deploy multiple vnets with VIMAGE/VNET + Production Ready?

Roger Marquis marquis at roble.com
Wed Jun 1 22:31:34 UTC 2016


>> Ernie Luzar wrote:
>> Considering we have had ipfw/vimage/netgraph jails for several years I'd
>> be interested in your data sources.
>
> The source is personal experience. Tested 9.3 & 10.0 with ipfw running
> in vnet/vimage jails. At that time ipfw was logging to the host and not
> to the vimage jail. Definitely a security violation.

Kernel logging in general, not just for ipfw, is something that really should
not propagate to jails but does.

> You know I give you a lot of credit for risking things on vnet/vimage
> jails in your shop. Most management just wouldn't take that risk.

Wasn't me but the engineers here before me.  My personal preference is for
non-vimage jails, at least where the networking makes sense.  Prefs aside, we
do have many vimage/netgraph/ipfw systems working well in the lab and field
(of production high-volume financial applications).

>> the scripts in head/share/examples/jails/ are at least helpful.
>
> I checked out those examples. Hardly any comments about what is
> happening or why they're being done. All they are is a starting point for
> experimenting with trial-and-error testing.

The j?? scripts aren't meant as documentation but for ease of setup, to be
called from /etc/jail.conf with a straightforward set of parameters.  Agreed,
documentation here is still wholly insufficient.

> I disagree with you about the security issue of using localhost. Running
> sendmail in a non-vimage jail using its default config listening on
> localhost is still contained in the jail. Localhost is internally
> converted to the jail's assigned IP address by jail(8).

How is anything listening on localhost internally converted yet still
contained in the jail?  I mean what is the mechanism and why sendmail but not
other daemons?

>  Why do you think this is a non-trivial security issue?

 telnet $jail 25
 ehlo ...
 mail from: <...>
 rcpt to: <...>
 data

Sendmail has never been a relatively secure app, and DOS/DDOS and spam are
vulnerabilities, but point taken.

Problem is the localhost to external mapping impacts not just sendmail but
named, postfix and anything else listening on 127.0.0.1.

> My time for playing around is very limited. I'll wait for 11.0 to be
> published and see what the "release notes" say about vimage and the
> firewalls becoming vimage aware. Also will be checking the closed bugs
> for vimage to see what has been fixed.

I have tested 11-CURRENT non-vimage, netgraph and if_bridge jails using iperf3
and have not yet been able to trigger a crash.  YMMV of course, as the two
bridging technologies do need far more substantial QA if we don't want to
continue leaving this point strictly to Linux advocates.

> I do hope vnet/vimage has finally come of age and is reliable for
> production like the non-vimage jails have become.

More reliable, better documented AND simpler would be ideal.  I believe the
crux is A) the code's complexity and readability, B) the inherent difficulties
of testing and of course C) funding.

Roger
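The five-line telnet session above is an open-relay probe: connect to the jail's address on port 25, say EHLO, give a MAIL FROM, and see whether a RCPT TO for a domain the jail does not host is accepted. Below is that probe as a script (an added example, not from Roger's or Ernie's post and not FreeBSD project code). It stops at RCPT TO and sends RSET/QUIT rather than DATA, so no message is queued. JAIL_ADDR is a placeholder; the fake SMTP server is a constructed stand-in for sendmail answering on a jail address, so the probe can be exercised offline in either relay mode.

```python
#!/usr/bin/env python3
"""Open-relay probe for a daemon answering on a jail address (added example).

JAIL_ADDR is a placeholder for a real jail IP; start_fake_smtp_server() is a
constructed stand-in for sendmail so the probe can be run offline.
"""
import socket
import threading

JAIL_ADDR = "192.0.2.10"   # placeholder jail IPv4 (RFC 5737 documentation range)


def _read_reply(rfile):
    """Read one SMTP reply, following 250-style continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250 " ends the reply, "250-" continues it
            break
    return int(lines[-1][:3]), lines


def smtp_relay_probe(host, port, mail_from="probe@example.invalid",
                     rcpt_to="someone@example.invalid", timeout=5.0):
    """EHLO / MAIL FROM / RCPT TO against host:port.

    rcpt_to should be a domain the target does not host: a 250 to it means the
    daemon will relay for anyone who can reach the jail's address.  Never sends DATA.
    Returns {'reachable', 'rcpt_accepted', 'rcpt_reply'}.
    """
    result = {"reachable": False, "rcpt_accepted": False, "rcpt_reply": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result                               # nothing answering on that address/port
    result["reachable"] = True
    with sock, sock.makefile("rb") as rfile:
        def cmd(line):
            sock.sendall((line + "\r\n").encode("ascii"))
            return _read_reply(rfile)
        try:
            code, _ = _read_reply(rfile)            # 220 banner
            if code != 220:
                return result
            code, _ = cmd("EHLO probe.example.invalid")
            if code != 250:                         # fall back for HELO-only servers
                code, _ = cmd("HELO probe.example.invalid")
                if code != 250:
                    return result
            code, _ = cmd("MAIL FROM:<%s>" % mail_from)
            if code != 250:
                return result
            code, lines = cmd("RCPT TO:<%s>" % rcpt_to)
            result["rcpt_reply"] = lines[-1]
            result["rcpt_accepted"] = code in (250, 251)
            cmd("RSET")                             # discard the envelope, then leave politely
            cmd("QUIT")
        except (OSError, ConnectionError, ValueError):
            pass
    return result


def start_fake_smtp_server(open_relay, local_domain="jail.example.invalid"):
    """Constructed stand-in for sendmail on a jail address; serves one connection.

    open_relay=True accepts any RCPT TO (the exposed-localhost case);
    False accepts only @local_domain, as a sane MTA reachable from outside would.
    Returns (port, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 jail ESMTP ready\r\n")
            while True:
                raw = rfile.readline()
                if not raw:
                    break
                verb = raw.decode("ascii", "replace").strip()
                upper = verb.upper()
                if upper.startswith("EHLO"):
                    conn.sendall(b"250-jail Hello\r\n250 8BITMIME\r\n")   # multi-line reply
                elif upper.startswith(("HELO", "MAIL FROM:")) or upper == "RSET":
                    conn.sendall(b"250 OK\r\n")
                elif upper.startswith("RCPT TO:"):
                    addr = verb.split(":", 1)[1].strip().strip("<>").lower()
                    if open_relay or addr.endswith("@" + local_domain):
                        conn.sendall(b"250 OK\r\n")
                    else:
                        conn.sendall(b"554 5.7.1 Relaying denied\r\n")
                elif upper == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"500 Unrecognized command\r\n")

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    for mode in (True, False):
        port, _ = start_fake_smtp_server(open_relay=mode)
        print("open_relay=%s:" % mode, smtp_relay_probe("127.0.0.1", port))
    # Against a real jail: smtp_relay_probe(JAIL_ADDR, 25)
```

Against a real non-VIMAGE jail the interesting result is the combination "reachable" plus "rcpt_accepted" for a foreign domain: the daemon was configured to listen on 127.0.0.1 and treats that interface as trusted, yet it answers on the jail's routable address.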
