September 10th, 2008
Migration to BSD near complete
With today’s named and dhcpd activation on a new FreeBSD jail, all the most important IT services  in my corporate network (databases, web applications, network services, e-mail and collaboration) have been migrated onto the Unix BSD architecture! Surely a lot of work should still be done: inbound and outbound web proxing for example, is still made by ISA Server because the last Exchange virtual machine needs to be published by that, but NGINX and Squid have been successfully tested in another production environment during the last months.
I’m too tired to write a complete report showing all the advantages gained thanks to the new platform, but I can say that I’m particulary satisfied by performance, functionalities and manegeability of the integrated communications server (about whom I’ve just posted) and the DNS and DHCP services (which are able to manage the DDNS requirements of both Windows client and server machines).
September 23rd, 2008 at 8:24 am
Can you provide details on how you got dhcpd running inside a full jail sandbox? The isc-dhcpd (3.0.5) gives an error message “unable to create icmp socket”. I configured the compile to use sockets instead of bpf. I can’t figure out how to get everything to work correctly without exposing every single jail on that interface to packet snooping from the other jails on that same interface.
September 23rd, 2008 at 11:36 am
I’m using isc-dhcpd 3.0.5 too, on a FreeBSD 7.0-p4/amd64 release. The first time I installed it in a jail with the DHCP_SOCKETS build option: the daemon started up without any error, but it was not issuing any lease. Thus I installed the daemon on the host (without jailing it) with the same build option, in order to get what it was wrong and… it didn’t issue any lease yet!
Then I rebuild it on the same host machine, but without the DHCP_SOCKETS option, and it started working immediately. I didn’t have the time to investigate further (I’m pretty sure it was a configuration-related problem, since it was the first time I was working with this product), so I created a new devfs ruleset by writing these lines in /etc/devfs.rules:
[devfsrules_jail_dhcpd=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path ‘bpf*’ unhide
then I allowed only the dhcpd jail to access the bpf device by setting the variable jail_jailname_devfs_ruleset=”devfsrules_jail_dhcpd”. All is working like a charm since then!