Slashdot Mirror


BSD Jails, a Better Virtual Server?

gManZboy writes "Poul-Henning Kamp, a FreeBSD committer, has an article up about BSD Jails as part of Queue's special report on virtual machines. He describes BSD's interesting 'semi-permeable' approach to VMs, and the importance of security in VM architectures. The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research."

5 of 61 comments

  1. How is this different? by shaitand · Score: 1, Interesting

    In what way does this differ from a Linux VM? What are the ups and downs?

    1. Re:How is this different? by astrashe · Score: 3, Interesting

      I just saw a blog post today about User Mode Linux and the grief it inflicts:

      http://www.golden-gryphon.com/blog/manoj/software/misc/manoj.2004.07.27.html

      I don't know that's not a direct answer to your question, but I think it's one of the main differences between doing this sort of thing on BSD and Linux.

    2. Re:How is this different? by gtrubetskoy · Score: 2, Interesting

      The Linux VServer Project is a similar beast, if not the original inspiration.

      I believe somewhere on the VServer pages it mentions that it is basically the same thing as FreeBSD jail, so the inspiration most definitely comes from FreeBSD.

      However, I think the Linux VServer people right now have a leg up on FreeBSD jails. I really like the idea of contexts 0 and 1, where 'killall -HUP named' does not result in all the named processes in jails being restarted, and ps and top aren't cluttered with jailed processes. The unify tool that finds identical files and hardlinks them is really nice, and the disk space limits per context are great.
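The unify behaviour mentioned in this comment (identical files found in two jail trees and replaced by hardlinks), as an added Python example that is not VServer's own tool: it links files matching at the same relative path in two constructed jail trees, and strips write permission from the shared inode first, because a hardlink shared between jails is otherwise a write path from one jail into the other. The names `unify`, `is_shared` and `demo`, and the chmod standing in for VServer's immutable attribute, are assumptions of this example.

```python
import hashlib
import os
import stat
import tempfile

def _digest(path):
    with open(path, "rb") as f:  # whole-file read is fine for a demo; stream for big files
        return hashlib.sha256(f.read()).hexdigest()

def is_shared(path_a, path_b):
    """True when both paths are the same inode on the same device."""
    a, b = os.stat(path_a), os.stat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)

def unify(root_a, root_b):
    """Hardlink files found at the same relative path in both trees with identical
    content; returns (files_linked, bytes_saved). The shared inode is made read-only
    first: otherwise a write inside one jail is a write into the other."""
    linked, saved = 0, 0
    for dirpath, _dirs, files in os.walk(root_a):
        rel = os.path.relpath(dirpath, root_a)
        for name in files:
            pa, pb = os.path.join(dirpath, name), os.path.join(root_b, rel, name)
            if os.path.islink(pa) or os.path.islink(pb) or not (os.path.isfile(pa) and os.path.isfile(pb)):
                continue  # only regular files present in both trees qualify
            size = os.stat(pa).st_size
            if is_shared(pa, pb) or size != os.stat(pb).st_size or _digest(pa) != _digest(pb):
                continue  # already unified, or content differs: each jail keeps its own copy
            mode = stat.S_IMODE(os.stat(pa).st_mode) & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
            os.chmod(pa, mode)  # VServer uses an immutable attribute; chmod stands in here
            tmp = pb + ".unify-tmp"
            os.link(pa, tmp)
            os.replace(tmp, pb)  # atomic swap, so the path in jail B is never missing
            linked, saved = linked + 1, saved + size
    return linked, saved

def demo():
    """Two constructed jail trees: one identical binary, one per-jail config file."""
    base = tempfile.mkdtemp()
    a, b = os.path.join(base, "jail1"), os.path.join(base, "jail2")
    for root in (a, b):
        for sub in ("bin", "etc"):
            os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, "bin", "sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho same binary\n")  # identical in both jails
        with open(os.path.join(root, "etc", "hostname"), "w") as f:
            f.write(os.path.basename(root) + "\n")  # differs per jail
    linked, saved = unify(a, b)
    return (linked, saved, is_shared(a + "/bin/sh", b + "/bin/sh"),
            is_shared(a + "/etc/hostname", b + "/etc/hostname"))
```

`demo()` returns `(1, 27, True, False)`: the identical shell binary is now one shared read-only inode, while the differing hostname files stay separate.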

  2. Zones by Anonymous Coward · Score: 4, Interesting

    Solaris 10 zones are based on the same idea.

  3. Re:Are BSD jails the only option? by auzy · Score: 2, Interesting

    You mean SELinux?? That improves Linux security dramatically, but it all depends on the policies really..

    http://www.nsa.gov/selinux/

    Stuff like SELinux and NX should be considered the last line of defence though, because they won't prevent people crashing the daemon, and can be circumvented..