to jail or not to jail

Matthew Seaman matthew at
Sun Jun 2 09:54:30 UTC 2019

On 02/06/2019 01:30, David Mehler wrote:
> Hello,
> I've got a newly installed FreeBSD 12 vps. It's going to be running a
> web server/php hosting multiple sites, with letsencrypt tls
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt tls certificates. Previously I've had all this on one
> host.
> What I'm wondering is if I should jail off these services, I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/php in another
> jail, and the email server in a third jail? If I do this how would I
> get the tls certificates in to each jail, I'm looking for the maximum
> automation.

I too run a mail system with much the same components as you describe.
Well, postgresql rather than mysql, but otherwise pretty much the same.
And similarly I've split everything out into jails.  It's more
complicated to set up, but actually running things where you have a set
of nice simple jails with one specific service in each makes things
easier to cope with day-to-day.  It's docker-esque, if that's something
that interests you.

I split things up as:

   - SMTP server (postfix)
   - IMAP server (dovecot)
   - SPAM filter (rspamd)
   - Database (postgresql)

except the database is still running in the host system for
historical reasons and a dearth of round tuits.  I hook various
functions (DKIM, DMARC, rspamd) into postgresql using milters, and I
considered jailing off each milter separately, but ultimately ended up
just running all the milter processes in the same jail as postfix.

In terms of running PHP based web-apps, I'd dedicate a separate jail to
each application running under php-fpm, and then have a single frontend
running nginx to act as a reverse proxy / TLS endpoint / Layer-7 traffic

For letsencrypt purposes, I use a DNS-01 challenge because that seemed
to make the most sense given I wasn't going to deploy most certs on web
servers.  Then I just wrote a custom deploy hook script to copy certs
into the jail filesystems and restart servers.  Although I've created at
least a separate ZFS for each jail, I haven't gone down the route of
using 'zfs jail ...' to hide them from the main host system, as it makes
copying things into jails from the host that much easier.  I'd also
think about using vimage jails on 12.0, as that makes the jails seem a
lot more like just regular VMs, and gives you the ability to effectively
create a private virtual switch inside your server, rather than having
services appear on external interfaces.  Beware though that there are
currently some quite severe bandwidth limitations on this sort of
internally virtualized networking under FreeBSD, so this is not suitable
for a high-traffic system.
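
The deploy hook described in the message above, sketched as an added example (it is not the poster's script and not part of the original message). It assumes the ACME client calls the hook with the key file and full-chain file as two arguments; the jail root, in-jail certificate directory, jail names and service names are all hypothetical.

```sh
#!/bin/sh
# Added example, not the poster's script. Paths, jail names and service
# names below are hypothetical; adjust to the local layout.
: "${JAIL_ROOT:=/usr/local/jails}"     # assumed: one ZFS dataset per jail here
: "${CERT_DIR:=usr/local/etc/ssl}"     # assumed path inside each jail
: "${RESTART:=jexec}"                  # run as: jexec JAIL service NAME restart
: "${TARGETS:=smtp:postfix imap:dovecot web:nginx}"   # assumed jail:service

# install_file SRC DST MODE -> 0 replaced, 1 already identical, 2 error
install_file() {
    src=$1 dst=$2 mode=$3
    [ -r "$src" ] || return 2
    cmp -s "$src" "$dst" 2>/dev/null && return 1
    tmp="$dst.tmp.$$"
    # Write under umask 077 so the key is never readable by others, then
    # rename so a running server never sees a half-written file.
    if ( umask 077; cat "$src" > "$tmp" ) && chmod "$mode" "$tmp" &&
        mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# deploy_to_jail JAIL SERVICE KEY CHAIN -> 0 deployed and restarted,
# 1 nothing changed (service left alone), 2 error
deploy_to_jail() {
    jail=$1 svc=$2 key=$3 chain=$4
    dir="$JAIL_ROOT/$jail/$CERT_DIR"
    # The host writes as root into a tree the jail controls: refuse a
    # target directory that is itself a symlink rather than follow it.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "deploy: bad target $dir" >&2
        return 2
    fi
    rc=0; install_file "$chain" "$dir/fullchain.pem" 0644 || rc=$?
    rk=0; install_file "$key" "$dir/privkey.pem" 0600 || rk=$?
    [ "$rc" -le 1 ] && [ "$rk" -le 1 ] || return 2
    [ "$rc" -eq 1 ] && [ "$rk" -eq 1 ] && return 1
    $RESTART "$jail" service "$svc" restart || return 2
}

# Invoked by the ACME client as: hook KEYFILE FULLCHAINFILE (assumed order)
if [ "$#" -eq 2 ]; then
    for t in $TARGETS; do
        deploy_to_jail "${t%%:*}" "${t#*:}" "$1" "$2" || [ "$?" -eq 1 ] || exit 2
    done
fi
```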




More information about the freebsd-questions mailing list