Re: Clarification: "Jail" -vs- "Chroot"
On 14/07/2010 00:30, Aiza wrote:
> Ed Flecko wrote:
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>
> Well let me take a shot at this. First of all we are only talking
> about the FreeBSD operating system. The ability to chroot a directory
> tree has been available since RELEASES 2.0. The jail utility first
> appeared in RELEASE 4.0. The jail utility is just a basic effort to
> automate the building and administration of an chrooted directory tree
> which is pretty much useless unless it contains a complete copy of the
> Freebsd operating system binaries.
Actually as the manpage says "In the other extreme case a jail might
contain only one file: the executable to be run in the jail."
you put in a jail what you need. It doesnt have to be a complete install
its just commonly for that purpose. Also a jail offers more features
than chroot, such as sperate securelevels from the host, limits on
number of child jails (Hierarchical Jails) etc.
> The major short coming of the jail command jail system is each jail
> has it's own copy of the hosts running system binaries. Freebsd
> reserves a limited number of control structures for storing files and
> directories, called inodes. Creating a few jails consumes many of
> these valuable inodes, eventually preventing the creation of new jails
> and new files on the host. Worst yet is each jail loads it's own copy
> of it's running binaries into memory which causes thrashing on the
> swap device as memory pages are swapped in and out as the limited
> memory is shared between the host and jails. Besides consuming
> resources and creating performance degradation, this also causes a
> major administration headache when wanting to update the host running
> system, because the host and the jails all have to be running the same
> RELEASE version.
>
you can run other (lower) version userland if you want to as long as the
host has the correct COMPAT options in its kernel config. I'll agree on
the administration headache though.
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created where by a single copy of
> the jailed running binaries are shared among all the jails. But this
> still leaves you with an administration nightmare as the number of
> jails deployed grows past 5. Now there are some ports in the port
> system that are utility wrappers around the jail command that tries to
> address this administration nightmare. My experience with these are
> they are very poorly documented and you really need to have a good
> grasp on how jails work and network ip address usage before they are
> useful. Their easy of use quickly evaporates as the number of jails
> deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large
> number of jails is in project phase right now. Keep checking the ports
> system for qjail.
>
I quite like ezjail but I'll be sure to keep an eye open for qjail.
Vince
> Now about what to run in a jail. Well since each jail is like a
> complete stand-a-lone operating system, you can populate it with any
> application you want. The real limitation is how is that jail going to
> gain public internet access so the domain name of your apache website
> can be found and accessed. A static ip address is pretty much
> required, though with some creative ip address assignments this can be
> circumvented. Thats a whole other subject area.
>
>
>
>
>
>
>
>
>
>
>
>
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questi
Re: Clarification: "Jail" -vs- "Chroot"
On Wed, Jul 14, 2010 at 2:30 AM, Aiza wrote:
> Ed Flecko wrote:
>
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>>
>
> Well let me take a shot at this. First of all we are only talking about the
> FreeBSD operating system. The ability to chroot a directory tree has been
> available since RELEASES 2.0. The jail utility first appeared in RELEASE
> 4.0. The jail utility is just a basic effort to automate the building and
> administration of an chrooted directory tree which is pretty much useless
> unless it contains a complete copy of the Freebsd operating system binaries.
> The major short coming of the jail command jail system is each jail has it's
> own copy of the hosts running system binaries. Freebsd reserves a limited
> number of control structures for storing files and directories, called
> inodes. Creating a few jails consumes many of these valuable inodes,
> eventually preventing the creation of new jails and new files on the host.
> Worst yet is each jail loads it's own copy of it's running binaries into
> memory which causes thrashing on the swap device as memory pages are swapped
> in and out as the limited memory is shared between the host and jails.
> Besides consuming resources and creating performance degradation, this also
> causes a major administration headache when wanting to update the host
> running system, because the host and the jails all have to be running the
> same RELEASE version.
>
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created where by a single copy of the
> jailed running binaries are shared among all the jails. But this still
> leaves you with an administration nightmare as the number of jails deployed
> grows past 5. Now there are some ports in the port system that are utility
> wrappers around the jail command that tries to address this administration
> nightmare. My experience with these are they are very poorly documented and
> you really need to have a good grasp on how jails work and network ip
> address usage before they are useful. Their easy of use quickly evaporates
> as the number of jails deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large number
> of jails is in project phase right now. Keep checking the ports system for
> qjail.
>
> Now about what to run in a jail. Well since each jail is like a complete
> stand-a-lone operating system, you can populate it with any application you
> want. The real limitation is how is that jail going to gain public internet
> access so the domain name of your apache website can be found and accessed.
> A static ip address is pretty much required, though with some creative ip
> address assignments this can be circumvented. Thats a whole other subject
> area.
Hello community,
Aiza could you please tell us more about qjail. google isn't very helpful
and I am very interested in the subject.
thank you.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Clarification: "Jail" -vs- "Chroot"
Ed Flecko wrote:
Hi folks,
I'm reading about "jails" and "chroot", and I'm not clear about the
differences so I'm hoping someone can clarify this for me.
Here's what I "think" is correct:
1.) FreeBSD has both "chroot" capability as well as "jail" capability.
2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
3.) When reading something (book, article, etc.), is there a way to
determine if the author is, in fact, talking about truly a "jail" or
are they really just referring to a "chroot" environment? For example,
I have a book ("Preventing web attacks with Apache") that says:
"Chroot is short for change root and essentially allows you to run
programs in a protected or jailed environment. The main benefit of a
chroot jail is that the jail will limit the portion of the file system
the daemon can see to the root directory of the jail. Additionally,
since the jail only needs to support Apache, the programs available in
the jail can be extremely limited."
4.) Jail is the more secure of the two options?
5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
edition of "Absolute FreeBSD" says:
"Chrooting is useful for web servers that have multiple clients on one
machine—that is, web servers with many virtual hosts."
Comments??? Suggestions???
Thank you!
Ed
Well let me take a shot at this. First of all we are only talking about
the FreeBSD operating system. The ability to chroot a directory tree has
been available since RELEASES 2.0. The jail utility first appeared in
RELEASE 4.0. The jail utility is just a basic effort to automate the
building and administration of an chrooted directory tree which is
pretty much useless unless it contains a complete copy of the Freebsd
operating system binaries. The major short coming of the jail command
jail system is each jail has it's own copy of the hosts running system
binaries. Freebsd reserves a limited number of control structures for
storing files and directories, called inodes. Creating a few jails
consumes many of these valuable inodes, eventually preventing the
creation of new jails and new files on the host. Worst yet is each jail
loads it's own copy of it's running binaries into memory which causes
thrashing on the swap device as memory pages are swapped in and out as
the limited memory is shared between the host and jails. Besides
consuming resources and creating performance degradation, this also
causes a major administration headache when wanting to update the host
running system, because the host and the jails all have to be running
the same RELEASE version.
Now with some considerable hand jobbing per the jail section of the
handbook, a jail environment can be created where by a single copy of
the jailed running binaries are shared among all the jails. But this
still leaves you with an administration nightmare as the number of jails
deployed grows past 5. Now there are some ports in the port system that
are utility wrappers around the jail command that tries to address this
administration nightmare. My experience with these are they are very
poorly documented and you really need to have a good grasp on how jails
work and network ip address usage before they are useful. Their easy of
use quickly evaporates as the number of jails deployed reaches 10.
The next generation of a jail utility for the deployment of a large
number of jails is in project phase right now. Keep checking the ports
system for qjail.
Now about what to run in a jail. Well since each jail is like a complete
stand-a-lone operating system, you can populate it with any application
you want. The real limitation is how is that jail going to gain public
internet access so the domain name of your apache website can be found
and accessed. A static ip address is pretty much required, though with
some creative ip address assignments this can be circumvented. Thats a
whole other subject area.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Clarification: "Jail" -vs- "Chroot"
Hi,
> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
Yes, it has both of them. You still want to use chroot, also it is kind of
'part' of a jail (technically perhaps it's implemented separately).
> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
In Solaris, you have zones, and there are several projects to do the same
thing with Linux (Linux-vserver etc).
> 3.) When reading something (book, article, etc.), is there a way to
> determine if the author is, in fact, talking about truly a "jail" or
> are they really just referring to a "chroot" environment? For example,
> I have a book ("Preventing web attacks with Apache") that says:
>
> "Chroot is short for change root and essentially allows you to run
> programs in a protected or jailed environment. The main benefit of a
> chroot jail is that the jail will limit the portion of the file system
> the daemon can see to the root directory of the jail. Additionally,
> since the jail only needs to support Apache, the programs available in
> the jail can be extremely limited."
Usually, only FreeBSD-specific books will talk about jails, as chroot is the
generic Unix-way for that. Anyway, in many cases you can use a jail for the
same things a chroot-environment is talked about.
In this case, I think he's really talking about a chroot, as he's only
talking about the file system, not the network etc.
> 4.) Jail is the more secure of the two options?
I cannot really answer this, but a jail is the more separated way. So, I
would say, a jail is more secure. If the extras of a jail are not needed, it
is perhaps more insecure, as there are more points to break into theu system.
But, don't rely on my answer, I never looked at the kernel-side of jails the
very technical way.
> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
> edition of "Absolute FreeBSD" says:
>
> "Chrooting is useful for web servers that have multiple clients on one
> machine—that is, web servers with many virtual hosts."
On the FreeBSD-machines I manage, I use chroot for the services that are not
that security-relevant or can easily be separated, i.e. on some
distributions you can put your apache or bind easily into a
chroot-environment.
Also, a chroot-environment can have other targets than a jail, e.g. if you
only want to have another file system-visibility instead of a new jail as you
do when you have to start with a live-cd into a non-booting system.
Sorry for my English. :)
Regards, Julian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Clarification: "Jail" -vs- "Chroot"
Hi folks,
I'm reading about "jails" and "chroot", and I'm not clear about the
differences so I'm hoping someone can clarify this for me.
Here's what I "think" is correct:
1.) FreeBSD has both "chroot" capability as well as "jail" capability.
2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
3.) When reading something (book, article, etc.), is there a way to
determine if the author is, in fact, talking about truly a "jail" or
are they really just referring to a "chroot" environment? For example,
I have a book ("Preventing web attacks with Apache") that says:
"Chroot is short for change root and essentially allows you to run
programs in a protected or jailed environment. The main benefit of a
chroot jail is that the jail will limit the portion of the file system
the daemon can see to the root directory of the jail. Additionally,
since the jail only needs to support Apache, the programs available in
the jail can be extremely limited."
4.) Jail is the more secure of the two options?
5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
edition of "Absolute FreeBSD" says:
"Chrooting is useful for web servers that have multiple clients on one
machine—that is, web servers with many virtual hosts."
Comments??? Suggestions???
Thank you!
Ed
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
