# Is it possible to install multiple roles on the same server?



## sdf (Aug 18, 2018)

Hello everyone,

Is it possible to install multiple roles on the same server, such as dns, dhcp, ntp, ftp, file server? What is the usual recommended practice or convention?

Thank you.


----------



## `Orum (Aug 18, 2018)

FreeBSD can run as many daemons as you have the hardware (RAM/CPU/etc.) to support.  The simplest way is to edit /etc/inetd.conf and uncomment the servers you want it to run (followed by `service inetd reload`), but it doesn't handle all protocols and they generally don't have a lot of bells and whistles.  You may want to check out ports(7) or pkg(8)s in order to install fancier, more flexible daemons, or those for services not supported by inetd.

As for recommendations, I suggest if you're running a lot of daemons accessible via the Internet, you may want to look at jail(8)ing them for better security.  However, that's a bit advanced so if you're not familiar with FreeBSD you may want to read the relevant sections of the handbook first.


----------



## Maelstorm (Aug 18, 2018)

sdf said:


> Hello everyone,
> 
> Is it possible to install multiple roles on the same server, such as dns, dhcp, ntp, ftp, file server? What is the usual recommended practice or convention?
> 
> Thank you.



Absolutely.  I have one machine that is a NAT'd firewall/router/gateway which runs DNS, DHCP, and SSH servers.  I have another machine that's a web server (FAMP), SSH, and NFS.  Plus it's my development server as well.  The hardware is the hardware.  What daemons you run is up to you.

About inetd: inetd is the 'superserver' for FreeBSD.  It includes TCP wrappers.  It can generally support pretty much any networked service out there if configured properly.  Common ones are telnet, ssh, ftp, and tftp to name a few.  MTAs such as sendmail and qmail as well.


----------



## rigoletto@ (Aug 18, 2018)

And you still can install and run each one in a separate jail(8).


----------



## VladiBG (Aug 18, 2018)

Yes, you can do it, but it's not right. You need to think about establishing high availability for every service that you run in case the hardware fails.


----------



## Phishfry (Aug 18, 2018)

sdf said:


> dns, dhcp, ntp, ftp, file server?





lebarondemerde said:


> And you still can install and run each one in a separate jail(8).


I totally agree, but a separate jail for only ntp seems excessive. What I use is groupings in jails.
Some things like ftp or a web server need a separate jail regardless of size (my opinion).
NTP can only whack your clock time so group it with something that does not depend on time.
DNS and DHCP are networking based and I usually group them.

File server is a broad term. On a local network I don't jail my NFS servers.

Am I doing it wrong? Should I sandbox every single network capable service?


----------



## rigoletto@ (Aug 18, 2018)

Phishfry said:


> Am I doing it wrong? Should I sandbox every single network capable service?



Well, that is much of a taste decision too. I separate everything but NTP, for which I use the guest one.

Currently I have separate jails for syncthing (using it in a server-like fashion), unbound, znc, web server, postgresql. NTP and the ZFS back I do on the host.

About VladiBG's comment, a cheap solution for redundancy would be to run everything from the 'same' server but having two identical ones in carp(4) mode.


----------



## ShelLuser (Aug 18, 2018)

sdf said:


> Is it possible to install multiple roles on the same server, such as dns, dhcp, ntp, ftp, file server?


Of course, so my counter question would be: what makes you think it couldn't?



sdf said:


> What is the usual recommended practice or convention?


Whatever works best for you. This isn't a Windows environment where you simply select and add a "role" to your server, in fact the whole concept of roles doesn't exist on Unix as it does on Windows.

At best you simply enable a service by starting it. Take an FTP server for example... All it takes is ftpd_enable="YES" in /etc/rc.conf. SSH? Just enable it. You can take a look at /etc/default/rc.conf for an overview of all the services and options which are available there. Just be careful not to edit it: that should be done in /etc/rc.conf instead.

Seriously though, read the FreeBSD handbook for a change. This is not an "RTFM" kind of answer but it contains answers to most basic questions, just like this one here. Not only that, it will also explain how you can set everything up.



`Orum said:


> The simplest way is to edit /etc/inetd.conf and uncomment the servers you want it to run (followed by `service inetd reload`), but it doesn't handle all protocols and they generally don't have a lot of bells and whistles.


That's actually not very good advice because inetd is disabled on FreeBSD by default. And if the OP needs to enable a service in /etc/rc.conf anyway it would make more sense to address the service(s) they actually want to run.



Phishfry said:


> Some things like ftp or a web server need a separate jail regardless of size (my opinion).


So possible customers won't be able to use FTP to update their own websites?   Or do both jails get access to a shared storage section on the host? If you do this for enhanced security then that too could be tricky (depending on the situation)


----------



## rigoletto@ (Aug 18, 2018)

The only thing that I know of that still relies on inetd(8) is Heimdal when you run it in master/slave mode.


----------



## Maelstorm (Aug 18, 2018)

Back to my setup, since I am running this on a home network, and that there is another firewall in front of my firewall, I am not overly concerned about jailing things.  Now if this was in a business environment, then it would be a whole different matter.


----------



## `Orum (Aug 19, 2018)

ShelLuser said:


> That's actually not very good advice because inetd is disabled on FreeBSD by default. And if the OP needs to enable a service in /etc/rc.conf anyway it would make more sense to address the service(s) they actually want to run.


`service` will tell you this, e.g.: "Cannot 'reload' inetd. Set inetd_enable to YES in /etc/rc.conf or use 'onereload' instead of 'reload'."

It's not terribly difficult to run `echo "inetd_enable=YES" >> /etc/rc.conf`.


----------
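
Added example, not part of the thread: a shell function that inventories which daemons an rc.conf-style configuration will start, reflecting the `ftpd_enable="YES"` and `inetd_enable=YES` settings discussed above. The sample file contents and the names `enabled_services` and `make_sample` are constructed for illustration; the accepted values (YES/TRUE/ON/1, any case) follow rc.subr's `checkyesno`.

```shell
# Added example (not from the thread). All file contents are constructed.
# rc.conf files are sourced as shell, so the LAST assignment wins, and
# rc.subr's checkyesno accepts YES/TRUE/ON/1 in any case as "enabled".
enabled_services() {
    # $@: files in the order rc reads them (defaults first, overrides last)
    awk -v sq="'" '
        /^[ \t]*#/ { next }                       # whole-line comment
        match($0, /^[ \t]*[A-Za-z0-9_]+_enable=/) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]+/, "", name)
            sub(/_enable=$/, "", name)
            val = substr($0, RSTART + RLENGTH)
            sub(/[ \t]*#.*$/, "", val)            # trailing comment
            gsub(/"/, "", val); gsub(sq, "", val) # surrounding quotes
            sub(/[ \t]+$/, "", val)
            state[name] = toupper(val)            # later lines override
        }
        END {
            for (n in state)
                if (state[n] ~ /^(YES|TRUE|ON|1)$/) print n
        }
    ' "$@" | sort
}

# Constructed sample: a defaults file plus a local rc.conf for a multi-role box.
make_sample() {
    dir=$1
    cat > "$dir/defaults.conf" <<'EOF'
inetd_enable="NO"       # constructed default
sshd_enable="NO"
ntpd_enable="NO"
EOF
    cat > "$dir/rc.conf" <<'EOF'
sshd_enable="YES"
ntpd_enable="yes"       # lower case still counts
ftpd_enable="YES"
# dhcpd_enable="YES"    (commented out: not started)
named_enable="NO"
inetd_enable=YES
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
enabled_services "$tmp/defaults.conf" "$tmp/rc.conf"
rm -rf "$tmp"
```

On a running FreeBSD system, `service -e` lists the enabled rc.d scripts directly; the parser is for reviewing configuration offline, for example before deciding which services to group into jails.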

