are used heavily by poudriere for providing clean
    build environments.  In this case, there's no need to add all the
    host-side pieces for a VNET jail, like configuring a bridge0

  * Jails that need an independent routing table or firewall
    config, typically because management of the jail has been delegated
    to a different group than manages the containing host.  Not always
    though: on a multi-homed system jailed applications can quite easily
    need different routing than the main host.  These are certainly best
    served through VNET jails.

  * Jails where the software needs access to a standard loopback
    interface or where loopback traffic should not be routed via a
    network accessible interface for security reasons.  Again, VNET
    jails are appropriate here.

  * In a mixed environment of bare-metal servers and jails, configuring
    jails to use VNET means that they behave much more like standard
    hosts.  This may simplify management, particularly if you use
    configuration management systems like ansible or puppet.

An example of software that benefits from the third case is unbound
where it rejects packets that appear on a different interface than it
expects.

I suspect that for the services you mention, there is no compelling case
either way between VNET and traditional jails.  You get to choose fairly
arbitrarily.

> All services I run on my servers are in a jail, and only some rare
> services are in an OpenBSD vm on top of bhyve. Also, I’m on FreeBSD
> 12.0-RELEASE-p2 with ZFS.

Yes -- 12.0-RELEASE is most suitable for running VNET enabled jails.
You could do it on older FreeBSD versions, but the code was a lot less
polished and you'd need a custom kernel.  ZFS works nicely with jails
-- consider investigating the iocage jail management software:
https://github.com/iocage/iocage which stores jail configurations as ZFS
properties.

	Cheers,

	Matthew
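The following jail.conf fragment is an added illustration of the contrast Matthew draws, not part of the original thread and not taken from any FreeBSD documentation. It places a traditional jail (shared host stack, address aliased onto a host NIC) beside a VNET jail (its own stack, loopback, routing table and firewall state, attached to the host through an epair on a bridge). The interface names em0 and bridge0, the 192.0.2.0/24 addresses, the jail paths under /jails and the hostnames are assumptions chosen for the example; bridge0 is assumed to already exist on the host.

```conf
# Added example: traditional vs. VNET jail in /etc/jail.conf.
# Names, addresses and paths are assumptions, not values from the thread.

# Shared settings for both jails.
exec.clean;
mount.devfs;
exec.stop = "/bin/sh /etc/rc.shutdown";

# Traditional jail: no separate network stack.  192.0.2.10 is added as an
# alias on the host's em0 when the jail starts, and the host's routing
# table and firewall apply.  Inside the jail, 127.0.0.1 is rewritten to
# the jail's first address, which is the behaviour software such as
# unbound can object to.
www {
    path = "/jails/www";
    host.hostname = "www.example.org";    # assumed
    interface = "em0";                    # assumed host NIC
    ip4.addr = 192.0.2.10;                # assumed address
    exec.start = "/bin/sh /etc/rc";
}

# VNET jail: a fresh network stack with a real lo0.  The host creates an
# epair, attaches the "a" end to bridge0 and hands the "b" end to the
# jail; everything below exec.start runs inside the jail's own stack, so
# its default route and any firewall rules it loads are its own.
dns {
    path = "/jails/dns";
    host.hostname = "dns.example.org";    # assumed
    vnet;
    vnet.interface = "epair0b";

    # Host side, before the jail exists.
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";   # bridge0 assumed

    # Jail side: bring up loopback and the epair, set a route, then boot.
    # Alternatively put the same into the jail's /etc/rc.conf and let
    # /etc/rc handle it.
    exec.start  = "/sbin/ifconfig lo0 127.0.0.1/8 up";
    exec.start += "/sbin/ifconfig epair0b inet 192.0.2.20/24 up";
    exec.start += "/sbin/route add default 192.0.2.1";
    exec.start += "/bin/sh /etc/rc";

    # Host side, after the jail is gone: destroying one end of an epair
    # removes both.
    exec.poststop = "ifconfig epair0a destroy";
}
```

With this in place, `jail -c www` needs nothing beyond a host NIC, whereas `jail -c dns` depends on the bridge and epair plumbing, which is the "host-side pieces" overhead the first bullet refers to. A quick check of the difference after both are running: `jexec dns netstat -rn` shows only the jail's own routing table, while `jexec www netstat -rn` shows the host's.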
