Dec 09, 2013
 

I have an exciting project ahead of me. I will soon be configuring a new server. It will be ZFSROOT running a pair of mirrored 500GB disks. I plan to use a configuration tool for management of this server. The final choice of tools is yet to be decided. The services provided by this server will be primarily based on jails. The use of a configuration tool will simplify future redeployments. I’m doing the work now, to make future work easier.

I’m not sure if I want one jail per website. At a minimum, this server will be running:

  1. www.bsdcan.org
  2. www.pgcon.org
  3. www.freebsddiary.org
  4. dan.langille.org
  5. www.langille.org
  6. several mailman mailing lists
  7. mail servers for the above
  8. DNS
  9. PostgreSQL
  10. MySQL

Clearly, I can easily put DNS, PostgreSQL, and MySQL into their own jail.

In all, there are at least 25 virtual hosts that need a website. I’m not so sure I want 25 instances of a web server. Some websites will have their own jails. Some websites are managed by a group of people, not just myself. For example, bsdcan.org will have its own jail for that very reason. Simple websites, such as www.langille.org or www.unixathome.org, will be grouped together and placed on one webserver.

One thing I very much want to do is have access to each jail via VPN, specifically OpenVPN. How I do that, I’m not sure. Each jail would have two IP addresses; the public one, and the VPN one. That’s about all I know.

I have many questions.

Will the jail have two network interfaces? Or just one, with two different IP addresses on it?

How will the routing work?

My existing OpenVPN setup gives each physical server a setup like this:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::203:6dff:fe1e:59b0%tun0 prefixlen 64 scopeid 0xb 
	inet 10.3.0.75 --> 10.3.0.76 netmask 0xffffffff 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 5261

I highly doubt I want to import tun0 into every jail. I think it’s more a case of allocating a non-routable subnet per physical server, for example, 10.7.0.0/24. Each jail would have an IP address from that subnet. Then it should be a simple matter of routing to get to and from the jails. Is it really that simple?
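As an added illustration of the layout sketched above (my example, not configuration from the original post), here is what the jail definitions and the matching OpenVPN routing could look like when each physical server owns a private /24 for its jails and tun0 stays on the host. The interface names (em0, lo1), the public address 203.0.113.10, the 10.7.0.0/24 subnet and the certificate name of the client are all assumptions; only the 10.3.0.75 tun0 address comes from the ifconfig output above.

```conf
# Added example, not from the original post. Assumed: the host's public NIC is
# em0, the jails' VPN-side subnet 10.7.0.0/24 lives on a cloned loopback lo1,
# and the OpenVPN hub already gives this host 10.3.0.75 on tun0 (as shown above).

## /etc/rc.conf on the physical server (assumed)
cloned_interfaces="lo1"          # loopback that carries the per-server VPN subnet
jail_enable="YES"

## /etc/jail.conf on the physical server (assumed paths and addresses)
path = "/jails/$name";
host.hostname = "$name.example.org";
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
mount.devfs;

www {
    # One jail, two addresses: the public one on em0 and the VPN one on lo1.
    # "interface|address/prefix" is jail.conf syntax; tun0 is never given to the jail.
    ip4.addr = "em0|203.0.113.10/32";
    ip4.addr += "lo1|10.7.0.10/32";
}

pgsql {
    # A database jail reachable only over the VPN: no public address at all.
    ip4.addr = "lo1|10.7.0.20/32";
}

## OpenVPN hub, server.conf (assumed): the hub kernel needs a route for the
## subnet, and other VPN peers need it pushed to them.
route 10.7.0.0 255.255.255.0
push "route 10.7.0.0 255.255.255.0"
client-config-dir ccd

## OpenVPN hub, ccd/<this-server's-certificate-CN> (assumed name): tells the
## hub which connected client actually owns 10.7.0.0/24.
iroute 10.7.0.0 255.255.255.0
```

Because jails share the host's network stack, a packet that arrives on tun0 for 10.7.0.10 is delivered locally to the lo1 alias; no IP forwarding is involved. Replies use the address the request came in on, so they leave via tun0 as long as the host holds the route to the VPN's 10.3.0.0/24 that OpenVPN already installs. A jail that should be reachable only over the VPN simply gets no em0 address, which is a cheaper control than a firewall rule on a public IP.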
