# MySQL jails - Where to install MySQL to service two jails?



## master-richie (Nov 9, 2015)

I have two jails on my internal web development / groupware server that will run Drupal in one jail and egroupware in the other. Both ports use MySQL and both jails are on my internal network with no chance of getting attacked so I'm wondering what would the best installation for MySQL be?

Should I:

- Install MySQL on the host and let the jails talk to the db with socket connections
- Install MySQL in a third jail and use a socket connection to MySQL to pass through the jail
- Install MySQL in a third jail and let the clients connect using a loopback interface
- Install MySQL in a third jail and let the clients connect via the network

Personally I like MySQL on the host and using socket connections because it satisfies my desire to keep the vlans not talking to each other plus it sounds faster but I definitely do not know how to do that. I got that idea in my head because someone here briefly mentioned it on someone else's post that's what he did.

Advice?


----------



## yggdrasil (Nov 9, 2015)

When we talk about services, I always tend to ask "Does this need to run on the host itself?", not "Does it need to run in a jailed/chrooted environment?". So unless you have reason to do otherwise, jail MySQL.

Now, the easiest would be to have MySQL talk to the other jails over the network. If both other jails are already on a loopback interface, just add MySQL to it. If they are on your regular, outbound interface you can either add loopback interfaces to all three jails for the DB connection (so MySQL won't be able to talk to anyone else except the two jails), or you can have MySQL also running on the public interface. Depends a bit on your environment.

Another option would be to nullfs-mount a directory that is only used for the socket file into all three jails. Now the two jails can communicate via a socket file with the MySQL server. I wouldn't be so sure that this would be necessarily much faster than simply using the network.


----------



## master-richie (Nov 9, 2015)

yggdrasil said:


> When we talk about services, I always tend to ask "Does this need to run on the host itself?", not "Does it need to run in a jailed/chrooted environment?". So unless you have reason to do otherwise, jail MySQL.
> 
> Now, the easiest would be to have MySQL talk to the other jails over the network. If both other jails are already on a loopback interface, just add MySQL to it. If they are on your regular, outbound interface you can either add loopback interfaces to all three jails for the DB connection (so MySQL won't be able to talk to anyone else except the two jails), or you can have MySQL also running on the public interface. Depends a bit on your environment.
> 
> Another option would be to nullfs-mount a directory that is only used for the socket file into all three jails. Now the two jails can communicate via a socket file with the MySQL server. I wouldn't be so sure that this would be necessarily much faster than simply using the network.



Yeah I was thinking about it further last night after I typed this ... In my environment, each of my jails is on a separate subnet that I do not want to allow the other network access to so I'm thinking MySQL inside a jail and connected to the other jails via sockets.


----------
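The shared-socket layout discussed in this thread (MySQL in its own jail, one host directory nullfs-mounted into all three jails), as an added configuration example that is not part of any post above. The jail names, the `/jails/...` paths and the `mysql-shared` directory name are assumptions; the lines go into existing jail definitions and MySQL configuration files, and each mount target directory must already exist inside its jail.

```conf
# ---- /etc/jail.conf on the host (names and paths are assumptions) ----
# /jails/shared/mysql-sock is a host directory that holds only the socket file.
# Each "mount" value is a single fstab(5) line, mounted when the jail starts.
mysql {
    path = "/jails/mysql";
    mount += "/jails/shared/mysql-sock /jails/mysql/var/run/mysql-shared nullfs rw 0 0";
}
drupal {
    path = "/jails/drupal";
    mount += "/jails/shared/mysql-sock /jails/drupal/var/run/mysql-shared nullfs rw 0 0";
}
egroupware {
    path = "/jails/egroupware";
    mount += "/jails/shared/mysql-sock /jails/egroupware/var/run/mysql-shared nullfs rw 0 0";
}

# ---- my.cnf inside the mysql jail ----
[mysqld]
# Create the socket in the shared directory instead of the default location.
socket = /var/run/mysql-shared/mysql.sock
# No TCP listener: the socket file is the only way to reach the server,
# so the jails' subnets never need a route to each other for the database.
skip-networking

# ---- my.cnf inside the drupal and egroupware jails ----
[client]
# Used by the mysql command-line tools; each web application must also be
# pointed at this socket path in its own database settings.
socket = /var/run/mysql-shared/mysql.sock
```

Because every jail sees the same directory, keep nothing else in it and grant MySQL accounts per application, so that access to the socket alone does not give one jail the other's database.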

