Slashdot Mirror
BSD Jails, a Better Virtual Server?
gManZboy writes "Poul-Henning Kamp, a FreeBSD committer, has an article up about BSD Jails as part of Queue's special report on virtual machines. He describes BSD's interesting 'semi-permeable' approach to VMs, and the importance of security in VM architectures. The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research."
- UDP Kernel bug that breaks SNMP (eg: mrtg) inside a jail
- ICMP inside jail needs to be split out better to prevent ugly hacks/kernel patches being required
- PostgreSQL needs sysvipc
I've managed to work around these various issues (running mrtg from the "jail-side" host, making it chroot to my directories to run. Enabling the required sysctls, including my own kernel patch to let ping/traceroute work..It lets me and others share a single host that is very beefy (2x2.8G Xeon, 4g ram, 315g raid-5 ultra-320 disk, etc..) on a fast link. The FreeBSD-5 jail subsystem is a bit more refined than that in FreeBSD-4... I'm pondering upgrading the system, but haven't done so yet.. You can also put a small bit of effort into the system and use rsync to keep various (important) system binaries (eg: sshd, sendmail) in-sync across all the systems so they're bug-free if an advisory comes out.. but that's basic sysadmin/patching stuff, not anything jail specific.. but if their jail is r00ted, i don't need to worry about my own files being compromised, unless they get at the 'host' system.. (which runs no services to speak of)...
Comment removed based on user account deletion
The Linux VServer Project is a similar beast, if not the original inspiration. It's available as a kernel patch for linux-2.4 (and almost ready for 2.6), plus a handful of userspace utilities.
...
/, you use this patch to make each vserver see different parts of the global process table - so that each vserver doesn't know about the others. Should you want to access a vserver from another vserver, you must think like they're two different machines - use the network.
/), you can hardlink files between vservers, so that the second, third and son on vservers may have a disk space cost as small as 30MB. Memory-wise, it's a bit more hungry as you'd like to have crond, sshd and so on running in every vserver.
The idea revolves around isolated contexts, each with a different IP address - so in practice you access each of the vservers as a different machine, with its own filesystem, users, processes, semaphores,
As you can chroot your applications to make them see different parts of the filesystem as
As the gist of it is the isolation between processes and NOT emulation, you experience absolutely no overhead (unlike UML). And if you worry about disk space (as each vserver owns in fact a complete
Work is being done to circumvent one of the disadvantages: a vserver can drown the whole machine as resources are not really yet limited for a particular context.
Just to be clear... A single jail is limited to a single IP. So you need one unique IP for each Jail on a machine.
No SIG for you!
Common, jail appeared in FreeBSD in 1999 and Vserver patches appeared in when, 2001 ?
You can get around that by using local ip's (127.0.0.X) and then use nat or other preferred method of traffic routing to secure each jail even further and have easy access between them on the local network.
The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research ... and three-term FreeBSD core team member, guy mostly responsible for FreeBSD network stack locking right now, president of the FreeBSD Foundation, and otherwise generally cool guy.
Tarsnap: Online backups for the truly paranoid
The jail paper.
It seems it would be possible to start a jail, give it an IP address, install FreeBSD into the jail, NAT out the SSH port from the jail and give the root password of the jail to the "virtual server admin".
Indeed, that is exactly what some hosting companies are doing. I played around inside a BSD jail as root with one of these $15 / month virtual servers. It actually worked Very well, allowing me to compile my own applications including installing the BSD ports collection. I'm quite impressed. Apparently this hosting company runs up to 120 jails per system. The system I was on only had about 30, and I was seeing loads of up to 20. For this reason, I canceled the account, but the concept is quite sound.
The BSD jail more like a super chroot than usermode linux- a LOT more isolation than just the file system, but less than a true VM. It seems to have much less overhead than a full VM such as vmware or UML. Hardware is not virtualized, but rather just more restricted.
This is great for running things like mail servers, web servers, etc. especially where you want to give applications the ability to run external scripts / CGI's without most the security issues that come along with it.
There's actually a patch out for this that allows you to have multiple IPs for a single jail. There is also a few other scripts on that page which are kinda handy.
I will endure to the end.
www.escapebox.net
One non-obvious point is that the chroot directory need not be a full (or even partial) FreeBSD installation. At one time I managed to do a complete Gentoo install using FreeBSD's Linux emulation and pointed the "jail" command at that directory. Voila - a full simulated Linux environment. Other than the inability to load Linux kernel modules, it looked and acted pretty much exactly like any typical bare-metal setup.
Plug: for easy management, install my JailAdmin port. Loads of secure environment goodness!
Dewey, what part of this looks like authorities should be involved?