Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
posted by martyb on Saturday March 06 2021, @04:52AM   Printer-friendly
from the Do-not-pass-Go,-Do-not-collect-$200 dept.

Klara Systems has an article with a deep dive into the origins of FreeBSD jails. These ideas have been around for many decades and taken form in several stages and finally became part of FreeBSD over 20 years ago. FreeBSD jails share the main system's kernel and are therefore a relatively light weight means for userspace isolation, compared to "containers". Within the jail, the environment appears as a normal system and processes within the jail can not see upward into the host or laterally into other jails.

In the late 1990s, [Poul-Henning] Kamp was contacted by a man from South Carolina named Derrick T. Woolworth. Woolworth had a problem and was looking for a solution. He ran a web hosting company named R&D Associates Inc and he “had this idea for running multiple different versions of Apache and MySQL on the same server”. Woolworth “complained about the fact that different customers in his webhotel needed different versions of apache, mysql, perl etc, and that this forced him to run many machines, each almost idle, just for these different software loads.”

Woolworth offered to pay for the development of such a feature. “The deal was that he would pay for the development and then after one year I would commit them to FreeBSD.” With that Jails were born. After Woolworth’s year of exclusivity expired, Jails were included in FreeBSD 4.

(Interestingly, the first use of jail in the computer world was in 1991. An AT&T researcher named Bill Cheswick created what he called a “chroot ‘Jail’ ” to watch a hacker trying to get into their systems.)

Jails allow “administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.” Jails is a method for giving “permission to access certain isolated areas of the operating system. Other jails remain completely untouched. Almost the entire isolation magic occurs at the kernel level; users only ever see the components they are supposed to see.”

As Kamp explains it, “Jails is like a one-way mirror.” He said further, “This means that an unjailed process can see all the jailed processes and, subject to UNIX access controls, send them signals, attach debuggers to them and so on. But the jailed processes cannot ‘see’ out of their jails, neither into other jails, nor into the unjailed part of the system.”

chroot, the progenitor to jails, probably first turned up sometime between 1975 and 1979 in 2BSD.

Previously:
(2018) FreeBSD Celebrates 25th Anniversary, Tuesday, June 19th
(2016) FreeBSD Devs Ponder Changes to Security Processes
(2016) Beat This: Server Retired After 18 Years and 10 Months
(2014) How to Avoid Systemd?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: -1, Spam) by Anonymous Coward on Saturday March 06 2021, @05:24AM (2 children)

    by Anonymous Coward on Saturday March 06 2021, @05:24AM (#1120705)

    NIGGER

    • (Score: 2, Touché) by Rosco P. Coltrane on Saturday March 06 2021, @06:48AM

      by Rosco P. Coltrane (4757) on Saturday March 06 2021, @06:48AM (#1120715)

      Indeed, an excellent and a-propos social commentary on the abnormal race disparities in jails.

    • (Score: 0) by Anonymous Coward on Sunday March 07 2021, @06:17PM

      by Anonymous Coward on Sunday March 07 2021, @06:17PM (#1121100)

      Damn it Trump! How many times do we have to tell you to go away?!

  • (Score: 2, Interesting) by Anonymous Coward on Saturday March 06 2021, @07:33AM (7 children)

    by Anonymous Coward on Saturday March 06 2021, @07:33AM (#1120725)

    Indeed, almost everything you need to know about jails can be learned by reading the chroot()-related man pages, and it has been around for decades.

    The chroot() system call is integral to booting CDROMs - you have to load a copy of your filesystem into memory and then perform a chroot() to the root of the new filesystem, in memory. I think it played a role in ND (Network Disk, a predecessor to the Network File System, for diskless workstations, back in the 68000 days), as well, and NFS, following that.

    Jails are a practical application for a system call that was usually used just once, at boot time.

    Raise your hand if you know what L1-A does, and know that you are one of a steadily shrinking minority.

    • (Score: 4, Informative) by pe1rxq on Saturday March 06 2021, @09:39AM (3 children)

      by pe1rxq (844) on Saturday March 06 2021, @09:39AM (#1120733) Homepage

      jails do more than just chroot.
      chroot gives you a different view on the filesystem, but the rest of the system is still shared. For example with 'ps' you will still see binaries running outside your chroot.
      With jails you can actually get a separation of the rest of the system as well, including its network stack.

      • (Score: 4, Informative) by TheRaven on Saturday March 06 2021, @11:55AM

        by TheRaven (270) on Saturday March 06 2021, @11:55AM (#1120745) Journal
        This is true, but the original jails paper explicitly calls out the chroot system as inspiration and aimed to build a proper chroot. The main problem with chroot was that it didn't jail the root user, so you could always issue system calls such as mount and friends that let you escape. That was fixed with jails.

        The original jails implementation was far from complete. It didn't give you a separate namespace for SysV IPC, for example, which meant that you couldn't run PostgreSQL in a jail securely (there was a sysctl to turn of SysV IPC in jails entirely, but then PostgreSQL didn't run at all, if you turned it on then your jail could access any SysV IPC objects). This was fixed later, though Solaris Zones actually did it first.

        The network stack virtualization (VNET) was even more recent. Amusingly, part of the motivation for jails was that it's less overhead to share a kernel across virtual systems than to run a full VM, but with the network stack it turned out that you got a lot more resource contention by adding a load of jails to the network stack. It was much faster to have a separate copy of all network-stack state.

        --
        sudo mod me up
      • (Score: 2, Touché) by leon_the_cat on Saturday March 06 2021, @12:27PM (1 child)

        by leon_the_cat (10052) on Saturday March 06 2021, @12:27PM (#1120748) Journal

        Great! But I tried running epstein.sh script inside one and now its dead. Just checked the log and it says it didn't kill itself. Any ideas??

        • (Score: 0) by Anonymous Coward on Saturday March 06 2021, @03:51PM

          by Anonymous Coward on Saturday March 06 2021, @03:51PM (#1120811)

          Yes. Stop watching the news.

    • (Score: 2) by sjames on Saturday March 06 2021, @10:49AM

      by sjames (2882) on Saturday March 06 2021, @10:49AM (#1120739) Journal

      A caution though, chroot is not jail. On many systems (including Linux) chroot is not regarded as a security measure and so can be escaped.

    • (Score: 0) by Anonymous Coward on Saturday March 06 2021, @12:36PM (1 child)

      by Anonymous Coward on Saturday March 06 2021, @12:36PM (#1120750)

      Raises Hand

      Hello my friend.

      That is a sequence I haven't pressed since-

      • (Score: 1) by crotherm on Saturday March 06 2021, @06:49PM

        by crotherm (5427) Subscriber Badge on Saturday March 06 2021, @06:49PM (#1120854)

        Suns Only. Yep, it's been a while. Almost forgot, repressed memories. heh

  • (Score: 2, Informative) by toph on Saturday March 06 2021, @01:01PM (1 child)

    by toph (5509) on Saturday March 06 2021, @01:01PM (#1120758)
    Not sure how it compares to FreeBSD jails, but on my Linux machines I've been using Firejail.

    Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

    As others have said, chroot alone is not a jail.

    • (Score: 0) by Anonymous Coward on Saturday March 06 2021, @05:21PM

      by Anonymous Coward on Saturday March 06 2021, @05:21PM (#1120838)

      Prior chroots do not a prison make.

  • (Score: 2) by corey on Saturday March 06 2021, @10:29PM (2 children)

    by corey (2202) on Saturday March 06 2021, @10:29PM (#1120886)

    Why would I want to use jails? I’ve been running FreeBSD on my server for years, doing proxy, samba, nfs, zfs, pf firewall etc. I see so much discussion on the forums about jails but I’m not sure why someone like me would use this function, with no multi user system.

    • (Score: 2) by jimtheowl on Monday March 08 2021, @05:27PM

      by jimtheowl (5929) on Monday March 08 2021, @05:27PM (#1121430)
      To experiment perhaps. That is probably how you came to know some of the services you listed in the first place.

      It also makes it easier to run linux services.

      https://wiki.freebsd.org/LinuxJails [freebsd.org]
    • (Score: 0) by Anonymous Coward on Monday March 08 2021, @08:26PM

      by Anonymous Coward on Monday March 08 2021, @08:26PM (#1121493)

      to isolate an application that could get compromised?

(1)