Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Operating Systems BSD

BSD Jails, a Better Virtual Server? 61

gManZboy writes "Poul-Henning Kamp, a FreeBSD committer, has an article up about BSD Jails as part of Queue's special report on virtual machines. He describes BSD's interesting 'semi-permeable' approach to VMs, and the importance of security in VM architectures. The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research."
This discussion has been archived. No new comments can be posted.

BSD Jails, a Better Virtual Server?

Comments Filter:
  • In what way does this differ from a linux VM, what are the up's and downs?
    • by astrashe ( 7452 ) on Tuesday July 27, 2004 @09:49PM (#9818495) Journal
      I just saw a blog post today, about user mode linux, and the grief it inflicts:

      http://www.golden-gryphon.com/blog/manoj/softwar e/ misc/manoj.2004.07.27.html

      I don't know that's not a direct answer to your question, but I think it's one of the main differences between doing this sort of thing on BSD and Linux.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Tuesday July 27, 2004 @10:05PM (#9818582)
      Comment removed based on user account deletion
      • by walt-sjc ( 145127 ) on Wednesday July 28, 2004 @08:37AM (#9821033)
        It seems it would be possible to start a jail, give it an IP address, install FreeBSD into the jail, NAT out the SSH port from the jail and give the root password of the jail to the "virtual server admin".

        Indeed, that is exactly what some hosting companies are doing. I played around inside a BSD jail as root with one of these $15 / month virtual servers. It actually worked Very well, allowing me to compile my own applications including installing the BSD ports collection. I'm quite impressed. Apparently this hosting company runs up to 120 jails per system. The system I was on only had about 30, and I was seeing loads of up to 20. For this reason, I canceled the account, but the concept is quite sound.

        The BSD jail more like a super chroot than usermode linux- a LOT more isolation than just the file system, but less than a true VM. It seems to have much less overhead than a full VM such as vmware or UML. Hardware is not virtualized, but rather just more restricted.

        This is great for running things like mail servers, web servers, etc. especially where you want to give applications the ability to run external scripts / CGI's without most the security issues that come along with it.
      • Yep, that's about right. In fact, that's how I run a newsserver and a Freenet node inside their own virtual environments.

        One non-obvious point is that the chroot directory need not be a full (or even partial) FreeBSD installation. At one time I managed to do a complete Gentoo install using FreeBSD's Linux emulation and pointed the "jail" command at that directory. Voila - a full simulated Linux environment. Other than the inability to load Linux kernel modules, it looked and acted pretty much exactly

    • The Linux VServer Project [linux-vserver.org] is a similar beast, if not the original inspiration. It's available as a kernel patch for linux-2.4 (and almost ready for 2.6), plus a handful of userspace utilities.

      The idea revolves around isolated contexts, each with a different IP address - so in practice you access each of the vservers as a different machine, with its own filesystem, users, processes, semaphores, ...

      As you can chroot your applications to make them see different parts of the filesystem as /, you use this pat
      • by tigga ( 559880 ) on Wednesday July 28, 2004 @02:46AM (#9819744)
        The Linux VServer Project is a similar beast, if not the original inspiration.

        Common, jail appeared in FreeBSD in 1999 and Vserver patches appeared in when, 2001 ?

      • The Linux VServer Project is a similar beast, if not the original inspiration.

        I believe somewhere on the VServer pages it mentions that it is basically the same thing as FreeBSD jail, so the inspiration most definitely comes from FreeBSD.

        However, I think the Linux VServer people right now have a leg up on FreeBSD jails. I really like the idea of contexts 0 and 1, where 'killall -HUP named' does not result in all named's in jails be restarted and ps and top aren't cluttered with jailed processes. The un

        • > However, I think the Linux VServer people right now have a leg up on FreeBSD jails. I really like the idea of contexts 0 and 1, where 'killall -HUP named' does not result in all named's in jails be restarted and ps and top aren't cluttered with jailed processes.

          Yep, that is a very nice idea, it is however seldom needed in practise. Why?

          First of all, your 'host' environment should nto be used to run anything like named or such, rather, it should be used to start, stop and administer jails. If you do o
      • And if you worry about disk space (as each vserver owns in fact a complete /), you can hardlink files between vservers, so that the second, third and son on vservers may have a disk space cost as small as 30MB.

        So if I give root password to one of the contexts to a user, and he proceeds to owerwrite the C library with "youresmartbutiamsmarterthanyouresmartbut..." I'm screwed ?

        Of course, you might make one context into an NFS server and have others mount the / filesystem through it (or just mount it rea

  • FreeBSD 4.10 Jail (Score:5, Informative)

    by jaredmauch ( 633928 ) <jared@puck.nether.net> on Tuesday July 27, 2004 @09:58PM (#9818538) Homepage
    I've been using the FreeBSD 4.8-4.10 system to host several Jails on a beefy machine that i have under my control. My personal e-mail system resides within a jail on this system, and there are very few problems i've encountered. The biggest issues i've encountered are as follows:

    • UDP Kernel bug [freebsd.org] that breaks SNMP (eg: mrtg) inside a jail
    • ICMP inside jail [nether.net] needs to be split out better to prevent ugly hacks/kernel patches being required
    • PostgreSQL needs sysvipc
      /sbin/sysctl -w jail.sysvipc_allowed=1
    I've managed to work around these various issues (running mrtg from the "jail-side" host, making it chroot to my directories to run. Enabling the required sysctls, including my own kernel patch to let ping/traceroute work..

    It lets me and others share a single host that is very beefy (2x2.8G Xeon, 4g ram, 315g raid-5 ultra-320 disk, etc..) on a fast link. The FreeBSD-5 jail subsystem is a bit more refined than that in FreeBSD-4... I'm pondering upgrading the system, but haven't done so yet.. You can also put a small bit of effort into the system and use rsync to keep various (important) system binaries (eg: sshd, sendmail) in-sync across all the systems so they're bug-free if an advisory comes out.. but that's basic sysadmin/patching stuff, not anything jail specific.. but if their jail is r00ted, i don't need to worry about my own files being compromised, unless they get at the 'host' system.. (which runs no services to speak of)...

  • by Dizzle ( 781717 ) on Tuesday July 27, 2004 @10:17PM (#9818645) Journal
    ...Host Intrusion Protection (HIP) Research Group...

    Research is not supposed to be "hip". It is a very somber and serious process. I think it's shameful how these researchers would rather run the streets with their "rad crew" than commit to serious discovery. For shame.
  • Zones (Score:4, Interesting)

    by Anonymous Coward on Wednesday July 28, 2004 @12:51AM (#9819390)
    Solaris 10 zones are based on the same idea.
    • Except, of course, that Solaris 10 zones are tied into the Resource Manager. In a zone, you can limit the percentage of CPU and Memory available. Way cool. Plus you can reboot a zone in seconds...
  • Robert Watson (Score:4, Informative)

    by cperciva ( 102828 ) on Wednesday July 28, 2004 @06:25AM (#9820287) Homepage
    The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research ... and three-term FreeBSD core team member, guy mostly responsible for FreeBSD network stack locking right now, president of the FreeBSD Foundation, and otherwise generally cool guy.
  • jail paper (Score:3, Informative)

    by endx7 ( 706884 ) on Wednesday July 28, 2004 @08:35AM (#9821018) Homepage Journal
    The jail paper [freebsd.org].
  • Any recommendations for freebsd Jailed "virtual server providers"? I was thinking about going the linux route, but I'd prefer BSD... I'm hoping for something in the $20 range. Thanks!

Nature is by and large to be found out of doors, a location where, it cannot be argued, there are never enough comfortable chairs. -- Fran Lebowitz

Working...