Klara Systems has an article with a deep dive into the origins of FreeBSD jails. These ideas have been around for many decades and taken form in several stages and finally became part of FreeBSD over 20 years ago. FreeBSD jails share the main system's kernel and are therefore a relatively light weight means for userspace isolation, compared to "containers". Within the jail, the environment appears as a normal system and processes within the jail can not see upward into the host or laterally into other jails.
In the late 1990s, [Poul-Henning] Kamp was contacted by a man from South Carolina named Derrick T. Woolworth. Woolworth had a problem and was looking for a solution. He ran a web hosting company named R&D Associates Inc and he “had this idea for running multiple different versions of Apache and MySQL on the same server”. Woolworth “complained about the fact that different customers in his webhotel needed different versions of apache, mysql, perl etc, and that this forced him to run many machines, each almost idle, just for these different software loads.”
Woolworth offered to pay for the development of such a feature. “The deal was that he would pay for the development and then after one year I would commit them to FreeBSD.” With that Jails were born. After Woolworth’s year of exclusivity expired, Jails were included in FreeBSD 4.
(Interestingly, the first use of jail in the computer world was in 1991. An AT&T researcher named Bill Cheswick created what he called a “chroot ‘Jail’ ” to watch a hacker trying to get into their systems.)
Jails allow “administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.” Jails is a method for giving “permission to access certain isolated areas of the operating system. Other jails remain completely untouched. Almost the entire isolation magic occurs at the kernel level; users only ever see the components they are supposed to see.”
As Kamp explains it, “Jails is like a one-way mirror.” He said further, “This means that an unjailed process can see all the jailed processes and, subject to UNIX access controls, send them signals, attach debuggers to them and so on. But the jailed processes cannot ‘see’ out of their jails, neither into other jails, nor into the unjailed part of the system.”
chroot, the progenitor to jails, probably first turned up sometime between 1975 and 1979 in 2BSD.
Previously:
(2018) FreeBSD Celebrates 25th Anniversary, Tuesday, June 19th
(2016) FreeBSD Devs Ponder Changes to Security Processes
(2016) Beat This: Server Retired After 18 Years and 10 Months
(2014) How to Avoid Systemd?
(Score: 2) by sjames on Saturday March 06 2021, @10:49AM
A caution though, chroot is not jail. On many systems (including Linux) chroot is not regarded as a security measure and so can be escaped.