to jail or not to jail

Julien Cigar julien at
Mon Jun 3 10:19:35 UTC 2019

On Sat, Jun 01, 2019 at 08:30:31PM -0400, David Mehler wrote:
> Hello,


> I've got a newly installed FreeBSD 12 vps. It's going to be running a
> web server/php hosting multiple sites, with letsencrypt tls
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt tls certificates. Previously I've had all this on one
> host.
> What I'm wondering is if I should jail off these services, I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/php in another
> jail, and the email server in a third jail? If I do this how would I
> get the tls certificates in to each jail, I'm looking for the maximum
> automation.

I would highly suggest to jail everything, not only for the added
security, but also for maintainability.

- Script everything with some CMS (I highly recommend SaltStack)
- Use ZFS (and clones) and two datasets per jail: one for the things you
  deploy with your CMS and one for the "data" (= things generated by
  the installed applications within the jail), with some nullfs mounts
  from the HOST into the jails. It will facilitate the updates a lot.
  At the end the goal is to be able to zfs destroy tank/jails/your_jail
  and re-create it from scratch with one command.
- With VIMAGE, tagged VLANs, some orchestration tool (SaltStack), and
  ZFS snapshots send/receive your can achieve nearly real-time
- Use HAProxy and SNI, and manage certs from there. At work we have an
  orchestration script which 1) generate Let's Encrypt certificates in
  somejail (certbot.lan) and if it succeed 2) rsync them on the HAProxy


> Thanks.
> Dave.
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

Julien Cigar
Belgian Biodiversity Platform (
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the freebsd-questions mailing list