# Jails in production environments (resources, limits, immutable)



## storvi_net (May 21, 2013)

Hello guys,

My name is Markus and I am new to FreeBSD. My background is IT Security and mainly Linux, but I am open to new experiences. For production use I am looking for an efficient solution to put several parallel servers on one big host - jails seem to be a good solution.

Before I build my test environment I want to ask for some points:

1. For a secure usage of the jails I have to recompile the kernel with rctl(8) to prevent processes using all bandwidth (network), all RAM / CPU or starting fork bombs (also root in the jail)
2. If I want to use ZFS as the filesystem for the jail-storage: is it possible to create an immutable jail (as far as I read the flag is just available in UFS)? Do I have to use ZFS ACLs? Immutable jail means that even the root-user can not change some files inside the jail.

As English is not my native language I probably didn't use the correct search terms, so beside answers I would take links and hints.

Thanks
Markus


----------



## ta0kira (May 21, 2013)

storvi_net said:

> For a secure usage of the jails I have to recompile the kernel with rctl(8) to prevent processes using all bandwidth (network), all RAM / CPU or starting fork bombs (also root in the jail)


This is half true. You need rctl to reliably limit resources consumed by jail processes, but you'd use ipfw+dummynet to limit bandwidth.


storvi_net said:

> If I want to use ZFS as the filesystem for the jail-storage: is it possible to create an immutable jail (as far as I read the flag is just available in UFS)? Do I have to use ZFS ACLs? Immutable jail means that even the root-user can not change some files inside the jail.


Take a look at Application of Jails. The idea is that the writable filesystem resides outside of the jail and you selectively mount directories into the jail with nullfs.

Kevin Barry


----------



## storvi_net (May 22, 2013)

Hello again,

So thanks for the first answer. I will read through the documentation of rctl(8) again and combine it with the information I will find about dummynet (are there any recommended examples?).

I read the part about jails you pointed out for me - thanks for that, too.

Regards.
Markus


----------



## ta0kira (May 22, 2013)

The ipfw manpage has some examples. You load the dummynet module and manage it via ipfw. pf also has something similar built into it, in case you're using pf to set up NAT for the jail.

Kevin Barry
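Putting the two answers above together as an added example (not written by any poster in this thread): a dry-run script that prints the rctl(8) rules, the ipfw dummynet pipe and the read-only nullfs fstab entries for one jail. The jail name `web1`, the address `192.0.2.10`, the paths under `/jails` and the limit values are constructed placeholders; the commands are only printed, so the output can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: emit the resource-limit, bandwidth and read-only mount
# configuration for a jail as a dry run. All names, paths and amounts below
# are constructed placeholders; nothing is applied to the running system.
set -eu

# rctl(8) rules have the form subject:name:resource:action=amount. They are
# applied with "rctl -a <rule>" or persisted in /etc/rctl.conf, and require a
# kernel built with "options RACCT" and "options RCTL".
rctl_rules() {  # jail_name max_processes max_memory cpu_percent
    printf 'jail:%s:maxproc:deny=%s\n' "$1" "$2"    # caps fork bombs
    printf 'jail:%s:memoryuse:deny=%s\n' "$1" "$3"  # caps RAM, e.g. 2g
    printf 'jail:%s:pcpu:deny=%s\n' "$1" "$4"       # caps CPU, percent of a core
}

# Bandwidth is not an rctl resource; dummynet shapes it with an ipfw pipe
# keyed on the jail's IP address ("kldload dummynet" first).
dummynet_rules() {  # jail_ip pipe_number bandwidth
    printf 'ipfw pipe %s config bw %s\n' "$2" "$3"
    printf 'ipfw add pipe %s ip from %s to any out\n' "$2" "$1"
    printf 'ipfw add pipe %s ip from any to %s in\n' "$2" "$1"
}

# The shared base system lives outside the jail and is nullfs-mounted
# read-only, so even root inside the jail cannot change those files.
nullfs_fstab() {  # base_dir jail_root dir...
    base=$1; root=$2; shift 2
    for d in "$@"; do
        printf '%s/%s %s/%s nullfs ro 0 0\n' "$base" "$d" "$root" "$d"
    done
}

show_plan() {  # jail_name jail_ip
    rctl_rules "$1" 200 2g 50
    dummynet_rules "$2" 1 10Mbit/s
    nullfs_fstab /jails/base "/jails/$1" bin lib libexec sbin usr
}

show_plan web1 192.0.2.10   # constructed sample jail
```

Writable state (`/etc`, `/var`, application data) is left out of the nullfs list on purpose so it can live on a per-jail dataset or a separate rw mount.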


----------

