Slashdot Mirror
BSD Jails, a Better Virtual Server?
gManZboy writes "Poul-Henning Kamp, a FreeBSD committer, has an article up about BSD Jails as part of Queue's special report on virtual machines. He describes BSD's interesting 'semi-permeable' approach to VMs, and the importance of security in VM architectures. The article is co-written by Robert Watson, a DARPA principal investigator in the Host Intrusion Protection (HIP) Research Group at McAfee Research."
- UDP Kernel bug that breaks SNMP (eg: mrtg) inside a jail
- ICMP inside jail needs to be split out better to prevent ugly hacks/kernel patches being required
- PostgreSQL needs sysvipc
I've managed to work around these various issues (running mrtg from the "jail-side" host, making it chroot to my directories to run. Enabling the required sysctls, including my own kernel patch to let ping/traceroute work..It lets me and others share a single host that is very beefy (2x2.8G Xeon, 4g ram, 315g raid-5 ultra-320 disk, etc..) on a fast link. The FreeBSD-5 jail subsystem is a bit more refined than that in FreeBSD-4... I'm pondering upgrading the system, but haven't done so yet.. You can also put a small bit of effort into the system and use rsync to keep various (important) system binaries (eg: sshd, sendmail) in-sync across all the systems so they're bug-free if an advisory comes out.. but that's basic sysadmin/patching stuff, not anything jail specific.. but if their jail is r00ted, i don't need to worry about my own files being compromised, unless they get at the 'host' system.. (which runs no services to speak of)...
Comment removed based on user account deletion
...Host Intrusion Protection (HIP) Research Group...
Research is not supposed to be "hip". It is a very somber and serious process. I think it's shameful how these researchers would rather run the streets with their "rad crew" than commit to serious discovery. For shame.
-Dizzle
"I most likely AM so interested in myself."
Naw, better to run Linux compatibility mode within a FreeBSD jail and then use UML inside that.
If that doesn't confuse the users and crackers alike, I don't know what will....
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
Solaris 10 zones are based on the same idea.
Doesn't Linux 2.6.* have similar and better functionality now that SecureSomething patch has been merged into it?
Wow, what an interesting comment! "Linux 2.?.? has a whoosit something whatcha hoo hoo I heard someone maybe talk about? It's better than BSD, tho!"
No SIG for you!
It seems it would be possible to start a jail, give it an IP address, install FreeBSD into the jail, NAT out the SSH port from the jail and give the root password of the jail to the "virtual server admin".
Indeed, that is exactly what some hosting companies are doing. I played around inside a BSD jail as root with one of these $15 / month virtual servers. It actually worked Very well, allowing me to compile my own applications including installing the BSD ports collection. I'm quite impressed. Apparently this hosting company runs up to 120 jails per system. The system I was on only had about 30, and I was seeing loads of up to 20. For this reason, I canceled the account, but the concept is quite sound.
The BSD jail more like a super chroot than usermode linux- a LOT more isolation than just the file system, but less than a true VM. It seems to have much less overhead than a full VM such as vmware or UML. Hardware is not virtualized, but rather just more restricted.
This is great for running things like mail servers, web servers, etc. especially where you want to give applications the ability to run external scripts / CGI's without most the security issues that come along with it.