Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
posted by martyb on Saturday March 06 2021, @04:52AM   Printer-friendly
from the Do-not-pass-Go,-Do-not-collect-$200 dept.

Klara Systems has an article with a deep dive into the origins of FreeBSD jails. These ideas have been around for many decades and taken form in several stages and finally became part of FreeBSD over 20 years ago. FreeBSD jails share the main system's kernel and are therefore a relatively light weight means for userspace isolation, compared to "containers". Within the jail, the environment appears as a normal system and processes within the jail can not see upward into the host or laterally into other jails.

In the late 1990s, [Poul-Henning] Kamp was contacted by a man from South Carolina named Derrick T. Woolworth. Woolworth had a problem and was looking for a solution. He ran a web hosting company named R&D Associates Inc and he “had this idea for running multiple different versions of Apache and MySQL on the same server”. Woolworth “complained about the fact that different customers in his webhotel needed different versions of apache, mysql, perl etc, and that this forced him to run many machines, each almost idle, just for these different software loads.”

Woolworth offered to pay for the development of such a feature. “The deal was that he would pay for the development and then after one year I would commit them to FreeBSD.” With that Jails were born. After Woolworth’s year of exclusivity expired, Jails were included in FreeBSD 4.

(Interestingly, the first use of jail in the computer world was in 1991. An AT&T researcher named Bill Cheswick created what he called a “chroot ‘Jail’ ” to watch a hacker trying to get into their systems.)

Jails allow “administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.” Jails is a method for giving “permission to access certain isolated areas of the operating system. Other jails remain completely untouched. Almost the entire isolation magic occurs at the kernel level; users only ever see the components they are supposed to see.”

As Kamp explains it, “Jails is like a one-way mirror.” He said further, “This means that an unjailed process can see all the jailed processes and, subject to UNIX access controls, send them signals, attach debuggers to them and so on. But the jailed processes cannot ‘see’ out of their jails, neither into other jails, nor into the unjailed part of the system.”

chroot, the progenitor to jails, probably first turned up sometime between 1975 and 1979 in 2BSD.

Previously:
(2018) FreeBSD Celebrates 25th Anniversary, Tuesday, June 19th
(2016) FreeBSD Devs Ponder Changes to Security Processes
(2016) Beat This: Server Retired After 18 Years and 10 Months
(2014) How to Avoid Systemd?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Informative) by TheRaven on Saturday March 06 2021, @11:55AM

    by TheRaven (270) on Saturday March 06 2021, @11:55AM (#1120745) Journal
    This is true, but the original jails paper explicitly calls out the chroot system as inspiration and aimed to build a proper chroot. The main problem with chroot was that it didn't jail the root user, so you could always issue system calls such as mount and friends that let you escape. That was fixed with jails.

    The original jails implementation was far from complete. It didn't give you a separate namespace for SysV IPC, for example, which meant that you couldn't run PostgreSQL in a jail securely (there was a sysctl to turn of SysV IPC in jails entirely, but then PostgreSQL didn't run at all, if you turned it on then your jail could access any SysV IPC objects). This was fixed later, though Solaris Zones actually did it first.

    The network stack virtualization (VNET) was even more recent. Amusingly, part of the motivation for jails was that it's less overhead to share a kernel across virtual systems than to run a full VM, but with the network stack it turned out that you got a lot more resource contention by adding a load of jails to the network stack. It was much faster to have a separate copy of all network-stack state.

    --
    sudo mod me up
    Starting Score:    1  point
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4