FreeBSD jail

{{Short description|OS-level virtualisation}}

The jail mechanism is FreeBSD's implementation of OS-level virtualisation. It allows a system administrator to partition a FreeBSD-derived system into several independent mini-systems called jails, all sharing the same kernel, with very little overhead{{r|informit-2007|q=All jails share the same kernel, and so there is very little overhead.}}. It is implemented through a system call, jail(2),{{r|jail.2}} a userland utility, jail(8),{{r|jail.8}} and, depending on the system, a number of other utilities. The functionality was committed to FreeBSD in 1999 by Poul-Henning Kamp after a period of production use by a hosting provider, and was first released with FreeBSD 4.0. It remains supported on FreeBSD and on a number of its descendants, including DragonFly BSD.

History

The need for FreeBSD jails came from a small shared-environment hosting provider (R&D Associates, Inc., owned by Derrick T. Woolworth) that wanted a clean, clear-cut separation between its own services and those of its customers, mainly for security and ease of administration ([http://www.freebsd.org/cgi/man.cgi?query=jail jail(8)]). Instead of adding a new layer of fine-grained configuration options, the solution adopted by Poul-Henning Kamp was to compartmentalize the system, both its files and its resources, so that only the right people are given access to the right compartments.<ref>{{cite web|last1=Kamp|first1=Poul-Henning|last2=N. M. Watson|first2=Robert|title=Jails: Confining the omnipotent root|url=http://phk.freebsd.dk/pubs/sane2000-jail.pdf|website=PHKs Bikeshed|access-date=15 June 2016|date=2000}}</ref>

Jails were first introduced in FreeBSD version 4.0, which was released on {{Start date|2000|03|14}}.<ref>{{cite web|url=https://www.freebsd.org/releases/4.0R/announce.html|title=FreeBSD 4.0 Announcement|publisher=FreeBSD Project|date=14 March 2000|access-date=3 October 2019}}</ref> Most of the original functionality is supported on DragonFly BSD, and several of the newer features have been ported as well.

Goals

{{More citations needed|section|date=January 2011}}

FreeBSD jails mainly aim at three goals:

  1. Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is almost indistinguishable from a real system.
  2. Security: Each jail is sealed from the others, thus providing an additional level of security.
  3. Ease of delegation: The limited scope of a jail allows system administrators to delegate several tasks which require superuser access without handing out complete control over the system.

Unlike a chroot jail, which only restricts processes to a particular view of the filesystem, the FreeBSD jail mechanism also restricts what a jailed process may do with respect to the rest of the system. In effect, jailed processes are sandboxed. They are bound to specific IP addresses, and a jailed process cannot access divert or routing sockets. Raw sockets are also disabled by default; they can be enabled for an individual jail with the allow.raw_sockets jail parameter, whose system-wide default is the security.jail.allow_raw_sockets sysctl. Additionally, interaction between processes that are not running in the same jail is restricted.

The {{Mono|jail(8)}} utility and {{Mono|jail(2)}} system call first appeared in FreeBSD 4.0. New utilities (for example {{Mono|jls(8)}} to list jails) and system calls (for example {{Mono|jail_attach(2)}} to attach a new process to a jail) that make jail management much easier were added in FreeBSD 5.1. The jail subsystem received further significant updates with FreeBSD 7.2, including support for multiple IPv4 and IPv6 addresses per jail and support for binding jails to specific CPUs. FreeBSD 8.0 reworked the interface around named jail parameters, set and queried through {{Mono|jail_set(2)}} and {{Mono|jail_get(2)}}, and allowed jails to contain child jails; FreeBSD 12.0 enabled the VNET virtualised network stack in the default GENERIC kernel.

=Virtualization=

With {{Mono|jail}} it is possible to create environments, each having its own set of utilities installed and its own configuration. Jails let each software package see the system as if it had the machine to itself. Jails can also have their own, independent, jailed superusers.<ref>{{cite web |title=Chapter 16. Jails |url=https://docs.freebsd.org/en/books/handbook/jails/ |website=FreeBSD Documentation Portal |access-date=13 December 2022 |language=en}}</ref>

The FreeBSD jail does not, however, provide full machine virtualization: a jail cannot run a different kernel version from the host, since all jails share the host's kernel. There is no support for clustering or process migration.

=Security=

FreeBSD jails are an effective way to increase the security of a server because of the separation between the jailed environment and the rest of the system (the other jails and the base system).

FreeBSD jails are limited in the following ways:

  • Jailed processes cannot see or interact with processes in a different jail or on the host. For example, ps(1) run inside a jail lists only the jail's own processes, whereas ps(1) on the host also lists jailed processes.
  • Modifying the running kernel, whether by direct access or by loading kernel modules, is prohibited. Modifying most sysctls is prohibited, and the securelevel can be raised from inside a jail but never lowered.
  • Modifying the network configuration, including interfaces, IP addresses and the routing table, is prohibited, and divert and routing sockets cannot be accessed. Raw sockets are disabled by default. A jail is bound to specific IP addresses, and firewall rules cannot be changed. With VNET (virtual network stack), a jail gets its own instance of the network stack and may configure its own interfaces, addresses, routes and firewall rules, provided vnet is enabled for that jail.
  • Mounting and unmounting filesystems is prohibited unless the jail is explicitly granted the corresponding allow.mount parameters. Jails cannot access files above their root directory (i.e. a jail is chroot'ed).
  • Jailed processes cannot create device nodes.
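The following /etc/jail.conf, an added example rather than a fragment from the FreeBSD handbook or source tree, shows how the restrictions listed above are expressed per jail on FreeBSD releases whose jail(8) reads a configuration file. It places a default-restricted jail next to one that relaxes a single restriction (raw sockets) and one that uses VNET, so the effect of each parameter can be checked with the commands in the trailing comment. The jail names (www, mon, router), the em0 interface, the epair0 pair, the /usr/jail path and the 192.0.2.0/24 addresses are placeholders.

```conf
# /etc/jail.conf: added example, not from the FreeBSD handbook or source tree.
# Jail names (www, mon, router), the em0 interface, the epair0 pair and the
# 192.0.2.0/24 addresses are placeholders; substitute your own.

# Defaults inherited by every jail defined below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                      # start from a clean environment, not the host's
mount.devfs;                     # give the jail a /dev populated by devfs ...
devfs_ruleset = 4;               # ... filtered by the stock devfsrules_jail ruleset
path = "/usr/jail/$name";        # jail root; processes cannot reach files above it
host.hostname = "$name.example.org";

# Default-restricted jail: a fixed address on the host's network stack,
# no raw sockets, no mounts, and a higher securelevel than the host.
www {
    interface = "em0";           # jail(8) adds ip4.addr to em0 as an alias
    ip4.addr = 192.0.2.10;
    allow.raw_sockets = 0;       # kernel default; ping(8)/traceroute(8) fail inside
    allow.mount = 0;             # mount(8)/umount(8) fail inside
    securelevel = 2;             # may exceed the host's securelevel, never go below it
    enforce_statfs = 2;          # statfs(2) shows only the mount point holding the jail root
}

# Monitoring jail: same restrictions, but ping is needed, so raw sockets are
# allowed. The kernel still forces outgoing packets to carry the jail's address.
mon {
    interface = "em0";
    ip4.addr = 192.0.2.11;
    allow.raw_sockets = 1;
}

# VNET jail: its own network stack, so it may configure interfaces, addresses,
# routes and firewall rules itself. No ip4.addr here; the address is set from
# inside the jail on epair0b.
router {
    vnet;
    vnet.interface = "epair0b";                   # jail-side end of the epair(4)
    exec.prestart = "ifconfig epair0 create";     # creates epair0a (host) and epair0b
    exec.poststop = "ifconfig epair0a destroy";   # destroys both ends
    allow.raw_sockets = 1;
}

# Applying and checking, as root on the host:
#   jail -c www mon router                # create the three jails from this file
#   jls -v                                # list jails, their IDs, paths and addresses
#   jexec www sysctl security.jail.jailed # prints 1: the process is jailed
#   jexec www ping -c 1 192.0.2.1         # fails: raw sockets are off in www
#   jexec mon ping -c 1 192.0.2.1         # works: allow.raw_sockets = 1 in mon
#   jexec www sysctl kern.securelevel=0   # fails: a jail cannot lower its securelevel
#   jail -r www mon router                # remove the jails again
```

The mon jail shows the trade-off behind allow.raw_sockets: a raw socket lets the jailed root craft arbitrary packets, so the parameter should be granted only where a tool such as ping(8) is genuinely needed, and the kernel's source-address enforcement is what keeps such a jail from spoofing the host's other addresses. The router jail trades the static IP binding for a complete per-jail network stack, which is why the network-configuration and firewall restrictions in the list above no longer apply to it; its exposure is instead bounded by which interfaces are handed to it through vnet.interface.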

See also

{{Portal

| Free and open-source software

}}

{{div col |colwidth=24em}}

{{div col end}}

References

{{Reflist
|refs=
<ref name="informit-2007">{{cite web |url=http://www.informit.com/articles/printerfriendly/766375 |title=DragonFly BSD: UNIX for Clusters? |author=David Chisnall |publisher=Prentice Hall Professional |website=InformIT |date=2007-06-15 |access-date=2019-03-06}}</ref>
<ref name="jail.2">{{cite web |url=http://bxr.su/f/lib/libc/sys/jail.2 |title=jail(2) — create and manage system jails |publisher=FreeBSD, DragonFly BSD}}
  • {{cite book |section=jail, jail_get, jail_set, jail_remove, jail_attach -- create and manage system jails |title=FreeBSD Manual Pages |url=https://www.freebsd.org/cgi/man.cgi?query=jail&sektion=2}}
  • {{cite book |section=jail -- imprison current process and future descendants |title=DragonFly On-Line Manual Pages |url=https://www.dragonflybsd.org/cgi/web-man?command=jail&section=2}}</ref>
<ref name="jail.8">{{cite web |url=http://bxr.su/f/usr.sbin/jail/jail.8 |title=jail(8) — manage system jails |publisher=FreeBSD, DragonFly BSD}}
  • {{cite book |section=jail -- manage system jails |title=FreeBSD Manual Pages |url=https://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8}}
  • {{cite book |section=jail - imprison process and its descendants |title=DragonFly On-Line Manual Pages |url=https://www.dragonflybsd.org/cgi/web-man?command=jail&section=8}}</ref>
}}

Further reading

  • {{cite book|title=FreeBSD Mastery: Jails|last=Lucas|first=Michael W.|publisher=Tilted Windmill Press|date=2019|isbn=978-1-64235-023-4}}