Slashdot Mirror

← Back to Stories (view on slashdot.org)

BSD Jails, a Better Virtual Server?

Posted by michael on from the lockdown dept.

gManZboy writes "Poul-Henning Kamp, a FreeBSD committer, has an article up about BSD Jails as part of Queue's special report on virtual machines. He describes BSD's interesting 'semi-permeable' approach to VMs, and the importance of security in VM architectures. The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research."

61 comments

  1. How is this different? by shaitand · · Score: 1, Interesting

    In what way does this differ from a linux VM, what are the up's and downs?

    1. Re:How is this different? by astrashe · · Score: 3, Interesting

      I just saw a blog post today, about user mode linux, and the grief it inflicts:

      http://www.golden-gryphon.com/blog/manoj/softwar e/ misc/manoj.2004.07.27.html

      I don't know that's not a direct answer to your question, but I think it's one of the main differences between doing this sort of thing on BSD and Linux.

    2. Re:How is this different? by Anonymous Coward · · Score: 0

      UML should be getting merged into the kernel around 2.6.9 or so. With the 2.6 kernel's support for nonlinear mappings, UML can run with virtually no performance penalty.

      UML is the better way of doing a virtual environment because it isn't intrusive and provides a protected environment, which, even if it is hacked leaves the running kernel intact. Unlike jails, which partitions different tasks within the single kernel.

    3. Re:How is this different? by _Sharp'r_ · · Score: 5, Funny

      Naw, better to run Linux compatibility mode within a FreeBSD jail and then use UML inside that.

      If that doesn't confuse the users and crackers alike, I don't know what will....

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    4. Re:How is this different? by ptaff · · Score: 2, Informative

      The Linux VServer Project is a similar beast, if not the original inspiration. It's available as a kernel patch for linux-2.4 (and almost ready for 2.6), plus a handful of userspace utilities.

      The idea revolves around isolated contexts, each with a different IP address - so in practice you access each of the vservers as a different machine, with its own filesystem, users, processes, semaphores, ...

      As you can chroot your applications to make them see different parts of the filesystem as /, you use this patch to make each vserver see different parts of the global process table - so that each vserver doesn't know about the others. Should you want to access a vserver from another vserver, you must think like they're two different machines - use the network.

      As the gist of it is the isolation between processes and NOT emulation, you experience absolutely no overhead (unlike UML). And if you worry about disk space (as each vserver owns in fact a complete /), you can hardlink files between vservers, so that the second, third and son on vservers may have a disk space cost as small as 30MB. Memory-wise, it's a bit more hungry as you'd like to have crond, sshd and so on running in every vserver.

      Work is being done to circumvent one of the disadvantages: a vserver can drown the whole machine as resources are not really yet limited for a particular context.

    5. Re:How is this different? by Anonymous Coward · · Score: 0

      So can I have more than one jail cell on the same BSD system, and put them all in the same directory so they're all in one place? It would be like The Green Mile.

    6. Re:How is this different? by tigga · · Score: 3, Informative
      The Linux VServer Project is a similar beast, if not the original inspiration.

      Common, jail appeared in FreeBSD in 1999 and Vserver patches appeared in when, 2001 ?

    7. Re:How is this different? by Anonymous Coward · · Score: 0

      maybe colinux will... a sort of user mode linux on top of windows...

    8. Re:How is this different? by walt-sjc · · Score: 5, Informative

      It seems it would be possible to start a jail, give it an IP address, install FreeBSD into the jail, NAT out the SSH port from the jail and give the root password of the jail to the "virtual server admin".

      Indeed, that is exactly what some hosting companies are doing. I played around inside a BSD jail as root with one of these $15 / month virtual servers. It actually worked Very well, allowing me to compile my own applications including installing the BSD ports collection. I'm quite impressed. Apparently this hosting company runs up to 120 jails per system. The system I was on only had about 30, and I was seeing loads of up to 20. For this reason, I canceled the account, but the concept is quite sound.

      The BSD jail more like a super chroot than usermode linux- a LOT more isolation than just the file system, but less than a true VM. It seems to have much less overhead than a full VM such as vmware or UML. Hardware is not virtualized, but rather just more restricted.

      This is great for running things like mail servers, web servers, etc. especially where you want to give applications the ability to run external scripts / CGI's without most the security issues that come along with it.

    9. Re:How is this different? by mccoma · · Score: 3, Funny
      oh great, security through "My $DIETY, this guy is insane.... I need to hack something else"

      thinking about it, it would probably work.

    10. Re:How is this different? by Just+Some+Guy · · Score: 2, Informative
      Yep, that's about right. In fact, that's how I run a newsserver and a Freenet node inside their own virtual environments.

      One non-obvious point is that the chroot directory need not be a full (or even partial) FreeBSD installation. At one time I managed to do a complete Gentoo install using FreeBSD's Linux emulation and pointed the "jail" command at that directory. Voila - a full simulated Linux environment. Other than the inability to load Linux kernel modules, it looked and acted pretty much exactly like any typical bare-metal setup.

      Plug: for easy management, install my JailAdmin port. Loads of secure environment goodness!

      --
      Dewey, what part of this looks like authorities should be involved?
    11. Re:How is this different? by gtrubetskoy · · Score: 2, Interesting
      The Linux VServer Project is a similar beast, if not the original inspiration.

      I believe somewhere on the VServer pages it mentions that it is basically the same thing as FreeBSD jail, so the inspiration most definitely comes from FreeBSD.

      However, I think the Linux VServer people right now have a leg up on FreeBSD jails. I really like the idea of contexts 0 and 1, where 'killall -HUP named' does not result in all named's in jails be restarted and ps and top aren't cluttered with jailed processes. The unify tool that finds same files and hardlinks them is really nice, and the disk space limits per context is great.

    12. Re:How is this different? by ultranova · · Score: 1

      And if you worry about disk space (as each vserver owns in fact a complete /), you can hardlink files between vservers, so that the second, third and son on vservers may have a disk space cost as small as 30MB.

      So if I give root password to one of the contexts to a user, and he proceeds to owerwrite the C library with "youresmartbutiamsmarterthanyouresmartbut..." I'm screwed ?

      Of course, you might make one context into an NFS server and have others mount the / filesystem through it (or just mount it read-only and remove the capability to remount rw from all but one context)... But what's stopping this new admin from making a dev directory with devices for accessing my hard disks and proceeding to nuke these hard disks ?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    13. Re:How is this different? by SillyNickName4me · · Score: 1

      > However, I think the Linux VServer people right now have a leg up on FreeBSD jails. I really like the idea of contexts 0 and 1, where 'killall -HUP named' does not result in all named's in jails be restarted and ps and top aren't cluttered with jailed processes.

      Yep, that is a very nice idea, it is however seldom needed in practise. Why?

      First of all, your 'host' environment should nto be used to run anything like named or such, rather, it should be used to start, stop and administer jails. If you do otherwise you break one of the most important defenses that jails can offer, the fact that a service runs in a 'protected' envrionment and cannot affect other environments on the same machine (at least not easily).

      So it is cool to have, but in practise a rather minor feature. If I want to restart the named in a specific jail, typing 'jexec x killall -HUP named' in the host environment will do the job.

      > The unify tool that finds same files and hardlinks them is really nice, and the disk space limits per context is great.

      I'd say that this introduces a much bigger risk of a compromise spreading from one jail to another, so I rather doubt the wisdom of this approach.

  2. Just think... by clifgriffin · · Score: 0

    Just think of the virtual servers that could be created with per-process namespaces.

    I'll let myself out.

    --
    clifgriffin > blog
  3. FreeBSD 4.10 Jail by jaredmauch · · Score: 5, Informative
    I've been using the FreeBSD 4.8-4.10 system to host several Jails on a beefy machine that i have under my control. My personal e-mail system resides within a jail on this system, and there are very few problems i've encountered. The biggest issues i've encountered are as follows:

    • UDP Kernel bug that breaks SNMP (eg: mrtg) inside a jail
    • ICMP inside jail needs to be split out better to prevent ugly hacks/kernel patches being required
    • PostgreSQL needs sysvipc
      /sbin/sysctl -w jail.sysvipc_allowed=1
    I've managed to work around these various issues (running mrtg from the "jail-side" host, making it chroot to my directories to run. Enabling the required sysctls, including my own kernel patch to let ping/traceroute work..

    It lets me and others share a single host that is very beefy (2x2.8G Xeon, 4g ram, 315g raid-5 ultra-320 disk, etc..) on a fast link. The FreeBSD-5 jail subsystem is a bit more refined than that in FreeBSD-4... I'm pondering upgrading the system, but haven't done so yet.. You can also put a small bit of effort into the system and use rsync to keep various (important) system binaries (eg: sshd, sendmail) in-sync across all the systems so they're bug-free if an advisory comes out.. but that's basic sysadmin/patching stuff, not anything jail specific.. but if their jail is r00ted, i don't need to worry about my own files being compromised, unless they get at the 'host' system.. (which runs no services to speak of)...

  4. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  5. This is no laughing matter. by Dizzle · · Score: 4, Funny

    ...Host Intrusion Protection (HIP) Research Group...

    Research is not supposed to be "hip". It is a very somber and serious process. I think it's shameful how these researchers would rather run the streets with their "rad crew" than commit to serious discovery. For shame.

    --
    -Dizzle
    "I most likely AM so interested in myself."
  6. Zones by Anonymous Coward · · Score: 4, Interesting

    Solaris 10 zones are based on the same idea.

    1. Re:Zones by sysadmn · · Score: 1

      Except, of course, that Solaris 10 zones are tied into the Resource Manager. In a zone, you can limit the percentage of CPU and Memory available. Way cool. Plus you can reboot a zone in seconds...

      --
      Envy my 5 digit Slashdot User ID!
  7. Re:Are BSD jails the only option? by seek31337 · · Score: 5, Funny

    Doesn't Linux 2.6.* have similar and better functionality now that SecureSomething patch has been merged into it?

    Wow, what an interesting comment! "Linux 2.?.? has a whoosit something whatcha hoo hoo I heard someone maybe talk about? It's better than BSD, tho!"

    --
    No SIG for you!
  8. Re:One drawback to jails by seek31337 · · Score: 3, Informative

    Just to be clear... A single jail is limited to a single IP. So you need one unique IP for each Jail on a machine.

    --
    No SIG for you!
  9. Re:One drawback to jails by mulvane · · Score: 2, Informative

    You can get around that by using local ip's (127.0.0.X) and then use nat or other preferred method of traffic routing to secure each jail even further and have easy access between them on the local network.

  10. Re:Are BSD jails the only option? by auzy · · Score: 2, Interesting

    You mean SElinux?? Thats improves linux security dramatically, but it all depends on the policies really..

    http://www.nsa.gov/selinux/

    Stuff like Selinux though and NX should be considered as the last line of defence though, because they wont prevent people crashing the daemon, and can be circumvented..

  11. Re:Are BSD jails the only option? by Anonymous Coward · · Score: 0
    Yes. You have to set up Jails in BSD. And you have to set up policies in Linux. It all depends. Linux is more flexible and able to give you whatever you want.

    OTOH, Jails are limited to 1 IP address, and you may have to waste disc space copying system programs around. You can configure Linux so that you won't have to do that.

    Also, don't forget user-level-linux!

    BSD jail system is good, but falls far behind compared to Linux nowadays.

  12. Re:Are BSD jails the only option? What about distr by auzy · · Score: 1

    distributed security is one thing I would like to see improved.. Currently I doubt any Unix OS has any system to secure over network, like distributed policies or something.. policies for openmosix or something similar.. I wonder how well jail systems would work over openmosix..

  13. Robert Watson by cperciva · · Score: 3, Informative

    The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research ... and three-term FreeBSD core team member, guy mostly responsible for FreeBSD network stack locking right now, president of the FreeBSD Foundation, and otherwise generally cool guy.

    --
    Tarsnap: Online backups for the truly paranoid
  14. Re:Are BSD jails the only option? by Green+Light · · Score: 1

    Dang it! Now I have to clean up all of this coffee that I spit all over my keyboard! Too funny!

    --
    "Send an Instant Karma to me" - Yes
  15. Please learn how to make links. by Anonymous Coward · · Score: 0
    Please learn how to make links.
    <a href="http://www.golden-gryphon.com/blog/manoj/sof tware/misc/manoj.2004.07.27.html">blog post</a>
    (without any spaces put there by Slashdot) yields: blog post
  16. jail paper by endx7 · · Score: 2, Informative

    The jail paper.

  17. Re:Are BSD jails the only option? by Homology · · Score: 2, Insightful
    BSD jail system is good, but falls far behind compared to Linux nowadays.

    This may be the case, but for many Linux users these security improvements are not easily available since they are not supported by the major Linux distributions.

    As an example, OpenBSD supports and integrates various technologies out of the box, while similar technologies is unavailable for most Linux users. Unless you do a huge amount of work, and have the required knowledge to patch your system, of course.

    It's like the old proverb "Better with one bird in the hand, than ten on the roof."

  18. Jails? by Anonymous Coward · · Score: 0

    Are those the places that BSDs are sent to before they're given the death penalty?

  19. Re:One drawback to jails by Perdurabo26 · · Score: 2, Informative

    There's actually a patch out for this that allows you to have multiple IPs for a single jail. There is also a few other scripts on that page which are kinda handy.

    --
    I will endure to the end.
  20. Recommendations for providers? by willis · · Score: 1

    Any recommendations for freebsd Jailed "virtual server providers"? I was thinking about going the linux route, but I'd prefer BSD... I'm hoping for something in the $20 range. Thanks!

    --

    there is no thing
    what else could you want?
    1. Re:Recommendations for providers? by Anonymous Coward · · Score: 1, Informative

      www.escapebox.net

    2. Re:Recommendations for providers? by Anonymous Coward · · Score: 0
      Check out www.HUB.org

      I believe it's owned/maintained by one of the Postgresql maintainers, so you are indirectly supporting open source development by using them, and we all know That's a Good Thing (R)

    3. Re:Recommendations for providers? by Anonymous Coward · · Score: 0

      More than your requested $20 -- www.johncompanies.com

    4. Re:Recommendations for providers? by Anonymous Coward · · Score: 0

      I like jvds (www.jvds.com) ... had a server there for about a year. Very professional, prompt service, your own BSD jail'ed server ...

  21. shilling Amazon referral-whore by Anonymous Coward · · Score: 0

    Cool Stuff For Your House
    Cool Stuff For Your House
    Cool Stuff For Your House
    Cool Stuff For Your House
    Cool Stuff For Your House

  22. Re:Are BSD jails the only option? by Anonymous Coward · · Score: 0

    the entire framework of NSA's SELinux (MAC/DTE/...) has been incorporated in FreeBSD 5.x, giving you exactly the same possibilities on a much more secure operating system. Considering Linux is a patched-up kernel with security issues every freaking month, I'd prefer this over Linux everyday.

    And don't get me started on Linux' PAX or GRSecurity or OpenWall or LIDS or StackGuard or WhateverFancyOfTheWeek... they're only futile attempts to secure an otherwise insecure, unaudited kernel (written by people with almost no experience) that is always run in cooperation with an insecure userland-of-choiche, accessible thru an infamously insecure bash shell.

    And since this is about jails, don't get met started on UserModeLinux either, it has been buggy, unsupported and not further developped for the last years.

    fuckin' freakin' linux propaganda... learn to read code you linux kiddies.

  23. Re:Are BSD jails the only option? by SillyNickName4me · · Score: 1

    I suggest looking also at MAC and posix 1e implementations which exist (and have existed for quite soem time) on FreeBSD. jails are only one of the options.

  24. Re:One drawback to jails by SillyNickName4me · · Score: 1

    > Just to be clear... A single jail is limited to a single IP.

    Unless you add unofficial (for now?) patches, true.

    > So you need one unique IP for each Jail on a machine.

    Not true. If you know what you are doing, 2 or more jails can share an IP. It is not advisable to do this because it gets very confusing very quickly, and since this is a security measure first of all, confusion for the admoin is really the last thing that you want.

    That said, I currently use exactly such a setup (multiple jails sharign a single IP)