Slash Boxes

SoylentNews is people

posted by martyb on Saturday March 06 2021, @04:52AM   Printer-friendly
from the Do-not-pass-Go,-Do-not-collect-$200 dept.

Klara Systems has an article with a deep dive into the origins of FreeBSD jails. These ideas have been around for many decades and taken form in several stages and finally became part of FreeBSD over 20 years ago. FreeBSD jails share the main system's kernel and are therefore a relatively light weight means for userspace isolation, compared to "containers". Within the jail, the environment appears as a normal system and processes within the jail can not see upward into the host or laterally into other jails.

In the late 1990s, [Poul-Henning] Kamp was contacted by a man from South Carolina named Derrick T. Woolworth. Woolworth had a problem and was looking for a solution. He ran a web hosting company named R&D Associates Inc and he “had this idea for running multiple different versions of Apache and MySQL on the same server”. Woolworth “complained about the fact that different customers in his webhotel needed different versions of apache, mysql, perl etc, and that this forced him to run many machines, each almost idle, just for these different software loads.”

Woolworth offered to pay for the development of such a feature. “The deal was that he would pay for the development and then after one year I would commit them to FreeBSD.” With that Jails were born. After Woolworth’s year of exclusivity expired, Jails were included in FreeBSD 4.

(Interestingly, the first use of jail in the computer world was in 1991. An AT&T researcher named Bill Cheswick created what he called a “chroot ‘Jail’ ” to watch a hacker trying to get into their systems.)

Jails allow “administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.” Jails is a method for giving “permission to access certain isolated areas of the operating system. Other jails remain completely untouched. Almost the entire isolation magic occurs at the kernel level; users only ever see the components they are supposed to see.”

As Kamp explains it, “Jails is like a one-way mirror.” He said further, “This means that an unjailed process can see all the jailed processes and, subject to UNIX access controls, send them signals, attach debuggers to them and so on. But the jailed processes cannot ‘see’ out of their jails, neither into other jails, nor into the unjailed part of the system.”

chroot, the progenitor to jails, probably first turned up sometime between 1975 and 1979 in 2BSD.

(2018) FreeBSD Celebrates 25th Anniversary, Tuesday, June 19th
(2016) FreeBSD Devs Ponder Changes to Security Processes
(2016) Beat This: Server Retired After 18 Years and 10 Months
(2014) How to Avoid Systemd?

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Touché) by leon_the_cat on Saturday March 06 2021, @12:27PM (1 child)

    by leon_the_cat (10052) on Saturday March 06 2021, @12:27PM (#1120748) Journal

    Great! But I tried running script inside one and now its dead. Just checked the log and it says it didn't kill itself. Any ideas??

    Starting Score:    1  point
    Moderation   0  
       Offtopic=1, Touché=1, Total=2
    Extra 'Touché' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Saturday March 06 2021, @03:51PM

    by Anonymous Coward on Saturday March 06 2021, @03:51PM (#1120811)

    Yes. Stop watching the news.