OPNsense Forum
English Forums => General Discussion => Topic started by: Jimlad on January 17, 2015, 10:25:59 pm
-
Hi,
Thanks for your efforts in producing a FreeBSD based alternative to pfsense. It looks very promising.
I was wondering if you had plans to use ZFS as a file system over UFS. I've yet to install so unsure what you're using, but feel ZFS would be hugely beneficial. Implementing something similar to FreeNAS and PC-BSD's Boot environments for easy upgrade and rollback. Also Jail isolation would seem like a useful technology aswell, are there any plans to use it?
I'm really excited to see where you go with OPNSense. I love pfSense but feel like it can be improved. OPNSense looks like its in with a chance.
-
There are no immediate plans to support ZFS, but the installer will be extended to handle this at some point (without help this won't happen before 15.7 is released). How far we'll take this is unclear, maybe PC-BSD's system is too much work for a small incremental improvement on top of ZFS.
Jail isolation for programs on the box? Chrooting and jails are certainly a possibility for the services we provide on a default install; some are already working in this way (or were once designed to eventually work that way).
If you mean jails as in OPNsense jails on a FreeBSD box--it is trivial to add a script to assemble such an image. Let me know if that is something you would be interested in.
-
Thanks for the reply Franco.
Its exciting to hear you guys plan to implement ZFS at some point. Again I've yet to install OPNsense but I have some hardware (super micro C2550 board) en route that was intended to replace my aging PFsense watchguard box. I recall that bsdinstall (assume you're not using it) was extend to add support for ZFS by Devin Teske and Allan Jude, I believe its just a shell script.
OPNsense in a Jail is certainly something of interest to me and I would imagine many others. There have been a lot of attempts and talk of PFSense in a jail (with various patches), but the end result always seems to be a kernel panic. In terms of cloud infrastructure, the ability to do lightweight "visualization" of a firewall is extremely exciting. If you're able to produce a script (with little effort/work, I can imagine you guys are busy) I would be very keen to test it.
Kind Regards
-
bsdinstall is not bsdinstaller. That was the previous installer that DragonFly still uses and I think at some point also FreeBSD (but not entirely sure--at least it has always been the case for pfSense). So it's a wee bit harder, but you are right, the workflow and code is there, it needs to be integrated in a sensible and easy way.
Building a jail for OPNsense is easy, running it in a vanilla FreeBSD is not since we inherited a couple of custom patches that don't match. I also don't know which parts won't work due to jail restrictions--some of them can't be circumvented. It's certainly something others could help to test and contribute patches to make this work eventually.
I can provide you with a jail tarball to play around with, drop me an email at franco@ (our website) and I will send you a link...
-
just out of curiosity? Whats wrong with the UFS? Why you would want ZFS? Any inherent advantages for a firewall?
-
The only advantage is rolling back unsuccessful upgrades. Other than that (which shouldn't happen anyway ;)) there's no other reason to do it.
There are far more important things to be dealt with, than this :)
-
I just installed and looking very promising, the interface is very refreshing.
Although I too was a bit disappointed with the lack of ZFS support.
On the surface ZFS support may seem like a lot of work for little benifit.
However proper boot environment support would be awesome (not sure freebsd has this though) (I mostly use OmniOS) It's great for versioning or even to test stuff and revert.
Additional benefits would be compression, lz4 especially adds little overhead but nice space savings. Imagine a caching http proxy, lots of small text files + lz4 would be awesome.
Replicating setups/backups would also be pretty cool, you could zfs send/receive certain snapshots or even datasets, e.g. http proxy cache on a seperate dataset, you can easily send it to a different install in one go with this.
I'm not much of a coder but I am willing to test if that would help.
-
With FreeBSD 10.1 and base upgrade support coming out today, the next immediate item will be the installer improvements, mainly embedded mode tweaks. While I'm there I can take a peek at if we could set up a ZFS install. It'll be experimental and will certainly require testing and feedback. Not yet giving out any ETA though.
How does that sound?
-
Sounds great, poke me on twitter (same handle) if you want some testing done.
-
Great news.
As mentioned above, there are lots of benefits to ZFS. Possibly not short term, but long term. Freebsd doesn't have Boot Environments, but the guys over at PC-BSD (Kris Moore and gang) have implemented it. They also use ZFS snapshots to update PC-BSD in place.
-
The goal here should be to migrate these boot environments to stock FreeBSD. I know that Kris does great work all the time, but I do not think that diverging too much from FreeBSD's code base is a good option in the long run as we have many battles to fight, most of them security and user experience related.
The first improvements to the bsdinstaller make their way into our ports tree now, hopefully I'll get a chance to try a ZFS install with that soon. The list of requested additions and garbage collection is long though. Let's see, shall we.
-
The only advantage is rolling back unsuccessful upgrades. Other than that (which shouldn't happen anyway ;)) there's no other reason to do it.
Not only unsuccessful upgrades but it is the sysadmin insurance policy in case of a regression or any serious issue would happen. Rebooting and rolling back in seconds can avoid extremely painful re-installation and downtimes. The cost to pay in return is more memory but any machine nowadays has several gigabytes of memory.