Klara Systems has an article with a deep dive into the origins of FreeBSD jails. These ideas have been around for many decades and taken form in several stages and finally became part of FreeBSD over 20 years ago. FreeBSD jails share the main system's kernel and are therefore a relatively light weight means for userspace isolation, compared to "containers". Within the jail, the environment appears as a normal system and processes within the jail can not see upward into the host or laterally into other jails.
In the late 1990s, [Poul-Henning] Kamp was contacted by a man from South Carolina named Derrick T. Woolworth. Woolworth had a problem and was looking for a solution. He ran a web hosting company named R&D Associates Inc and he “had this idea for running multiple different versions of Apache and MySQL on the same server”. Woolworth “complained about the fact that different customers in his webhotel needed different versions of apache, mysql, perl etc, and that this forced him to run many machines, each almost idle, just for these different software loads.”
Woolworth offered to pay for the development of such a feature. “The deal was that he would pay for the development and then after one year I would commit them to FreeBSD.” With that Jails were born. After Woolworth’s year of exclusivity expired, Jails were included in FreeBSD 4.
(Interestingly, the first use of jail in the computer world was in 1991. An AT&T researcher named Bill Cheswick created what he called a “chroot ‘Jail’ ” to watch a hacker trying to get into their systems.)
Jails allow “administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.” Jails is a method for giving “permission to access certain isolated areas of the operating system. Other jails remain completely untouched. Almost the entire isolation magic occurs at the kernel level; users only ever see the components they are supposed to see.”
As Kamp explains it, “Jails is like a one-way mirror.” He said further, “This means that an unjailed process can see all the jailed processes and, subject to UNIX access controls, send them signals, attach debuggers to them and so on. But the jailed processes cannot ‘see’ out of their jails, neither into other jails, nor into the unjailed part of the system.”
chroot, the progenitor to jails, probably first turned up sometime between 1975 and 1979 in 2BSD.
Previously:
(2018) FreeBSD Celebrates 25th Anniversary, Tuesday, June 19th
(2016) FreeBSD Devs Ponder Changes to Security Processes
(2016) Beat This: Server Retired After 18 Years and 10 Months
(2014) How to Avoid Systemd?
(Score: 4, Informative) by pe1rxq on Saturday March 06 2021, @09:39AM (3 children)
jails do more than just chroot.
chroot gives you a different view on the filesystem, but the rest of the system is still shared. For example with 'ps' you will still see binaries running outside your chroot.
With jails you can actually get a separation of the rest of the system as well, including its network stack.
(Score: 4, Informative) by TheRaven on Saturday March 06 2021, @11:55AM
The original jails implementation was far from complete. It didn't give you a separate namespace for SysV IPC, for example, which meant that you couldn't run PostgreSQL in a jail securely (there was a sysctl to turn of SysV IPC in jails entirely, but then PostgreSQL didn't run at all, if you turned it on then your jail could access any SysV IPC objects). This was fixed later, though Solaris Zones actually did it first.
The network stack virtualization (VNET) was even more recent. Amusingly, part of the motivation for jails was that it's less overhead to share a kernel across virtual systems than to run a full VM, but with the network stack it turned out that you got a lot more resource contention by adding a load of jails to the network stack. It was much faster to have a separate copy of all network-stack state.
sudo mod me up
(Score: 2, Touché) by leon_the_cat on Saturday March 06 2021, @12:27PM (1 child)
Great! But I tried running epstein.sh script inside one and now its dead. Just checked the log and it says it didn't kill itself. Any ideas??
(Score: 0) by Anonymous Coward on Saturday March 06 2021, @03:51PM
Yes. Stop watching the news.