Multiple interface support for jails VIMAGE

Status
Not open for further replies.

stranger

Dabbler
Joined
Apr 11, 2014
Messages
31
This has already been reported in https://bugs.freenas.org/issues/3321

Currently a jail's network interface can only be bound to the interface that connects to the default route (for the host, not the jail). As far as I've been able to ascertain, it searches for the interface and then adds the epair interface to the same bridge as the physical interface.

First, let me commend FreeNAS. It's a great job and manages to simplify administration of a FreeBSD system extremely well and in most aspects is a good enterprise product. However (and of course this is a however) it currently only manages to be a small business class product as regards multiple interfaces for jails.
For an enterprise, the main attractions of jails are delegation and demarcation of responsibility and security. It is routine to segment subnets to achieve this aim, and so one type of system will only be allowed on one subnet, etc.
VLANs go some way to achieve this, but physical separation is much better in protecting data from the prying eyes of network support (the assumption is that no one part of an organisation can be trusted to see everything).

While LACP solves the issue of using available network interfaces to their utmost performance capabilities, it does not handle the security requirements of an enterprise.

This should be a relatively simple fix: either some GUI dropdown, a command line configuration to warden, or an automatic binding to a physical interface depending on configured default route. The last one is my preferred option, but it does imply less flexibility.

I hope that you consider this important. I think that though this won't speed up adoption in enterprises, it should at least remove a potential negative for TrueNAS, etc.
 

dlavigne

Guest
This info should be added to that feature request as the devs don't read this sub-forum.
 

Sol42

Dabbler
Joined
Aug 9, 2014
Messages
22
I second this idea. As a DBA we always want our databases inaccessible to the outside world. Only the administrators and applications that need access to the server are given the appropriate rights. A good analysis would be setting up a WordPress website on a FreeNAS device. Having a separate jail to host the database that only has an internal IP address on the server is best. The website portions (i.e. lighttpd, Apache, etc.) can then be set up with an internal NIC to talk to the database and an external NIC to serve the web pages outside the server.
 