Slashdot Mirror
BSD Jails, a Better Virtual Server?
gManZboy writes "Poul-Henning Kamp, a FreeBSD committer, has an article up about BSD Jails as part of Queue's special report on virtual machines. He describes BSD's interesting 'semi-permeable' approach to VMs, and the importance of security in VM architectures. The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research."
I just saw a blog post today, about user mode linux, and the grief it inflicts:
r e/ misc/manoj.2004.07.27.html
http://www.golden-gryphon.com/blog/manoj/softwa
I don't know that's not a direct answer to your question, but I think it's one of the main differences between doing this sort of thing on BSD and Linux.
- UDP Kernel bug that breaks SNMP (eg: mrtg) inside a jail
- ICMP inside jail needs to be split out better to prevent ugly hacks/kernel patches being required
- PostgreSQL needs sysvipc
I've managed to work around these various issues (running mrtg from the "jail-side" host, making it chroot to my directories to run. Enabling the required sysctls, including my own kernel patch to let ping/traceroute work..It lets me and others share a single host that is very beefy (2x2.8G Xeon, 4g ram, 315g raid-5 ultra-320 disk, etc..) on a fast link. The FreeBSD-5 jail subsystem is a bit more refined than that in FreeBSD-4... I'm pondering upgrading the system, but haven't done so yet.. You can also put a small bit of effort into the system and use rsync to keep various (important) system binaries (eg: sshd, sendmail) in-sync across all the systems so they're bug-free if an advisory comes out.. but that's basic sysadmin/patching stuff, not anything jail specific.. but if their jail is r00ted, i don't need to worry about my own files being compromised, unless they get at the 'host' system.. (which runs no services to speak of)...
Comment removed based on user account deletion
...Host Intrusion Protection (HIP) Research Group...
Research is not supposed to be "hip". It is a very somber and serious process. I think it's shameful how these researchers would rather run the streets with their "rad crew" than commit to serious discovery. For shame.
-Dizzle
"I most likely AM so interested in myself."
Naw, better to run Linux compatibility mode within a FreeBSD jail and then use UML inside that.
If that doesn't confuse the users and crackers alike, I don't know what will....
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
The Linux VServer Project is a similar beast, if not the original inspiration. It's available as a kernel patch for linux-2.4 (and almost ready for 2.6), plus a handful of userspace utilities.
...
/, you use this patch to make each vserver see different parts of the global process table - so that each vserver doesn't know about the others. Should you want to access a vserver from another vserver, you must think like they're two different machines - use the network.
/), you can hardlink files between vservers, so that the second, third and son on vservers may have a disk space cost as small as 30MB. Memory-wise, it's a bit more hungry as you'd like to have crond, sshd and so on running in every vserver.
The idea revolves around isolated contexts, each with a different IP address - so in practice you access each of the vservers as a different machine, with its own filesystem, users, processes, semaphores,
As you can chroot your applications to make them see different parts of the filesystem as
As the gist of it is the isolation between processes and NOT emulation, you experience absolutely no overhead (unlike UML). And if you worry about disk space (as each vserver owns in fact a complete
Work is being done to circumvent one of the disadvantages: a vserver can drown the whole machine as resources are not really yet limited for a particular context.
Solaris 10 zones are based on the same idea.
Doesn't Linux 2.6.* have similar and better functionality now that SecureSomething patch has been merged into it?
Wow, what an interesting comment! "Linux 2.?.? has a whoosit something whatcha hoo hoo I heard someone maybe talk about? It's better than BSD, tho!"
No SIG for you!
Just to be clear... A single jail is limited to a single IP. So you need one unique IP for each Jail on a machine.
No SIG for you!
Common, jail appeared in FreeBSD in 1999 and Vserver patches appeared in when, 2001 ?
You can get around that by using local ip's (127.0.0.X) and then use nat or other preferred method of traffic routing to secure each jail even further and have easy access between them on the local network.
You mean SElinux?? Thats improves linux security dramatically, but it all depends on the policies really..
http://www.nsa.gov/selinux/
Stuff like Selinux though and NX should be considered as the last line of defence though, because they wont prevent people crashing the daemon, and can be circumvented..
The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research ... and three-term FreeBSD core team member, guy mostly responsible for FreeBSD network stack locking right now, president of the FreeBSD Foundation, and otherwise generally cool guy.
Tarsnap: Online backups for the truly paranoid
The jail paper.
It seems it would be possible to start a jail, give it an IP address, install FreeBSD into the jail, NAT out the SSH port from the jail and give the root password of the jail to the "virtual server admin".
Indeed, that is exactly what some hosting companies are doing. I played around inside a BSD jail as root with one of these $15 / month virtual servers. It actually worked Very well, allowing me to compile my own applications including installing the BSD ports collection. I'm quite impressed. Apparently this hosting company runs up to 120 jails per system. The system I was on only had about 30, and I was seeing loads of up to 20. For this reason, I canceled the account, but the concept is quite sound.
The BSD jail more like a super chroot than usermode linux- a LOT more isolation than just the file system, but less than a true VM. It seems to have much less overhead than a full VM such as vmware or UML. Hardware is not virtualized, but rather just more restricted.
This is great for running things like mail servers, web servers, etc. especially where you want to give applications the ability to run external scripts / CGI's without most the security issues that come along with it.
This may be the case, but for many Linux users these security improvements are not easily available since they are not supported by the major Linux distributions.
As an example, OpenBSD supports and integrates various technologies out of the box, while similar technologies is unavailable for most Linux users. Unless you do a huge amount of work, and have the required knowledge to patch your system, of course.
It's like the old proverb "Better with one bird in the hand, than ten on the roof."
There's actually a patch out for this that allows you to have multiple IPs for a single jail. There is also a few other scripts on that page which are kinda handy.
I will endure to the end.
thinking about it, it would probably work.
One non-obvious point is that the chroot directory need not be a full (or even partial) FreeBSD installation. At one time I managed to do a complete Gentoo install using FreeBSD's Linux emulation and pointed the "jail" command at that directory. Voila - a full simulated Linux environment. Other than the inability to load Linux kernel modules, it looked and acted pretty much exactly like any typical bare-metal setup.
Plug: for easy management, install my JailAdmin port. Loads of secure environment goodness!
Dewey, what part of this looks like authorities should be involved?
I believe somewhere on the VServer pages it mentions that it is basically the same thing as FreeBSD jail, so the inspiration most definitely comes from FreeBSD.
However, I think the Linux VServer people right now have a leg up on FreeBSD jails. I really like the idea of contexts 0 and 1, where 'killall -HUP named' does not result in all named's in jails be restarted and ps and top aren't cluttered with jailed processes. The unify tool that finds same files and hardlinks them is really nice, and the disk space limits per context is great.